On October 3, 2023, Google and Yahoo announced a new set of requirements for email delivery that will become mandated by February 2024.
For senders that send more than 5,000 emails a day to Gmail addresses, Google will require a set of authentication measures to be met in order to ensure secure email delivery to its inboxes. While Yahoo does not state a minimum sending requirement, it will align with Google’s criteria.
The following requirements will be enforced:
- Implementation of both SPF + DKIM
- Sending with an aligned `From` domain in either the SPF or DKIM domains
- Sending from a domain with a DMARC policy of at least p=none
- Using a TLS connection for transmitting email (added as a requirement in December 2023)
- Valid forward and reverse DNS (FCrDNS)
- One-click unsubscribe (RFC 8058)
- Low spam reported rate
The full requirements are detailed in Google’s help article.
Google and Yahoo’s united stance promises a seismic shift in email security, ensuring global inboxes are safer through the enforcement of industry-acknowledged best practices.
| “We firmly believe that users worldwide deserve a more secure email environment, with fewer unwanted messages for an improved overall experience. We look forward to working with peers across the industry to boost the adoption of these email standards that benefit everyone.” Neil Kumaran, Group Product Manager, Gmail Security & Trust |
What does this mean for senders?
Failure to comply with these requirements means that emails sent to Gmail and Yahoo inboxes will not be delivered. When considering that Gmail’s 1.8 billion inboxes equate to almost a quarter of the world’s email-using population, these enforcements will have severe implications for non-compliant businesses that rely on email communication for their operations.
The good news is that these requirements are already considered best practice across the email ecosystem. They use open standards that are accessible to everyone, such as SPF, DKIM, and DMARC, that can be implemented quickly and safely with the right solution. For businesses that are yet to implement these measures, there’s never been a better time to get ahead of the curve and be ready for Google and Yahoo’s mandate.
What are the benefits of making these changes?
We are thrilled that the email industry is getting together and advocating for these changes as strong email authentication has always played a critical role in email-based business operations. This is because implementing email security protocols like SPF, DKIM, and DMARC is the only effective way to protect your business’s reputation from exact domain impersonation-based phishing attacks.
To drill into this in a little more detail, DMARC is the email security protocol that blocks exact domain impersonation attacks. It allows domain owners to take back control of their email identity by telling receiving inboxes to reject spoof emails, i.e. when a bad actor pretends to be you to send phishing emails to your employees, customers, and supply chain.
This is the same protocol that Google refers to in its latest update, where it states that DMARC is no longer a best practice recommendation but a steadfast requirement:
| “Many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst. To help fix that, we’ve focused on a crucial aspect of email security: the validation that a sender is who they claim to be.” New Gmail protections for a safer, less spammy inbox |
Unfortunately, email security protocols are oftentimes shrouded in myths and thought of as being too difficult to deploy, confusing, or a lot of manual work. However, with the help of an automated DMARC application that shows you actionable insights and provides step-by-step guidance, you could get to full protection in as little as 6 weeks and become compliant with Google and Yahoo’s new requirements. While it does take some level of dedication, this is simply the short-term legwork required for businesses to ensure long-term gain: having secure email communications with employees, customers, and partners and improved email deliverability.
With Google and Yahoo making email authentication a requirement, we are hopeful that these myths will be debunked and that deployment of best practice email security protocols will be deemed a business-critical initiative that is adhered to by SMBs and enterprises alike.
Want to check if you’re ready for Google and Yahoo’s upcoming changes?
If you want an easy way to make sure your email-sending domains are ready come February 1, 2024, Red Sift makes it easy.
In just 3 minutes, our free Investigate tool checks how you stack up against Google and Yahoo’s requirements and provides a visual breakdown of exactly what you need to action. All you need to do is send an email to the unique address we provide and wait for your results to come in! By testing your specific email-sending service, Investigate can ensure that FCrDNS is configured correctly, that there is DKIM or SPF alignment and that the DKIM key is valid, all of which are critical to pass Google and Yahoo’s requirements.
Example of Red Sift’s Investigate tool cards
| To check your Google and Yahoo readiness and fix any issues that exist, try our free Investigate tool now. |
Red Sift ensures email security success for 1,000+ global organizations – and can help you, too
Red Sift’s automated DMARC application, OnDMARC, enables businesses all over the globe to easily, quickly, and safely implement DMARC, thus protecting business email communications with customers, suppliers, and partners by blocking vendor fraud, account takeovers, and email spoofing.
To get started with your DMARC implementation, reach out to us to speak with an expert.
