Hopefully you're aware that Google and Yahoo already rolled out their new email authentication requirements for those sending email to their users in February, and we at Fortra commend this push to require email authentication as a huge step in the ongoing fight against spoofing and abuse. But if you didn't implement their requirements, is it too late?
Well, the truth is that certain emails (many of which are essential to your business!) may no longer be landing in your recipients' mailboxes. Obviously, this could prove detrimental to organizations relying on email for invoices, marketing, and other business transactions.
But before running for the hills, here's a bit of reassurance – if you don’t have Domain-based Message Authentication, Reporting & Conformance (DMARC) in place already, there are still some steps you can take before your email comes to a grinding halt! And this is where Fortra's Agari DMARC Protection can help.
But It's 2024–Are You Saying These Providers Are STILL Keeping Score?
These requirements should not come as a surprise, as Google and Yahoo have been talking about “no auth, no entry” for several years. Having Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC policies set up protects your email domains from spoofing attacks and fraud, while also increasing your email deliverability. Perhaps you are feeling confident about all the specific requirements that have been applied to those domains sending 5,000 or more messages a day. Or maybe with February 2024 in the rearview, your organization is still not fully prepared and it's keeping you up at night. Luckily, there is a rollout period for enforcing the guidelines, and here are the details*:
- From February - March 2024, bulk senders who haven't met sender requirements will start getting temporary errors (with error codes) on a small percentage of their non-compliant email traffic. These are basically a red flag to help identify which emails don’t meet the guidelines so they can resolve them before they cause a total halt.
- In April, Google will start rejecting a certain percentage of non-compliant email traffic and will continue to gradually increase the rejection rate. (For example, if 75% of a sender’s traffic meets the requirements, Google will start rejecting a percentage of the remaining 25% of traffic that is out of compliance.)
- Finally, bulk senders have until June 1, 2024 to implement "one-click unsubscribe" in all commercial, promotional messages.
AAH, What If I Don't Know What All of These Terms and Acronyms Mean? Fortra Is Here to Help!
SPF and DKIM for Your Domain
SPF is an email authentication standard used to identify the email servers that are authorized to send email for a given domain (the envelope domain). DKIM is an email authentication tool that uses cryptographic signatures to authenticate that email content was, in fact, signed by a given signing domain and the content has not been changed. DKIM identifies if emails have been modified during transit.
For more on why having both is best, read DKIM vs. SPF.
DMARC for Your Domain (Record Can Be p=none)
Having a DMARC policy where p=none is the lowest standard by which a policy can be set. It means, if an email fails email authentication, nothing needs to be done to the email. However, DMARC reporting will become critical to senders to understand email authentication results and how to handle emails going forward. Importantly, it can give insights into SPF and DKIM including:
- SPF and DKIM results, even showing messages without SPF or DKIM
- SPF and DKIM alignment problems with DMARC
- Always monitor your DMARC reports for changes
Fortra's Senior Director of Product Management, shows how to account for these new requirements in Google and Yahoo.
Must Pass DMARC Alignment!
DMARC ties together the results of SPF and DKIM, then adds a layer of spoofing protection called “alignment”. DMARC alignment requires that the user visible From header domain is organizationally related to either the DKIM signing domain or the envelope domain used by SPF.
But even the savviest DMARC customers may second guess themselves on this one. Many organizations, especially those sending 5,000 or more messages a day, may use third-party vendors for mail sends, such as marketing campaigns or invoices sent on behalf of finance. Whatever the reason, make sure you are aligned with your vendors. If your From address is at companyabc.com, your DKIM signing domain or envelope From domain must be companyabc.com or a subdomain of it.
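The alignment rule above, worked through for the companyabc.com case as an added example (not Fortra's, Google's or Yahoo's code). It also covers strict alignment (`aspf=s` / `adkim=s`), which the text does not discuss. `PUBLIC_SUFFIXES` is a small constructed stand-in for the Public Suffix List, and the `example.net` vendor domains are constructed.

```python
# Added example: DMARC identifier alignment, relaxed (default) and strict.
# PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def org_domain(domain):
    """Organizational domain: the longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # Longest suffix is found first; keep the label to its left.
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: assume a one-label TLD


def aligned(from_domain, auth_domain, strict=False):
    """Strict needs an exact match; relaxed compares organizational domains."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)


def dmarc_pass(from_domain, spf_result, envelope_domain, dkim_sigs,
               aspf="r", adkim="r"):
    """dkim_sigs is a list of (result, d= domain) pairs.

    DMARC passes when at least one mechanism both passes and aligns
    with the domain in the visible From header.
    """
    spf_ok = (spf_result == "pass"
              and aligned(from_domain, envelope_domain, aspf == "s"))
    dkim_ok = any(result == "pass" and aligned(from_domain, d, adkim == "s")
                  for result, d in dkim_sigs)
    return spf_ok or dkim_ok


if __name__ == "__main__":
    # Vendor authenticates only as itself: SPF and DKIM pass, DMARC fails.
    print(dmarc_pass("companyabc.com", "pass", "bounce.esp.example.net",
                     [("pass", "esp.example.net")]))
    # Vendor signs with a delegated subdomain key: DMARC passes.
    print(dmarc_pass("companyabc.com", "pass", "bounce.esp.example.net",
                     [("pass", "mail.companyabc.com")]))
```

The first case is the common vendor failure: SPF and DKIM both pass, but for the vendor's own domain, so nothing aligns with the From header.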
Valid Forward and Reverse DNS
Your sending IP address must have valid reverse DNS (PTR record) configured. Additionally, the hostname in the PTR record must resolve back to the sending IP address.
Spam Rates Need to Be Below 0.3%
Organizations need to register, monitor, and know their numbers. If more than 0.3% of your emails are viewed as spam by recipients, it is likely Google will treat your domain negatively.
Don't Spoof Gmail.com!
If your organization is spoofing Gmail, your email sends may be in trouble. This seems like a no-brainer. However, this happens more often than one might think.
If You Forward Mail, Sign with ARC
ARC is an email authentication standard designed to address the challenges that arise when emails pass through multiple intermediaries, such as mailing lists or forwarding services. In traditional email authentication systems like SPF, DKIM, and DMARC, the original authentication information may get modified as emails traverse these intermediaries, leading to potential authentication failures.
When ARC is implemented by email forwarders and mailing lists, it allows an email receiver at the email’s final destination to understand whether the originating sender legitimately authenticated that email, even though intermediate forwards may have nullified the original authentication.
"One-Click Unsubscribe" for Subscribed Messages
The one-click unsubscribe may not be a complicated one to understand, but it is required. A one-click unsubscribe takes away any additional steps for the email recipient. They simply click the button next to the sender’s address and are removed from the mail list.
*For the most up-to-date details on these requirements or the DMARC compliance timeline, please visit Google's FAQs here.
Don't Have DMARC Protection?
There’s no denying, a DMARC policy is no longer a nice-to-have, it's a MUST-HAVE for the health of your business. Fortra’s Agari DMARC Protection provides all the tools needed to keep emails moving and your organization compliant.
Already Have DMARC Protection?
No matter where you are in the DMARC journey, we can help. Contact your Fortra representative now to review your DMARC reporting to make sure you are adhering to Google's and Yahoo's latest requirements.