The world is not ready for Google & Yahoo’s bulk sending requirements: Now is the time to take action

In October 2023, Google and Yahoo jointly announced new requirements to help deliver “a safer, less spammy inbox” for users. 

The requirements will go into place on February 1, 2024 and are specific to bulk senders – those that send over 5,000 emails daily. 

What are the new Google and Yahoo requirements for bulk senders?

The new requirements for bulk senders cover three core tenants: 

  1. Authenticate the domains you send from
  2. Make it easy for people to stop receiving your emails
  3. Don’t spam

Sounds straightforward enough. But, the requirements for domain authentication are the most complex of the three, as there are multiple sub-requirements for users, including:

  1. Publishing a DMARC policy for each domain that sends mail with at least a policy of “none”.
  2. Setting up SPF and DKIM for each domain that sends mail. Note that both SPF and DKIM are required, unlike with DMARC which only requires one or the other.
  3. Aligning the domain in the sender’s `From:` header with either the SPF domain or the DKIM domain (for direct mail only).
  4. Ensuring that sending domains or IPs have valid forward and reverse DNS records using a Forward Confirmed DNS (FcrDNS). You can read more about FCrDNS here.

See more on the new requirements in Google’s support article.

Assessing readiness on a global scale with BIMI Radar

At Red Sift, we have been following the world’s readiness for DMARC for many years using our BIMI Radar. This tool looks at over 70,000,000 domains around the world to better understand trends in the adoption of DMARC and Brand Indicators for Message Identification (BIMI) across the Internet.

BIMI was introduced in 2021 and allows businesses to show their brand logo in the avatar slot of emails they send. BIMI can only be implemented and honored for organizations that have a DMARC enforcement policy of quarantine or reject at the root level and for all subdomains.

DMARC is a protocol that allows domain owners to obtain visibility to email services that are sending on their behalf, and also to block unauthorized senders. DMARC is the only protocol that can prevent illegitimate services from sending on behalf of a domain once that domain is at a policy of quarantine or reject.

For Google and Yahoo’s bulk sending requirements, BIMI Radar provides an interesting vantage point. Since it is only looking at static DNS records, it does not give complete visibility into which domains would fully pass Google and Yahoo’s requirements. But, it does give us an idea of who has not published DMARC records and therefore will definitely fail come February 2024. 

In examining this question of who in the world is not ready for Google and Yahoo’s new requirements, interesting trends start to emerge.

Please note all data points referenced in this article are from December 2023. 

91.38% of domains globally fail new requirements

At the highest level, the world does not look ready for the new bulk-sending requirements. 

When examining all 70,000,000 domains globally, 91.38% of email-sending domains have no DMARC record and therefore would fail the new Google and Yahoo requirements! 

But, given the variety of organizations and domains that are surfaced in BIMI Radar, and that not all domains included are email sending domains, it is important to go a layer deeper to try to identify those most likely to be impacted by the bulk sending requirements.

33% of global enterprises have no DMARC record

If we use publically traded companies as a proxy for large enterprises most likely to be bulk senders, a different picture begins to emerge.

Looking at the 2,380 corresponding domains we see around the globe, 33% have no DMARC record in place. 

If we investigate this on a per-country basis, a more optimistic picture starts to emerge. In the US, France and the UK for example, only 10-14% of organizations will definitively fail the new requirements.

Conversely, in Korea and Japan, 50% of large enterprises will fail. 

Country
% that will fail Google and Yahoo Requirements
United States
6.52%
France
10.47%
Australia
10.78%
Canada
12.37%
United Kingdom
14.58%
Netherlands
16.83%
India
17.44%
Germany
20.75%
Chile
28.89%
Italy
29.81%
Spain
39.18%
Austria
45.71%
Indonesia
47.92%
Japan
50.00%
Korea
50.00%

To see other countries, visit BIMI Radar.

40% of global enterprises likely pass new requirements

Checking which sending domains pass the requirements fully requires capturing an email in real-time to ensure that  FCrDNS is configured correctly, that there is DKIM or SPF alignment, and that the DKIM key is valid. More involved checks are also required for spam rates. Therefore on a global scale, it is impossible to get true readiness statistics for all senders that will definitively pass. 

But, we can use those that have previously deployed or could deploy BIMI as an approximation of those that are likely to pass the new requirements. This is because BIMI requires DMARC enforcement, SPF and DKIM configuration, and SPF or DKIM alignment. While this does not account for FCrDNS, it is reasonable to assume those that are BIMI ready have sending domains and IPs that have valid forward and reverse DNS records.

Therefore, using BIMI readiness as a proxy, we can see where in the world large enterprises are most likely to be ready for Google and Yahoo’s new requirements. 

Globally 39.87% of large enterprises would likely pass the new requirements. We see India and the Netherlands rising in overall readiness from this view, while Korea has a surprisingly low 2.02% of companies likely passing the new requirements.

Country
% that would likely pass Google and Yahoo Requirements
United States
75%
India
70.94%
Netherlands
66.34%
United Kingdom
58.33%
France
56.99%
Canada
50.52%
Chile
38.89%
Indonesia
36.46%
Austria
34.29%
Italy
32.69%
Spain
30.93%
Germany
20.75%
Japan
15.28%
Korea
2.02%

To see other countries, visit BIMI Radar.

Using market indices to assess readiness

We can also get a proxy for readiness by examining different market indexes. This data provides interesting insight into the preparedness of the largest enterprises in different markets around the world.

We continue to see enterprises in the US and France being the most prepared. The larger indices in Europe and the UK represent those companies least prepared. 

Index
% that will fail Google and Yahoo Requirements
CAC 40 (France)
7.50%
S&P 500 (US)
8.8%
Fortune 500 (US)
9.22%
DAX (Germany)
10.00%
FTSE 100 (UK)
15.00%
Euronext 150
18.92%
FTSE 250 (UK)
21.31%

Where do we go from here?

Given that at the time of this blog’s publishing, we are just under a month away from the Google and Yahoo regulations for bulk senders going live, the most important takeaway from our findings is action. 

Businesses that send over 5,000 emails a day (or so) need to not only ensure that they have DMARC record in place, but that they SPF and DKIM in place, that there is SPF and DKIM alignment and that FcrDNS is configured correctly for every domain they send mail from. 

While BIMI Radar and other static tools are a great first step to make sure that DMARC records are in place, organizations should be using dynamic tools like Red Sift’s Investigate to make sure that the other criteria are met. 

With Red Sift Investigate, you can see if your email-sending domain will meet the new requirements in under a minute.

Check your readiness now

At Red Sift, we foresee these requirements from Google and Yahoo to be just the first step in ensuring that domains are fully authenticated. We foresee DMARC enforcement being the next logical step to the February 2024 requirements as those that meet the new requirements are essentially ready for DMARC enforcement. 

If you are looking to reach DMARC enforcement make sure to check out the award-winning Red Sift OnDMARC.

PUBLISHED BY

Rahul Powar

10 Jan. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Red Sift Recognized on Deloitte’s EMEA Fast 500™ List

Francesca Rünger-Field

We’re thrilled to share that Red Sift has been included in Deloitte’s 2023 EMEA Fast 500 list. This recognition stems from 389% revenue growth over three years, $54 million in Series B funding, acquiring ASM innovator Hardenize, and introducing the Red Sift Pulse Platform. Read the press release here. About the award The Deloitte Technology Fast…

Read more
Brand Protection

The vital role of cybersecurity for Nonprofits: A deep dive 

Sean Costigan

Save the Children, a beacon of hope and change, has been dedicated to improving the lives of children for over a century. Founded in London, it now has a presence in 29 nations, employing 844 staff members in the UK alone and engaging over 3600 formal volunteers. As charities and nonprofits like Save the…

Read more
News

Red Sift brings DMARC data to the SOC with new Cisco XDR…

Rebecca Warren

Today, we’re thrilled to announce that we’re extending our partnership by joining the Cisco Security Technical Alliance and integrating Red Sift OnDMARC with Cisco XDR. This integration builds on the Domain Protection partnership we announced in November 2023 to bring visibility of business email compromise into the SOC (security operations center). At release, Red…

Read more
Certificates

Preventing certificate related violations in cybersecurity frameworks:  A guide to certificate monitoring…

Rebecca Warren

TLS is one of the most widely adopted security protocols in the world allowing for unprecedented levels of commerce across the internet.  At the core of the TLS protocol is TLS certificates. Organizations must deploy TLS certificates and corresponding private keys to their systems to provide them with unique identities that can be reliably…

Read more