By February 2024, any company sending more than 5,000 email messages through Google or Yahoo will have to start using an authentication technology known as Domain-based Message Authentication Reporting and Conformance (DMARC).
The requirements — announced by Google and Yahoo this week — will reach much further than marketers, however, forcing all companies lagging behind in their adoption of the trio of security technologies to catch up. Enterprises using Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) will gain protection against impersonation through better authentication, while DMARC creates a notification channel back to the domain-name owner to collect information on whether their email is being spoofed.
The requirements by two large providers should push more companies to adopt DMARC until adoption reaches a level at which more effective security measures become possible, says Neil Kumaran, group product manager for Google’s Gmail Security & Trust group.
“By adopting DMARC in the ways that we’re asking, senders start getting a lot of intelligence back that will help them identify issues with their configuration [and] things they may want to change,” he says. “So there’s material benefit to sender to adopt DMARC and to think about these things collectively.”
The trio of email security technologies have seen accelerated adoption in recent years — especially during the coronavirus pandemic, when companies were forced into remote operations. As a result, about half of email senders have a DMARC record, but only 14% have set DMARC to enforce a strict policy of quarantine or reject — widely considered the end goal, according to data from Valimail, a DMARC service provider. About half of all companies have set their DMARC record to enforce a strict policy. However, only 1% of nonprofit domains have DMARC set up.
Google’s and Yahoo’s requirements are a good start, and the market is not ready for more stringent requirements. But Seth Blank, chief technology officer at Valimail, hopes major email providers will raise the bar quickly.
“I think this is absolutely fantastic, but I think it doesn’t go far enough,” he says. “I’m excited for them to raise the bar, but what we have now are a bunch of industry best practices that are inconsistently applied. You’ve got a couple of the major-volume senders doing it well, and then you’ve got everyone else, which is why the abuse is so rife in the ecosystem.”
Expanding Adoption of Email Security
In its blog post, Google outlined its requirements, including both SPF and DKIM records for authenticating email-sending domains; a DMARC record for the domain; and a “From” header that matches either the SPF or DMARC record, known as “alignment.” In addition, marketers must have spam rates below 0.3% and provide the ability to unsubscribe with a single click.
Google will apply the new rules to those who send more than 5,000 messages to Gmail addresses in a given day. Yahoo will apply the requirements to “bulk senders,” but its blog post does not define what constitutes a bulk sender. The requirements will need to be met by February 2024 for Google and “in the first quarter of 2024” for Yahoo.
Google’s announcement, along with Yahoo!’s matching move, means that DMARC adoption is no longer a suggestion, Len Shneyder, vice president of industry relations at Twilio SendGrid, an email marketing service, wrote in a blog about the news.
“[W]ith Yahoo’s news as well, you can consider this the new normal,” he wrote. “The new requirements mark a change in how the industry views email authentication and best practices: what was once a set of recommendations is now becoming an enforceable set of requirements.”
Google expects that the requirements will lead to a near-complete adoption of email authentication on its platform. Currently the company processes about 15 billion emails every day, and the number of unauthenticated messages has declined 75% since the company required that every message have some form of authentication.
Authentication Is Just the Start
The goal of the DMARC requirements is to ensure that all legitimate email has set DMARC records with their DNS service, providing authentication information to check against the headers of any received email messages. Almost every email provider will report back information about DMARC alignment to the authoritative owner of a domain.
For this reason, better identification of sources and stronger identification of messages are key to improving email technology, Google’s Kumaran says.
“Authentication itself is not a silver bullet to stopping spam, but what it does is it allows everybody to get a better understanding of the email that is flowing,” he says. “I expect filters will start to pick up on those patterns, take the benefits of authentication, and do a better job — we should see the impacts across the board.”
Once sender authentication is in place, security vendors and email providers can better filter out the bad traffic, says Blank.
“You’re in control of who’s authorized to send as you, which means by the time the message goes to any mailbox provider, the world over, the authentication is in place, and they’re able to take advantage of DMARC,” he says. “Spoofed or authenticated messages never make it to users’ inboxes, and so we get this herd immunity and protection at scale, far outside of just Google and Yahoo, where the requirements are.”
Expect Workarounds
While the requirements will likely get all legitimate marketing firms to tune up their email security configurations, companies should expect that bad actors will find ways to still send spam, phishing, and malware, says Raf Marconi, managing senior consultant with Bishop Fox.
“A malicious actor can either stay below the thresholds or use legitimate services to avoid being affected by the requirements,” he says, adding: “These new requirements should have some effect on the level of spam and phishing, but it is hard to gauge how much before the requirements have been implemented, and is also dependent on proper implementation of DKIM, SPF, and DMARC.”
In a recent report, internet services firm Cloudflare found that 89% of messages blocked as spam had correct SPF, DKIM or DMARC information, underscoring that the technologies are part of the equation, but not the entire solution, says Oren Falkowitz, field CSO for Cloudflare.
“For this reason, it is futile to solely rely on standards that track sender information in order to detect and stop campaigns,” he says. “In order to solve real damages, security teams must identify and have controls for payloads, the files, links, and malicious requests that comprise phishing and that cause damages.”
Valimail’s Blank reinforced that point.
“Bad actors tend to be the first people to follow best practices,” he says. “The assumption that having SPF, DKIM, or DMARC means the mail is good is wrong. What these mean is we know who the mail came from, and that’s critical to making reputational decisions.”