The release of these guidelines is fantastic news with email being one of the world’s top digital communication channels for business and personal use alike. These moves by email providers to further protect users against cybercriminals means that they can look forward to far less spam and illegitimate emails.
Phishing is the most common way criminals get hold of user credentials and data; the figure most often cited is that phishing emails are the starting point of 91% of cyberattacks.
Gmail’s AI-powered defenses alone block almost 15 billion unwanted emails daily and prevent over 99.9% of spam, phishing, and malware from reaching users’ inboxes. However, in its announcement earlier this month, Google stated that current cyberthreats are “more complex and pressing than ever”.
This has led the email provider to release new guidelines for bulk email senders (those sending over 5,000 messages a day to Gmail addresses). Google also noted that it is not the only email provider pushing for these changes: Yahoo followed closely with its own updated bulk sender requirements. Bulk senders must meet these requirements by February 2024.
“No matter who their email provider is, all users deserve the safest, most secure experience possible. In the interconnected world of email, that takes all of us working together. Yahoo looks forward to working with Google and the rest of the email community to make these common sense, high-impact changes the new industry standard,” says Marcel Becker, Sr. Director of Product at Yahoo.
Both organizations noted that many bulk email senders never properly secure and configure their sending systems, which lets attackers hide in their traffic and spoof their domains undetected.
To address this, the new bulk sender requirements focus on a vital aspect of email security: verifying that a message really comes from the domain it claims to come from. In addition, the requirements make it easier for users to unsubscribe from mailing lists and to keep unwanted email out of their inboxes.
A closer look at the new requirements
By February 2024 bulk senders must:
- Authenticate their emails
Bulk senders will need to ensure that users can trust every email they receive from them by implementing the established email authentication standards: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC is not a replacement for the other two; it builds on them. A message passes DMARC only if it passes SPF or DKIM for a domain that aligns with the domain in the visible From: header, so all three need to be in place. Google’s published guidance accepts a DMARC policy of p=none as the minimum for bulk senders. We’ve given a brief overview of these standards below.
- Make unsubscribing easy
If you’ve ever unsubscribed from an email chain only to receive more emails from the same sender, this requirement will give you immense joy. Gmail and Yahoo will require large-volume senders to support one-click unsubscribe for marketing and subscribed messages, implemented with the List-Unsubscribe and List-Unsubscribe-Post headers defined in RFC 8058, and to honor those requests within two days.
- Only send emails people want to receive
This requirement furthers the mission of email providers to keep unwanted spam out of user inboxes. Bulk email senders will have to stay below Google and Yahoo’s spam complaint thresholds; Google’s guidance is to keep the spam rate reported in Postmaster Tools below 0.10% and never let it reach 0.30%.
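The three requirements above can be checked on an outgoing message before it is sent. The following is an added example (not Google’s, Yahoo’s or Sendmarc’s tooling) that lints a raw message for the headers the requirements call for: a From: domain, a DKIM-Signature whose d= tag aligns with that domain, and the RFC 8058 one-click unsubscribe pair (a List-Unsubscribe header carrying an https URI plus List-Unsubscribe-Post: List-Unsubscribe=One-Click). The two messages embedded in the block are constructed samples; the DKIM signature values in them are placeholders, and the check does not verify the signature or consult DNS.

```python
"""Lint a message against the headline Gmail/Yahoo bulk-sender checks.

Added example, not Google's or Yahoo's own tooling. It checks headers only:
it does not verify the DKIM signature or look up SPF/DMARC records in DNS.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Exact value required by RFC 8058 for one-click unsubscribe.
ONE_CLICK = "List-Unsubscribe=One-Click"

# Constructed sample: what a compliant bulk message's headers look like.
# The bh= and b= values are placeholders, not a real signature.
GOOD_MSG = b"""From: Example News <news@mail.example.com>
To: alice@gmail.com
Subject: Weekly digest
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post;
 bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=dGVzdA==
List-Unsubscribe: <https://mail.example.com/unsub?t=abc123>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: text/plain

Hello.
"""

# Constructed sample that fails: DKIM d= is an unrelated domain, the only
# unsubscribe URI is mailto:, and the One-Click header is missing.
BAD_MSG = b"""From: Example News <news@mail.example.com>
To: alice@gmail.com
Subject: Weekly digest
DKIM-Signature: v=1; a=rsa-sha256; d=some-esp.invalid; s=k1; c=relaxed/relaxed;
 h=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=dGVzdA==
List-Unsubscribe: <mailto:unsub@example.com>
Content-Type: text/plain

Hello.
"""


def _dkim_tags(sig: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header into a dict."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def lint_bulk_message(raw: bytes) -> dict:
    """Return a dict of findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = {"from_domain": from_domain}

    sig = msg.get("DKIM-Signature")
    tags = _dkim_tags(str(sig)) if sig else {}
    d = tags.get("d", "").lower()
    findings["dkim_present"] = bool(sig)
    # Relaxed alignment: d= may equal the From: domain or be a parent of it.
    findings["dkim_aligned"] = bool(d) and (
        from_domain == d or from_domain.endswith("." + d)
    )

    # RFC 8058: an https URI in List-Unsubscribe plus the One-Click header.
    uris = re.findall(r"<([^>]+)>", str(msg.get("List-Unsubscribe", "")))
    findings["unsubscribe_https"] = any(u.lower().startswith("https://") for u in uris)
    findings["one_click"] = str(msg.get("List-Unsubscribe-Post", "")).strip() == ONE_CLICK

    findings["compliant"] = all(
        findings[k] for k in ("dkim_present", "dkim_aligned", "unsubscribe_https", "one_click")
    )
    return findings


if __name__ == "__main__":
    for label, raw in (("good", GOOD_MSG), ("bad", BAD_MSG)):
        print(label, lint_bulk_message(raw))
```

Run the file directly to see the findings for both samples. A real pre-send check would go further: verifying the DKIM signature against the selector’s public key, confirming the unsubscribe URI answers a POST without authentication, and checking that the SPF record covers the sending IP.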
“These practices should be considered basic email hygiene,” Google said, “and many senders already meet most of these requirements.” For those senders that don’t, both Google and Yahoo have published guidance to make it easier to achieve compliance.
Google’s focus on email authentication is especially relevant given how often email is used in impersonation attacks through spoofed messages. The company says, “As basic as it sounds, it’s still sometimes impossible to verify who an email is from given the web of antiquated and inconsistent systems on the Internet.”
While Google’s 2022 requirement that emails sent to Gmail addresses must have some form of authentication led to a 75% drop in unauthenticated messages, the organization says that there’s much more it needs to do, starting with new requirements for bulk senders. So why should your business care about email authentication? Read on to find out.
The importance of email authentication
There is a security flaw in the way email was first designed: SMTP carries no sender authentication, so nothing in the protocol stops anyone from putting your domain in the From: header of a message. The popularity of phishing attacks shows how readily this is abused. In 2022 alone, a concerning 854,000 domain names were reported for phishing.
This means that email authentication is no longer optional for businesses that want to protect themselves and their stakeholders from cybercriminals.
This email design flaw leads to four main issues for organizations:
- Impersonation
Cybercriminals can send emails that appear to come from your domain, defrauding staff, customers, and suppliers.
- Tampering
Without a signature, an email can be intercepted and altered in transit without the sender or recipient noticing.
- Delivery issues
Legitimate email often lands in Spam, and these false positives cause business disruption.
- Inadequate visibility and audit
Without DMARC reporting, organizations have no visibility into who is sending email from their domains, legitimately or otherwise.
Without effective email authentication protocols in place, you’re putting your business at risk of impersonation that could lead to possibly irreparable financial and reputational damages.
Existing perimeter protection and anti-spam filtering may protect your internal stakeholders from inbound attacks, but it does nothing for your customers, suppliers, and the rest of the world when they receive fraudulent email sent using your domain. Only a published and enforced DMARC policy lets their mail providers reject that mail.
This makes Google and Yahoo’s new requirements a win-win for bulk senders and users, as both will be far more protected against the damages of malicious emails from February 2024.
Let’s look at Google and Yahoo’s recommended email authentication methods in a bit more detail:
- DMARC – A global email authentication standard built on top of SPF and DKIM. A DMARC record is a DNS TXT record at _dmarc.yourdomain that tells receiving servers what to do with mail that fails authentication (p=none to monitor, p=quarantine or p=reject to enforce) and where to send aggregate and failure reports. A message passes DMARC only if SPF or DKIM passes for a domain aligned with the visible From: domain, so at enforcement, receivers that check DMARC stop spoofed mail using your domain, protecting recipients against phishing and impersonation. Once a domain is at DMARC enforcement, a business can also adopt BIMI, which displays its verified brand logo beside authenticated messages in supporting inboxes. BIMI is not an authentication method in itself; it relies on DMARC enforcement (and, for Gmail, a Verified Mark Certificate), but it increases brand recognition and makes impersonation more visible to recipients.
- SPF – A DNS TXT record listing the mail servers (by IP address or include: reference) authorized to send email for your domain. Receivers check the connecting server against the list for the envelope sender (MAIL FROM) domain. On its own, SPF does not check the From: header users see, which is why DMARC alignment matters.
- DKIM – An email signing technology: the sending server signs selected headers and the body with a private key, and publishes the matching public key in DNS under selector._domainkey.yourdomain. Receivers can then verify that the message was signed by the domain in the signature’s d= tag and hasn’t been tampered with in transit.
DMARC ties the two together: a message passes only if SPF or DKIM succeeds for a domain aligned with the From: header, and the policy tells receivers what to do with everything else. Together they safeguard your business against impersonation and the damages related to it.
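To make the alignment rule concrete, here is an added example (not the code of Google, Yahoo or Sendmarc) of the decision a receiving server makes once it has the SPF and DKIM results for a message: parse the DMARC record, test relaxed or strict alignment against the From: domain, and return the disposition the policy asks for. The DNS records and message scenarios are constructed for the example; the organizational domain is taken as the last two labels, which is a simplification of RFC 7489 (a real receiver consults the Public Suffix List), and the pct= tag is parsed but not applied.

```python
"""Model of the DMARC check a receiving MTA performs (RFC 7489 section 6.6).

Added example, not any provider's code. Constructed DNS records for the
domain used below, for context:
  example.com                 TXT "v=spf1 ip4:203.0.113.0/24 include:_spf.esp.invalid -all"
  sel1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=<base64 public key>"
  _dmarc.example.com          TXT (see DMARC_RECORD)
"""

# Constructed policy: strict DKIM alignment, relaxed SPF alignment,
# reject for the main domain, quarantine for subdomains.
DMARC_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
    "rua=mailto:dmarc@example.com"
)


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, filling RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")  # parsed but not applied in this model
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Simplification: real receivers use the Public Suffix List so that
    e.g. 'example.co.uk' is handled correctly.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, mail_from_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    dmarc_result is 'pass' or 'fail'; disposition is the policy action
    ('none', 'quarantine' or 'reject') a receiver should apply.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # sp= overrides p= when the From: domain is a subdomain of the org domain.
    action = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        action = tags["sp"]
    return "fail", action


if __name__ == "__main__":
    # Constructed scenarios: (description, From:, SPF result, MAIL FROM, DKIM result, d=)
    scenarios = [
        ("ESP sends for example.com, DKIM signed by example.com",
         "example.com", "pass", "bounce.esp.invalid", "pass", "example.com"),
        ("spoof: From example.com, SPF passes only for attacker's own domain",
         "example.com", "pass", "attacker.invalid", "none", ""),
        ("news.example.com signed with d=example.com under adkim=s",
         "news.example.com", "fail", "news.example.com", "pass", "example.com"),
    ]
    for desc, *args in scenarios:
        print(f"{desc}: {evaluate_dmarc(DMARC_RECORD, *args)}")
```

The second scenario is the case the bulk sender rules are meant to close: an attacker’s server can pass SPF for its own bounce domain, but with DMARC at p=reject the receiver discards the message because neither identifier aligns with the example.com From: address. The third scenario shows why strict DKIM alignment (adkim=s) needs care when mail is sent from subdomains.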
Leverage a DMARC expert for hassle-free compliance
DMARC is the established standard for securing your business against fraudulent email sent in your name. It lets receiving mail servers check the source of every message claiming your domain and quarantine or reject the ones that fail, so that spoofed email stops reaching inboxes. The details of implementing Google and Yahoo’s new bulk sender guidelines for email authentication may seem overwhelming, but you don’t need to embark on your journey to compliance alone.
Sendmarc is a leader in email security that your business can rely on for fast, seamless, and scalable DMARC implementation. In fact, we guarantee that our product will be implemented, working, and giving full protection from fraudulent email activity in a maximum of 90 days.
If you’d like to see if your domain is vulnerable to impersonation, you can check its score here. Or contact us today to see how we can assist you in meeting the new email authentication requirement easily.