This is an updated version of a blog post originally published in October 2023.
If you have a Gmail or Yahoo account, you probably know how cluttered your inbox can get with unsolicited email and other email that is clearly trying to defraud you. If you have ever thought to yourself “Why can’t these companies do a better job blocking these fraudulent messages and make it easier for me to receive less unsolicited mail?”, you are not alone.
The good news: Google, Yahoo and Apple are doing something about it, and things are about to change for the better for their email users. The bad news: If your company has not fully implemented email authentication measures, you have some work to do and not a lot of time to do it.
Starting February 2024, Gmail will require email authentication to be in place when sending messages to Gmail accounts. If you’re a bulk sender who sends more than 5,000 emails per day to Gmail accounts, you’ll have even more email authentication requirements to meet. You’ll also need to:
- Have a Domain-based Message Authentication, Reporting & Conformance (DMARC) policy in place
- Ensure Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) alignment
- Make it easy for recipients to unsubscribe (one-click unsubscribe)
You can access Google’s detailed Email Sender Guidelines here.
Yahoo has rolled out similar requirements. It will also require strong email authentication to be in place starting February 2024 to stem the flow of malicious messages and reduce the amount of low-value emails cluttering users’ inboxes.
Just 10 days after Google and Yahoo made their announcements in October 2023, Apple released a best practice guide for iCloud mail. It highlighted many of the same email authentication requirements. While Apple did not set a hard date for publishing a DMARC policy, it recommends that bulk senders follow these best practices so their emails won't be considered junk mail and automatically blocked.
Are you prepared to meet these requirements? Here’s what you should know.
New Google and Yahoo email requirements
The new requirements are broken down into two categories. All senders will need to follow the first set. Depending on how much email you send per day, there are also additional rules.
Applicable to all senders:
- Email authentication. This is a critical measure to help prevent threat actors from sending emails under the pretense of being from your organization. This tactic is referred to as domain spoofing and, if left unprotected, allows cybercriminals to weaponize sending domains for malicious cyberattacks.
- SPF is an email authentication protocol designed to prevent email spoofing, a common technique used in phishing attacks and email spam. As an integral part of email cybersecurity, SPF enables the receiving mail server to check whether incoming email comes from an IP address that the sending domain’s administrator has authorized in the domain’s published SPF record.
- DKIM is a protocol that allows an organization to take responsibility for transmitting a message by signing it in a way that mailbox providers can verify. The receiving server verifies the signature cryptographically against the public key the signing domain publishes in DNS.
- Low spam rates. If recipients report your messages as spam at a rate that exceeds the new 0.3% requirement (ideally, target a 0.1% spam rate, or 1 in 1,000 delivered messages marked as spam), your messages could be blocked or sent directly to the Spam folder.
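The SPF check described above, as an added example that is not part of the original post or any Proofpoint product: it evaluates an SPF record for a sending domain against the connecting IP address. The DNS data is a constructed in-memory dictionary with placeholder domains (`example.com`, `_spf.esp-example.net`) so the code runs offline, and only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented (the `a`, `mx` and `exists` mechanisms from RFC 7208 are omitted for brevity).

```python
"""Added example: evaluate an SPF record against a connecting IP.

Not the post's or Proofpoint's code. DNS is simulated with a constructed
dictionary so the example runs offline.
"""
import ipaddress

# Constructed TXT records standing in for DNS (placeholder domains, not real infrastructure).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp-example.net -all",
    "_spf.esp-example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF TXT record, or None if there is no 'v=spf1' record."""
    txt = dns.get(domain.lower())
    if txt is None or not txt.startswith("v=spf1"):
        return None
    return txt


def check_spf(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.

    Mechanisms are evaluated left to right; the first match decides the result
    using its qualifier (default '+'). 'include:' recurses and counts as a
    match only when the included record yields 'pass'. Recursion is capped
    to mirror RFC 7208's limit on DNS-querying mechanisms.
    """
    if depth > 10:
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        matched = False
        if term.startswith(("ip4:", "ip6:")):
            # An IPv4 address is never inside an IPv6 network and vice versa.
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(ip, term[len("include:"):], dns, depth + 1) == "pass"
        elif term == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term was present


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(ip, "->", check_spf(ip, "example.com"))
```

The `-all` at the end of the first record is what turns an unlisted IP into a hard `fail`; a `~all` would only produce `softfail`, which receivers treat much more leniently, so a domain that has finished inventorying its legitimate senders should move to `-all`.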
Requirements for bulk senders:
- SPF and DKIM must be in place. Companies that send to Gmail or Yahoo must have SPF and DKIM authentication methods implemented.
- Companies must have a DMARC policy in place. DMARC is an email authentication standard that provides domain-level protection of the email channel.
- DMARC authentication detects and prevents email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks.
- DMARC builds on the existing standards of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It is the first and only widely deployed technology that can make the header “from” domain trustworthy. The domain owner can publish a DMARC record in the Domain Name System (DNS) and create a policy to tell receivers what to do with emails that fail authentication.
- Messages must pass DMARC alignment. This means that the domain in the Envelope From (the SMTP MAIL FROM address that SPF checks) is the same as the Header From domain, or that the DKIM signing domain is the same as the Header From domain.
- Messages must include one-click unsubscribe. For subscribed messages, messages must contain List-Unsubscribe message headers and a clearly visible unsubscribe link in the message body, and the unsubscribe must be completable with a single click (one-click unsubscribe). Unsubscribe requests must be honored within two days.
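The DMARC alignment and one-click unsubscribe requirements above (and the "sender addressing" discussion later in the post) as an added example, not code from the original post or from Proofpoint. The code takes the SPF and DKIM results as inputs rather than performing DNS lookups or signature verification itself, parses a constructed DMARC record, decides whether the message passes DMARC under strict or relaxed alignment, applies the record's `p=` policy, and checks a constructed message for the RFC 8058 headers. The `org_domain` helper is a deliberate simplification (last two labels); real implementations use the Public Suffix List so that, for example, `co.uk` is not treated as an organizational domain.

```python
"""Added example: DMARC alignment, policy disposition and RFC 8058 header check.

Not the post's or Proofpoint's code. All domains and the sample message are
constructed placeholders.
"""
from email import message_from_string

# Constructed DMARC TXT record for the placeholder domain example.com.
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; aspf=s"

# Constructed outbound message with the headers RFC 8058 requires.
SAMPLE_MESSAGE = """From: Promotions <news@example.com>
To: user@example.net
Subject: Weekly newsletter
List-Unsubscribe: <https://example.com/unsub?token=PLACEHOLDER>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello from the constructed sample newsletter.
"""


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict. Alignment tags default to
    relaxed ('r') and the policy to 'none', as RFC 7489 specifies."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain):
    """Organizational domain. ASSUMPTION for this example: the last two labels.
    Production code must use the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from, mode):
    """Strict ('s'): domains identical. Relaxed ('r'): same organizational domain."""
    auth, hdr = auth_domain.lower(), header_from.lower()
    if mode == "s":
        return auth == hdr
    return org_domain(auth) == org_domain(hdr)


def dmarc_evaluate(record, header_from, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Return (passes, disposition).

    DMARC passes when at least one authentication result is both passing and
    aligned with the RFC5322.From domain. On failure the record's p= policy
    decides what the receiver should do.
    """
    spf_ok = bool(spf_pass) and aligned(spf_domain, header_from, record["aspf"])
    dkim_ok = bool(dkim_pass) and dkim_domain is not None and aligned(dkim_domain, header_from, record["adkim"])
    passes = spf_ok or dkim_ok
    if passes:
        return True, "accept"
    return False, {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[record["p"]]


def one_click_unsubscribe_ok(raw_message):
    """RFC 8058: a List-Unsubscribe header carrying an https URI, plus
    'List-Unsubscribe-Post: List-Unsubscribe=One-Click'."""
    msg = message_from_string(raw_message)
    uris = [u.strip().strip("<>") for u in msg.get("List-Unsubscribe", "").split(",")]
    has_https = any(u.lower().startswith("https://") for u in uris if u)
    return has_https and msg.get("List-Unsubscribe-Post", "").strip() == "List-Unsubscribe=One-Click"


if __name__ == "__main__":
    rec = parse_dmarc_record(SAMPLE_DMARC)
    # Typical ESP setup: bounces go to the ESP's domain (SPF unaligned under aspf=s),
    # but the message is DKIM-signed with d=example.com, so DMARC still passes.
    print(dmarc_evaluate(rec, "example.com", "bounce.esp-example.net", True, "example.com", True))
    # No DKIM and a subdomain in MAIL FROM under strict SPF alignment: quarantined.
    print(dmarc_evaluate(rec, "example.com", "mail.example.com", True, None, False))
    print(one_click_unsubscribe_ok(SAMPLE_MESSAGE))
```

The first scenario in the usage block is the one the post warns about: a third-party sender that cannot change its bounce domain can still reach DMARC alignment, but only if it signs with a DKIM key under your domain. Without that signature, the same message fails and the `p=` policy takes effect.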
Google, Yahoo and Apple sender requirements at-a-glance
| Requirement | Google | Apple | Yahoo |
| --- | --- | --- | --- |
| DMARC pass required (SPF or DKIM email authentication passes) | Yes (<5,000 Msgs/day) | Yes | Yes |
| DMARC pass required (SPF and DKIM email authentication passes) | Yes (5,000+ Msgs/day) | - | Yes |
| Ensure valid forward and reverse DNS PTR records | Yes | Yes | Yes |
| Spam rates reported in Postmaster Tools <0.3% (ideally, <0.1%) | Yes | - | Yes |
| Message format adheres to email standards (RFC 5321 and 5322) | Yes | Yes | Yes |
| No provider domain impersonation in FROM headers | Yes | Yes | Yes |
| TLS required for inbound email | Yes | - | - |
| Forwarded email requires ARC headers | Yes (5,000+ Msgs/day) | - | - |
| DMARC email authentication for your sending domains | Yes (p=none DMARC) | Yes | Yes (p=none DMARC) |
| From: header must be aligned with either the SPF domain or the DKIM domain | Yes | Yes | Yes |
| One-Click Unsubscribe for subscribed commercial/promotional messages (RFC 8058) | Yes (June 1, 2024) | Yes | Yes (February 2024) |
| Segregate email class types by | Yes (by domain) | Yes (by IP or domain) | Yes (by IP or domain) |
| Ensure SMTP tempfailure and rejection errors are adhered to | Yes | Yes | Yes |
Key dates
Keep in mind these dates as these requirements roll out.
January 2024
Apple did not set a date for publishing a DMARC policy, but all other requirements were stated as ones that should be in place now. So, it’s best to assume this means immediately.
February 2024
This is Google and Yahoo’s initial deadline to meet new requirements.
Google provided further clarification about the February deadline after its initial announcement. It stated that bulk senders who don’t meet sender requirements will start getting SMTP protocol-level temporary errors (with error codes) on a small percentage of their non-compliant email traffic. These temporary errors are meant to help senders identify email traffic that doesn’t meet the new guidelines and start addressing their non-compliance.
April 2024
Google will start rejecting a percentage of non-compliant email traffic and will gradually increase the rejection rate. For example, if 75% of a sender’s traffic meets their requirements, they will start rejecting a percentage of the remaining 25% of traffic that isn’t compliant.
June 1, 2024
This is Google’s revised deadline for bulk senders to implement One-Click Unsubscribe in all commercial, promotional messages.
What happens if you miss the deadline?
If your company relies on email to communicate with your customers and you don’t implement email authentication, these changes are going to significantly impact the deliverability of your messages to customers with Gmail, Yahoo and Apple iCloud accounts. If you send bulk emails to Gmail and Yahoo accounts and fail to have SPF and DKIM, or if you don’t have a DMARC policy implemented, these non-deliveries will have an even greater impact on your business.
Be skeptical of quick fixes
Be cautious about vendors claiming “one-click” implementations to quickly reach compliance.
These announcements caught many companies off guard, and now many are scrambling to catch up. As you research what it’s going to take to meet the new requirements, you may come across claims of “one-click” solutions or solutions that can reach compliance in extremely quick timeframes.
When it sounds too good to be true, it usually is. Properly aligning DMARC for your outbound email requires alterations to how your “From:” addresses are passed at the SMTP and email header level, so that the domain in the Header From address matches the domain in the DKIM signature and the SPF (Envelope From) domain. When these “sender addressing” changes involve working with third-party or SaaS solutions that do not offer flexibility in their configuration, or that don’t support DKIM signing, things can get complex quickly.
Proofpoint can help
Proofpoint is an industry leader when it comes to email authentication. More Fortune 1000 Companies rely on Proofpoint for DMARC than our next five closest competitors combined. We have the tools, resources and experience to assess your status and help close the gap more effectively than you would if you tackled it on your own.
Proofpoint Email Fraud Defense provides access to highly experienced consultants who can guide you through each step of your DMARC journey, helping you to meet the new requirements and also protect your overall brand reputation. This solution also includes Hosted SPF, Hosted DKIM and Hosted DMARC to simplify management and streamline your implementation.
For transactional emails, ones that may be sent from applications or third-party partners on your behalf, Proofpoint Secure Email Relay can not only ensure that all these messages are DKIM signed but it can also help with achieving DMARC alignment at an accelerated rate.
In response to these new requirements, Proofpoint is now offering a free Email Deliverability Assessment to help identify potential gaps and provide recommendations on a path forward, so you can minimize the impact of these changes on your business. You can also visit our DMARC Creation Wizard today to check your DMARC and SPF statuses.
Don’t wait until the last minute to get started on your DMARC journey. You don’t know what issues you may need to overcome, and you don’t want to risk missing the deadlines. Reach out to Proofpoint today. We can not only prepare you for these new requirements, but we can also increase your overall security posture and help break the attack chain.