Today, Google announced a policy change that is setting a bar, the first real bar of its kind in the email ecosystem, with specific requirements for email sent to their 1.9 billion inboxes. Google will be requiring authentication, using open standards accessible to anyone, from senders. This will have a massive, positive impact on the trust and safety of inboxes globally, beyond just Gmail.
“Your email should be trusted and safe. Everyone’s email should be. This is Valimail’s mission: restore trust to email. We believe that authentication is foundational, and doing it the right way is critical. Google is elevating best practices — having strong authentication — into requirements. We welcome this! And we’re looking forward to partnering with Google to take this even further and ensure quality of enforcement.”
Seth Blank, CTO of Valimail
Starting in February 2024, Google will enforce a number of requirements as listed in this support article. Your business’s email — from transactional password resets to marketing campaigns to corporate person-to-person messages — will not deliver effectively to Gmail inboxes if you do not clear these bars.
The majority of email worldwide is delivered to and read from Gmail, and as a result, if your business does not take Google’s requirements seriously, it will effectively lose the ability to use email as a channel for customer and corporate communications.
The good news is that these bars are already basic hygiene, and your business probably has much less to do than you think. Here’s a breakdown of the most impactful and important requirements from the announcement, alongside how to meet each one:
Google’s new requirement | How to meet it |
Authenticate your email using SPF and DKIM, with at least one of them aligned with your From domain | 1. Use SPF and DKIM 2. Send with an aligned From domain |
Send from a domain with a DMARC policy of at least p=none | 1. Understand what DMARC policy is 2. Create a free Valimail Monitor account and set your p=none record |
Have valid forward and reverse DNS for your mail systems | Follow recommended email server practices |
Enable easy unsubscription by using the one-click unsubscribe header | Most third parties that send on your behalf should automatically do this for you! |
Maintain a low spam rate | Use Google Postmaster Tools to monitor your spam rate |
We have more information detailing each of these new requirements, what they do, and how organizations can ensure they meet them in our other post, The New Requirements for Email Delivery at Gmail.
At its core, Google’s requirements enshrine Domain-based Message Authentication Reporting and Conformance (DMARC). Google is elevating the core concepts of DMARC — that authentication must be based upon what is displayed to the user (known as alignment) — from a best practice to a requirement. This is what has enabled DMARC to combat fraud so effectively. This is what all senders of email need to provide the strongest protection for their customers, employees, executives, and brand.
Google is saying that DMARC is the gold standard, and it’s no longer acceptable to take it as a recommendation instead of a requirement:
“Many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst. To help fix that, we’ve focused on a crucial aspect of email security: the validation that a sender is who they claim to be.”
Google’s Announcement
As champions of DMARC and making it accessible to everyone, we could not agree more strongly with the need for DMARC for everyone. This is what Valimail does best. With the best enforcement rates, the best time to enforcement, the most patents and innovation in the space, customers that absolutely love our products, and the #1 market leadership position– you need to do DMARC, and we invite you to do it with us.
We believe that visibility should be free.
Use Valimail Monitor so that you can ensure you’re meeting Google’s requirements and take the first step toward protecting your brand and stopping fraudulent email from being sent on behalf of your domain.