Starting February 2024, long established email authentication best practices will become a requirement. It’s as simple as that, folks. This news may be alarming to you for a variety of reasons; you may have previously interpreted these guidelines as being optional or didn’t understand the related technical complexities. Or maybe you trusted that your email service provider or IT department was taking care of this for you. Whichever camp you may be in, the responsibility is yours to ensure you are compliant and have the proper visibility to maintain that favorable status from that point forward. As abuse continues to mature, so must the controls that have been implemented to secure the email channel. We applaud Google and Yahoo for ushering in this new reality in much the same way that dmarcian has always taken a standards and best practices approach. Our mission has been to spread DMARC across the
Lots and lots of holidays, events and special days are approaching. Thanksgiving. Black Friday. Small Business Saturday. Cyber Monday. Giving Tuesday. Christmas. Kwanzaa. Hanukkah. (And more!) And for each of these, somebody somewhere wants to send an email about it, probably to sell something. This is the busy season. This fourth quarter of the year is prime time for email marketing efforts. Everybody is ramping up. Inboxes are more full than at other times of the year, because so many folks send as much as they can, looking for as much of that email-related revenue as possible. This brings the question: how does one prepare for deliverability success during this time? My colleague Jennifer Nespola Lantz, along with Gene Gusman from Zeta, recently presented a free webinar on this topic (good stuff – check it out!) and I thought it would be good to add my own two cents. The
If you’re an ESP with small customers you may have looked at the recent Google / Yahoo requirements around DMARC-style alignment for authentication and panicked a bit. Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery. … For direct mail, the domain in the sender’s From: header must be aligned with either the SPF domain or the DKIM domain. This is required to pass DMARC alignment. So everyone who’s using their gmail address to send bulk mail is going to have to stop doing that within the next few months if they still want their mail to be delivered. For any ESP customer that already has, or can be convinced to buy, a domain for their web presence maybe they can be persuaded to switch to using that – though even if they can, onboarding 100,000 technically naive users
If you dig into the newly published upcoming sender requirements from Google, you’ll unearth three points that relate to DMARC. These are important enough that I wanted to highlight them specifically. First, note that Gmail is moving to a “p=quarantine” policy for gmail.com. That means it is no longer safe to send mail as (anything)@gmail.com except when doing so via Gmail’s infrastructure. This new policy update is Google telling the world to spam filter mail that says it’s from a gmail.com email address, but doesn’t pass email authentication tests. This is a big deal. Gmail, Yahoo, and many other mailbox providers are going to filter unauthenticated messages much more harshly as a result. My memory’s a little fuzzy, but I remember a freemium SMB-focused ESP that had a free “newsletter service” that I think they’ve long since shut down. The platform let you send as yourself, so they served up an awful
On Tuesday, October 3, Google and Yahoo announced updated sender requirements for those who wish to send mail to Gmail or Yahoo Mail successfully and in volume. Marcel Becker from Yahoo and Neil Kumaran from Google explain in detail what senders will have to do if they don’t want to find their mail blocked at either mailbox provider. They warn that failure to comply will result in rejected mail in early 2024. Any changes here really are evolutionary more than revolutionary. These have been solid “best practice” recommendations for a good long while; so I think of this as both “documenting what everybody knows” and laying the groundwork for reasoned, documented policy-based blocking of non-conforming mail. Those requirements boil down to this: Authenticate email. We were moving to a point where you basically already had to authenticate your email messages if you wanted inbox placement success; now it’s fair to say that it
Gmail has long pushed for adoption of email authentication best practices from email senders, effectively making it tough to get to the inbox without proper email authentication in place. They also, for years now, have been very cautious about what mail they accept over IPv6, declining to accept mail over IPv6 that fails authentication checks. Well, now those same checks apply to all mail sent to Gmail — over IPv4 or IPv6. Meaning, if you want to send mail to Gmail, you need to authenticate that mail with DomainKeys Identified Mail (DKIM) or Sender Policy Framework (SPF). If you’re trying to send mail to Gmail subscribers, and the mail doesn’t authenticate properly, it’ll be rejected with this error message: 550-5.7.26 This mail is unauthenticated, which poses a security risk to the sender and Gmail users, and has been blocked. The sender must authenticate with at least one of SPF or
Mike Masnick from Techdirt’s got a scathing breakdown of how the judge just wasn’t buying what the RNC was selling; derisively detailing their failure to prove Google bias against right-wing political senders. It’s definitely worth a read. He closes by saying that with election season upcoming, maybe that will spur the RNC to appeal the ruling. Who’s he kidding? We know this isn’t the end of it.
Remember that the RNC had sued Google, alleging that RNC emails were being unfairly dropped into Gmail spam folders due to political animus on the part of Google? Well, so far, things aren’t going in the RNC’s favor. Judge Daniel Calabretta said that while it was a “close case,” the political committee had not “sufficiently pled that Google acted in bad faith.” The judge is leaving room for the RNC to re-file, so I’m sure this isn’t the last we’ve heard of this. Read more here and here.
The Verge reports on a new change announced by Google: there’s now a good chance they’ll ask you to verify your login when you change certain Gmail settings, adjusting things like IMAP email access or adding email forwarding to a new address. Here are the details from Google. This is a good thing, meant to prevent stealth account takeovers where you might think everything is fine, but a bad actor could be siphoning mail away without the account’s owner realizing what’s going on. I’m sure it’s going to annoy me, though, since I have a zillion Gmail accounts all with various settings around forwarding and IMAP that I am often modifying. But, I’ll happily put up with it in the name of making Gmail a more secure platform for users. [ H/T: Jennifer Nespola Lantz ]
As mentioned before, Google’s planning to disable and delete accounts that have been inactive for two years or longer; they promise not to start doing this until December; they have been warning every Google user of this change via email; and they promise to further notify impacted users before disabling specific accounts. Some folks are up in arms about this change in Google policy. According to CNBC, “Google’s plan to purge inactive accounts isn’t sitting well with some users.” But the truth is, Google has kind of been going overboard notifying everybody, and they’re clearly still in the midst of that notification process. I personally have received twenty-three individual email notifications of this Google policy change so far. Perhaps I have more Google accounts than the average person, but it sure seems to me like they’re notifying everyone. I’d be surprised if anyone were really caught off guard by this policy