If you have a Gmail or Yahoo account, you probably know how cluttered your inbox can get with unsolicited email and other email that is clearly trying to defraud you. If you have ever thought to yourself “why can’t these companies do a better job blocking these fraudulent messages and make it easier for me to receive less unsolicited mail?”, you are not alone.
The good news is: Google and Yahoo are doing something about it, and things are about to change. The bad news is: If your company sends email to Google and Yahoo users, you may have some work to do and not a lot of time to do it.
Google has announced that starting February 2024, Gmail will require email authentication to be in place when sending messages to Gmail accounts. If you’re a bulk sender who sends more than 5,000 emails per day to Gmail accounts, you’ll have even more email authentication requirements to meet. You’ll also need to have a DMARC policy in place, ensure SPF and DKIM alignment, and you’ll need to make it easy for recipients to unsubscribe (one-click unsubscribe). (You can access Google’s detailed Email Sender Guidelines here.)
Yahoo is rolling out similar requirements. The company recently announced that it will require strong email authentication to be in place by early 2024 to help stem the flow of malicious messages and reduce the amount of low value emails cluttering users’ inboxes.
Are you prepared to meet these requirements? Here’s what you should know.
New Google and Yahoo email requirements
The new requirements are broken down into two categories. All senders will need to follow the first set. Depending on how much email you send per day, there are also additional rules.
Applicable to all senders:
- Email authentication. This is a critical measure to help prevent threat actors from sending email under the pretence of being from your organisation. This tactic is referred to as domain spoofing and, if left unprotected, allows cyber criminals to weaponize sending domains for malicious cyber attacks.
- SPF is an email authentication protocol designed to prevent email spoofing, a common technique used in phishing attacks and email spam. As an integral part of email cybersecurity, SPF enables the receiving mail server to check whether incoming email comes from an IP address authorised by that domain’s administrator.
- DKIM is a protocol that allows an organisation to take responsibility for transmitting a message by signing it in a way that mailbox providers can verify. DKIM record verification is made possible through cryptographic authentication.
- Low spam rates. If recipients report your messages as spam at a rate that exceeds the new .3% requirement, your messages could be blocked or sent directly to a spam Folder.
Requirements for senders of more than 5,000 messages per day:
- SPF and DKIM must be in place. Companies that send to Gmail or Yahoo must have Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication methods implemented.
- Companies must have a DMARC policy in place. DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is an email authentication standard that provides domain-level protection of the email channel.
- DMARC authentication detects and prevents email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks.
- DMARC builds on the existing standards of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It is the first and only widely deployed technology that can make the header “from” domain trustworthy. The domain owner can publish a DMARC record in the Domain Name System (DNS) and create a policy to tell receivers what to do with emails that fail authentication.
- Messages must pass DMARC alignment. This means that the sending Envelope From domain is the same as the Header From domain, or that the DKIM domain is the same as the Header From domain.
- Messages must include one-click unsubscribe. For subscribed messages, messages must contain List-Unsubscribe message headers and a clearly visible unsubscribe link in the message body that can be initiated with a single click (one-click unsubscribe). Unsubscribe actions must be taken for a requesting user within two days.
Google requirements at-a-glance
Requirements for Senders <5,000 per day
Requirements for Senders >5,000 per day
What happens if you miss the deadline?
If your company relies on email to communicate with your customers and you don’t implement email authentication, these changes are going to significantly impact the deliverability of your messages to customers with Gmail and Yahoo accounts. If you send over 5,000 emails to these accounts daily and fail to have SPF and DKIM, or don’t have a DMARC policy implemented, these non-deliveries will have an even greater impact on your business.
Proofpoint can help
Proofpoint is an industry leader when it comes to email authentication. More Fortune 1000 Companies rely on Proofpoint for DMARC than our next five closest competitors combined. We have the tools, resources and experience to assess your current status and help close the gap more effectively and efficiently than you would if you tackled it on your own.
Proofpoint’s Email Fraud Defense (EFD) solution provides access to highly-experienced consultants who can guide you through each step of your DMARC journey, helping you to meet the new requirements and also protect your overall brand reputation. EFD also includes Hosted SPF and Hosted DKIM services that can simplify management and streamline your implementation.
For transactional emails, ones that may be sent from applications or from third-party partners on your behalf, Proofpoint’s Secure Email Relay solution can not only ensure that all these messages are DKIM signed but it can also help with achieving DMARC alignment at an accelerated rate.
In response to these new requirements, Proofpoint is now offering a free Email Deliverability Assessment to help identify potential gaps and provide recommendations on a path forward, so you can minimize the impact of these changes on your business. You can also visit our DMARC Creation Wizard today to check your DMARC and SPF statuses. For a deep dive on the requirements and implementation demo on Proofpoint Email Fraud Defense and Proofpoint Secure Email Relay, join us for a live webinar on Tuesday, December 12th.