Google & Yahoo to Roll Out New Email Authentication & Spam Prevention Requirements in February 2024

Starting early next year, new digital identity validation and spam-prevention requirements for bulk email senders will take effect. Are you ready?

Does your organization send out emails to subscribers, customers, or prospects? Does that list include email addresses that end in “@gmail.com,” “@googlemail.com” or “@yahoo.com”? How about Google Workspace email accounts (i.e., those that don’t end in the traditional “@gmail.com”)?

If you answered yes to any of those inquiries, then you should probably be aware of email security changes coming down the pike. Google and Yahoo have teamed up to start rolling out new email authentication and user rights requirements for bulk mail senders who send messages to Gmail account users.

But what do these changes mean for your organization?

Let’s hash it out.

What to Know About the New Requirements

Google announced it would be implementing new bulk email protections for Gmail users starting in February 2024. The requirements range from enhancing message authentication to improving unsubscription capabilities. It’s part of the company’s continuing efforts to fight spam, which is greatly needed when you consider that it reports blocking “15 billion unwanted emails per day.”

This Effort Extends Beyond Google and Is Poised to Impact the Email Community at Large

That’s right — Google isn’t alone in this initiative. According to the company’s official statement: “Keeping email more secure, user friendly and spam-free requires constant collaboration and vigilance from the entire email community.” The announcement shares that other industry partners, including Yahoo, have committed to instituting new policies as well. Yahoo also announced the initiative separately on its own blog.

Since Gmail is a part of Google Workspace, which has more than 3 billion users, it’s easy to see the potential reach of these changes. Because these requirements are built upon open standards, they’re poised to benefit most email recipients — even those using other email service providers — when senders implement the necessary changes.

Who the New Requirements Will Apply To

New requirements apply to all senders who send messages to Gmail account holders. If you’re sending 5,000 or more messages to Yahoo or Gmail email addresses in a day, then heads up — there are additional new requirements that will apply to you.

What the Three New Email Security Requirements Entail

The new changes boil down to three salient points for email senders:

1. Enable Email Authentication

Sending authenticated messages enables email security systems to successfully identify and block billions of scam and malicious emails and eliminate inbox clutter. Google states that for your emails to be trusted, senders must follow email security best practices. This involves implementing the traditional trifecta of authenticated email delivery:

  1. Sender Policy Framework (SPF) prevents unauthorized users from sending messages from your domain.
  2. DomainKeys Identified Mail (DKIM) enables recipient servers to check whether messages received from your domain actually came from your organization.
  3. Domain-based Message Authentication, Reporting and Conformance (DMARC) provides instructions for what to do with messages that fail SPF and DKIM.

Not sure whether your domain has any of these email security measures enabled? Check your domain using a DNS record-checking tool. For example, here’s what it looked like when we ran a check on TheSSLStore.com’s DNS TXT records:

Image caption: An example screenshot we captured when checking TheSSLstore.com’s SPF, DKIM, and DMARC records using DMARCian.
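The same kind of check can be scripted. The following is an added example, not part of the original article or any checker tool's code: it audits TXT answers for the three records listed above and flags weak settings. The domains, the DKIM selector "s1" and every record value are constructed, and in practice the TXT strings would come from your own DNS lookups.

```python
# Added example: audit TXT answers for the three records named above.
# All DNS data below is constructed; names and the selector "s1" are assumptions.

def parse_tags(record):
    """Split the 'tag=value; tag=value' syntax used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_domain(domain, txt, dkim_selector):
    """txt maps a DNS name to the list of TXT strings a resolver returned for it."""
    findings = {}

    # SPF: one "v=spf1" record at the domain itself; several is a permanent error.
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings["spf"] = "multiple records" if spf else "missing"
    else:
        terms = spf[0].lower().split()[1:]
        findings["spf"] = "permissive (+all)" if {"all", "+all"} & set(terms) else "ok"

    # DKIM: public key at <selector>._domainkey.<domain>; an empty p= is a revoked key.
    keys = [parse_tags(r) for r in txt.get(f"{dkim_selector}._domainkey.{domain}", [])]
    keys = [t for t in keys if "p" in t]
    findings["dkim"] = "missing" if not keys else ("ok" if keys[0]["p"] else "revoked key")

    # DMARC: policy at _dmarc.<domain>; p=none reports but never blocks.
    recs = [parse_tags(r) for r in txt.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    policy = recs[0].get("p", "").lower() if recs else None
    if policy is None:
        findings["dmarc"] = "missing"
    elif policy in ("quarantine", "reject"):
        findings["dmarc"] = f"enforcing (p={policy})"
    else:
        findings["dmarc"] = "monitor-only (p=none)" if policy == "none" else "invalid policy"
    return findings

SAMPLE_TXT = {  # constructed records, not real DNS data
    "example.com": ["v=spf1 include:_spf.example.net ~all", "site-verification=constructed"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "example.org": ["v=spf1 +all"],
}

if __name__ == "__main__":
    for name in ("example.com", "example.org"):
        print(name, audit_domain(name, SAMPLE_TXT, "s1"))
```

The audit only inspects what is published in DNS; it does not confirm that outgoing mail is actually signed or aligned with the domain in the From address.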

Pro Tip: Don’t Just Implement SPF, DKIM and DMARC… Use BIMI and VMCs, Too!

An example of how verified logos display when an organization pairs BIMI with a verified mark certificate (VMC)

Do you know what would be a great addition to this list of authentication and email security measures? Using brand indicators for message identification (BIMI) and verified mark certificates (VMCs). This potent combination enables organizations to display their verified logos in recipients’ inboxes so users can verify the authenticity of a message before clicking on it.

This would be especially fitting when you consider that Google announced its support of BIMI and VMCs for greater email authentication and brand trust.

Now, we won’t get into all of the details about those security tools here, but you can read more about them in our other blog posts:

Alright, let’s get back to Google’s list of new bulk email requirements.

2. Make Unsubscribing Easy for Users

No one wants to waste time figuring out how to unsubscribe from unwanted emails. Now, all bulk senders must give more control to email recipients via the unsubscribe option. According to Google’s blog post:

“[…] we’re requiring that large senders give Gmail recipients the ability to unsubscribe from commercial email in one click, and that they process unsubscription requests within two days. We’ve built these requirements on open standards so that once senders implement them, everyone who uses email benefits.”
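The quote does not name the open standard; this added example (not from the original article or from Google) assumes it is RFC 8058, which defines one-click unsubscribe through the List-Unsubscribe and List-Unsubscribe-Post headers and requires both to be covered by a DKIM signature. The two messages are constructed samples.

```python
# Added example: check a bulk message for one-click unsubscribe headers (RFC 8058).
import re
from email import message_from_string

def one_click_unsubscribe_issues(raw_message):
    """Return a list of problems; an empty list means the headers look compliant."""
    msg = message_from_string(raw_message)
    issues = []

    # The one-click POST target must be an HTTPS URI; mailto: alone is not enough.
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.strip().lower().startswith("https://") for u in uris):
        issues.append("List-Unsubscribe has no HTTPS URI")

    # This header tells the mailbox provider it may POST without user interaction.
    if (msg.get("List-Unsubscribe-Post") or "").strip() != "List-Unsubscribe=One-Click":
        issues.append("List-Unsubscribe-Post is not List-Unsubscribe=One-Click")

    # Both headers must be listed in the h= tag of a DKIM signature.
    signed = set()
    for sig in msg.get_all("DKIM-Signature", []):
        match = re.search(r"(?:^|;)\s*h\s*=([^;]+)", sig)
        if match:
            signed |= {h.strip().lower() for h in match.group(1).split(":")}
    for name in ("list-unsubscribe", "list-unsubscribe-post"):
        if name not in signed:
            issues.append(f"{name} is not covered by a DKIM signature")
    return issues

def build(headers):  # helper for the constructed samples below
    return "\n".join(headers) + "\n\nbody\n"

COMPLIANT = build([
    "From: news@example.com",
    "Subject: Weekly update",
    "List-Unsubscribe: <mailto:unsub@example.com>, <https://example.com/u?t=constructed>",
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click",
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1;",
    " h=from:subject:list-unsubscribe:list-unsubscribe-post; bh=constructed; b=constructed",
])
MAILTO_ONLY = build([
    "From: news@example.com",
    "Subject: Weekly update",
    "List-Unsubscribe: <mailto:unsub@example.com>",
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1; h=from:subject; bh=constructed; b=constructed",
])
```

The check confirms header presence and h= coverage only; it does not verify the DKIM signature itself.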

3. Keep Spam Complaints Lower Than 0.1%

This last requirement is probably the most notable of the bunch. This approach aims to prevent users from being spammed with unwanted or irrelevant messages by implementing a spam rate threshold requirement. Okay, that’s cool, but you may wonder why it’s a big deal. This is because Gmail’s current email sender guidelines recommend keeping spam complaints below 0.1% (no more than 0.3% for “any sustained period of time”), but it’s just that — a recommendation that many senders have ignored.

Starting in February, it’ll no longer be a recommendation; rather, it’ll be an enforced requirement. So, if you want to have any hope of your messages reaching recipients’ inboxes, you’d better get started on meeting these requirements now.

To learn more about these three requirements, check out Google’s requirements for all senders and its additional requirements for sending 5,000 or more messages per day.

Why Bother?

According to Google’s blog post, after implementing other email authentication requirements last year, 75% fewer unauthenticated messages made it into users’ inboxes. But more can be done to combat the ever-increasing number of phishing and malicious messages being sent each day.

If you’re a large email sender, then you should begin implementing changes now, ahead of the upcoming holiday season. This way, the change doesn’t fall by the wayside among other end-of-year priorities and catch you off guard.

If you decide you want to up your email security game or have questions about how to get a VMC to display your organization’s verified logo in recipients’ inboxes, get in touch with one of our email security specialists today.

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.