Google and Yahoo announce new requirements for email delivery

Google and Yahoo announce new requirements for email delivery

On October 3, 2023, Google and Yahoo announced a new set of requirements for email delivery that will become mandated by February 2024. 

For senders that send more than 5,000 emails a day to Gmail addresses, Google will require a set of authentication measures to be met in order to ensure secure email delivery to its inboxes. While Yahoo does not state a minimum sending requirement, it will align with Google’s criteria. 

The following requirements will be enforced:

  • Implementation of both SPF + DKIM
  • Sending with an aligned `From` domain in either the SPF or DKIM domains
  • Sending from a domain with a DMARC policy of at least p=none 
  • Using a TLS connection for transmitting email (added as a requirement in December 2023)
  • Valid forward and reverse DNS (FCrDNS)
  • One-click unsubscribe (RFC 8058)
  • Low spam reported rate

The full requirements are detailed in Google’s help article.

Google and Yahoo’s united stance promises a seismic shift in email security, ensuring global inboxes are safer through the enforcement of industry-acknowledged best practices. 

“We firmly believe that users worldwide deserve a more secure email environment, with fewer unwanted messages for an improved overall experience. We look forward to working with peers across the industry to boost the adoption of these email standards that benefit everyone.” 
Neil Kumaran, Group Product Manager, Gmail Security & Trust

What does this mean for senders?

Failure to comply with these requirements means that emails sent to Gmail and Yahoo inboxes will not be delivered. When considering that Gmail’s 1.8 billion inboxes equate to almost a quarter of the world’s email-using population, these enforcements will have severe implications for non-compliant businesses that rely on email communication for their operations. 

The good news is that these requirements are already considered best practice across the email ecosystem. They use open standards that are accessible to everyone, such as SPF, DKIM, and DMARC, that can be implemented quickly and safely with the right solution. For businesses that are yet to implement these measures, there’s never been a better time to get ahead of the curve and be ready for Google and Yahoo’s mandate.

What are the benefits of making these changes?

We are thrilled that the email industry is getting together and advocating for these changes as strong email authentication has always played a critical role in email-based business operations. This is because implementing email security protocols like SPF, DKIM, and DMARC is the only effective way to protect your business’s reputation from exact domain impersonation-based phishing attacks. 

To drill into this in a little more detail, DMARC is the email security protocol that blocks exact domain impersonation attacks. It allows domain owners to take back control of their email identity by telling receiving inboxes to reject spoof emails, i.e. when a bad actor pretends to be you to send phishing emails to your employees, customers, and supply chain. 

This is the same protocol that Google refers to in its latest update, where it states that DMARC is no longer a best practice recommendation but a steadfast requirement:

“Many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst. To help fix that, we’ve focused on a crucial aspect of email security: the validation that a sender is who they claim to be.”
New Gmail protections for a safer, less spammy inbox 

Unfortunately, email security protocols are oftentimes shrouded in myths and thought of as being too difficult to deploy, confusing, or a lot of manual work. However, with the help of an automated DMARC application that shows you actionable insights and provides step-by-step guidance, you could get to full protection in as little as 6 weeks and become compliant with Google and Yahoo’s new requirements. While it does take some level of dedication, this is simply the short-term legwork required for businesses to ensure long-term gain: having secure email communications with employees, customers, and partners and improved email deliverability.

With Google and Yahoo making email authentication a requirement, we are hopeful that these myths will be debunked and that deployment of best practice email security protocols will be deemed a business-critical initiative that is adhered to by SMBs and enterprises alike.

Want to check if you’re ready for Google and Yahoo’s upcoming changes?

If you want an easy way to make sure your email-sending domains are ready come February 1, 2024, Red Sift makes it easy. 

In just 3 minutes, our free Investigate tool checks how you stack up against Google and Yahoo’s requirements and provides a visual breakdown of exactly what you need to action. All you need to do is send an email to the unique address we provide and wait for your results to come in! By testing your specific email-sending service, Investigate can ensure that FCrDNS is configured correctly, that there is DKIM or SPF alignment and that the DKIM key is valid, all of which are critical to pass Google and Yahoo’s requirements.

Example of Red Sift’s Investigate tool cards

To check your Google and Yahoo readiness and fix any issues that exist, try our free Investigate tool now.

Red Sift ensures email security success for 1,000+ global organizations – and can help you, too

Red Sift’s automated DMARC application, OnDMARC, enables businesses all over the globe to easily, quickly, and safely implement DMARC, thus protecting business email communications with customers, suppliers, and partners by blocking vendor fraud, account takeovers, and email spoofing. 


To get started with your DMARC implementation, reach out to us to speak with an expert.

PUBLISHED BY

Francesca Rünger-Field

24 Oct. 2023

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more
News

Meet Red Sift Radar: The Skilled Up LLM That Finds and Fixes…

Rahul Powar

After months of beta testing and feedback, we are excited to announce that Red Sift Radar, our skilled up LLM offering seamless integration with Red Sift OnDMARC, is now commercially available.  With Red Sift Radar, security teams can detect exposures, prevent configuration drift, and classify assets or suspicious activity without adding additional headcount. By…

Read more
News

G2 Fall 2024 Report: Red Sift OnDMARC Wins Big

Francesca Rünger-Field

We’re delighted to share that Red Sift OnDMARC’s winning streak continues. This Fall, we’ve once again been named a Leader in G2’s DMARC category, achieving recognition in both the overall Leader category and Europe for the first time. This recognition is based on our high Customer Satisfaction scores and strong market presence. Red Sift…

Read more
Cybersecurity

Resilience Rising | Episode 3 with Kevin White

Red Sift

In this episode of Resilience Rising, Sean Costigan, Managing Director of Resilience Strategy at Red Sift, and Kevin White, Senior Operation Consultant with Enhanced Information Solutions, explore the critical intersection of wastewater management and cybersecurity.  The two highlight the health and operational impacts of cyber threats on water utilities, emphasizing the vulnerabilities due to…

Read more
Certificates

Your guide to PCI DSS 4.0 Cryptographic Requirements

Rebecca Warren

The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized framework designed to protect cardholder data during processing, storage, and transmission by merchants and service providers. PCI DSS outlines a set of stringent security controls that organizations handling payment card information must implement to mitigate the risk of data breaches and…

Read more