Avanan states that threat actors can utilize Google’s SMTP relay service to spoof other Gmail tenants without being detected, as long as those domains do not have a DMARC policy configured with the ‘reject’ directive.