Ask HN: How does DKIM forgery via Salesforce work
https://sammitrovic.com/infosec/gmail-account-takeover-super-realistic-ai-scam-call/
As part of that attack, it appears that the attacker was able to forge an email from `workspacesupport@google.com` which passed SPF/DKIM/DMARC checks. To explain how this is possible, Sam states:
> The header showed how they spoofed the sender email address. They are using Salesforce CRM which allows you to set the sender to whatever you like and send over Gmail/Google servers.
This explanation seems incomplete to me. Since Google's outbound SMTP servers use a shared IP pool, I see how sending email via this pool could circumvent SPF protections for any domain that adds `include:_spf.google.com` to its SPF policy (versus, say, using an outbound gateway). However, I thought that the DKIM protections should still be in place. It seems to me that the private DKIM key shouldn't be shared between Google Workspace clients in any case, and therefore the forged email should not be correctly signed.
What are the best practices for Google Workspace clients to protect their domains from this type of forgery (which passes SPF/DKIM/DMARC checks)?
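The post's reasoning hinges on DMARC identifier alignment (RFC 7489 section 3.1): a DMARC pass needs the From: domain to align with either a passing SPF domain (the envelope MAIL FROM) or a passing DKIM signature's d= domain, so an SPF pass for some other tenant's domain, even from Google's shared pool, is not enough on its own. The script below is an added example, not code from the post or the linked article: it parses the SPF and DKIM clauses of a Gmail-style Authentication-Results header and evaluates alignment for three constructed cases (a message relayed by another tenant, a genuine google.com message, and an SPF-only pass from a google.com subdomain). The headers, the domain `attacker.example`, the selector names and the IP in the comment are all constructed; google.com appears only because the post discusses it.

```python
"""DMARC alignment worked through on constructed Authentication-Results headers.

Added example (not from the HN post or the linked article). Implements the
RFC 7489 section 3.1 rule: the RFC5322.From domain must align with either a
passing SPF identifier (RFC5321.MailFrom) or a passing DKIM d= domain.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Optional, Tuple


@dataclass
class AuthResults:
    spf: Optional[Tuple[str, str]] = None                       # (result, MAIL FROM domain)
    dkim: List[Tuple[str, str]] = field(default_factory=list)   # [(result, d= domain), ...]


def parse_auth_results(header_value: str) -> AuthResults:
    """Parse the SPF and DKIM clauses of an RFC 8601 Authentication-Results header."""
    ar = AuthResults()
    text = re.sub(r"\([^)]*\)", "", header_value)   # drop comments such as "(google.com: domain of ...)"
    for clause in text.split(";")[1:]:              # clause 0 is the authserv-id (e.g. mx.google.com)
        clause = clause.strip()
        if not clause:
            continue
        method, _, rest = clause.partition("=")
        result = rest.split()[0].lower()
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
        method = method.strip().lower()
        if method == "spf":
            ar.spf = (result, props.get("smtp.mailfrom", "").split("@")[-1].lower())
        elif method == "dkim":
            # Gmail reports header.i=@domain; other verifiers report header.d=domain.
            d = props.get("header.d") or props.get("header.i", "").split("@")[-1]
            ar.dkim.append((result, d.lower()))
    return ar


def from_domain(from_header: str) -> str:
    """RFC5322.From domain, e.g. 'Support <x@google.com>' -> 'google.com'."""
    return parseaddr(from_header)[1].split("@")[-1].lower()


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. Real code must use
    the Public Suffix List (RFC 7489 section 3.2) so that e.g. co.uk is handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(rfc5322_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return rfc5322_from.lower() == auth_domain.lower()
    return org_domain(rfc5322_from) == org_domain(auth_domain)


def dmarc_evaluate(rfc5322_from: str, ar: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if at least one authenticated identifier aligns with the From domain."""
    spf_aligned = ar.spf is not None and ar.spf[0] == "pass" and aligned(rfc5322_from, ar.spf[1], aspf)
    dkim_aligned = any(r == "pass" and aligned(rfc5322_from, d, adkim) for r, d in ar.dkim)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}


# Constructed headers; none of these were captured from the incident in the post.
FROM_HEADER = "Google Workspace Support <workspacesupport@google.com>"

# Case 1: relayed through Google's shared pool, but the envelope sender and the
# DKIM d= belong to the sending tenant's own (hypothetical) domain. Both checks
# pass, neither aligns with google.com, so DMARC fails.
AR_TENANT = """mx.google.com;
  dkim=pass header.i=@attacker.example header.s=sel1;
  spf=pass (google.com: domain of bounce@attacker.example designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@attacker.example"""

# Case 2: genuinely from google.com, DKIM-signed with google.com's own key.
AR_LEGIT = """mx.google.com;
  dkim=pass header.i=@google.com header.s=20230601;
  spf=pass smtp.mailfrom=workspacesupport@google.com;
  dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com"""

# Case 3: no aligned DKIM, but an SPF pass on a google.com subdomain. This is what
# an SPF-only route to a DMARC pass would require: an envelope sender under
# google.com AND a sending IP listed in that domain's SPF record.
AR_SUBDOMAIN_SPF = """mx.google.com;
  dkim=fail header.i=@google.com header.s=20230601;
  spf=pass smtp.mailfrom=bounces@bounce.google.com"""


if __name__ == "__main__":
    fd = from_domain(FROM_HEADER)
    for name, hdr in [("tenant", AR_TENANT), ("legit", AR_LEGIT), ("subdomain-spf", AR_SUBDOMAIN_SPF)]:
        print(name, dmarc_evaluate(fd, parse_auth_results(hdr)))
    print("subdomain-spf with aspf=s", dmarc_evaluate(fd, parse_auth_results(AR_SUBDOMAIN_SPF), aspf="s"))
```

Case 3 is the one to keep in mind when reading the linked article: under the default relaxed alignment a subdomain envelope sender aligns with google.com, under strict alignment (`aspf=s`) it does not, and either way the sending IP must be authorized by the google.com SPF record, not merely by some tenant's record that includes `_spf.google.com`. The organizational-domain helper is deliberately simplified; a production verifier must consult the Public Suffix List.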