Google Enforcing New Email Rules – February 2024

The war against spam emails is nothing new – although in recent years it may have felt like the spammers were winning. However, Google has rolled out new email rules that it hopes will help protect users from phishing attacks and unsolicited messages.

While this is arguably good news, it adds some complexity for businesses that send out a large number of emails. In fact, failing to comply with these new rules means that your customers may not receive your newsletters, promotions, or other important communications! Today we’re going to examine these new rules and look at how to ensure your business is in compliance with them.

What are the new rules?

As of February 1, 2024, Google has two sets of rules – one which applies to all email senders, and a more stringent set of requirements for those who send over 5000 emails per day.

Just a heads up for readers who aren’t familiar with all of the jargon in the new rules – we will be circling back to help you understand important terms like DNS, SPF, DKIM, and DMARC.

All Senders Must:

  • Enable SPF or DKIM email authentication for your domain
  • Use a domain or IP which has a valid PTR record (forward and reverse DNS record)
  • Transmit emails using a TLS connection
  • Maintain a spam rate below 0.10% and never exceed 0.30%
  • Send messages using the Internet Message Format standard
  • Never impersonate Gmail From: headers
  • Include ARC headers for forwarded mail

Bulk Senders (5000+ per day) Must:

  • Follow all of the rules listed above, in addition to the following:
  • Enable DMARC email authentication
  • Direct mail must have the domain in its From: header align with either the SPF or DKIM domains
  • Marketing and email subscription messages must include a clearly visible unsubscribe link and support one-click unsubscribe.

Why is Google doing this?

These new rules are designed to make it more difficult for cybercriminals to use emails as tools for disseminating spam and malware, as well as to stem the tide of unwanted bulk emails from legitimate businesses.

Essentially, Google’s new rules make it more difficult for emails to be sent using fraudulent or spoofed credentials. It’s hard to overstate the importance of combating spoofed emails – as phishing emails are used to initiate 78% to 90% of all cyber attacks.
With billions of spoofed emails sent each day, it’s easy to see why Google was willing to implement these changes to their rules, even if it causes some additional headache for legitimate users.

Why are these rules affecting my email deliverability?

According to a recent Forbes article, Google is rolling out its new rules slowly and will require full compliance by June 2024. This means that over the next few months some businesses may notice sporadic email delivery errors – and these must be taken seriously as they are a sign that your email system is running afoul of the new regulations.

Older email servers may fail to comply with the new requirements in a few different ways, and generally the delivery failure notice will include an error message describing the issue. Check out Google’s comprehensive list of errors and their meaning to learn why your emails aren’t going through.

Alphabet Soup – The Letters Behind the New Rules

Every field has its jargon, and the internet feels like it might have some of the most arcane examples. Here’s a quick explainer of the critical acronyms included in the new rules and why they matter.

What is DNS?

Domain Name System (DNS) is like the internet’s phone book. It’s a system that translates human-friendly domain names (like google.com) into computer-friendly IP addresses (like 192.168.1.1).

What is a DKIM record?

DomainKeys Identified Mail (DKIM) is a method of authenticating emails that relies on a DNS record. It adds a digital signature to the email headers, which can be verified by the recipient’s server using the public key stored in the DKIM record. This ensures that the email hasn’t been altered in transit and helps verify the sender’s identity.

What is an SPF record?

A Sender Policy Framework (SPF) record is a type of DNS record that specifies which servers are authorized to send emails on behalf of a particular domain. It helps prevent spammers from forging the “From” address in an email. When an email is received, the recipient’s server can check the SPF record to verify if the sending server is allowed to send emails for that domain.

What is a DMARC record?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) records build on SPF and DKIM to provide additional email authentication and reporting capabilities. DMARC allows domain owners to specify policies for how email servers should handle messages that fail SPF and DKIM checks. It also enables domain owners to receive reports on email activity, including information about failed authentication attempts and potential spoofing attempts.
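To make the SPF and DMARC record formats described above concrete, here is an added example (not from the original article or from Google) that checks record strings for common mistakes. The records use the placeholder domain example.com and are constructed for illustration; the function names are hypothetical and no DNS queries are made.

```python
import re

# SPF terms that each cost the receiver one DNS lookup (RFC 7208 allows 10 in total)
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def lint_spf(txt):
    """Return a list of problems found in one SPF TXT record string."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    problems, lookups, all_term = [], 0, None
    for term in terms[1:]:
        # Strip the qualifier (+ - ~ ?) and any ":value", "=value" or "/cidr" suffix
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_term = term
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; receivers stop at 10 and return permerror")
    if all_term is None and not any(t.lower().startswith("redirect=") for t in terms):
        problems.append("no 'all' mechanism or redirect: unlisted servers get a neutral result")
    elif all_term in ("all", "+all"):
        problems.append("'+all' authorizes every server on the internet")
    return problems

def lint_dmarc(txt):
    """Return (tags, problems) for one DMARC TXT record string."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    problems = []
    if not re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", txt):
        problems.append("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy tag")
    if "rua" not in tags:
        problems.append("no rua= address: aggregate reports will not be sent")
    return tags, problems

# Constructed sample records for the placeholder domain example.com
SPF_OK = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
SPF_BAD = "v=spf1 include:a.example include:b.example +all"
DMARC_OK = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
DMARC_BAD = "v=DMARC1; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for rec in (SPF_OK, SPF_BAD):
        print(rec, "->", lint_spf(rec) or "ok")
    for rec in (DMARC_OK, DMARC_BAD):
        print(rec, "->", lint_dmarc(rec)[1] or "ok")
```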

How does enforcing these records help make things better?

Taken as a whole, these new record requirements make it easier for Google to ensure that the emails reaching your inbox are from who they claim to be. This makes it more difficult for cybercriminals to engage in phishing attacks and minimizes the amount of spam we’re subjected to on a daily basis.


How can I make sure my business is compliant with the new rules?

If your business has its own email server, then it is essential that you follow Google’s new guidelines in order to stay in touch with your customers. Google has guides which walk through how you can add DMARC records to your domain, enable DKIM, and define your SPF records – although be aware that the process will require a fair bit of technical know-how.
Additionally, you will want to take care to read over Google’s email guidelines to help prevent your customers from flagging your emails as spam. For instance, Google recommends against mixing email types: invoices and receipts shouldn’t include product promotions.
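One way to check a delivered test message against the bulk-sender rules listed earlier (authentication, From: alignment, one-click unsubscribe) is to read the headers the receiving server added. The following is an added example, not code from the original article or from Google; the sample message is constructed, the function names are hypothetical, and the organizational-domain helper is a simplification. Only an Authentication-Results header written by your own receiving server should be trusted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption; real
    DMARC checkers consult the Public Suffix List, e.g. for .co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def audit(raw_message):
    """Return a dict of rule -> bool for one raw message (first header of each kind)."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    ar = " ".join(msg.get("Authentication-Results", "").split())  # unfold the header
    def result(method):  # "spf" -> "pass", "fail", ... or "none" if absent
        m = re.search(rf"\b{method}=(\w+)", ar)
        return m.group(1).lower() if m else "none"
    def prop(name):  # domain part of e.g. smtp.mailfrom=bounce@mail.example.com
        m = re.search(rf"{re.escape(name)}=(?:[^\s;@]*@)?([^\s;]+)", ar)
        return m.group(1) if m else ""
    spf_ok, dkim_ok = result("spf") == "pass", result("dkim") == "pass"
    dkim_dom = prop("header.d") or prop("header.i")
    # Alignment: From: domain matches the SPF or DKIM domain that passed
    aligned = bool(from_dom) and (
        (spf_ok and org_domain(prop("smtp.mailfrom")) == org_domain(from_dom))
        or (dkim_ok and org_domain(dkim_dom) == org_domain(from_dom)))
    # One-click unsubscribe headers as defined in RFC 8058
    one_click = ("<https://" in msg.get("List-Unsubscribe", "").lower()
                 and msg.get("List-Unsubscribe-Post", "").strip().lower()
                 == "list-unsubscribe=one-click")
    return {"spf_or_dkim": spf_ok or dkim_ok, "dmarc_pass": result("dmarc") == "pass",
            "from_aligned": aligned, "one_click_unsubscribe": one_click}

# Constructed sample message (placeholder domains, not real traffic)
SAMPLE = """\
Authentication-Results: mx.example.org;
 dkim=pass header.i=@example.com header.s=s1;
 spf=pass smtp.mailfrom=bounce@mail.example.com;
 dmarc=pass header.from=example.com
From: Example Shop <news@example.com>
Subject: February offers
List-Unsubscribe: <https://example.com/unsub?id=123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello!
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```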

Playing by the Rules

Google is taking its fight against spam very seriously and has no qualms about a little bit of collateral damage. If your email server is not properly configured, then it is very likely that some of your customers aren’t receiving your emails and the problem will only worsen as Google phases in their new policies.

Instead of worrying about your email configuration, our managed IT solution helps you stay focused on running your business. We will take care of correctly setting up your DNS with the right SPF, DKIM, and DMARC, as well as handling system updates, cybersecurity, and more.
