The world is not ready for Google & Yahoo’s bulk sending requirements: Now is the time to take action

In October 2023, Google and Yahoo jointly announced new requirements to help deliver “a safer, less spammy inbox” for users. 

The requirements will go into place on February 1, 2024 and are specific to bulk senders – those that send over 5,000 emails daily. 

What are the new Google and Yahoo requirements for bulk senders?

The new requirements for bulk senders cover three core tenants: 

  1. Authenticate the domains you send from
  2. Make it easy for people to stop receiving your emails
  3. Don’t spam

Sounds straightforward enough. But, the requirements for domain authentication are the most complex of the three, as there are multiple sub-requirements for users, including:

  1. Publishing a DMARC policy for each domain that sends mail with at least a policy of “none”.
  2. Setting up SPF and DKIM for each domain that sends mail. Note that both SPF and DKIM are required, unlike with DMARC which only requires one or the other.
  3. Aligning the domain in the sender’s `From:` header with either the SPF domain or the DKIM domain (for direct mail only).
  4. Ensuring that sending domains or IPs have valid forward and reverse DNS records using a Forward Confirmed DNS (FcrDNS). You can read more about FCrDNS here.

See more on the new requirements in Google’s support article.

Assessing readiness on a global scale with BIMI Radar

At Red Sift, we have been following the world’s readiness for DMARC for many years using our BIMI Radar. This tool looks at over 70,000,000 domains around the world to better understand trends in the adoption of DMARC and Brand Indicators for Message Identification (BIMI) across the Internet.

BIMI was introduced in 2021 and allows businesses to show their brand logo in the avatar slot of emails they send. BIMI can only be implemented and honored for organizations that have a DMARC enforcement policy of quarantine or reject at the root level and for all subdomains.

DMARC is a protocol that allows domain owners to obtain visibility to email services that are sending on their behalf, and also to block unauthorized senders. DMARC is the only protocol that can prevent illegitimate services from sending on behalf of a domain once that domain is at a policy of quarantine or reject.

For Google and Yahoo’s bulk sending requirements, BIMI Radar provides an interesting vantage point. Since it is only looking at static DNS records, it does not give complete visibility into which domains would fully pass Google and Yahoo’s requirements. But, it does give us an idea of who has not published DMARC records and therefore will definitely fail come February 2024. 

In examining this question of who in the world is not ready for Google and Yahoo’s new requirements, interesting trends start to emerge.

Please note all data points referenced in this article are from December 2023. 

91.38% of domains globally fail new requirements

At the highest level, the world does not look ready for the new bulk-sending requirements. 

When examining all 70,000,000 domains globally, 91.38% of email-sending domains have no DMARC record and therefore would fail the new Google and Yahoo requirements! 

But, given the variety of organizations and domains that are surfaced in BIMI Radar, and that not all domains included are email sending domains, it is important to go a layer deeper to try to identify those most likely to be impacted by the bulk sending requirements.

33% of global enterprises have no DMARC record

If we use publically traded companies as a proxy for large enterprises most likely to be bulk senders, a different picture begins to emerge.

Looking at the 2,380 corresponding domains we see around the globe, 33% have no DMARC record in place. 

If we investigate this on a per-country basis, a more optimistic picture starts to emerge. In the US, France and the UK for example, only 10-14% of organizations will definitively fail the new requirements.

Conversely, in Korea and Japan, 50% of large enterprises will fail. 

Country
% that will fail Google and Yahoo Requirements
United States
6.52%
France
10.47%
Australia
10.78%
Canada
12.37%
United Kingdom
14.58%
Netherlands
16.83%
India
17.44%
Germany
20.75%
Chile
28.89%
Italy
29.81%
Spain
39.18%
Austria
45.71%
Indonesia
47.92%
Japan
50.00%
Korea
50.00%

To see other countries, visit BIMI Radar.

40% of global enterprises likely pass new requirements

Checking which sending domains pass the requirements fully requires capturing an email in real-time to ensure that  FCrDNS is configured correctly, that there is DKIM or SPF alignment, and that the DKIM key is valid. More involved checks are also required for spam rates. Therefore on a global scale, it is impossible to get true readiness statistics for all senders that will definitively pass. 

But, we can use those that have previously deployed or could deploy BIMI as an approximation of those that are likely to pass the new requirements. This is because BIMI requires DMARC enforcement, SPF and DKIM configuration, and SPF or DKIM alignment. While this does not account for FCrDNS, it is reasonable to assume those that are BIMI ready have sending domains and IPs that have valid forward and reverse DNS records.

Therefore, using BIMI readiness as a proxy, we can see where in the world large enterprises are most likely to be ready for Google and Yahoo’s new requirements. 

Globally 39.87% of large enterprises would likely pass the new requirements. We see India and the Netherlands rising in overall readiness from this view, while Korea has a surprisingly low 2.02% of companies likely passing the new requirements.

Country
% that would likely pass Google and Yahoo Requirements
United States
75%
India
70.94%
Netherlands
66.34%
United Kingdom
58.33%
France
56.99%
Canada
50.52%
Chile
38.89%
Indonesia
36.46%
Austria
34.29%
Italy
32.69%
Spain
30.93%
Germany
20.75%
Japan
15.28%
Korea
2.02%

To see other countries, visit BIMI Radar.

Using market indices to assess readiness

We can also get a proxy for readiness by examining different market indexes. This data provides interesting insight into the preparedness of the largest enterprises in different markets around the world.

We continue to see enterprises in the US and France being the most prepared. The larger indices in Europe and the UK represent those companies least prepared. 

Index
% that will fail Google and Yahoo Requirements
CAC 40 (France)
7.50%
S&P 500 (US)
8.8%
Fortune 500 (US)
9.22%
DAX (Germany)
10.00%
FTSE 100 (UK)
15.00%
Euronext 150
18.92%
FTSE 250 (UK)
21.31%

Where do we go from here?

Given that at the time of this blog’s publishing, we are just under a month away from the Google and Yahoo regulations for bulk senders going live, the most important takeaway from our findings is action. 

Businesses that send over 5,000 emails a day (or so) need to not only ensure that they have DMARC record in place, but that they SPF and DKIM in place, that there is SPF and DKIM alignment and that FcrDNS is configured correctly for every domain they send mail from. 

While BIMI Radar and other static tools are a great first step to make sure that DMARC records are in place, organizations should be using dynamic tools like Red Sift’s Investigate to make sure that the other criteria are met. 

With Red Sift Investigate, you can see if your email-sending domain will meet the new requirements in under a minute.

Check your readiness now

At Red Sift, we foresee these requirements from Google and Yahoo to be just the first step in ensuring that domains are fully authenticated. We foresee DMARC enforcement being the next logical step to the February 2024 requirements as those that meet the new requirements are essentially ready for DMARC enforcement. 

If you are looking to reach DMARC enforcement make sure to check out the award-winning Red Sift OnDMARC.

PUBLISHED BY

Rahul Powar

10 Jan. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Certificates

Never miss an expiring certificate again with Red Sift Certificates Lite

Francesca Rünger-Field

SSL/TLS certificates are the backbone of secure, uninterrupted digital experiences—but managing them effectively to prevent downtime remains a persistent challenge. With browser and certificate authorities looking to reduce certificate durations to as little as 90 or even 47 days, keeping track of renewals has never been more critical. That’s why we’re excited to introduce…

Read more
DMARC

Navigating G-Cloud 14 for DMARC solutions: A guide for former NCSC Mail…

Francesca Rünger-Field

Navigating G-Cloud 14 for DMARC solutions: A guide for former NCSC Mail Check users With the NCSC discontinuing key features of its Mail Check service, including DMARC aggregate and TLS reporting, after March 2025, UK public sector organisations must prepare for this change by transitioning to alternative email security solutions. To support this shift,…

Read more
DMARC

Mail Check is changing: What UK public sector organisations must know about…

Jack Lilley

The National Cyber Security Centre (NCSC) has suggested a change to Mail Check services starting on 24 March 2025. This change mainly involves ending DMARC aggregate reporting. This change comes as a measure to expand the services provided by Mail Check to any UK based organisation, while also limiting the cost and complexity of…

Read more
DMARC

Beyond DMARC: How Red Sift OnDMARC supports comprehensive DNS hygiene

Red Sift

Registrable domains and DNS play a crucial role in establishing online identity and trust, but their importance is often taken for granted. During new service setups, record updates are often overlooked, accumulating outdated entries. As infrastructure teams become increasingly overstretched,  services may be incorrectly shut down without proper cleanup, leaving behind a sprawl of…

Read more