Published on the 22/11/2023 | Written by Heather Wright
Stricter requirements for bulk emails come into force from Feb 24…
Businesses have until early 2024 to implement strong authentication for sender domains or risk having customer emails rejected as Google and Yahoo up their efforts in the fight against spam.
The changes will require any company sending more than 5,000 messages to Google or Yahoo addresses in one day to implement Sender Policy Framework (SPF)/DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) email authentication for domains.
SPF and DKIM provide protection against impersonation through better authentication, while DMARC builds on the protocols, adding linkage to the author domain name, published policies for recipient handling of authentication failures and reporting from receivers to senders.
Neil Kumaran, Google group product manager, Gmail security and trust, says many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst.
“To help fix that, we’ve focused on a crucial aspect of email security: The validation that a sender is who they claim to be,” he says.
“As basic as it sounds, it’s still sometimes impossible to verify who an email is from given the web of antiquated and inconsistent systems on the internet.”
Forty-eight percent of all emails sent globally last year were spam, according to Kaspersky, with phishing attacks targeting company emails continuing to prove a popular form of attack against Australian and New Zealand businesses.
Bulk senders will also be required to provide a one-click unsubscribe option – with all unsubscribe requests to be processed within two days – and to keep spam rates below 0.3 percent. The company has previously advised senders to keep spam levels below the 0.3 percent threshold, but the new rules will see that become a requirement.
Google claims its current AI technology stops more than 99.9 percent of spam, phishing and malware from hitting Gmail inboxes, blocking 15 billion unwanted emails a day.
Many senders already meet most of the requirements – which Google says should be considered basic email hygiene. It introduced a policy last year requiring emails sent to Gmail addresses to have some form of authentication. That move reduced unauthenticated messages received by Gmail addresses by 75 percent, the company says.
Yahoo notes it has documented best practices previously, but that ‘numerous’ bulk senders fail to secure and set up their systems correctly, enabling resources to be exploited without detection.
SPF, DKIM and DMARC have seen increased adoption in recent years. Research from email security provider Easy DMARC has suggested that around half of email senders have a DMARC record.
The new rules come into force for Google in February 2024, while Yahoo’s changes are scheduled for ‘the first quarter of 2024’.
Google says meeting sender requirements before the deadline may improve email delivery.
“If you don’t meet the requirements described… your email might not be delivered as expected, or might be marked as spam.”
“These changes are like a tune-up for the email world, and by fixing a few things under the hood, we can keep email running smoothly,” Kumaran says.
“But just like a tune-up, this is not a one-time exercise. Keeping email more secure, user friendly and spam-free requires constant collaboration and vigilance from the entire email community.”
Google has published email sender guidelines detailing the requirements for those needing to improve their systems before the February enforcement begins.
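As an added illustration (not code from Google, Yahoo or this article), the sketch below checks a sending domain against the requirements described above: SPF, DKIM and DMARC records, a one-click unsubscribe header and the 0.3 percent spam rate. The function names, the `s1` selector, the `example.com` records and the accepted DMARC policy values are assumptions; record syntax follows RFC 7208, RFC 6376, RFC 7489 and RFC 8058 rather than anything quoted in the article.

```python
BULK_THRESHOLD = 5000   # messages/day to Google or Yahoo addresses (figure from the article)
MAX_SPAM_RATE = 0.003   # 0.3 percent (figure from the article)

def tags(record):
    """Parse a 'k=v; k=v' TXT record (the DKIM and DMARC syntax) into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def unmet_requirements(domain, selector, txt, headers, daily_volume, spam_rate):
    """Return the bulk-sender requirements this sender fails (empty list = all met)."""
    if daily_volume <= BULK_THRESHOLD:
        return []                          # the bulk rules apply above 5,000 a day
    failed = []
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:                      # RFC 7208: zero or several records both fail
        failed.append("spf")
    dkim = [tags(r) for r in txt.get(f"{selector}._domainkey.{domain}", [])]
    if not any(t.get("p") for t in dkim):  # an empty p= means the key was revoked
        failed.append("dkim")
    dmarc = [tags(r) for r in txt.get(f"_dmarc.{domain}", [])]
    dmarc = [t for t in dmarc if t.get("v") == "DMARC1"]
    if len(dmarc) != 1 or dmarc[0].get("p", "").lower() not in ("none", "quarantine", "reject"):
        failed.append("dmarc")
    # RFC 8058 one-click unsubscribe: an HTTPS URI plus the List-Unsubscribe-Post header
    uri_ok = "<https://" in headers.get("List-Unsubscribe", "").lower()
    post = headers.get("List-Unsubscribe-Post", "").strip().lower()
    if not (uri_ok and post == "list-unsubscribe=one-click"):
        failed.append("one-click-unsubscribe")
    if spam_rate >= MAX_SPAM_RATE:         # the rate must stay below 0.3 percent
        failed.append("spam-rate")
    return failed

# Constructed sample data (not real DNS answers or real mail headers)
GOOD_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=BASE64KEYPLACEHOLDER"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
GOOD_HEADERS = {
    "List-Unsubscribe": "<https://example.com/unsub?id=123>",
    "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
}
BAD_TXT = {
    "example.com": ["v=spf1 -all", "v=spf1 ip4:192.0.2.0/24 -all"],  # two SPF records
    "s1._domainkey.example.com": ["v=DKIM1; p="],                     # revoked key
}                                                                     # no DMARC record
BAD_HEADERS = {"List-Unsubscribe": "<mailto:unsub@example.com>"}      # mailto only

if __name__ == "__main__":
    print(unmet_requirements("example.com", "s1", GOOD_TXT, GOOD_HEADERS, 20000, 0.001))
    print(unmet_requirements("example.com", "s1", BAD_TXT, BAD_HEADERS, 20000, 0.004))
```

The check covers published records and message headers only; it does not verify DKIM signatures or DMARC alignment on real messages.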