The problem lay with the DKIM key DomainKeys Identified Mail Google used for its google.com e-mails. DKIM involves a cryptographic key that domains use to sign e-mail originating from them – or passing through them – to validate to a recipient that the domain in the header information on an e-mail is correct and that the correspondence indeed came from the stated domain. When e-mail arrives at its destination, the receiving server can look up the public key through the sender’s DNS records and verify the validity of the signature.
via How a Google Headhunters E-Mail Unraveled a Massive Net Security Hole | Threat Level | Wired.com.