Google’s announcement on October 3, 2023, is a massive change that is intended to impact email senders who send more than 5,000 emails to Gmail inboxes each day.
In order to make Gmail inboxes trusted and safe spaces for recipients, Google will be enforcing a handful of new requirements for these types of senders. Beginning in February 2024, email senders will need to have the following requirements in place in order to get email delivered:
- Implement both SPF + DKIM
- Send from a domain with a DMARC policy of at least p=none
- Send with an aligned From domain
- Valid forward and reverse DNS
- One-click unsubscribe
- Low spam rate
For many email senders, these new requirements won’t impact their email programs, but for others, these changes will mean they’ll need to re-examine their current email authentication and sending practices.
Below, we’ll dive into the details of each new requirement, what this means for senders and recipients, the reasoning behind making this policy change, and what we think it means for the future of email.
The new requirements
Implement SPF and DKIM
SPF and DKIM are mature, robust email authentication protocols that have been in existence for over a decade each. SPF and DKIM provide two different methods not only for authorizing the use of a domain name in an email message, but also for helping to ensure that a domain owner gets proper credit for their sending practices.
Send from a domain with a DMARC policy of at least p=none
DMARC is a protocol that builds on SPF and DKIM to:
- Authorize the use of a domain in the visible From header
- Give the domain owner insight into the authentication practices of mail streams using that domain
- Provide the domain owner a mechanism to request handling of messages that fail authentication checks (referred to as a policy preference)
A DMARC DNS record with a policy preference of p=none is the lowest bar for participating in DMARC, as it requests no special handling for messages that fail authentication, but at the same time, gives the domain owner full visibility into its mail streams. The data collected at this step allows the domain owner to make any adjustments to authentication practices necessary before moving on to stronger policy preferences.
Send with an aligned From domain
With this requirement, Google is asking for each message to have a visible From domain that aligns with either the SPF or DKIM domain, with a preference for alignment with the DKIM domain.
For those unfamiliar with the concept, the term “alignment” here comes straight from the DMARC protocol, and per that protocol, two domains are in alignment if they’re identical or at least share an organizational domain (i.e., the domain that is registered when an organization wishes to establish a presence on the public Internet).
For example, “valimail.com” is our organizational domain, and the domains “sales.valimail.com” and “auth.valimail.com” are in alignment with each other because they share the same organizational domain.
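The "at least p=none" and "aligned From domain" requirements above are both decided by the DMARC record and its alignment modes. The following is an added example, not Valimail's code or any production evaluator: it parses a DMARC TXT record, applies relaxed or strict alignment (the adkim/aspf tags), and reports the disposition the domain owner requested. It assumes the organizational domain is simply the last two labels, which is a shortcut for the Public Suffix List lookup a real implementation performs; all records and identifiers in it are constructed.

```python
import re

def parse_dmarc(txt):
    """Split a DMARC TXT record such as 'v=DMARC1; p=none; rua=...' into tags."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(name):
    # Assumption for this demo: the organizational domain is the last two labels.
    # Real DMARC evaluators consult the Public Suffix List (e.g. for "co.uk").
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """Identifier alignment as defined by DMARC: strict ('s') needs identical
    domains, relaxed ('r', the default) needs the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(record, from_domain, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False):
    """Apply a DMARC record to one message's authentication results.
    Returns whether an aligned SPF or DKIM pass exists, the disposition the
    domain owner requested for failures, and whether p= is at enforcement."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return {"valid_record": False, "dmarc_pass": False,
                "disposition": "none", "enforcing": False}
    spf_ok = spf_pass and spf_domain is not None and \
        aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and dkim_domain is not None and \
        aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    passed = bool(spf_ok or dkim_ok)
    return {"valid_record": True, "dmarc_pass": passed,
            "disposition": "none" if passed else tags["p"],
            "enforcing": tags["p"] in ("quarantine", "reject")}

# Constructed records for the demo (not real DNS data).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:reports@valimail.com"
ENFORCED = "v=DMARC1; p=reject; adkim=s; aspf=r"
```

A message from sales.valimail.com signed with d=auth.valimail.com passes under MONITOR_ONLY (relaxed alignment) but fails under ENFORCED, because adkim=s demands an identical DKIM domain.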
Valid forward and reverse DNS
Among other records in the DNS, there are two types that are specifically keyed around IP addresses. The DNS “A” record is used to map hostnames to IP addresses (sometimes called “forward DNS”), and the DNS “PTR” record is used to map IP addresses to hostnames (sometimes called “reverse DNS”).
It has long been a best practice for inbound mail servers to require that sending servers connect from IP addresses that have existing PTR records, but Google is going one step further here and requiring not only that the connecting IP address have a PTR record, but also that the PTR record resolves to a hostname that then resolves back to that same IP address.
The reason for this requirement is that anyone with control over DNS can publish PTR records resolving to any name they choose, so it’s very easy to attempt to spoof ownership.
As an example, if an IP address 18.104.22.168 had its PTR record resolve to mailServer.knownbrand.com, Google would require that the A record for mailServer.knownbrand.com also resolve back to 18.104.22.168, a technique sometimes called Forward Confirmed reverse DNS or just “FCrDNS.”
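The FCrDNS check described above, written out as an added example (not Google's or Valimail's code): look up the PTR for the connecting IP, resolve each returned hostname forward, and accept only if one of the answers is the original IP. The resolver functions are passed in so the check can run against the system DNS or, as here, against a small constructed zone; the IPs in the 192.0.2.0/24 documentation range and the spoofed.example name are made up for the demo.

```python
import socket
import ipaddress

def fcrdns_check(ip, reverse_lookup, forward_lookup):
    """Forward-confirmed reverse DNS.
    reverse_lookup(ip)  -> list of PTR hostnames (empty if none)
    forward_lookup(host) -> list of A/AAAA addresses (empty if none)
    Returns (ok, hostname_or_None, reason)."""
    ip = str(ipaddress.ip_address(ip))  # normalize the textual form
    names = reverse_lookup(ip)
    if not names:
        return False, None, "no PTR record"
    for name in names:
        # The PTR owner controls this name; only the forward zone confirms it.
        if ip in forward_lookup(name):
            return True, name, "PTR and A/AAAA agree"
    return False, names[0], "PTR hostname does not resolve back to the IP"

# Live resolvers that use the system DNS (not exercised by the offline demo).
def live_reverse(ip):
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except OSError:  # socket.herror / socket.gaierror on lookup failure
        return []

def live_forward(host):
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except OSError:
        return []

# Constructed zone data for an offline demonstration.
PTR = {"18.104.22.168": ["mailServer.knownbrand.com"],
       "192.0.2.50": ["mx.spoofed.example"]}       # PTR points at a name...
A = {"mailserver.knownbrand.com": ["18.104.22.168"],
     "mx.spoofed.example": ["192.0.2.99"]}          # ...whose A record disagrees

def demo_reverse(ip):
    return PTR.get(ip, [])

def demo_forward(host):
    return A.get(host.lower(), [])  # DNS names are case-insensitive
```

For a real check replace demo_reverse/demo_forward with live_reverse/live_forward; remember that a PTR can be published by whoever controls the reverse zone, so only the forward confirmation proves anything.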
One-click unsubscribe
As defined in RFC 8058, when a sender inserts specially crafted headers in a message, it signals to the mail client that the recipient can unsubscribe from that sender’s messages with just one click, provided the mail client supports the functionality. Gmail supports it, and you can see it on many messages in the Promotions tab or in other B2C email:
The image above is a notification from Lattice. The “Unsubscribe” link next to the sender’s email address in this example is the One-Click Unsubscribe that Google is requiring here.
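The RFC 8058 headers behind that “Unsubscribe” link are List-Unsubscribe (which must carry an https URI) and List-Unsubscribe-Post with the literal value List-Unsubscribe=One-Click. As an added example, not Valimail's or Google's tooling, the following checks those header-level conditions on a raw message; the sample message and the sender.example domain are constructed. The RFC's further requirement that a valid DKIM signature cover both headers needs the signing key and is left as a comment.

```python
import email
from email import policy
import re

ONE_CLICK_VALUE = "List-Unsubscribe=One-Click"  # literal value required by RFC 8058

def parse_list_unsubscribe(value):
    """Return the URIs in a List-Unsubscribe header: '<https://...>, <mailto:...>'."""
    return [m.strip() for m in re.findall(r"<([^>]+)>", value)]

def check_one_click(raw_message):
    """Check the RFC 8058 conditions visible in the headers.
    Returns (ok, list_of_problems)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    problems = []
    lu = msg.get("List-Unsubscribe")
    uris = parse_list_unsubscribe(lu) if lu is not None else []
    if lu is None:
        problems.append("missing List-Unsubscribe")
    elif not uris:
        problems.append("List-Unsubscribe has no <...> URIs")
    elif not any(u.lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe needs an https:// URI for one-click")
    post = msg.get("List-Unsubscribe-Post")
    if post is None:
        problems.append("missing List-Unsubscribe-Post")
    elif post.strip() != ONE_CLICK_VALUE:
        problems.append("List-Unsubscribe-Post must be exactly %r" % ONE_CLICK_VALUE)
    # RFC 8058 also requires a valid DKIM signature covering both headers, so a
    # forged unsubscribe cannot be injected; verifying that needs the DKIM key.
    return (not problems), problems

# Constructed sample message that satisfies the header conditions.
GOOD = """From: news@sender.example
To: user@example.com
Subject: Weekly update
List-Unsubscribe: <https://sender.example/unsub?t=abc123>, <mailto:unsub@sender.example?subject=abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello
"""
```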
Low spam rate
When Gmail users report unwanted messages as spam, its filters use those reports and other heuristics to identify mail that is likely to be unwanted.
This “Low Spam Rate” requirement doesn’t come with any numbers publicly attached to it, but Google’s intention seems pretty clear: domain owners must send wanted mail to people who demonstrate that it’s wanted (through engaging with those messages), or else the domain owners will lose the privilege of sending mail to Gmail.
What this means for senders and recipients
It’s important to note here that this policy change from Google is meant to benefit the end recipient. Google wants to ensure that Gmail users can trust the mail they receive, and by making SPF, DKIM, and DMARC requirements, they’re taking an excellent first step.
These requirements are a pretty low bar for most email senders, but they’re things that bad actors usually fail to implement. With this requirement, Gmail users can be a bit more confident that the messages they’re receiving are at least getting past basic email authentication.
“While it’s easy to think this policy change will only impact marketing and other commercial emails, the fact is there are many other types of email that organizations send. These changes impact all email coming from a domain, and while that might include mail being sent through Mailchimp or SendGrid, there are many other emails flowing through the organization’s ecosystem.”
Seth Blank, CTO of Valimail
Without ensuring all email coming from your domain is following these requirements, your HR team might not be able to get payroll emails delivered, or the sales team sending outreach messages to prospects might get email blocked.
For senders of legitimate email, these requirements shouldn’t be revolutionary, but organizations should at least double-check that they have their bases covered. If you’re curious about the email coming from your domain, sign up for Monitor for free today to get visibility into your SPF, DKIM, and DMARC records.
Why make this policy change?
The benefit of requiring authentication is increased trust and safety throughout the entire ecosystem, at every mailbox provider that validates email authentication (hint: it’s all of them). For businesses sending email, this means protecting their employees, their customers, their executives, and their brand.
At Valimail, we believe that authentication is foundational, and doing it the right way is critical. Email is rife with abuse, and we must do better as an ecosystem to protect everyone. You should be able to trust your email: the email in your inbox should be from who it says it’s from, not a malicious actor pretending to be someone else. When a sender properly authenticates their email, it ensures that no one else can send fake email using their authenticated domains.
“Google’s policy is a great first start; requiring aligned SPF or DKIM with a DMARC policy of at least p=none is a phenomenal low bar, and more is needed. Until all senders utilize the strongest authentication — DMARC at enforcement — their domains are spoofable, and bad actors can continue to defraud users at an accelerating rate.
DMARC at enforcement is not well deployed enough in the market for this to be a realistic requirement today. We hope Google can get aggressive at raising the bar, so strong authentication becomes the norm for everyone in the near future. This is where the real protection for everyone kicks in.
This policy update from Google is a huge step towards a safer world in email for everyone.”
Seth Blank, CTO of Valimail
At its core, this announcement is Google’s way of telling legitimate senders that if they don’t follow these well-established best practices, their email is not going to be delivered.
“Many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst. To help fix that, we’ve focused on a crucial aspect of email security: the validation that a sender is who they claim to be.”
Google’s Announcement
This announcement is huge, as it will impact nearly every Gmail mailbox holder. This policy is the first time any email inbox provider has turned widely adopted email sending and email authentication best practices into requirements.
What does this update mean for the future?
This policy update is a great first step in the right direction, and it’s just the beginning. Google is likely going to evolve from here, and at some point in the future, we expect Google to require DMARC enforcement in order for email to get delivered correctly.
Over the past few years, we’ve seen an incredible increase in businesses and other organizations adopting DMARC. Unfortunately, the vast majority of those senders aren’t enforcing DMARC with policies of p=quarantine or p=reject. We believe this means the ecosystem isn’t quite ready for Gmail, or any other inbox provider, to implement a strict DMARC requirement.
The writing is on the wall though.
This update from Google is a sign that SPF, DKIM, DMARC, and all the other sending best practices are making the shift from recommendations to requirements. Once Gmail requires any sort of DMARC record, it’s likely only a matter of time before their recommendation that senders set their policy at p=quarantine or p=reject becomes another requirement.
If you’re reading this, it means you’re already ahead of the curve when it comes to running a successful email ecosystem. No matter what tool you use, it’s important that you take the steps to ensure your email gets delivered as intended.
To make sure you’re meeting all of Google’s new requirements, and to start protecting your domain and your brand: