Update: Google and Yahoo’s new anti-spam measures mean cleaner and safer inboxes
These global email giants have unveiled new bulk sender requirements aimed at stopping spam and malicious emails from reaching users’ inboxes.
The release of these requirements – which bulk senders should comply with by February 2024 – is fantastic news for email security. Email is one of the world’s top digital communication channels for business and personal use alike. These moves by email providers to further protect users against cybercriminals means that they can look forward to far less spam and illegitimate emails.
In today’s digital landscape, email phishing is the most common type of cybercrime that malicious actors use to get their hands on precious user data, with phishing emails accounting for 91% of cyberattacks.
Of the estimated 347.3 billion emails sent globally every day, 45-50% are spam, with approximately 3.4 billion being phishing.
In its announcement in October 2023, Google stated that current cyberthreats are “more complex and pressing than ever”, which has led to the release of these new requirements for bulk senders (those sending over 5 000 emails to Gmail addresses per day). Google also noted that it’s not the only email provider pushing for these changes and Yahoo followed closely with its own updated bulk sender requirements.
“No matter who their email provider is, all users deserve the safest, most secure experience possible. In the interconnected world of email, that takes all of us working together. Yahoo looks forward to working with Google and the rest of the email community to make these common sense, high-impact changes the new industry standard,” said Marcel Becker, Sr. Director of Product at Yahoo.
Both organizations noted that many bulk email senders fail to set up their email ecosystems correctly, allowing cybercrooks to slip through their defenses undetected.
To address this problem, the new bulk sender requirements zoom in on a vital aspect of email security: the validation that a sender is who they say they are through strong email authentication. In addition, these requirements will make it easier for users to unsubscribe from emails as well as keep inboxes clear of unwanted emails.
A closer look at the new requirements for bulk senders
1. Ensure that emails pass SPF and DKIM checks
Outbound email configuration must be updated to ensure that emails pass both Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks – instead of an either/or pass which would have sufficed previously.
This means that bulk senders must update their DNS to prove that they are who they say they are and that they’re using the correct infrastructure to send email. A passing SPF check ensures that only authorized mail servers can send email on behalf of a domain, while a passing DKIM check verifies that a message is authentic and hasn’t been tampered with in transit.
2. Have a DMARC record
The domain that bulk emails are sent from must have a present and passing Domain-based Message Authentication, Reporting, and Conformance (DMARC) record.
In short, DMARC is a global email authentication standard that provides reporting and enforcement on top of SPF and DKIM. It ensures that only legitimate email from the real sender ever reaches the recipient’s inbox, securing recipients against phishing, spoofing, and impersonation attacks.
DMARC adds an extra layer of security to SPF and DKIM to effectively safeguard senders against impersonation and the damages related to it, such as reputation damage, depletion of recipient trust, and financial losses. DMARC compliance ensures maximized email security and deliverability of emails.
Google and Yahoo don’t require a strict DMARC policy yet and senders can start with a p=none policy to begin monitoring who’s sending emails using their domains. However, the cybersecurity industry-recommended DMARC policy remains p=reject – the strongest possible DMARC enforcement – which will block emails from unauthorized sources altogether.
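To make the SPF, DKIM and DMARC requirements above concrete, here is a small added example (not code from Google, Yahoo or Sendmarc) that parses a DMARC TXT record, checks whether a message's SPF and DKIM results align with its From domain, and reports the resulting DMARC disposition together with the "both SPF and DKIM pass, DMARC present" bulk-sender check. The DMARC records and messages are constructed sample data, and organizational-domain matching is simplified to the last two DNS labels rather than the Public Suffix List.

```python
from typing import Optional

# Constructed sample DMARC records: a monitoring-only policy and the
# industry-recommended enforcement policy described in the article.
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

# Constructed authentication results for two inbound messages.
LEGIT_MSG = {"from_domain": "news.example.com", "spf_result": "pass",
             "spf_domain": "bounce.example.com", "dkim_result": "pass",
             "dkim_domain": "example.com"}
SPOOFED_MSG = {"from_domain": "example.com", "spf_result": "pass",
               "spf_domain": "unrelated.example.net", "dkim_result": "none",
               "dkim_domain": ""}

def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels form the organizational domain.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(msg: dict, dmarc_txt: Optional[str]) -> dict:
    """Return the DMARC disposition and whether the message meets the bulk-sender bar."""
    spf_pass = msg["spf_result"] == "pass"
    dkim_pass = msg["dkim_result"] == "pass"
    if dmarc_txt is None:  # no DMARC record: nothing to enforce, requirement unmet
        return {"dmarc_present": False, "disposition": "none",
                "meets_bulk_requirements": False}
    rec = parse_dmarc(dmarc_txt)
    spf_ok = spf_pass and aligned(msg["from_domain"], msg["spf_domain"], rec.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(msg["from_domain"], msg["dkim_domain"], rec.get("adkim", "r"))
    dmarc_pass = spf_ok or dkim_ok          # DMARC passes if either aligned result passes
    disposition = "none" if dmarc_pass else rec["p"]  # p=none only monitors, p=reject blocks
    return {"dmarc_present": True, "disposition": disposition,
            "meets_bulk_requirements": spf_pass and dkim_pass and dmarc_pass}
```

Running `evaluate(SPOOFED_MSG, DMARC_MONITOR)` shows why p=none is only a starting point: the spoofed message still gets disposition "none", whereas under DMARC_ENFORCE it is rejected.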
3. Make unsubscribing easy
If you’ve ever unsubscribed from an email chain only to receive more emails from the same sender, this requirement will give you immense joy. Gmail and Yahoo will require that large-volume senders allow recipients to unsubscribe from unwanted emails in one click and that these requests are processed within two days.
4. Comply with the new spam rate threshold
In an industry first, Google introduced a spam threshold of below 0.3%, with Yahoo following suit. This move furthers both email providers’ missions to keep unwanted emails out of user inboxes.
This requirement benefits both recipients – who’ll be able to trust the authenticity of emails in their inboxes – and bulk senders, since a spam rate above this threshold would negatively affect a bulk sender’s reputation, deliverability, and email performance.
If senders fail to meet these requirements, Google says that messages might be rejected or delivered to recipients’ spam folders.
Find out more about the requirements in Google’s Email sender guidelines FAQ and get more details on the timeline for compliance in the outline below.
How will these new rules affect my business emails?
A concern for businesses at this stage is that their emails will be rejected if they don’t meet the updated requirements by 1 February 2024. This isn’t the case as these rules will be gradually introduced. Here’s a list of the stages for compliance that your business should take note of:
February 2024: Active monitoring of senders will begin, and some emails may be impacted. Large-volume senders that don’t meet the requirements will start seeing errors on a small percentage of non-compliant emails. This stage aims to help senders identify traffic that doesn’t adhere to the requirements and implement measures to fix this before the rules become mandatory.
April 2024: Email providers will start rejecting a portion of emails that don’t meet the rules. This rate will increase over time.
June 2024: All new requirements become mandatory. This includes one-click unsubscribe for commercial emails.
Why these changes matter
“These practices should be considered basic email hygiene,” Google said, “and many senders already meet most of these requirements.” For those senders that don’t, both Google and Yahoo have published guidance to make it easier to achieve compliance.
Google’s focus on email authentication is especially relevant considering the communication tool’s frequent use in impersonation attacks through fake email. The company says, “As basic as it sounds, it’s still sometimes impossible to verify who an email is from given the web of antiquated and inconsistent systems on the Internet.”
While Google’s 2022 requirement that emails sent to Gmail addresses must have some form of authentication led to a 75% drop in unauthenticated messages, the organization says that there’s much more it needs to do, starting with new requirements for bulk senders. So how will not complying with these changes affect your organization’s emails? Read on to find out.
The importance of email authentication
There’s a security flaw in the way that email was first designed. This is highlighted by the popularity of phishing attacks. In 2022 alone, a concerning 854 000 domain names were reported for phishing.
Email authentication is no longer an option if businesses want to protect themselves and their stakeholders from cybercriminals as well as ensure that email is delivered to the intended recipient.
This email design flaw leads to four main issues for organizations:
Impersonation: Cybercriminals can send emails from your domain, defrauding staff, customers, and suppliers.
Interception: An email can be intercepted and changed without the knowledge of the sender or recipient.
Delivery issues: Legitimate email often lands in Spam, and false positives cause business disruption.
Inadequate visibility and audit: Organizations have no active visibility of who is sending emails from their domains.
Without effective email authentication protocols in place, you’re putting your business at risk of impersonation which could lead to financial and reputational damages.
While existing perimeter protection and anti-spam may protect your internal stakeholders, it doesn’t shield your customers, suppliers, and the rest of the world from fraudulent emails sent using your domain.
This makes Google and Yahoo’s new requirements a win-win for bulk senders and users, as both will be far more protected against the damages of malicious emails.
Leverage a DMARC expert for hassle-free compliance
DMARC is the best technology standard to secure your business against fraudulent email activity. It thoroughly evaluates the source of an email to ensure that only legitimate emails ever reach an inbox.
The details of implementing Google and Yahoo’s new bulk sender requirements for email authentication may seem overwhelming, but you don’t need to embark on your journey to compliance alone.
Sendmarc is a leader in email security that your business can rely on for fast, seamless, and scalable DMARC implementation for organizations of any size.
If you’d like to see if your domain is vulnerable to impersonation, you can check its score here. Or contact us today to see how we can assist you in meeting the new email authentication requirements in the easiest way possible.