
Sophos Email: Understanding Gmail and Yahoo DMARC requirements

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read provides insights into recent updates regarding email authentication requirements set by two major email service providers, Google (Gmail) and Yahoo! Mail. These updates are significant as they aim to bolster email security measures and mitigate the risks associated with phishing and spoofing attacks.

Information

Starting in February 2024, Google and Yahoo will require email authentication for all messages sent to their accounts. This move aims to reduce the amount of unsolicited and fraudulent email that users receive.

You'll have additional email authentication requirements if you’re an organization that sends over 5,000 emails per day to Gmail accounts. You’ll need a Domain-based Message Authentication, Reporting & Conformance (DMARC) policy. You’ll also need to ensure Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) alignment. Furthermore, you must make it easy for recipients to unsubscribe.

Yahoo has rolled out similar requirements. Just 10 days after Google and Yahoo made their announcements in October 2023, Apple released a best practice guide for iCloud Mail. It highlighted many of the same email authentication requirements. While Apple didn’t set a hard date for publishing a DMARC policy, it recommends that bulk senders follow these best practices so their emails won’t be considered junk mail and automatically blocked.

DMARC is an email authentication protocol that helps prevent unauthorized use of domain names and protects email recipients from receiving fraudulent emails.

Domain owners sending emails to Gmail and Yahoo! Mail users must adhere to these new authentication requirements to ensure they’re delivered successfully and not flagged as suspicious or fraudulent. Failure to comply with these requirements may result in emails being rejected or filtered into spam folders, potentially impacting the sender's reputation and email deliverability.

Google’s detailed Email Sender Guidelines are available at: https://support.google.com/a/answer/81126?hl=en#zippy=%2Crequirements-for-all-senders%2Crequirements-for-sending-or-more-messages-per-day

Important: If you send more than 5,000 messages per day to Gmail accounts, follow the Requirements for sending 5,000 or more messages daily.

Requirements for Senders <5,000 per day

*SPF or DKIM email authentication required
*Ensure valid forward and reverse DNS records
*Spam rates reported in Postmaster Tools below 0.3%
*Message format adheres to RFC 5322 standard (https://datatracker.ietf.org/doc/html/rfc5322)
*No Gmail impersonation in From headers (Gmail enforces a DMARC quarantine policy)
*Email forwarding requirements

Requirements for Senders >5,000 per day

*SPF and DKIM email authentication required
*Ensure valid forward and reverse DNS records
*Spam rates reported in Postmaster Tools below 0.3%
*Message format adheres to RFC 5322 standard
*No Gmail impersonation in From headers (Gmail enforces a DMARC quarantine policy)
*Email Forwarding requirements
*DMARC email authentication for your sending domains
*The header must be aligned with either the SPF domain or the DKIM domain
*One-click unsubscribe for subscribed messages
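Both lists require SPF authentication: the receiving server fetches the TXT record of the envelope sender's domain and tests the connecting IP against it. As an added example that is not part of the Sophos article, the following Python evaluator does that against a constructed in-memory zone (the domains, addresses and records are placeholders, and only the ip4, ip6, include and all terms are implemented). It also enforces RFC 7208's limit of 10 DNS-querying mechanisms per check, which records that chain many include: terms commonly exceed, turning the result into a permanent error rather than a pass.

```python
import ipaddress

# Constructed in-memory "zone" standing in for real DNS TXT lookups (assumption:
# every domain, address and record below is a placeholder, not real data).
ZONE = {
    "example.com":      "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    # A self-referencing include: evaluation must stop at the lookup limit
    # instead of recursing forever.
    "loop.example":     "v=spf1 include:loop.example -all",
}

# RFC 7208 section 4.6.4: at most 10 mechanisms that need a DNS query
# (include, a, mx, ptr, exists, redirect) may be evaluated per check.
MAX_LOOKUPS = 10

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SpfPermError(Exception):
    """Raised when the record cannot be evaluated (here: too many lookups)."""


def check_spf(domain, ip, zone=ZONE, _lookups=None):
    """Return the SPF result for sending address `ip` and MAIL FROM domain
    `domain`: 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record).

    Only ip4, ip6, include and all are implemented; a, mx, exists, ptr and
    the redirect modifier are left out of this example."""
    lookups = _lookups if _lookups is not None else [0]
    record = zone.get(domain.lower().rstrip("."))
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]

        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == network.version and addr in network:
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                raise SpfPermError(f"more than {MAX_LOOKUPS} DNS lookups for {domain}")
            # include: matches only when the referenced record yields "pass".
            # (RFC 7208 makes an include of a domain without a record a
            # permerror; this example simply treats it as no match.)
            if check_spf(term[len("include:"):], ip, zone, lookups) == "pass":
                return QUALIFIERS[qualifier]
    # No mechanism matched and no explicit "all": RFC 7208 default is neutral.
    return "neutral"


if __name__ == "__main__":
    for dom, ip in [("example.com", "203.0.113.5"),
                    ("example.com", "198.51.100.10"),
                    ("example.com", "2001:db8::1"),
                    ("example.com", "192.0.2.1"),
                    ("mail.example.net", "192.0.2.1")]:
        print(f"{dom:18} {ip:16} -> {check_spf(dom, ip)}")
    try:
        check_spf("loop.example", "192.0.2.1")
    except SpfPermError as err:
        print("loop.example       permerror:", err)
```

Running the file prints the verdict for each constructed case; the loop.example record shows why an SPF checker needs the lookup counter. A real check replaces the ZONE dictionary with a DNS resolver and adds the remaining mechanisms.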

Google

Google FAQ

Key dates

Starting in April 2024, we’ll begin rejecting non-compliant traffic. Rejection will be gradual and will impact non-compliant traffic only. We strongly recommend senders use the temporary failure enforcement period to make any changes required to become compliant.

Enforcement for these requirements will begin no earlier than June 2024:

*DMARC record with a minimum policy of none (p=none)
*One-click unsubscribe in marketing messages
*Mitigations are unavailable when user-reported spam rates exceed 0.3% or if the sender hasn’t met the authentication or one-click unsubscribe requirements

Make it easy to unsubscribe.

Always give recipients an easy way to unsubscribe from your messages. Letting people opt out of your messages can improve open rates, click-through rates, and sending efficiency. Important: If you send more than 5,000 messages per day, your marketing and subscribed messages must support one-click unsubscribe.

Yahoo

Here are the requirements specified by Yahoo for all senders.

*Authenticate your mail.
    *Implement SPF or DKIM at a minimum.
*Keep spam complaint rates low.
    *Keep your spam rate below 0.3%.
    Note: Yahoo’s spam rate is calculated based on mail delivered to the inbox; keep this in mind when referencing CFL data and calculating the rate in your system.
*Have a valid forward and reverse DNS record for your sending IPs.
*Comply with RFCs 5321 and 5322.

Bulk Senders

Along with the requirements specified for all senders, bulk senders must comply with the following additional requirements.

*Authenticate your mail.
    *Implement SPF and DKIM.
    *Publish a valid DMARC policy with at least p=none. DMARC must pass.
        *Including a “rua” tag, which is properly set up to receive reports, is strongly recommended to allow monitoring during initial setup.
        *Relaxed alignment is acceptable.
    *Ensure the From header domain is aligned with the SPF or DKIM domains. This is required for DMARC alignment.
*Support easy unsubscribe.
    *Implement a functioning List-Unsubscribe header, which supports one-click unsubscribe for marketing and subscribed messages.
        *The POST (RFC 8058) method is highly recommended.
        *The mailto method is acceptable.
    *Have a visible unsubscribe link in the email body; this may direct to a preference page.
    *Honor unsubscribes within 2 days.
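Google's "make it easy to unsubscribe" requirement and Yahoo's bulk-sender list both come down to the same two headers: List-Unsubscribe carrying the URIs, and List-Unsubscribe-Post carrying the fixed RFC 8058 value that tells the receiver a bare HTTP POST to the https URI is enough. As an added example that is not part of the Sophos article, the Python below adds those headers to an outgoing message and classifies what a receiver would see on an incoming one, distinguishing a working one-click POST setup from the mailto-only method Yahoo calls acceptable and from malformed headers; the addresses and URL are constructed placeholders.

```python
import re
from email.message import EmailMessage

ONE_CLICK_BODY = "List-Unsubscribe=One-Click"   # fixed value defined by RFC 8058


def add_one_click_unsubscribe(msg, https_url, mailto_address=None):
    """Add RFC 8058 one-click headers to an outgoing message.

    `https_url` is the per-recipient unsubscribe endpoint; it must act on a
    bare HTTP POST with no login or confirmation page. `mailto_address` is an
    optional second URI for clients that only support the mailto method."""
    uris = [f"<{https_url}>"]
    if mailto_address:
        uris.append(f"<mailto:{mailto_address}?subject=unsubscribe>")
    del msg["List-Unsubscribe"]          # drop any earlier values first
    del msg["List-Unsubscribe-Post"]
    msg["List-Unsubscribe"] = ", ".join(uris)
    msg["List-Unsubscribe-Post"] = ONE_CLICK_BODY
    return msg


def classify_unsubscribe(msg):
    """Report which unsubscribe method a receiver such as Gmail or Yahoo
    would find in the message headers:
      'one-click' : RFC 8058 POST (https URI plus List-Unsubscribe-Post)
      'mailto'    : List-Unsubscribe with a mailto URI only
      'missing'   : no usable List-Unsubscribe header
    Returns (method, problems); problems describes malformed headers."""
    problems = []
    list_unsub = msg.get("List-Unsubscribe")
    list_unsub_post = msg.get("List-Unsubscribe-Post")
    # RFC 2369 syntax: one or more URIs, each enclosed in angle brackets.
    uris = re.findall(r"<([^>]+)>", str(list_unsub or ""))
    has_https = any(u.lower().startswith("https://") for u in uris)
    has_mailto = any(u.lower().startswith("mailto:") for u in uris)

    if list_unsub is None:
        problems.append("no List-Unsubscribe header")
    elif not uris:
        problems.append("List-Unsubscribe URIs must be enclosed in angle brackets")

    if list_unsub_post is not None:
        if str(list_unsub_post).strip() != ONE_CLICK_BODY:
            problems.append(f"List-Unsubscribe-Post must be exactly '{ONE_CLICK_BODY}'")
        elif not has_https:
            problems.append("one-click POST needs an https URI in List-Unsubscribe")
        else:
            return "one-click", problems
    if has_mailto:
        return "mailto", problems
    return "missing", problems


if __name__ == "__main__":
    # Constructed outgoing newsletter message.
    msg = EmailMessage()
    msg["From"] = "news@example.com"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Monthly update"
    msg.set_content("constructed body text")
    add_one_click_unsubscribe(msg, "https://example.com/unsub/abc123",
                              "unsubscribe@example.com")
    print(msg.as_string())
    print(classify_unsubscribe(msg))
```

The classifier returns "mailto" with a recorded problem when a List-Unsubscribe-Post header is present but no https URI accompanies it, which is the common misconfiguration: the message advertises one-click support that the receiver cannot actually use.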

For more information, see the Yahoo Sender Guidelines and the New Yahoo Requirements blog post.

Delving into the Three Email Security Requirements

The foundation of these changes is the implementation of SPF, DKIM, and DMARC, now mandatory for email authentication. Adhering to these protocols significantly reduces fraudulent and malicious email, protecting inbox security by detecting and intercepting potential threats.

*Sender Policy Framework (SPF) – SPF helps prevent domain spoofing by letting a domain owner publish, in DNS, which mail servers are permitted to send email for that domain.

*DomainKeys Identified Mail (DKIM) – DKIM adds a digital signature to each outgoing email. This lets the receiver verify that an authorized sender sent the message and that it wasn’t altered in transit.

*Domain-based Message Authentication, Reporting, and Conformance (DMARC) – DMARC allows domain owners to specify the action to take when an email fails SPF and DKIM alignment checks. Additionally, it enables reporting on email authentication outcomes.
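The Gmail list earlier on this page requires that the From header align with either the SPF domain or the DKIM domain, the Yahoo list adds that relaxed alignment is acceptable and recommends a rua tag, and the three bullets above describe the protocols themselves. As an added example that is not part of the Sophos article, the Python below parses a constructed DMARC record (example.com and the ESP host names are placeholders, and the small public-suffix set stands in for the real Public Suffix List) and applies the DMARC pass rule to SPF and DKIM results a receiver would already hold. The third-party-sender case shows the failure mode behind the alignment requirement: a message can pass SPF and DKIM and still fail DMARC because neither authenticated domain belongs to the From domain.

```python
# Constructed DMARC record as it would be published in the TXT record of
# _dmarc.example.com (assumption: example.com and every other host below is a
# placeholder, not a real domain).
EXAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"

# Tiny stand-in for the Public Suffix List used to find organizational
# domains; a real implementation loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def parse_dmarc(record):
    """Split a DMARC TXT record into its tags. Alignment modes default to
    relaxed ('r'), as RFC 7489 specifies."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain: the label directly below the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment: same organizational domain.
    Strict ('s') alignment: exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply the DMARC pass rule: at least one of SPF or DKIM must both pass
    and be aligned with the RFC 5322 From domain. Returns the verdict and the
    disposition the published policy asks the receiver to apply on failure."""
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    passed = spf_aligned or dkim_aligned
    return {
        "pass": passed,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else tags["p"],
        "reports_to": tags.get("rua"),
    }


if __name__ == "__main__":
    # Own mail server: SPF passes on a bounce subdomain, aligned under relaxed mode.
    print(evaluate_dmarc(EXAMPLE_RECORD, "example.com",
                         "pass", "bounce.example.com", "fail", None))
    # Third-party ESP authenticating only its own domains: nothing aligns.
    print(evaluate_dmarc("v=DMARC1; p=reject; adkim=s; aspf=s", "example.com",
                         "pass", "mailer.esp-example.net", "pass", "esp-example.net"))
```

Under a p=none policy the unaligned case still reports disposition "none", which is why both providers accept p=none as the minimum: it switches on the reporting (the rua address) without yet asking receivers to quarantine or reject anything.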




[edited by: Raphael Alganes at 1:50 PM (GMT -7) on 29 Apr 2024]