Email Security:DKIM and DMARC

 

Email authentication protocols are a vital set of measures that protect against email threats. These standards help prevent email spoofing, a technique foundational to phishing and spear phishing attacks. Still, the implementation of these security measures remains far from absolute. By some estimates, fewer than 2 in every 10 organizations have an enforcement policy for DMARC, a crucial standard for preventing sender impersonation.

But that may soon change. Google and Yahoo have announced new email authentication requirements that will go into effect February 2024. The changes will implement new rules that organizations must follow to ensure normal email delivery to and from the platforms.

New Google requirements for senders
In October 2023, Google and Yahoo jointly announced they would implement new standards for email authentication. The protocols include Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain Message Authentication, Reporting, and Conformance (DMARC).

 

  • SPF prevents unauthorized senders from emailing on behalf of a domain by allowing administrators to designate legitimate senders.
  • DKIM creates a digital signature for outgoing messages that is linked to a domain and verifies whether the domain name has been modified, such as spoofed or forged.
  • DMARC allows domain owners to validate their domains by publishing a DMARC policy into a Domain Name System (DNS) record. The DMARC policy defines what actions should be taken if the email fails either SPF or DKIM authentication.
The new Google and Yahoo requirements depend on your organization’s email use, which falls into two broad categories.

 

All senders
Regardless of how many emails your organization sends, Google requires you to comply with the following measures. All are meant to increase the security of email while reducing malicious, unwanted, or spam messages.

1. Set up SPF or DKIM for your domain. While not foolproof, SPF and DKIM can help prevent email spoofing and reduce the risk of compromise.

2. Ensure your IPs or sending domains have valid forward and reverse DNS records. This ensures the sending hostname is mapped to the sending IP address.

3. Use a Transport Layer Security (TLS) connection for transmitting email. TLS encrypts email for privacy for enhanced security and only works when both the sender and recipient use the protocol. Google Workspace allows you to activate and set up TLS.

4. Minimize spam. Ensure your reported spam rates in Google’s Postmaster Tools remain below 0.1% and never reach 0.3%. Spam rates above the latter threshold may see an increased spam classification by Google. To prevent your messages from being classified as spam, Google recommends senders regularly check their spam reports in Postmaster Tools.

5. Format messages according to Internet Message Format Standard. This standard defines the basic format of email messages.

6. Refrain from impersonating Gmail From: headers. Google is adopting a new DMARC enforcement policy that may quarantine or prevent delivery of emails that impersonate Gmail From:

7. Use ARC headers to outgoing email if you forward emails regularly. Google recommends that certain senders that regularly forward emails, such as forwarding services or mailing lists, add Authenticated Received Chain (ARC) headers to their messages. These headers maintain SPF and DKIM authentication when emails pass through multiple intermediaries. For mailing list senders, Google recommends adding a List-id: header to outgoing messages to clearly identify the mailing list.

Bulk senders (more than 5,000 messages a day)
If your organization sends more than 5,000 messages per day, you must follow additional requirements beyond those outlined above.

1. Setup SPF, DKIM, and DMARC. Google requires you to adopt all three protocols and activate DMARC alignment for direct mail. The latter means the sender’s From: header must be aligned with either the SPF or DKIM domain. While Google requires DMARC adoption, Gmail allows you to set your enforcement policy to “none.” This policy means DMARC won’t act on messages—even when they fail SPF or DKIM checks.

2. Allow recipients to unsubscribe in one click. To reduce spam messages, marketing emails must include a link to unsubscribe to future messages. The link must be clearly visible and require only a single click to opt out.

What the new requirements mean for you
As these changes suggest, Google and Yahoo clearly recognize the importance of email authentication and the growing prevalence of email threats. Their efforts follow the longstanding recommendations of NIST, ANSSI, and other prominent cybersecurity institutions.

While a critical risk to your organization, email is a core aspect of your business continuity. Protect your ability to harness it by understanding the important changes coming to Gmail and Yahoo.

 

If you would like more information about email security or assistance configuring your email security please contact us and we would be more than happy to assist you.

 

Skip to content