Google and Yahoo have both announced new email authentication requirements that will impact mail delivery. Email senders will need to strongly authenticate their email messages following well-established best practices such as DMARC, SPF, and DKIM. The move aims to help the firms better identify and block malicious messages and declutter users’ inboxes, limiting attackers’ ability to exploit resources without detection. Bulk senders will also be required to enable easy unsubscription and ensure they’re only sending desired email.
The lack of secure email authentication protocols exposes organizations and users to increased risk of business email compromise (BEC) and phishing attacks. In June of 2023, research from cybersecurity firm Centristic found that less than half (47%) of 150 banks incorporated in the UK implement the strictest and recommended level of DMARC and more than 90% of small business firms in the US fail to implement DMARC. This subjects customers, staff, and stakeholders to increased risk of email-based impersonation attacks. Businesses that have not yet implemented DMARC should note that they remain at risk of impersonation by bad actors.
Many bulk senders and nearly all other senders don’t appropriately secure and configure their systems, allowing attackers to easily impersonate email addresses and scam recipients. “To help fix that, we’ve focused on a crucial aspect of email security: the validation that a sender is who they claim to be. As basic as it sounds, it’s still sometimes impossible to verify who an email is from given the web of antiquated and inconsistent systems on the internet,” Google wrote.
In the first quarter of 2024, Gmail and Yahoo Mail started to require senders to strongly authenticate their emails following best practices. “Ultimately, this will close loopholes exploited by attackers that threaten everyone who uses email,” according to Google.
“We firmly believe that users worldwide deserve a more secure email environment, with fewer unwanted messages for an improved overall experience,” said Neil Kumaran, group product manager, Gmail security and trust. “We look forward to working with peers across the industry to boost the adoption of these email standards that benefit everyone.”
No matter who their email provider is, all users deserve the safest, most secure experience possible, commented Marcel Becker, senior director of product at Yahoo. “In the interconnected world of email, that takes all of us working together. Yahoo looks forward to working with Google and the rest of the email community to make these common-sense, high-impact changes the new industry standard.”
Both Google and Yahoo have published guidance on improving email systems.
DMARC, DKIM, and SPF are three email authentication methods. Together, they help prevent spammers, phishers, and other unauthorized parties from sending emails on behalf of a domain they do not own. A domain, roughly speaking, is a website address like "example.com". Domains form the second half of an email address: alice@example.com, for instance.
DKIM and SPF can be compared to a business license or a doctor's medical degree displayed on the wall of an office — they help demonstrate legitimacy.
Meanwhile, DMARC tells mail servers what to do when DKIM or SPF fail, whether that is marking the failing emails as "spam," delivering the emails anyway, or dropping the emails altogether.
Domains that have not set up SPF, DKIM, and DMARC correctly may find that their emails get quarantined as spam or are not delivered to their recipients. They are also in danger of having spammers impersonate them.
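One way to check the setup described above, as an added example that is not part of the original article: the functions below take TXT record strings already retrieved from DNS (SPF at the domain itself, DMARC at `_dmarc.<domain>`) and report common weaknesses. The function names and the sample records are constructed for illustration.

```python
# Constructed sample records for a hypothetical domain (not from the article).
SAMPLE_DMARC = ["v=DMARC1; p=none; pct=50"]
SAMPLE_SPF = ["v=spf1 include:_spf.example.net +all"]

def parse_tags(record):
    """Split a DMARC record ('v=DMARC1; p=none; ...') into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt_records):
    """Return findings for the TXT strings published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: receivers get no instruction for failing mail"]
    if len(dmarc) > 1:
        return ["multiple DMARC records: DMARC processing is not applied"]
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: failing mail is still delivered (monitoring only)")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is marked as spam, not dropped")
    if tags.get("pct", "100") != "100":
        findings.append("pct=%s: policy covers only part of failing mail" % tags["pct"])
    return findings

def audit_spf(txt_records):
    """Return findings for the TXT strings published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records: evaluation returns permerror"]
    terms = spf[0].lower().split()[1:]
    findings = []
    if "+all" in terms or "all" in terms:  # a bare 'all' defaults to '+all'
        findings.append("'+all' authorizes every host on the internet")
    elif "?all" in terms:
        findings.append("'?all' is neutral: unauthorized senders are not flagged")
    elif not any(t in ("-all", "~all") or t.startswith("redirect=") for t in terms):
        findings.append("no terminating 'all' mechanism or redirect")
    return findings
```

An empty list from both functions means none of these weaknesses were found; it does not confirm that DKIM signing is in place, which has to be checked against the selector records the sending service uses.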
These types of misconfiguration errors are extremely common and easy to fix.