Google and Yahoo announce new requirements for email delivery

Google and Yahoo announce new requirements for email delivery

On October 3, 2023, Google and Yahoo announced a new set of requirements for email delivery that will become mandated by February 2024. 

For senders that send more than 5,000 emails a day to Gmail addresses, Google will require a set of authentication measures to be met in order to ensure secure email delivery to its inboxes. While Yahoo does not state a minimum sending requirement, it will align with Google’s criteria. 

The following requirements will be enforced:

  • Implementation of both SPF + DKIM
  • Sending with an aligned `From` domain in either the SPF or DKIM domains
  • Sending from a domain with a DMARC policy of at least p=none 
  • Using a TLS connection for transmitting email (added as a requirement in December 2023)
  • Valid forward and reverse DNS (FCrDNS)
  • One-click unsubscribe (RFC 8058)
  • Low spam reported rate

The full requirements are detailed in Google’s help article.

Google and Yahoo’s united stance promises a seismic shift in email security, ensuring global inboxes are safer through the enforcement of industry-acknowledged best practices. 

“We firmly believe that users worldwide deserve a more secure email environment, with fewer unwanted messages for an improved overall experience. We look forward to working with peers across the industry to boost the adoption of these email standards that benefit everyone.” 
Neil Kumaran, Group Product Manager, Gmail Security & Trust

What does this mean for senders?

Failure to comply with these requirements means that emails sent to Gmail and Yahoo inboxes will not be delivered. When considering that Gmail’s 1.8 billion inboxes equate to almost a quarter of the world’s email-using population, these enforcements will have severe implications for non-compliant businesses that rely on email communication for their operations. 

The good news is that these requirements are already considered best practice across the email ecosystem. They use open standards that are accessible to everyone, such as SPF, DKIM, and DMARC, that can be implemented quickly and safely with the right solution. For businesses that are yet to implement these measures, there’s never been a better time to get ahead of the curve and be ready for Google and Yahoo’s mandate.

What are the benefits of making these changes?

We are thrilled that the email industry is getting together and advocating for these changes as strong email authentication has always played a critical role in email-based business operations. This is because implementing email security protocols like SPF, DKIM, and DMARC is the only effective way to protect your business’s reputation from exact domain impersonation-based phishing attacks. 

To drill into this in a little more detail, DMARC is the email security protocol that blocks exact domain impersonation attacks. It allows domain owners to take back control of their email identity by telling receiving inboxes to reject spoof emails, i.e. when a bad actor pretends to be you to send phishing emails to your employees, customers, and supply chain. 

This is the same protocol that Google refers to in its latest update, where it states that DMARC is no longer a best practice recommendation but a steadfast requirement:

“Many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst. To help fix that, we’ve focused on a crucial aspect of email security: the validation that a sender is who they claim to be.”
New Gmail protections for a safer, less spammy inbox 

Unfortunately, email security protocols are oftentimes shrouded in myths and thought of as being too difficult to deploy, confusing, or a lot of manual work. However, with the help of an automated DMARC application that shows you actionable insights and provides step-by-step guidance, you could get to full protection in as little as 6 weeks and become compliant with Google and Yahoo’s new requirements. While it does take some level of dedication, this is simply the short-term legwork required for businesses to ensure long-term gain: having secure email communications with employees, customers, and partners and improved email deliverability.

With Google and Yahoo making email authentication a requirement, we are hopeful that these myths will be debunked and that deployment of best practice email security protocols will be deemed a business-critical initiative that is adhered to by SMBs and enterprises alike.

Want to check if you’re ready for Google and Yahoo’s upcoming changes?

If you want an easy way to make sure your email-sending domains are ready come February 1, 2024, Red Sift makes it easy. 

In just 3 minutes, our free Investigate tool checks how you stack up against Google and Yahoo’s requirements and provides a visual breakdown of exactly what you need to action. All you need to do is send an email to the unique address we provide and wait for your results to come in! By testing your specific email-sending service, Investigate can ensure that FCrDNS is configured correctly, that there is DKIM or SPF alignment and that the DKIM key is valid, all of which are critical to pass Google and Yahoo’s requirements.

Example of Red Sift’s Investigate tool cards

To check your Google and Yahoo readiness and fix any issues that exist, try our free Investigate tool now.

Red Sift ensures email security success for 1,000+ global organizations – and can help you, too

Red Sift’s automated DMARC application, OnDMARC, enables businesses all over the globe to easily, quickly, and safely implement DMARC, thus protecting business email communications with customers, suppliers, and partners by blocking vendor fraud, account takeovers, and email spoofing. 


To get started with your DMARC implementation, reach out to us to speak with an expert.

PUBLISHED BY

Francesca Rünger-Field

24 Oct. 2023

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Winter wins: Red Sift OnDMARC wraps up 2024 as a G2 DMARC…

Francesca Rünger-Field

The season of giving has brought us another reason to celebrate! Red Sift OnDMARC continues its winning streak in G2’s Winter 2025 report, earning Leader status in the DMARC category for another consecutive season. This recognition reflects our strong market presence and the unwavering satisfaction of our customers. Cheers to wrapping up 2024 on…

Read more
AI

Text classification in the age of LLMs

Phong Nguyen

As natural language processing (NLP) advances, text classification remains a foundational task with applications in spam detection, sentiment analysis, topic categorization, and more. Traditionally, this task depended on rule-based systems and classical machine learning algorithms. However, the emergence of deep learning, transformer architectures, and Large Language Models (LLMs) has transformed text classification, allowing for…

Read more
Security

How to drive cybersecurity as a top business priority

Jack Lilley

Everyone has a role to play in protecting the enterprise. Whether you’re shaping strategy or implementing solutions, aligning efforts to mitigate critical risks ensures a stronger, more resilient enterprise. If you missed Red Sift’s recent webinar on “From Data to Buy-In: Driving Cybersecurity as a Top Business Priority” we’ve got you covered. The session…

Read more
DMARC

BreakSPF: How to mitigate the attack

Red Sift

BreakSPF is a newly identified attack framework that exploits misconfigurations in the Sender Policy Framework (SPF) a widely used email authentication protocol. A common misconfiguration involves overly permissive IP ranges, where SPF records allow large blocks of IP addresses to send emails on behalf of a domain. These ranges often include shared infrastructures like…

Read more