In October 2023, Google and Yahoo jointly announced new requirements to help deliver “a safer, less spammy inbox” for users.
The requirements will go into place on February 1, 2024 and are specific to bulk senders – those that send over 5,000 emails daily.
What are the new Google and Yahoo requirements for bulk senders?
The new requirements for bulk senders cover three core tenants:
- Authenticate the domains you send from
- Make it easy for people to stop receiving your emails
- Don’t spam
Sounds straightforward enough. But, the requirements for domain authentication are the most complex of the three, as there are multiple sub-requirements for users, including:
- Publishing a DMARC policy for each domain that sends mail with at least a policy of “none”.
- Setting up SPF and DKIM for each domain that sends mail. Note that both SPF and DKIM are required, unlike with DMARC which only requires one or the other.
- Aligning the domain in the sender’s `From:` header with either the SPF domain or the DKIM domain (for direct mail only).
- Ensuring that sending domains or IPs have valid forward and reverse DNS records using a Forward Confirmed DNS (FcrDNS). You can read more about FCrDNS here.
See more on the new requirements in Google’s support article.
Assessing readiness on a global scale with BIMI Radar
At Red Sift, we have been following the world’s readiness for DMARC for many years using our BIMI Radar. This tool looks at over 70,000,000 domains around the world to better understand trends in the adoption of DMARC and Brand Indicators for Message Identification (BIMI) across the Internet.
BIMI was introduced in 2021 and allows businesses to show their brand logo in the avatar slot of emails they send. BIMI can only be implemented and honored for organizations that have a DMARC enforcement policy of quarantine or reject at the root level and for all subdomains.
DMARC is a protocol that allows domain owners to obtain visibility to email services that are sending on their behalf, and also to block unauthorized senders. DMARC is the only protocol that can prevent illegitimate services from sending on behalf of a domain once that domain is at a policy of quarantine or reject.
For Google and Yahoo’s bulk sending requirements, BIMI Radar provides an interesting vantage point. Since it is only looking at static DNS records, it does not give complete visibility into which domains would fully pass Google and Yahoo’s requirements. But, it does give us an idea of who has not published DMARC records and therefore will definitely fail come February 2024.
In examining this question of who in the world is not ready for Google and Yahoo’s new requirements, interesting trends start to emerge.
Please note all data points referenced in this article are from December 2023.
91.38% of domains globally fail new requirements
At the highest level, the world does not look ready for the new bulk-sending requirements.
When examining all 70,000,000 domains globally, 91.38% of email-sending domains have no DMARC record and therefore would fail the new Google and Yahoo requirements!
But, given the variety of organizations and domains that are surfaced in BIMI Radar, and that not all domains included are email sending domains, it is important to go a layer deeper to try to identify those most likely to be impacted by the bulk sending requirements.
33% of global enterprises have no DMARC record
If we use publically traded companies as a proxy for large enterprises most likely to be bulk senders, a different picture begins to emerge.
Looking at the 2,380 corresponding domains we see around the globe, 33% have no DMARC record in place.
If we investigate this on a per-country basis, a more optimistic picture starts to emerge. In the US, France and the UK for example, only 10-14% of organizations will definitively fail the new requirements.
Conversely, in Korea and Japan, 50% of large enterprises will fail.
Country | % that will fail Google and Yahoo Requirements |
United States | 6.52% |
France | 10.47% |
Australia | 10.78% |
Canada | 12.37% |
United Kingdom | 14.58% |
Netherlands | 16.83% |
India | 17.44% |
Germany | 20.75% |
Chile | 28.89% |
Italy | 29.81% |
Spain | 39.18% |
Austria | 45.71% |
Indonesia | 47.92% |
Japan | 50.00% |
Korea | 50.00% |
To see other countries, visit BIMI Radar.
40% of global enterprises likely pass new requirements
Checking which sending domains pass the requirements fully requires capturing an email in real-time to ensure that FCrDNS is configured correctly, that there is DKIM or SPF alignment, and that the DKIM key is valid. More involved checks are also required for spam rates. Therefore on a global scale, it is impossible to get true readiness statistics for all senders that will definitively pass.
But, we can use those that have previously deployed or could deploy BIMI as an approximation of those that are likely to pass the new requirements. This is because BIMI requires DMARC enforcement, SPF and DKIM configuration, and SPF or DKIM alignment. While this does not account for FCrDNS, it is reasonable to assume those that are BIMI ready have sending domains and IPs that have valid forward and reverse DNS records.
Therefore, using BIMI readiness as a proxy, we can see where in the world large enterprises are most likely to be ready for Google and Yahoo’s new requirements.
Globally 39.87% of large enterprises would likely pass the new requirements. We see India and the Netherlands rising in overall readiness from this view, while Korea has a surprisingly low 2.02% of companies likely passing the new requirements.
Country | % that would likely pass Google and Yahoo Requirements |
United States | 75% |
India | 70.94% |
Netherlands | 66.34% |
United Kingdom | 58.33% |
France | 56.99% |
Canada | 50.52% |
Chile | 38.89% |
Indonesia | 36.46% |
Austria | 34.29% |
Italy | 32.69% |
Spain | 30.93% |
Germany | 20.75% |
Japan | 15.28% |
Korea | 2.02% |
To see other countries, visit BIMI Radar.
Using market indices to assess readiness
We can also get a proxy for readiness by examining different market indexes. This data provides interesting insight into the preparedness of the largest enterprises in different markets around the world.
We continue to see enterprises in the US and France being the most prepared. The larger indices in Europe and the UK represent those companies least prepared.
Index | % that will fail Google and Yahoo Requirements |
CAC 40 (France) | 7.50% |
S&P 500 (US) | 8.8% |
Fortune 500 (US) | 9.22% |
DAX (Germany) | 10.00% |
FTSE 100 (UK) | 15.00% |
Euronext 150 | 18.92% |
FTSE 250 (UK) | 21.31% |
Where do we go from here?
Given that at the time of this blog’s publishing, we are just under a month away from the Google and Yahoo regulations for bulk senders going live, the most important takeaway from our findings is action.
Businesses that send over 5,000 emails a day (or so) need to not only ensure that they have DMARC record in place, but that they SPF and DKIM in place, that there is SPF and DKIM alignment and that FcrDNS is configured correctly for every domain they send mail from.
While BIMI Radar and other static tools are a great first step to make sure that DMARC records are in place, organizations should be using dynamic tools like Red Sift’s Investigate to make sure that the other criteria are met.
With Red Sift Investigate, you can see if your email-sending domain will meet the new requirements in under a minute. Check your readiness now |
At Red Sift, we foresee these requirements from Google and Yahoo to be just the first step in ensuring that domains are fully authenticated. We foresee DMARC enforcement being the next logical step to the February 2024 requirements as those that meet the new requirements are essentially ready for DMARC enforcement.
If you are looking to reach DMARC enforcement make sure to check out the award-winning Red Sift OnDMARC.