The world is not ready for Google & Yahoo’s bulk sending requirements: Now is the time to take action

In October 2023, Google and Yahoo jointly announced new requirements to help deliver “a safer, less spammy inbox” for users. 

The requirements will go into place on February 1, 2024 and are specific to bulk senders – those that send over 5,000 emails daily. 

What are the new Google and Yahoo requirements for bulk senders?

The new requirements for bulk senders cover three core tenants: 

  1. Authenticate the domains you send from
  2. Make it easy for people to stop receiving your emails
  3. Don’t spam

Sounds straightforward enough. But, the requirements for domain authentication are the most complex of the three, as there are multiple sub-requirements for users, including:

  1. Publishing a DMARC policy for each domain that sends mail with at least a policy of “none”.
  2. Setting up SPF and DKIM for each domain that sends mail. Note that both SPF and DKIM are required, unlike with DMARC which only requires one or the other.
  3. Aligning the domain in the sender’s `From:` header with either the SPF domain or the DKIM domain (for direct mail only).
  4. Ensuring that sending domains or IPs have valid forward and reverse DNS records using a Forward Confirmed DNS (FcrDNS). You can read more about FCrDNS here.

See more on the new requirements in Google’s support article.

Assessing readiness on a global scale with BIMI Radar

At Red Sift, we have been following the world’s readiness for DMARC for many years using our BIMI Radar. This tool looks at over 70,000,000 domains around the world to better understand trends in the adoption of DMARC and Brand Indicators for Message Identification (BIMI) across the Internet.

BIMI was introduced in 2021 and allows businesses to show their brand logo in the avatar slot of emails they send. BIMI can only be implemented and honored for organizations that have a DMARC enforcement policy of quarantine or reject at the root level and for all subdomains.

DMARC is a protocol that allows domain owners to obtain visibility to email services that are sending on their behalf, and also to block unauthorized senders. DMARC is the only protocol that can prevent illegitimate services from sending on behalf of a domain once that domain is at a policy of quarantine or reject.

For Google and Yahoo’s bulk sending requirements, BIMI Radar provides an interesting vantage point. Since it is only looking at static DNS records, it does not give complete visibility into which domains would fully pass Google and Yahoo’s requirements. But, it does give us an idea of who has not published DMARC records and therefore will definitely fail come February 2024. 

In examining this question of who in the world is not ready for Google and Yahoo’s new requirements, interesting trends start to emerge.

Please note all data points referenced in this article are from December 2023. 

91.38% of domains globally fail new requirements

At the highest level, the world does not look ready for the new bulk-sending requirements. 

When examining all 70,000,000 domains globally, 91.38% of email-sending domains have no DMARC record and therefore would fail the new Google and Yahoo requirements! 

But, given the variety of organizations and domains that are surfaced in BIMI Radar, and that not all domains included are email sending domains, it is important to go a layer deeper to try to identify those most likely to be impacted by the bulk sending requirements.

33% of global enterprises have no DMARC record

If we use publically traded companies as a proxy for large enterprises most likely to be bulk senders, a different picture begins to emerge.

Looking at the 2,380 corresponding domains we see around the globe, 33% have no DMARC record in place. 

If we investigate this on a per-country basis, a more optimistic picture starts to emerge. In the US, France and the UK for example, only 10-14% of organizations will definitively fail the new requirements.

Conversely, in Korea and Japan, 50% of large enterprises will fail. 

Country
% that will fail Google and Yahoo Requirements
United States
6.52%
France
10.47%
Australia
10.78%
Canada
12.37%
United Kingdom
14.58%
Netherlands
16.83%
India
17.44%
Germany
20.75%
Chile
28.89%
Italy
29.81%
Spain
39.18%
Austria
45.71%
Indonesia
47.92%
Japan
50.00%
Korea
50.00%

To see other countries, visit BIMI Radar.

40% of global enterprises likely pass new requirements

Checking which sending domains pass the requirements fully requires capturing an email in real-time to ensure that  FCrDNS is configured correctly, that there is DKIM or SPF alignment, and that the DKIM key is valid. More involved checks are also required for spam rates. Therefore on a global scale, it is impossible to get true readiness statistics for all senders that will definitively pass. 

But, we can use those that have previously deployed or could deploy BIMI as an approximation of those that are likely to pass the new requirements. This is because BIMI requires DMARC enforcement, SPF and DKIM configuration, and SPF or DKIM alignment. While this does not account for FCrDNS, it is reasonable to assume those that are BIMI ready have sending domains and IPs that have valid forward and reverse DNS records.

Therefore, using BIMI readiness as a proxy, we can see where in the world large enterprises are most likely to be ready for Google and Yahoo’s new requirements. 

Globally 39.87% of large enterprises would likely pass the new requirements. We see India and the Netherlands rising in overall readiness from this view, while Korea has a surprisingly low 2.02% of companies likely passing the new requirements.

Country
% that would likely pass Google and Yahoo Requirements
United States
75%
India
70.94%
Netherlands
66.34%
United Kingdom
58.33%
France
56.99%
Canada
50.52%
Chile
38.89%
Indonesia
36.46%
Austria
34.29%
Italy
32.69%
Spain
30.93%
Germany
20.75%
Japan
15.28%
Korea
2.02%

To see other countries, visit BIMI Radar.

Using market indices to assess readiness

We can also get a proxy for readiness by examining different market indexes. This data provides interesting insight into the preparedness of the largest enterprises in different markets around the world.

We continue to see enterprises in the US and France being the most prepared. The larger indices in Europe and the UK represent those companies least prepared. 

Index
% that will fail Google and Yahoo Requirements
CAC 40 (France)
7.50%
S&P 500 (US)
8.8%
Fortune 500 (US)
9.22%
DAX (Germany)
10.00%
FTSE 100 (UK)
15.00%
Euronext 150
18.92%
FTSE 250 (UK)
21.31%

Where do we go from here?

Given that at the time of this blog’s publishing, we are just under a month away from the Google and Yahoo regulations for bulk senders going live, the most important takeaway from our findings is action. 

Businesses that send over 5,000 emails a day (or so) need to not only ensure that they have DMARC record in place, but that they SPF and DKIM in place, that there is SPF and DKIM alignment and that FcrDNS is configured correctly for every domain they send mail from. 

While BIMI Radar and other static tools are a great first step to make sure that DMARC records are in place, organizations should be using dynamic tools like Red Sift’s Investigate to make sure that the other criteria are met. 

With Red Sift Investigate, you can see if your email-sending domain will meet the new requirements in under a minute.

Check your readiness now

At Red Sift, we foresee these requirements from Google and Yahoo to be just the first step in ensuring that domains are fully authenticated. We foresee DMARC enforcement being the next logical step to the February 2024 requirements as those that meet the new requirements are essentially ready for DMARC enforcement. 

If you are looking to reach DMARC enforcement make sure to check out the award-winning Red Sift OnDMARC.

PUBLISHED BY

Rahul Powar

10 Jan. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more
News

Meet Red Sift Radar: The Skilled Up LLM That Finds and Fixes…

Rahul Powar

After months of beta testing and feedback, we are excited to announce that Red Sift Radar, our skilled up LLM offering seamless integration with Red Sift OnDMARC, is now commercially available.  With Red Sift Radar, security teams can detect exposures, prevent configuration drift, and classify assets or suspicious activity without adding additional headcount. By…

Read more
News

G2 Fall 2024 Report: Red Sift OnDMARC Wins Big

Francesca Rünger-Field

We’re delighted to share that Red Sift OnDMARC’s winning streak continues. This Fall, we’ve once again been named a Leader in G2’s DMARC category, achieving recognition in both the overall Leader category and Europe for the first time. This recognition is based on our high Customer Satisfaction scores and strong market presence. Red Sift…

Read more
Cybersecurity

Resilience Rising | Episode 3 with Kevin White

Red Sift

In this episode of Resilience Rising, Sean Costigan, Managing Director of Resilience Strategy at Red Sift, and Kevin White, Senior Operation Consultant with Enhanced Information Solutions, explore the critical intersection of wastewater management and cybersecurity.  The two highlight the health and operational impacts of cyber threats on water utilities, emphasizing the vulnerabilities due to…

Read more
Certificates

Your guide to PCI DSS 4.0 Cryptographic Requirements

Rebecca Warren

The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized framework designed to protect cardholder data during processing, storage, and transmission by merchants and service providers. PCI DSS outlines a set of stringent security controls that organizations handling payment card information must implement to mitigate the risk of data breaches and…

Read more