Out of 276.4 billion emails, approximately 50% are spam. That’s around 138.2 billion spammy emails!
While it’s true that Google’s advanced defenses can prevent nearly 100% of spam from hitting inboxes, the complexity of cyber threats is evolving by the minute. If the most secure email provider isn’t out of the woods, that means less secure alternatives, such as Yahoo, must stack up on their security measures.
For this reason, both Google and Yahoo are enforcing rules to ensure the global email system remains useful for years to come. If your mailboxes are hosted in one of those providers, you’ll have to start following specific actions in order to whitelist your domains in the future.
If you don’t act today, then…
Your emails are less likely to hit your subscribers’ inboxes.
Malicious actors can use your domain to spam without your knowledge.
Why Is This Happening?
Email is a crucial part of how we communicate, both in our personal and professional lives. While best practices have been available to ensure secure email exchanges, not everyone has taken them seriously but rather as mere “nice-to-haves”.
Fortunately, that’s about to change.
“Many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst. To help fix that, we’ve focused on a crucial aspect of email security: the validation that a sender is who they claim to be. As basic as it sounds, it’s still sometimes impossible to verify who an email is from given the web of antiquated and inconsistent systems on the internet,” states the Group Product Manager of Gmail Security & Trust Neil Kumaran.
Now, two of the three largest email providers are emphasizing the importance of following these rules to maintain a healthy email system. Not just for big companies but for anyone who wants their emails to work as smoothly as possible.
A Handy Timeline: What to Expect (and When to Expect It)
Starting February 2024, Gmail will be rolling out some changes for bulk email senders to improve their (and their subscribers’) email experience.
In February, they’ll let senders know about temporary errors in their emails so they can fix any issues in time.
Come April, Gmail and Yahoo will start rejecting non-compliant email traffic from senders who don’t follow the rules.
Then in June, they want to make it easier for users to unsubscribe from emails with just one click. If you’ve ever had trouble unsubscribing from an unwanted newsletter, you know how frustrating it can be.
They’re also setting clear thresholds for spam, asking senders to keep spam reports really low, under 0.1%, to make sure subscribers get less unwanted emails. These changes aim to make everyone’s inboxes safer and less cluttered.
“What Do I Need to Do?”
Make sure to authenticate all of your emails – not only from bulk sending systems but also from Google Workspace and CRMs. If you’re sending a lot of emails, Google strongly suggests that you authenticate them using proven best practices. This step is crucial to enhance email security and fend off potential cyber threats.
To authenticate your emails, follow these steps:
In your email tools, set up your Sender Domain, and enable DKIM. This will help you authenticate your emails to help mailbox providers verify you actually sent those emails.
Set up at least a neutral DMARC policy to help prevent malicious actors from impersonating your business. (A DMARC policy is a set of rules that a domain owner sets up to protect their email domain from phishing and spoofing.)
If you’re using a 3rd-party email address domain like @gmail.com, @yahoo.com or others to send marketing campaigns, you’ll need to switch to sending from your site’s branded domain instead. Besides giving your campaigns a more professional appearance, it also improves the chances of your campaigns landing in your contacts’ inboxes.
“But I’m Not a ‘Bulk’ Sender of 5000+ Emails per Day. Do These Rules Still Apply?”
Yes. These are good practices even if you’re a smaller sender. Following them will ensure you’re safeguarding your brand from the start.
When you abide by these rules, you’re looking out for your domain reputation and certifying that no one is using your brand for malicious purposes. Remember: cyber attackers don’t care if you’re big or small! So, it’s a good idea for businesses of all sizes to take this seriously.
“Okay. How Do I Do This?”
Your email platform will provide you with some DNS records that you must add to authenticate the outbound emails. Next, here’s what you should do.
5 Easy Steps Towards Compliance
Review your email systems: Examine and audit all systems that send emails on behalf of your domain. Think of your website, Google Workspace, email marketing platforms, and invoicing system.
Secure your email with DKIM: Create unique DKIM (DomainKeys Identified Mail) keys for each system and paste them to your domain’s DNS settings. DKIM keys are cryptographic signatures that validate the authenticity of your emails. Each system has a different key, which doubles down on security.
Establish customer return path: By adding a CNAME record that points to your email service provider, you’ll set up your domain as the customer return path. In case any recipients reply to those emails or bump into any problems, their responses will be redirected to your provider instead.
Implement DMARC with monitoring: Deploy DMARC (Domain-based Message Authentication, Reporting, and Conformance). Start by creating a record with basic monitoring settings, but avoid creating a blank one as it doesn’t provide user guidance on how to deal with unauthenticated emails. The monitoring settings give users reports on email authentication. For example: if an email is flagged as suspicious, the email provider will follow the DMARC (p=quarantine) policy and send the suspicious email to a spam folder. To ensure that important emails aren’t mistakenly flagged, users need to check their spam folder often.
Aim to get a DMARC to a Reject State: In a Reject state, recipients are instructed to dismiss emails that fail proper authentication. This, in turn, prevents potentially harmful emails from reaching their inboxes. This can give you peace of mind that your domain isn’t being abused without your knowledge.
Register with Google Postmaster Tools: Finally, sign up for Google Postmaster Tools to monitor your bounce rate and keep the reputation of your email healthy. This platform will give you valuable insights into how your email deliverability is working (or not working), ensuring each and every email is reaching its recipients without an issue.
“What If I Don’t Do This?”
All senders must implement SPF, DKIM, keep low spam rates, and forward/reverse DNS to comply with these new rules.
If you choose to ignore them, the emails you send will be far more susceptible to malicious intervention and will likely be flagged as unsafe. In short: even those sweet emails to your nan might go into the “spam” folder.
Not to mention, the email marketing campaigns you’ve been working so hard on will be leaking money through the cracks. You can’t nurture or sell to customers who don’t see your emails.
Google is calling this “basic email hygiene.” While it may look like a set of boring rules for some people, for others it’s a way of ensuring a secure and reliable email environment.
Let’s keep our inboxes safe, everyone. Need help with Email Authentication and Domain reputation? Check out our Google Workspace Care Plans
