As we previously reported, Google and Yahoo both announced updated requirements for sending more than 5000 messages daily to Gmail and Yahoo addresses, respectively. These new standards will go into effect on February 1st, 2024 and will include domain authentication.
Authentication is typically done by setting up SPF records and DKIM; most email marketing senders have already set this up. Now, larger senders will need to fully align DMARC to both SPF and DKIM to ensure authentication.
Our largest Paubox Email API and Paubox Marketing customers need DMARC next month: you must publish a DMARC policy in your DNS, and your messages must pass DMARC. A monitor-mode policy of p=none will suffice for Google and Yahoo.
All bulk mail senders, regardless of size, must set up SPF or DKIM email authentication for their domain. As a Paubox customer, you'll already have this set up from verifying your domain, so no action is needed.
Additional rules apply to all Paubox Marketing customers who send 5000 or more emails on the same day.
Google and Yahoo are implementing these new standards to reduce phishing, spam, and malware transmitted through email.
Google says that "bulk senders who don't meet sender requirements will start getting temporary errors (with error codes) on a small percentage of their non-compliant email traffic."
By April 2024, Google will increase the rate of rejected non-compliant emails; by June 2024, large senders must meet all requirements to ensure continued delivery.
According to Neil Kumaran, Google's Group Product Manager, Gmail Security & Trust, "Many bulk senders don't appropriately secure and configure their systems, allowing attackers to easily hide in their midst. To help fix that, we've focused on a crucial aspect of email security: the validation that a sender is who they claim to be."
Beyond complying with Google's standards, Elena Yau, Director of Information Technology at Five Acres, says that setting up DKIM and SPF records along with DMARC alignment is part of an effective strategy to mitigate risks.
Elena explains that "Cybersecurity is a community effort. It is an endeavor larger than any one person, team, company, or organization because vulnerabilities of one are used to footprint and exploit another. When one cyberattack is over, it has only begun for the next victim.
"I believe that the lowest hanging fruit to enhance cybersecurity globally is email since that is a common denominator across all organizations."
She recommends that "all organizations review their SPF, DKIM, and DMARC and set up policies like Paubox’s ExecProtect to prevent spoofing authorities in their organization that deals with personnel records, financials, internal operations and has authorities for approval."
While setting up authentication was previously considered a best practice to avoid landing in the junk folder, these new rules require senders to use SPF records, DKIM, and DMARC to authenticate their emails.
The main requirements are:
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It's an email validation system designed to protect your domain from being used for email spoofing and phishing. It builds on two existing mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), to verify the authenticity of the sender's domain.
To comply with the new sender rules, set up DMARC by publishing a DMARC record for your domain. To pass DMARC authentication, the domain authenticated by SPF or DKIM must align with the domain in the message From: header.
A best practice, according to Elena Yau, is "using -all at the end of the SPF to hard fail any unapproved entities. It is amazing how often I see a soft fail ~all that allows spoofing from unknown domains. Of course, SPF cannot operate alone and would also need a strong pairing of DKIM and DMARC."
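To make the alignment rule and the -all versus ~all distinction concrete, here is an added example (not Paubox's code or tooling) that evaluates a message's DMARC result from its SPF and DKIM outcomes and reports which SPF "all" qualifier a record ends with. The domains and records are constructed placeholders, and the organizational-domain helper is a deliberate simplification (last two labels rather than a Public Suffix List lookup).

```python
"""Evaluate DMARC alignment and inspect the SPF 'all' qualifier.
Constructed example: example.com and the record strings are placeholders."""
import re


def parse_tag_value(record: str) -> dict:
    """Parse a 'tag=value; tag=value' record such as 'v=DMARC1; p=none; rua=...'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real evaluators consult the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed alignment ('r', the default) accepts a subdomain of the From: domain;
    strict alignment ('s') requires an exact match."""
    auth, frm = auth_domain.lower(), from_domain.lower()
    return auth == frm if mode == "s" else org_domain(auth) == org_domain(frm)


def dmarc_pass(dmarc_record: str, from_domain: str,
               spf_result=None, dkim_result=None) -> bool:
    """spf_result is (result, envelope-from domain); dkim_result is (result, d= domain).
    DMARC passes when at least one of SPF or DKIM both passes AND aligns with From:.
    The p= policy (none/quarantine/reject) only decides what happens on failure."""
    tags = parse_tag_value(dmarc_record)
    spf_ok = (spf_result is not None and spf_result[0] == "pass"
              and aligned(spf_result[1], from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result is not None and dkim_result[0] == "pass"
               and aligned(dkim_result[1], from_domain, tags.get("adkim", "r")))
    return spf_ok or dkim_ok


def spf_all_qualifier(spf_record: str):
    """Return 'hard' for '-all', 'soft' for '~all', 'neutral' for '?all',
    'pass' for '+all', or None when the record has no trailing 'all' mechanism."""
    match = re.search(r"\s([-~?+])all\s*$", spf_record)
    if not match:
        return None
    return {"-": "hard", "~": "soft", "?": "neutral", "+": "pass"}[match.group(1)]
```

The third assertion in the accompanying checks shows the common failure mode: a message that passes DKIM under the sending platform's own domain still fails DMARC because that domain does not align with the From: header.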