Google & Yahoo to Roll Out New Email Authentication & Spam Prevention Requirements in February 2024
Starting early next year, new digital identity validation and spam-prevention requirements for bulk email senders will kick into effect. Are you ready?
Does your organization send out emails to subscribers, customers, or prospects? Does that list include email addresses that end in “@gmail.com,” “@googlemail.com” or “@yahoo.com”? How about Google Workspace email accounts (i.e., those that don’t end in the traditional “@gmail.com”)?
If you answered yes to any of those inquiries, then you should probably be aware of email security changes coming down the pike. Google and Yahoo have teamed up to start rolling out new email authentication and user rights requirements for bulk mail senders who send messages to Gmail account users.
But what do these changes mean for your organization?
Let’s hash it out.
What to Know About the New Requirements
Google announced it would be implementing new bulk email protections for Gmail users starting in February 2024. The requirements span from enhancing message authentication to improving unsubscription capabilities. It’s part of the company’s continuing efforts to fight spam, which is greatly needed when you consider that it reports blocking “15 billion unwanted emails per day.”
This Effort Extends Beyond Google and Is Poised to Impact the Email Community at Large
That’s right — Google isn’t alone in this initiative. According to the company’s official statement: “Keeping email more secure, user friendly and spam-free requires constant collaboration and vigilance from the entire email community.” The announcement shares that other industry partners, including Yahoo, have committed to instituting new policies as well. Yahoo also announced the initiative separately on its own blog.
Since Gmail is a part of Google Workspace, which has more than 3 billion users, it’s easy to see the potential reach of these changes. Because these requirements are built upon open standards, they’re poised to benefit most email recipients — even those using other email service providers — when senders implement the necessary changes.
Who the New Requirements Will Apply To
New requirements apply to all senders who send messages to Gmail account holders. If you’re sending 5,000 or more messages to Yahoo or Gmail email addresses in a day, then heads up — there are additional new requirements that will apply to you.
What the Three New Email Security Requirements Entail
The new changes boil down to three salient points for email senders:
1. Enable Email Authentication
Sending authenticated messages enables email security systems to successfully identify and block billions of scam and malicious emails and eliminate inbox clutter. Google states that, for their emails to be trusted, senders must follow email security best practices. This involves implementing the traditional trifecta of authenticated email delivery:
- Sender Policy Framework (SPF) prevents unauthorized users from sending messages from your domain.
- DomainKeys Identified Mail (DKIM) enables recipient servers to check whether messages received from your domain actually came from your organization.
- Domain-based Message Authentication, Reporting and Conformance (DMARC) provides instructions for what to do with messages that fail SPF and DKIM.
Not sure whether your domain has any of these email security measures enabled? Check your domain using a DNS record-checking tool. For example, here’s what it looks like when we run a check on TheSSLStore.com’s DNS TXT records:
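As an added example (not part of the original article, and not the TheSSLStore.com results), the following Python code applies the kind of checks such a tool runs against SPF and DMARC TXT records. The records are constructed samples for example.com and the function names are assumptions of this example; DKIM is left out because its record lives under a sender-specific selector.

```python
import re

# Constructed TXT records for illustration; not real lookups for any domain.
SAMPLE_TXT = {
    "example.com": ["site-verification=constructed",
                    "v=spf1 include:_spf.example.net mx ip4:192.0.2.0/24 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 +all"],
}
QUERYING = {"include", "a", "mx", "ptr", "exists"}  # mechanisms that cost a DNS query

def check_spf(txt_records):
    """Findings for the SPF policy published among a name's TXT records."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return ["multiple SPF records (permanent error)" if spf else "no SPF record"]
    raw = [t.lower() for t in spf[0].split()[1:]]
    terms = [t.lstrip("+-~?") for t in raw]
    findings = []
    # RFC 7208 caps DNS-querying terms at 10 (nested includes are not followed here).
    lookups = sum(t.startswith("redirect=") or
                  re.split(r"[:/]", t, maxsplit=1)[0] in QUERYING for t in terms)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10")
    if "all" in raw or "+all" in raw:
        findings.append("'+all' authorizes every sender")
    elif "all" not in terms and not any(t.startswith("redirect=") for t in terms):
        findings.append("no 'all' term: unlisted senders get a neutral result")
    return findings

def check_dmarc(txt_records):
    """Findings for the TXT record published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.startswith("v=DMARC1")]
    if len(recs) != 1:
        return ["no usable DMARC record"]
    pairs = (part.partition("=") for part in recs[0].split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitoring only, failing mail is not filtered")
    if not tags.get("rua"):
        findings.append("no rua= address, so no aggregate reports")
    return findings

def audit(domain, zone=SAMPLE_TXT):
    return {"spf": check_spf(zone.get(domain, [])),
            "dmarc": check_dmarc(zone.get("_dmarc." + domain, []))}
```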
Pro Tip: Don’t Just Implement SPF, DKIM and DMARC… Use BIMI and VMCs, Too!
Do you know what would be a great addition to this list of authentication and email security measures? Using brand indicators for message identification (BIMI) and verified mark certificates (VMCs). This potent combination enables organizations to display their verified logos in recipients’ inboxes so users can verify the authenticity of a message before clicking on it.
This would be especially fitting when you consider that Google announced its support of BIMI and VMCs for greater email authentication and brand trust.
Now, we won’t get into all of the details about those security tools here, but you can read more about them in our other blog posts:
- Verified Mark Certificates & the BIMI Standard: Show Your Company Logo in Your Customer’s Inbox
- How to Get a Verified Mark Certificate (VMC — The Ultimate Guide)
- How Can I Brand My Mail? Use a VMC and BIMI
Alright, let’s get back to Google’s list of new bulk email requirements.
2. Make Unsubscribing Easy for Users
No one wants to waste time figuring out how to unsubscribe from unwanted emails. Now, all bulk senders must give more control to email recipients via the unsubscribe option. According to Google’s blog post:
“[…] we’re requiring that large senders give Gmail recipients the ability to unsubscribe from commercial email in one click, and that they process unsubscription requests within two days. We’ve built these requirements on open standards so that once senders implement them, everyone who uses email benefits.”
3. Keep Spam Complaints Lower Than 0.1%
This last requirement is probably the most notable of the bunch. This approach aims to prevent users from being spammed with unwanted or irrelevant messages by implementing a spam rate threshold requirement. Okay, that’s cool, but you may wonder why it’s a big deal. This is because Gmail’s current email sender guidelines recommend keeping spam complaints below 0.1% (no more than 0.3% for “any sustained period of time”), but it’s just that — a recommendation that many senders have ignored.
Starting in February, it’ll no longer be a recommendation; rather, it’ll be an enforced requirement. So, if you want to have any hope of your messages reaching recipients’ inboxes, you’d better get started on meeting these requirements now.
To learn more about these three requirements, check out Google’s requirements for all senders and its additional requirements for sending 5,000 or more messages per day.
Why Bother?
According to Google’s blog post, after implementing other email authentication requirements last year, 75% fewer unauthenticated messages made it into users’ inboxes. But more can be done to combat the ever-increasing number of phishing and malicious messages being sent each day.
If you’re a large email sender, then you should begin implementing changes now ahead of the upcoming holiday season. This way, you don’t get caught off-guard with other end-of-year priorities and allow this change to fall by the wayside.
If you decide you want to up your email security game or have questions about how to get a VMC to display your organization’s verified logo in recipients’ inboxes, get in touch with one of our email security specialists today.