Google introduces new security requirements for bulk email senders - but should have done so years ago.

Google and Yahoo! will require the use of DMARC, SPF, and DKIM in an attempt to crackdown on spam and phishing. It is surprising that these features were not already a requirement.

2024-03-19
Google and Yahoo, major Big Tech email providers, will be requiring bulk senders of 5000+ emails per day to deploy additional security measures to prevent abuse, reduce spam, and stop phishing attacks. This comes as a major surprise when this technology itself is not new. These security measures are a great move, but none of these technologies are new. Hopefully these new requirements will push other companies to up their email security configuration.
SIGN UP

Google has announced that they will begin enforcing stricter security measures for all accounts which are sending more than 5000 emails per day to personal Gmail users. This change comes as an attempt by the Big Tech email provider to crack down on phishing emails and spam targeting users of their Gmail service. Gmail is the world's most popular email provider and also a major source of the world's spam emails. As part of these new measures they will be requiring so called "bulk senders" to implement previously optional security settings to their custom domain email addresses. These settings are DMARC, SPF, and DKIM, security settings which Tuta custom domain users were required to enable since 2019.

In the following article we will examine what these acronyms mean and how they can protect a custom email domain address from being abused for spam or phishing.

These include:

New Security Standards

The new security requirements which Google is introducing collectively provide different ways of ensuring the authenticity of emails. As with any area of IT there are a number of acronyms we should unpack and explain. What is important to note is that these are applied to custom domain addresses used by bulk senders who wish to send email traffic to Gmail users.

DMARC: Domain-based Message Authentication, Reporting, and Conformance

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is an email authentication protocol that gives custom domain users the ability to prevent others from using their domain without permission. When fraudsters send emails pretending to be a local business, this is called "email spoofing" and DMARC adds an additional check which prevents this. When a DMARC entry is added to the DNS settings panel from a domain provider, email servers receiving an email from that custom domain can authenticate the email based upon instructions set by the owner of the custom domain. If the checks are passed, the email can be delivered and if it fails the email will be rejected according to the configuration rules of the domain owner.

DMARC acts as the rule setter for deciding what kind of actions are taken if SPF and DKIM checks are not properly satisfied.

DMARC Authentication Explained

Image from ProofPoint security

SPF: Sender Policy Framework

Sender Policy Framework (SPF) is the next element in the new Google security requirements. The job of an SPF record is to authenticate that the sending email server is allowed to be the origin point for emails sent with the user's custom domain. This element is dependent upon a correctly configured DMARC record for determining what happens if the SPF record check fails. By publishing an SPF record in your DNS records spammers and other attackers are less likely to try and use your domain because their spam emails will be unable to verify as they are being sent from a non-authorized mail server.

SPF record example.

This SPF record will check to make sure that the email has been sent by one of these IP addresses, if the email was sent from any other mail server it will be rejected.

DKIM: DomainKeys Identified Mail

DomainKeys Identified Mail is the third required authentication protocol which Google will require for bulk senders. DKIM checks to prevent unauthorized use of custom domain email addresses as a counter measure to prevent phishing and email spoofing attacks. DKIM signatures are added as a means for email providers to verify the authenticity of the sender.

DKIM signing has three main steps:

  1. The email sender chooses which fields should be included in the DKIM signature. These can range from the "From" address, the email body, subject lines, etc. These must remain unchanged in transit or the final DKIM check will fail.
  2. The chosen fields will be hashed by the sender's email provider and the hash is encrypted using the sender's private key.
  3. After being sent the receiving email server will validate the signature by fetching the public key which matches the sender's private key. This will decrypt the hash string from step 2 and verify that no changes occurred during transit.

Only when these steps are successful will the email be delivered. If they are not satisfied, the email will be rejected according to the DMARC rule of the domain owner.

Example DKIM Signature

Here is an example DKIM signature used to protect a custom domain from being spoofed for sending spam or phishing mails.

Big Tech security changes are long overdue

Both Google and Yahoo! announced that these settings will be required on February 1st of 2024, but these security features have been available for years. While it is a great move by Big Tech to begin requiring these additional DNS security records, the timing is somewhat questionable. Google is without a doubt a leader in the IT security space, but their laissez-faire approach to email security seems somewhat out of place. Yahoo! doesn't deserve much applause here either. Following major data breaches which exposed nearly all existing accounts, this traffic should have received tighter scrutiny immediately rather than nearly a decade later.

It is great to see that Google and Yahoo! are stepping up their security requirements because in 2022, nearly 49% of all emails sent were spam.

Gmail is the leading daily spam sender at 14.5 million spam emails per day!

There is misguided criticism of privacy-oriented email services like Tuta Mail, claiming that they are a haven for miscreants and spammers. While there may be spammers who attempt to use our services, they are quickly shut down. Google's Gmail on the other hand has been reported as being responsible for sending 14.5 million spam emails per day. The unfathomable volume of spam coming from Google's mail servers alone dwarfs any spam attempts from other email providers.

The now in plance security measures are a step in the right direction, but in hindsight they should have been introduced much sooner.

Alternatives provide better, all-encompassing security.

Tuta Mail supports the full use of custom email domains, but during the custom domain configuration process we guide all users in how to get these crucial DNS security records added to better protect their custom domain from abuse by fraudsters. Other Big Tech providers have dropped this option, like Microsoft who recently removed this custom domain support from Outlook.

By choosing a private alternative to Big Tech providers, it is not only possible to take advantage of easy to configure domain options, but you can rest assured that your data is safe from Google's invasive advertising practices. By choosing Tuta to protect your emails you are also protected by our world's first post-quantum encryption. This new generation of encryption protects you and your data from intelligence agencies and their "Harvest now, decrypt later" practices.

Drop Google and choose privacy!

You deserve better than having your data scraped to train AI models which in turn push directed ads to your mailbox. You should be free to communicate securely with friends and loved ones without needing to worry about Big Tech peeking over your shoulder. By choosing a private email alternative you are protecting your freedom to express yourself.

Choose privacy today!

SIGN UP
Author
Brandon fights for your right to privacy by spreading the word about privacy respecting products like Tuta. His expertise in US privacy law, encryption usage and policy, and American surveillance politics lets him explain complicated topics and privacy issues in an easy-to-grasp language. Privacy shouldn't be a luxury and by working at Tuta, Brandon helps bring privacy and security to everyone.
Top posts
Threat Modeling In 2024: Your Guide For Better Security
10 Best Private Email Services in 2024
Google Pays 1150 Times More for Its Search Monopoly Than for Lobbying in the EU & US
Why Use A Password Manager - And Our Top 3!
Anonymous email: Create an email address without a phone number.
The Illusion Of "Swiss Privacy" Being The Best
10 best free email accounts in 2024
Latest posts
The American Privacy Rights Act stands to be America's GDPR
Google Search Is A Problem: How Google Is Crushing Tuta.
The XZ Backdoor on Linux and the importance of Open Source Software
Apple is finally giving you the choice: Take it and install a private browser right now!
Terminate subscription
Company
Community
Team
Jobs
Terms
Privacy
Legal notice
Development
Changelog
Roadmap
Security
Encryption
Open Source
GitHub
Features
Secure Email
Encrypted Calendar
Business
Support
Forum
Press
Support
Language
English
Translate