Complying with Google and Yahoo’s DMARC Requirements

March 26, 2024 / Security and Privacy


In a bid to make life harder for spammers and cybercriminals, Google and Yahoo have started requiring businesses to implement a tougher email authentication standard, known as DMARC. From 1st April 2024, non-compliant emails will begin to be rejected, so it is important that businesses sending bulk mail implement DMARC before that date. In this post, we take a detailed look at what the new rules are and what businesses need to do.

An introduction to DMARC

Created to combat spoofing, Domain-based Message Authentication, Reporting & Conformance (DMARC) is a security protocol that lets receiving mail servers verify that email claiming to come from your domain is genuinely authorised by you. Essentially, it is the only widely deployed technology that establishes the trustworthiness of the domain shown in the email’s ‘From’ header. It builds on several other protocols: the Domain Name System (DNS), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). DKIM cryptographically signs your messages so a receiver can verify the content hasn’t been tampered with, while SPF lists the servers and services that are authorised to send your emails. For DMARC to work, DKIM or SPF has to be in place on your email domain and a DMARC record needs to be published in your DNS.

One of the important aspects of DMARC is that it publishes your email domain’s policy where every receiver can read it. This lets receiving mail servers send you reports about how email using your domain moves through their systems, and thus lets you identify spoof or spam emails that are using your domain name.

While DMARC is becoming more popular as a way to protect customers from phishing and to limit the damage that spoofing does to brand reputation, the number of organisations that use it is still small. In May 2020, only 71,000 UK domains had it in place. The new rules from Google and Yahoo will now require DMARC to be implemented on a much wider scale.


Why you need to comply with DMARC

There are several important reasons why businesses need to comply with DMARC, especially those that send significant amounts of emails. A major argument for implementing the protocol is that it helps prevent your company’s domain name from being used in spoofing and phishing attacks. This helps protect your customers from being defrauded or having their devices compromised and ensures the hard-earned reputation of your brand isn’t tarnished.


Beyond security and reputation, DMARC compliance is also important from an operational point of view. Today, a growing number of email service providers use DMARC records to verify that incoming emails are genuine. If your emails don’t comply, they risk being labelled as spam or even being completely rejected. This doesn’t just apply to marketing communications but to all emails, including those that contain important information, like contract renewal reminders, invoices or updated policies.

With major email providers like Google and Yahoo now tightening their policies, compliance is even more important: if you do not comply by the given deadlines, your emails may not reach addresses at these highly popular providers at all.


Google and Yahoo’s requirements

Google and Yahoo introduced stricter rules for emails that fail to meet DMARC standards on February 1, 2024. From April 1, they will begin rejecting an as yet unspecified percentage of non-compliant emails. This means that if half of your emails are compliant and half are not, a percentage of the non-compliant emails will be blocked. This, however, is a phased introduction and the number of non-compliant emails being rejected will increase over time.

There are, effectively, two sets of rules: one applying to all senders and the other to those who send more than 5,000 bulk emails to Gmail or Yahoo addresses per day. All senders will be required to have email authentication, including SPF and DKIM, and they must keep their spam rates low. Google and Yahoo have introduced a new 0.3% maximum spam rate requirement, which means that if more than 0.3% of your emails arriving at their addresses are marked as spam, increasing numbers of them could be rejected or put straight into the spam folder.

Bulk senders must have a DMARC policy as well as SPF and DKIM authentication in place. Additionally, by June 1, 2024, all marketing emails will need to have a one-click unsubscribe option. Google and Yahoo are not the only companies heading in this direction; Apple is currently developing similar rules and it is likely that other major email providers will follow suit sooner rather than later.

Understanding DMARC policies

When you implement a DMARC policy, you instruct receiving email servers on how to handle messages that claim to be from your domain but fail DKIM and SPF verification. There are three policies, set with the ‘p=’ tag of the record, that you can choose from: ‘none’, ‘quarantine’ and ‘reject’.

A ‘none’ policy simply tells the inbound server not to take any action when it receives an unverified email. ‘Quarantine’ advises the recipient server to quarantine these emails, usually resulting in them being sent to the spam folder. ‘Reject’, meanwhile, advises that these emails are blocked completely. In all cases, you should receive an emailed report from the recipient server about the failed verification.

Google and Yahoo only require a DMARC policy to be in place; they do not stipulate which of these three options you should use. The best option to begin with is ‘none’, as this lets you monitor your email flows through the reports before deciding whether to adopt a stricter policy later.


Authentication alignment

To meet Google and Yahoo’s guidelines, the domain in your email’s visible ‘From’ header must align with the domain authenticated by either your SPF record or your DKIM signature. This double check is what ties the authentication result to the address the recipient actually sees. Ideally, you would align with both SPF and DKIM, but alignment with one of them is all that is required for compliance at present.

Challenges and considerations

Complying with Google and Yahoo’s DMARC rules by April 1st may be a challenge. To implement DMARC, you’ll need DKIM or SPF to be in place on your email domain and you’ll need to publish a DMARC record as a TXT record in your DNS. If you lack the in-house experience to put this in place, there are a growing number of online tools you can use to help, as well as professional consultants who can implement it for you.
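To make the policy, alignment and record sections above concrete, here is an added example (not code from the original post) that parses a constructed DMARC TXT record and works out the disposition a receiving server would apply. It assumes relaxed alignment by default and the standard aspf/adkim tags from the DMARC specification, which the post does not mention; example.com is a placeholder domain and the organisational-domain lookup is simplified.

```python
from dataclasses import dataclass

# Constructed sample record, as it would be published in the TXT record
# at _dmarc.example.com (example.com is a placeholder domain)
SAMPLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=none; ...' into a tag dict; reject anything else."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Simplified organisational domain: the last two labels. Real receivers
    # consult the Public Suffix List, so e.g. co.uk domains need more care.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class AuthResults:
    from_domain: str   # domain in the visible From: header
    spf_domain: str    # MAIL FROM domain that passed SPF, "" if SPF did not pass
    dkim_domain: str   # d= of a DKIM signature that verified, "" if none did

def dmarc_disposition(record: str, r: AuthResults) -> str:
    """Return 'pass', or the p= action ('none', 'quarantine', 'reject') on failure."""
    tags = parse_dmarc(record)
    spf_ok = bool(r.spf_domain) and aligned(r.from_domain, r.spf_domain, tags.get("aspf", "r"))
    dkim_ok = bool(r.dkim_domain) and aligned(r.from_domain, r.dkim_domain, tags.get("adkim", "r"))
    # DMARC passes if at least one authenticated identifier aligns with From:
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

if __name__ == "__main__":
    legit = AuthResults("example.com", "example.com", "")
    forged = AuthResults("example.com", "other.example", "")
    print(dmarc_disposition(SAMPLE_RECORD, legit))    # pass
    print(dmarc_disposition(SAMPLE_RECORD, forged))   # quarantine
```

Running it with a ‘p=none’ record returns "none" for the failing case, which is why that policy is the safe starting point: you still receive the reports but nothing is blocked.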

Conclusion

To tackle the rise in spoofing and phishing, Google and Yahoo are tightening their rules on email verification. They require all companies that send emails to their servers to have either SPF or DKIM in place and to keep spam rates below 0.3%. Businesses that send over 5,000 emails a day are also required to have a DMARC policy. Marketing emails must also have a one-click unsubscribe link. From 1st April 2024, the companies will begin to block emails that fail these verification measures. Hopefully, from reading this post, you’ll understand the new rules being introduced, what they mean for your company and what you will need to do to comply with them.


Author

  • Niraj Chhajed

    I'm an SEO and SMM Specialist with a passion for sharing insights on website hosting, development, and technology to help businesses thrive online.
