How to comply with Google's new email sender guidelines

As we previously reported, Google and Yahoo both announced updated requirements for sending more than 5000 messages daily to Gmail and Yahoo addresses, respectively. These new standards will go into effect on February 1st, 2024 and will include domain authentication.

Authentication is typically done by setting up SPF records and DKIM; most email marketing senders have already set this up. Now, larger senders will need to fully align DMARC to both SPF and DKIM to ensure authentication.

The bottom line

Our biggest Paubox API and Paubox Marketing customers need DMARC next month. You must have a DMARC policy in your DNS. However, a monitor-mode policy of p=none will suffice for Google and Yahoo. Your messages must pass DMARC.

Who is affected?

All bulk mail senders of any size must set up SPF or DKIM email authentication for your domain. As a Paubox customer, you'll already have this set up from verifying your domain, so no action is needed.

Additional rules apply to all Paubox Marketing customers who send 5000 or more emails on the same day.

Related: HIPAA compliant email marketing: What you need to know

Why it matters

Google and Yahoo are implementing these new standards to reduce phishing, spam, and malware transmitted through email. 

Google says that "bulk senders who don't meet sender requirements will start getting temporary errors (with error codes) on a small percentage of their non-compliant email traffic." 

By April 2024, Google will increase the rate of rejected non-compliant emails; by June 2024, large senders must meet all requirements to ensure continued delivery. 

What they're saying

According to Neil Kumaran, Google's Group Product Manager, Gmail Security & Trust, "Many bulk senders don't appropriately secure and configure their systems, allowing attackers to easily hide in their midst. To help fix that, we've focused on a crucial aspect of email security: the validation that a sender is who they claim to be."

Beyond complying with Google's standards, Elena Yau, Director of Information Technology at Five Acres, says that setting up DKIM and SPF records along with DMARC alignment is part of an effective strategy to mitigate risks.

Elena explains that "Cybersecurity is a community effort. It is an endeavor larger than any one person, team, company, or organization because vulnerabilities of one are used to footprint and exploit another. When one cyberattack is over, it has only begun for the next victim.

"I believe that the lowest hanging fruit to enhance cybersecurity globally is email since that is a common denominator across all organizations."

She recommends that "all organizations review their SPF, DKIM, and DMARC and set up policies like Paubox’s ExecProtect to prevent spoofing authorities in their organization that deals with personnel records, financials, internal operations and has authorities for approval."

What changed

While setting up authentication was previously considered a best practice to avoid landing in the junk folder, these new rules require senders to use SPF records, DKIM, and DMARC to authenticate their emails. 

The main requirements are:

• Set up SPF and DKIM email authentication for your domain.
• Senders must keep their spam rate below 0.3%.
• A one-click unsubscribe link must be included in emails. Paubox has you covered here.
• The domain in the sender's From: header must be aligned with either the SPF domain or the DKIM domain. This is required to pass DMARC alignment.

How to set up DMARC

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It's an email validation system designed to protect your domain from being used for email spoofing and phishing. It builds on two existing mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), to verify the authenticity of the sender's domain.

1. SPF allows the domain owner to specify which mail servers are permitted to send email on behalf of their domain.
2. DKIM provides an encryption key and digital signature that verifies that the email message was not faked or altered.
3. DMARC ties the first two together by requiring both SPF and DKIM to pass. It also allows the domain owner to set a policy for handling emails that fail these checks (e.g., reject the message, quarantine it, or do nothing). It provides a way for the email receiver to report back to the sender about messages that pass or fail.

To comply with the new sender rules, set up DMARC by publishing a DMARC record for your domain. To pass DMARC authentication, the authenticating domain must be the same domain in the message From: header. 

A best practice, according to Elena Yau, is "using -all at the end of the SPF to hard fail any unapproved entities. It is amazing how often I see a soft fail ~all that allows spoofing from unknown domains. Of course, SPF cannot operate alone and would also need a strong pairing of DKIM and DMARC. "

Here's how to set up DMARC:

1. First, set up DKIM and SPF. This should be done 48 hours before turning on DMARC.
2. Define your DMARC record. A DMARC policy of 'none' is acceptable to comply with the new standards.
3. Log in to your domain host (e.g., GoDaddy) and navigate to your domain's DNS settings.
4. Add a DNS TXT record. 
5. Save your changes.
6. Verify your DMARC TXT record. You can do this using dmarcian's user-friendly DMARC Record Checker.