New guidelines announced by Google and Yahoo to boost email security and delivery.
In response to the growing danger of cyber attacks via email, Google and Yahoo have revealed their intention to introduce stricter email authentication requirements from 2024 onwards. The fresh standards will necessitate that senders demonstrate the legitimacy of their emails and ensure that they have not been tampered with or forged.
From 1 February 2024, senders to Gmail and Yahoo email addresses will need to meet a new set of mandatory guidelines for email delivery.
Organisations that send over 5,000 emails per day will need to comply with the new requirements. Several measures will need to be implemented so that their emails reach the inboxes of Gmail and Yahoo recipients rather than being blocked or marked as spam.
Which accounts are affected?
Any Google or Yahoo email address will be affected. A Google account is one of these account types:
@gmail.com, @googlemail.com and any work or school account on Google Workspace.
All Yahoo email accounts ending in @yahoo.com, as well as older Yahoo accounts such as @rocketmail.com.
What are the new requirements?
Set up SPF and DKIM email authentication for your domain.
Set up DMARC email authentication for your sending domain with a policy of at least p=none. Google recommends setting up DMARC reporting so that you can monitor emails sent from your domain, as well as emails that only appear to be sent from your domain.
Set up one-click unsubscribe and include a clearly visible unsubscribe link in the message body.
Ensure sending domains and IPs have PTR records.
Format messages according to RFC 5322.
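The two message-level requirements above (one-click unsubscribe and RFC 5322 formatting) are the ones a sending application controls directly. The following is an added example, not code from the original article or from ACDS: it builds a message with Python's standard email library, adds the List-Unsubscribe and List-Unsubscribe-Post headers defined by RFC 8058 for one-click unsubscribe, and runs a small checklist over the result. The sender, recipient and unsubscribe URL are constructed placeholder values.

```python
"""Added example: build and check a message carrying the RFC 5322 headers
and the RFC 8058 one-click unsubscribe headers the guidelines ask for."""
from email import policy
from email.message import EmailMessage
from email.utils import formatdate, make_msgid


def build_message(sender, recipient, subject, body, unsubscribe_url):
    """Return an EmailMessage that meets the formatting checklist below."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    # RFC 5322 makes Date and From mandatory; Message-ID should be present too
    msg["Date"] = formatdate(localtime=False)
    msg["Message-ID"] = make_msgid(domain=sender.split("@")[-1])
    # RFC 8058 one-click unsubscribe: an https URL in List-Unsubscribe plus
    # the List-Unsubscribe-Post header telling the receiver a POST is enough
    msg["List-Unsubscribe"] = f"<{unsubscribe_url}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    # the guidelines also want a clearly visible unsubscribe link in the body
    msg.set_content(f"{body}\n\nUnsubscribe: {unsubscribe_url}\n")
    return msg


def check_message(msg):
    """Return a list of problems; an empty list means the checklist passed."""
    problems = []
    for header in ("From", "To", "Date", "Message-ID"):
        if header not in msg:
            problems.append(f"missing {header} header")
    if "https://" not in msg.get("List-Unsubscribe", ""):
        problems.append("List-Unsubscribe must carry an https URL for one-click")
    if msg.get("List-Unsubscribe-Post") != "List-Unsubscribe=One-Click":
        problems.append("missing List-Unsubscribe-Post: List-Unsubscribe=One-Click")
    if "unsubscribe" not in msg.get_content().lower():
        problems.append("no visible unsubscribe link in the message body")
    return problems


if __name__ == "__main__":
    # constructed sample values for a stand-alone run
    message = build_message(
        "news@example.com",
        "recipient@example.net",
        "Monthly update",
        "Hello from the constructed example sender.",
        "https://example.com/unsubscribe/abc123",  # placeholder URL
    )
    print(message.as_string())
    print("problems:", check_message(message) or "none")
```

The check is deliberately a sender-side preflight: it catches a missing header before the message leaves, which is cheaper than finding out from a bounce or a spam-folder placement.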
What are SPF, DKIM and DMARC?
SPF
SPF stands for Sender Policy Framework, and it allows you to publish the IP addresses that should be trusted to send email for your domain. We can imagine SPF as a virtual security guard for your email: you give the guard an approved list of ‘guests’, meaning the servers that are allowed to send emails on your behalf. If an email is sent from an IP address not on the list, it is likely to be flagged as suspicious. Find out how to create and iterate an SPF record here.
DKIM
DKIM stands for DomainKeys Identified Mail and allows you to cryptographically sign the emails you send so that receivers can verify they come from your domain. Essentially, DKIM is like putting a digital seal of authenticity on your email; it is a signature that can only be created by you and your email server. Once the email reaches its destination, the receiver can check the ‘seal’ to make sure that it really is from who it says it is and that it hasn’t been tampered with along the way. Find out how to create and manage your DKIM record here.
DMARC
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It allows your organisation to publish a policy telling receiving email servers what to do with emails that fail the SPF or DKIM checks, including discarding emails that cannot be trusted. We can think of DMARC as the boss overseeing SPF and DKIM: once those checks have run, DMARC tells the receiving server whether to accept the email, mark it as suspicious or reject it outright.
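To make the ‘guest list’ and ‘boss’ analogies concrete, here is an added example (not code from the original article or from ACDS) that covers both the SPF and DMARC items in the requirements list above and the explanations in this section. It evaluates an SPF record against a sending IP address the way a receiving server would for the ip4, ip6, include and all mechanisms, and checks a DMARC record for the minimum the guidelines ask for (v=DMARC1 with a valid p= policy, p=none being the floor, plus a reporting address). The DNS records are constructed samples for the hypothetical domain example.com and are embedded inline; a real check would fetch them with a DNS lookup.

```python
"""Added example: evaluate an SPF record and check a DMARC record offline."""
import ipaddress

# Constructed DNS TXT records for the hypothetical domain example.com
# (assumption: a live check would fetch these with a DNS query).
SAMPLE_RECORDS = {
    "example.com": (
        "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 "
        "include:_spf.mailprovider.example -all"
    ),
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com": (
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"
    ),
}

# SPF qualifiers: the prefix on a mechanism decides the result when it matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, records, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none'
    or 'permerror') for sender_ip against the record published for domain.

    Only ip4, ip6, include and all are evaluated, because they need no
    further DNS lookups; a, mx, ptr and exists need live DNS and are
    reported as 'permerror' in this offline simplification.
    """
    if depth > 10:
        return "permerror"  # RFC 7208 limits lookups per evaluation to 10
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF record: the domain publishes no guest list
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all; -all means 'fail'
        if name in ("ip4", "ip6"):
            # an address without a prefix length means that single address
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the referenced domain's record passes
            if evaluate_spf(value, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # nothing matched and no explicit 'all' mechanism


def parse_dmarc(record):
    """Parse a DMARC TXT record of the form 'tag=value; tag=value' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, _, value = part.partition("=")
            tags[tag.strip()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of problems; an empty list means the record meets the
    guideline minimum (v=DMARC1, a valid policy of at least p=none) and
    names an address for aggregate reports."""
    tags = parse_dmarc(record)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine or reject (p=none is the minimum)")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("no rua= address, so aggregate reports cannot be delivered")
    return problems


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(ip, "->", evaluate_spf("example.com", ip, SAMPLE_RECORDS))
    print("DMARC problems:", check_dmarc(SAMPLE_RECORDS["_dmarc.example.com"]) or "none")
```

Note how 198.51.100.10 passes only because the include: mechanism pulls in the mail provider's record, and how 192.0.2.1 falls through to -all and fails. The DMARC check treats p=none as sufficient, matching the guideline minimum, but a p=none policy only reports; it does not tell receivers to quarantine or reject spoofed mail.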
Why are these measures being put in place?
It's all about keeping your email safe and secure and reducing the number of spam emails that end up in the user’s inbox. Implementing email authentication measures should be considered best practice for all organisations, big and small. Without implementing these guidelines, emails sent from large organisations might get sent to junk folders or even not get delivered at all.
Large organisations are a popular target for cybercriminals when it comes to spoofing. Malicious actors often choose to spoof large entities, such as Royal Mail and PayPal, because most users regularly receive emails from them. As a result, emails impersonating these entities are the most likely to succeed, since recipients are often expecting an email from that company. Implementing measures to prevent spoofing will significantly reduce the amount of spam people receive from malicious actors pretending to be these larger organisations. This will give users more confidence that the emails they receive are legitimate and increase trust.
FAQs
How do these new guidelines from Google and Yahoo specifically aim to mitigate the risk of cyber attacks via email? Are there any particular types of threats or vulnerabilities that these guidelines are designed to address?
Answer: The new guidelines introduced by Google and Yahoo are aimed at enhancing email security and mitigating the risks associated with cyber attacks via email. These guidelines require senders to demonstrate the legitimacy of their emails and ensure they haven't been tampered with or forged. Specifically, measures such as SPF, DKIM, and DMARC authentication protocols are being mandated to authenticate the sender's identity and prevent unauthorised emails from reaching recipients' inboxes. By implementing these stricter authentication requirements, Google and Yahoo aim to reduce the likelihood of phishing attempts, spoofing, and other malicious activities conducted through email.
Will these new guidelines have any impact on email deliverability or security for recipients using email services other than Gmail and Yahoo? In other words, are these changes likely to become industry standards that affect email systems beyond just Google and Yahoo?
Answer: While the immediate impact of these guidelines is directly felt by users of Gmail and Yahoo email services, their broader implications could influence email systems beyond these platforms. As Google and Yahoo are major players in the email service provider space, their adoption of stricter email authentication standards may set a precedent for industry-wide adoption. Therefore, it's possible that these changes could eventually become industry standards, affecting email deliverability and security for users across various email platforms.
Are there any potential challenges or complications that organisations might encounter when implementing the new requirements, especially for those who are not familiar with SPF, DKIM, and DMARC protocols? What resources or support will be available to assist organisations in meeting these requirements?
Answer: Setting up SPF, DKIM, and DMARC policies can be a daunting task. However, at ACDS, our skilled technical team can help you with the entire process. Additionally, Google recommends using a reporting tool to monitor sent emails and prevent any unauthorised use of your domain. Our tool, Email Guard, guarantees that your organisation is equipped with SPF, DKIM, and DMARC records and provides useful reporting and insights on a user-friendly platform.
What are the next steps for affected organisations?
If you’re an organisation that sends over 5,000 emails a day to Gmail and Yahoo accounts, then these measures will need to be put into effect by 1 February 2024. To be as secure as possible, the implementation process should begin imminently so that by the time they are mandatory, your organisation has a strong framework.
Contact us at ACDS today!
ACDS can help your organisation put these new requirements in place. Our solution is cost-effective and easy to deploy. Want to find out more about how we can help your company? Contact a cyber security expert today.