Where are we now? One month of Google and Yahoo’s new requirements for bulk senders

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty. 

At the end of January 2024, one-third of global enterprises were bound to fail the new requirements as a result of having no DMARC record in place.

Google and Yahoo have begun to enforce the requirements, so how have things evolved? 

Let’s dive in. 

Nearly 800K more DMARC records in the world

Last month we reported that 91.38% of the world’s domains would fail to meet the new requirements as they had no DMARC record. 

However, we have seen a steep increase in the adoption of DMARC since January 1 across all domains around the world. Comparing the number of domains with DMARC at the end of February to the beginning of January reveals an additional 795,824 records in place. 

See the full data set here.

But as we indicated in our last blog, global domains with a DMARC record are not the complete picture. Let’s see what has changed within large enterprises since they are the most likely to be impacted by the new requirements. 

Global improvements for public companies

In January we reported that large organizations from certain regions of the world were much more likely to fail to meet the new requirements. Specifically, we looked at large organizations that did not have any DMARC records. Though companies that have a DMARC record are not guaranteed to pass, those that don’t are guaranteed to fail. 

Around the world, the countries with some of the highest guaranteed failure rates like Italy, Germany, Japan, and Spain have made significant strides throughout February improving readiness for large enterprises by as much as 35%.

Country
% that will fail – Jan 2024
% that will fail – Feb 2024
Change
Italy
29.81%
19.23%
10.58%
Germany
20.75%
15.09%
5.66%
Canada
12.37%
9.28%
3.09%
Japan
50.00%
40.28%
9.72%
Spain
39.18%
31.96%
7.22%
Netherlands
16.83%
13.86%
2.97%
United States
6.52%
5.43%
1.09%
France
10.47%
9.30%
1.17%
Australia
10.78%
9.80%
0.98%
United Kingdom
14.58%
13.54%
1.04%
Austria
45.71%
42.86%
2.85%
Indonesia
47.92%
46.88%
1.04%
Chile
28.89%
28.29%
0.60%
India
17.44%
17.44%
0.00%

A handful of bright spots for going beyond the minimum

Google and Yahoo’s requirements for bulk senders are likely just the beginning of more stringent protocols aimed at protecting customers and users. Though the requirements today only require a DMARC policy of p=none, many (myself included) believe this is just the start of more stringent requirements. 

It is interesting to see the divides in countries choosing to take these requirements and go the step further to the DMARC policy of p=reject. 

By looking at overall BIMI readiness – defined as those domains that have a DMARC policy of at least p=reject, have SPF and DKIM configured, and SPF or DKIM alignment – we can begin to understand which areas of the world are using the new requirements for bulk senders to more fully address email security best practices.

Country
% that would likely pass – Jan 2024
% that would likely pass – Feb 2024
Change
Germany
35.8%
39.6%
3.8%
Spain
30.9%
35.1%
4.2%
United Kingdom
59.4%
61.5%
2.1%
United States
75%
77.2%
2.2%
Indonesia
37.5%
37.50%
1.04%
France
57%
58.14%
1.15%
India
70.9%
70.9%
0%
Netherlands
66.3%
66.3%
0%
Canada
50.5%
50.5%
0%
Chile
38.9%
38.9%
0%
Austria
34.3%
34.3%
0%
Italy
32.7%
32.7%
0%
Japan
15.3%
15.3%
0%

Germany and Spain, both of which were clear laggards one month ago, have seen a small percentage of organizations undertaking DMARC projects and “going all the way” to reach a full p=reject policy. 

Organizations that choose to do this when rolling out DMARC are in for an easier road ahead as requirements become more strict. 

Consistent progress among the world’s biggest companies

As we look at the largest market indices in the world, we see continued positive progress reflective of the trends above. Canada and Germany have made significant leaps and bounds to bring them closer to the rest of the world while the laggards in the US continue to realize meeting these requirements is no longer optional. 

Index
% that will fail – Jan 2024
% that will fail – Feb 2024
% change
CAC 40 (France)
7.50%
5.00%
-33%
DAX (Germany)
10.00%
6.67%
-33%
Euronext 150
18.92%
12.84%
-32%
S&P 500 (US)
8.80%
6.60%
-25%
Fortune 500 (US)
9.22%
7.62%
-17%
FTSE 100 (UK)
15.00%
13.00%
-13%
FTSE 250 (UK)
21.31%
18.58%
-13%

Are you ready for Google & Yahoo’s new requirements for bulk senders?

We continue to see the world progress towards well-known best practices for email authentication to meet Google and Yahoo’s latest requirements. I expect to see this progress continue as Google and Yahoo move from delayed delivery to full rejection. 


If you’re unsure if your business is ready, try Red Sift Investigate. With a single test email, you can check that you meet all of Google and Yahoo’s new requirements for bulk senders – including DMARC, DKIM, SPF, FcrDNS and much, much more.

PUBLISHED BY

Rebecca Warren

4 Mar. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Email

Cloudflare selects Red Sift as a preferred partner to provide DMARC and…

Rebecca Warren

AI-generated email attacks are rapidly growing in scale and sophistication, demanding stronger defenses from at-risk organizations. Starting today, Red Sift is excited to announce a new strategic partnership with Cloudflare, the leading connectivity cloud company, to deliver its market-leading email security application, Red Sift OnDMARC, to a broader global audience.  Today’s alignment enhances Cloudflare’s…

Read more
Cybersecurity

New Zealand moves to mandate DMARC enforcement

Jack Lilley

Executive summary: New Zealand’s Secure Government Email Framework mandates DMARC at p=reject—plus hard-fail SPF, universal DKIM, enforced MTA-STS, and TLS-RPT—by October 2025. The rules replace SEEMail, curb soaring phishing losses, and will affect every organization that emails the public sector. Key takeaways: The New Zealand Government has recently published the Secure Government Email (SGE) Common…

Read more
BEC

DMARC: The best ROI for your organization

Jack Lilley

Executive summary: Implementing DMARC delivers one of the clearest, fastest returns on investment in email security. By authenticating outgoing mail and blocking spoofed messages, DMARC cuts the direct costs of phishing and Business Email Compromise, safeguards brand reputation, and boosts deliverability—ultimately driving revenue and trimming operational workload. Key takeaways: Email is a critical communication tool for…

Read more
DMARC

400,000 DMARC boost after Microsoft’s high-volume sender update

Jack Lilley

Microsoft’s decision to join Google and Yahoo in enforcing stricter rules for high-volume senders has triggered an immediate response across the internet. In the last 30 days alone, 406,042 new domains have deployed Domain‑based Message Authentication, Reporting & Conformance (DMARC), pushing the global total to 10.9 million. While not all domains will be exclusive Outlook users,…

Read more