SERVICE UPDATE
Availability | February 2024
Product(s) | Email Security Cloud Gateway
Who is Affected | All customers sending mail to Gmail or Yahoo/AOL
Overview
Google and Yahoo have recently announced updated sender requirements that will be going into effect at the beginning of February 2024. These new requirements are rooted in long-standing Internet standards and best practices.
All senders will need to follow a basic set of requirements; however, additional requirements may come into play depending on mail volume and type of mail (promotional vs. transactional).
Applicable to All Senders
1. Email Authentication: SPF and DKIM will be REQUIRED.
- SPF (Sender Policy Framework) is an email authentication technology that allows the domain owner to specify which IP addresses are authorized to send email on behalf of that domain. When an email message is received, the recipient's email server checks the SPF record for the sender domain to ensure the message comes from an authorized IP address. If the SPF check fails, the message may be rejected under Google and Yahoo’s new requirements.
- DKIM (DomainKeys Identified Mail) is an email authentication technology that uses cryptographic signatures to verify the authenticity of email messages. When an email message is sent, DKIM adds a digital signature to the message header, which the recipient's email server can verify to ensure that the message has not been tampered with in transit and originated from the claimed sender domain.
Starting in February 2024, these long-established email authentication best practices will become a requirement. A progressive enforcement plan is expected as Google and Yahoo work with customers to ensure the delivery of messages consumers want to receive and filter out messages they don’t.
To ensure email validation within Mimecast, customers are required to authorize all sending domains through our platform. Without this authorization, Mimecast will be unable to validate using SPF. For additional details, please refer to Email Security Cloud Gateway - Finding DNS Authentication Code.
2. Ensure Valid Forward and Reverse DNS Records (PTR Records)
Authentication goes beyond SPF and DKIM; having valid forward and reverse DNS records is critical. These records verify that the sending hostname is associated with the sending IP address. Every IP address must be mapped to a hostname in the PTR record. The hostname specified in the PTR record must also have a forward DNS that refers to the sending IP address.
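The forward-confirmed reverse DNS check described above can be sketched as follows. This is an added example, not Mimecast, Google or Yahoo code; the lookup functions are injected and the DNS data is constructed sample data using documentation address ranges.

```python
import ipaddress

# Constructed sample DNS data (documentation address ranges, not real hosts).
PTR = {
    "192.0.2.10": ["mail.example.com."],
    "192.0.2.20": ["mx.example.net."],   # forward record points elsewhere
    # 192.0.2.30 deliberately has no PTR record
}
FORWARD = {
    "mail.example.com": ["192.0.2.10", "2001:db8::10"],
    "mx.example.net": ["198.51.100.7"],
}

def sample_ptr(ip):
    """Hypothetical PTR lookup backed by the sample data above."""
    return PTR.get(ip, [])

def sample_forward(host):
    """Hypothetical A/AAAA lookup backed by the sample data above."""
    return FORWARD.get(host, [])

def fcrdns(ip, ptr_lookup, forward_lookup):
    """Return (ok, reason) for a forward-confirmed reverse DNS check.

    ptr_lookup(ip) -> list of hostnames; forward_lookup(host) -> list of IPs.
    Both are injected so the check can run on live DNS or on sample data.
    """
    addr = ipaddress.ip_address(ip)
    hostnames = ptr_lookup(str(addr))
    if not hostnames:
        return False, "no PTR record"
    for host in hostnames:
        name = host.rstrip(".").lower()
        # Compare parsed addresses so textual variants of one IP still match.
        forward = {ipaddress.ip_address(a) for a in forward_lookup(name)}
        if addr in forward:
            return True, f"{name} resolves back to {addr}"
    return False, "PTR hostname does not resolve back to the sending IP"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, fcrdns(ip, sample_ptr, sample_forward))
```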
3. Maintain Low End-User Complaint (Spam) Rates
Understanding the performance of your mail is a responsibility that should not be overlooked. Regularly monitor your domain’s spam rate in Google’s Postmaster Tools. Aim to keep this spam complaint rate below 0.10%. Complaint rates nearing 0.30% or above, especially for sustained periods, will now lead to deferrals or blocking.
4. Message Format Compliance (RFC 5322)
Google and Yahoo specifically call out the need to ensure alignment with the Internet Message Format standards found in RFC 5322. Make sure your company strives to understand and adhere to these standards.
5. Do Not Impersonate Gmail From: Headers
Gmail's impending DMARC quarantine policy prohibits impersonating Gmail From: headers, emphasizing the need for authenticity and credibility in email communication.
6. Implement ARC Headers for Forwarded Emails
Addressing the nuances of forwarding emails and implementing ARC (Authenticated Received Chain) headers is essential to ensure the authenticity and integrity of forwarded messages, specifically for mailing lists and inbound gateways.
Additional Requirements for Senders >5,000 Per Day. (Bulk)
While Google and Yahoo both sidestep the use of specific numbers to quantify “bulk” sending, they both provide a rough idea of what they’re trying to address: Bulk sending, in their eyes, means a collection of messages, around 5,000 or so per day, all having materially similar subject lines and/or content. It’s also important to note that Bulk messaging can take place over a period of time and with multiple sends.
Additional requirements are provided and outlined below for those who may fall into this category.
7. DMARC Policy Enforcement
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication technology that provides policy and reporting mechanisms for DKIM and SPF. DMARC allows the domain owner to specify how email messages that fail DKIM and SPF checks should be handled, and it provides feedback on the results of those checks. DMARC helps to prevent email spoofing and phishing by ensuring that email messages are only accepted if they meet the authentication policies specified by the domain owner.
Mimecast customers sending a larger volume of messages per day to major mailbox providers must have a DMARC policy in their DNS. Gmail’s minimum requirement for DMARC is p=none, instructing the receiving mailbox provider to take no action on an email that fails an SPF/DKIM check. p=quarantine or p=reject is recommended.
8. DMARC Alignment
For direct mail, the domain in a sender’s From: header must be aligned with the SPF or DKIM domains. DMARC passes or fails a message based on how closely the message From: header matches the sending domain specified by SPF or DKIM. This is called alignment.
Mimecast customers must ensure the domain of the address in the From: header matches the domain authenticated with SPF or DKIM. Beyond this, there is strict and relaxed alignment, and you need to consider several scenarios (including subdomains). Thankfully, Google has an entire blog post explaining those scenarios in great detail, but it is worth mentioning that relaxed alignment is allowed.
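Strict and relaxed alignment, including the subdomain and third-party sender cases, can be worked through with the added example below (not code from Mimecast or Google). The suffix set is a small stand-in for the Public Suffix List, and all domains are constructed samples.

```python
# Tiny stand-in for the Public Suffix List (assumption: a real check would
# load the full list); just enough suffixes for the constructed samples.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    a = from_domain.rstrip(".").lower()
    b = auth_domain.rstrip(".").lower()
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def dmarc_result(from_domain, spf=None, dkim=(), aspf="r", adkim="r"):
    """Evaluate DMARC for one message.

    spf:  (result, MAIL FROM domain) or None
    dkim: iterable of (result, d= domain), one entry per signature
    DMARC passes when at least one mechanism both passes and is aligned.
    """
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim) for r, d in dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

if __name__ == "__main__":
    # Third-party sender: SPF and DKIM both pass, but for the provider's
    # domain, so neither is aligned with the From: domain.
    print(dmarc_result("example.com", spf=("pass", "bounce.esp-mail.net"),
                       dkim=[("pass", "esp-mail.net")]))
    # Subdomain signature: aligned under relaxed mode, not under strict.
    print(dmarc_result("example.com", dkim=[("pass", "mail.example.com")]))
    print(dmarc_result("example.com", dkim=[("pass", "mail.example.com")],
                       adkim="s"))
```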
9. One-Click Unsubscribe Option in a List-Unsubscribe
Enabling a one-click unsubscribe option in a List-Unsubscribe header is mandated. This empowers recipients to easily opt out, enhancing user experience and compliance. Unsubscribe actions must be taken within two days. It is also suggested (but not mandatory) that an unsubscribe link within the body of the email leading to a preference center be added. Failure of bulk senders to include this functionality may result in mail rejections.
Carlos Rios