Google and Yahoo announced new email authentication requirements for those sending email to their users, with a rapid deadline of February 2024. At Fortra, we commend this push to require email authentication as a huge step in the ongoing fight against spoofing and abuse. But if the requirements are not in place by the deadline, certain emails may no longer be delivered. This could prove detrimental to organizations relying on email for invoices, marketing, and other business transactions. In short, if you don’t have Domain-based Message Authentication, Reporting & Conformance (DMARC) in place, you don’t have much time.
What Does This Mean for My Organization?
These requirements should not come as a surprise to most, as Google and Yahoo have been talking about “no auth, no entry” for several years. Many organizations have met these requirements as part of existing best practices for security and email deliverability. Having Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC protects your email domains from spoofing attacks and fraud while also increasing your email deliverability.
Perhaps your organization is ready and feeling confident about all specific requirements that will be applied to those domains sending 5,000 or more messages a day. Or perhaps your organization is not fully prepared and a looming sense that you may not be ready by February 2024 is keeping you up at night.
Before resorting to mass panic and running for the hills, let’s look at some of the specific requirements by Google.
SPF and DKIM for Your Domain
SPF is an email authentication standard used to identify the email servers that are authorized to send email for a given domain (the envelope domain). DKIM is an email authentication tool that uses cryptographic signatures to authenticate that email content was, in fact, signed by a given signing domain and the content has not been changed. DKIM identifies if emails have been modified during transit.
For more on why having both is best, read DKIM vs. SPF.
DMARC for Your Domain (Record Can be p=none)
Having a DMARC policy where p=none is the lowest standard by which a policy can be set. It means, if an email fails email authentication, nothing needs to be done to the email. However, DMARC reporting will become critical to senders to understand email authentication results and how to handle emails going forward. Importantly, it can give insights into SPF and DKIM including:
- SPF and DKIM results, even showing messages without SPF or DKIM
- SPF and DKIM alignment problems with DMARC
- Always monitor your DMARC reports for changes
Must Pass DMARC Alignment
DMARC ties together the results of SPF and DKIM, then adds a layer of spoofing protection called “alignment”. DMARC alignment requires that the user visible From header domain is organizationally related to either the DKIM signing domain or the envelope domain used by SPF.
Even the savviest DMARC customers may second guess themselves on this one. Many organizations, especially those sending 5,000 or more a day, may use third-party vendors for mail sends. These vendors could be used for marketing sends or finance for invoice sends. Whatever the reason, make sure you are aligned with your vendors. If your From is [email protected], your DKIM signature or envelope From domain must be companyabc.com or a subdomain of that.
Valid Forward and Reverse DNS
Your sending IP address must have valid reverse DNS (PTR record) configured. Additionally, the hostname in the PTR record must resolve back to the sending IP address.
Spam Rates Need to be Below 0.3%
Organizations need to register, monitor, and know their numbers. If people are viewing your emails as spam in a percentage over 0.3%, it is likely Google will treat your domain negatively.
Don't Spoof Gmail.com
If your organization is spoofing Gmail, your email sends may be in trouble. This seems like a no-brainer. However, this happens more often than one might think.
If You Forward Mail, Sign with ARC
ARC is an email authentication standard designed to address the challenges that arise when emails pass through multiple intermediaries, such as mailing lists or forwarding services. In traditional email authentication systems like SPF, DKIM, and DMARC, the original authentication information may get modified as emails traverse these intermediaries, leading to potential authentication failures.
When ARC is implemented by email forwarders and mailing lists, it allows an email receiver at the email’s final destination, to understand if the originating sender legitimately authenticated that email, even though intermediate forwards may have nullified the original authentication.
One-Click Unsubscribe for Subscribed Messages
The one-click unsubscribe may not be a complicated one to understand, but it is required. A one-click unsubscribe takes away any additional steps for the email recipient. They simply click the button next to the sender’s address and are removed from the mail list.
This can all seem daunting, but it cannot be ignored. Yahoo Mail has nearly 228 million users in 2023 compared to Gmail with 1.8 billion users in 2023. Sending emails to those who use these mail providers is necessary to your business. No matter where you are in the DMARC journey, Fortra can help.
Don't Have DMARC Protection?
There’s no denying, if you do not have DMARC set up, you do not have much time. DMARC is no longer a nice to have, it is essential for the health of your business. Fortra’s Agari DMARC Protection provides all the requirements needed to keep emails moving and keep you compliant with Google and Yahoo. Get a free demo today.