SubdoMailing Threat To New Gmail Security Rules (2024)

In the tech industry, creating convincing pranks on April 1 is commonplace. However, this April Fool’s Day, news of mass rejection of emails sent to Gmail account holders will be no joke. In just 14 days, new Google rules will begin in earnest that could see swathes of incoming mail blocked. Here's what you need to know about this impending, and important, change.

03/20 updates below. This article was originally published on March 18.

Mass Email Senders Have 14 Days To Comply

Google has been making it explicit since October 2023 that new email sender authentication rules will result in some messages to Gmail accounts being rejected and bounced back to the sender en masse. Neil Kumaran, a Google group product manager responsible for Gmail security and trust, announced that “starting in 2024, we’ll require bulk senders to authenticate their emails, allow for easy unsubscription and stay under a reported spam threshold.” Some of these new protections are scheduled to start in 14 days and will impact every holder of a personal Gmail account in a very positive way.

According to Google’s internal statistics, Gmail’s AI protections stop more than 99.9% of spam, phishing and malware-carrying emails from reaching users’ inboxes. To put that into context, that equates to around 15 billion daily emails. So why are new rules needed for the mail that reaches Gmail accounts? Because even those numbers are not good enough: the remaining fraction still lets unwanted and potentially dangerous emails slip the net.


New Google Bulk Sender Rules Require Email Authentication

The new rules are aimed squarely at bulk senders, which Google defines as those sending at least 5,000 messages daily to Gmail addresses. That number is calculated based on emails that are sent from the same primary domain regardless of the number of subdomains used. Importantly, to be labeled as a bulk sender, that 5,000 limit only has to be reached once in 24 hours for the attribution to become permanent.

Although Google does appear to be taking a slow and steady approach to the new rules for bulk email senders to Gmail accounts, you can expect things to start ramping up from April 1. “Starting in April 2024, we’ll begin rejecting non-compliant traffic,” Google has stated in an email sender guidelines FAQ, continuing, “we strongly recommend senders use the temporary failure enforcement period to make any changes required to become compliant.”

Although the guidelines apply only to emails sent to personal Gmail accounts, not to Google Workspace accounts, they apply to all senders, including those who send from Google Workspace.


Act Now To Boost Sender-Side Security Or Face Mass Email Rejections

The new rules aim to “boost sender-side security and increase the control users have over what gets into their inbox even more. If anything, meeting these requirements should help senders reach those who want their messages more effectively, with diminished risk of spoofing and hijacking from bad actors,” a Google spokesperson said.

Responsible email marketing specialists will already be aware of protocols such as Domain-based Message Authentication, Reporting & Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), but now any organization considering a mass-email marketing campaign needs to ensure they are as well, or they could be made to look like fools come April.

Starting June 1, Google will also start implementing the requirement that all commercial and promotional emails have a one-click unsubscribe function for recipients. The clock is ticking.


03/19 update: Security researchers at Guardio Labs have uncovered a “sprawling campaign of subdomain hijacking” that could undermine Google’s attempt to protect Gmail users from malicious mass emailing campaigns. The research reveals millions of malicious emails being sent each day using a network of compromised subdomains.

“This is a vast campaign that has been ongoing for 2+ years,” Nati Tal, head of Guardio Labs, says, “prepping for Google's plans to harden email authentication policies.” The hackers inject Sender Policy Framework records to authenticate their Simple Mail Transfer Protocol servers and host unsubscribe functions on hijacked subdomains. Guardio uncovered a network of more than 8,000 domains, including hugely well-known brands such as CBS, eBay, Marvel, McAfee, and MSN, being used in the ‘SubdoMailing’ campaign.

Sadly, it’s pretty easy to pull off. The research shows how, for example, malicious actors bought a long-forgotten domain that had once been used by MSN and was still referenced by an msn.com subdomain record, and could then leverage that record. In this case, they could send authenticated emails that appeared to originate from msn.com rather than from the sender’s own domain.

"Despite Gmail's latest anti-spam efforts, the SubdoMailing tactic shows how determined cybercriminals can once again bypass such measures, exposing the significant security gap in online services we rely on daily,” Tal warns. “These bad actors’ advanced strategies suggest a notable edge over current defenses, turning minor spam into serious threats.”

A Google spokesperson told me, “Gmail has multiple layers of protections, and we’re constantly adding more to defend against this attack vector. However, this report underscores how important it is that we improve email authentication for the entire email ecosystem. That’s why we’re instituting requirements for bulk Gmail senders that help close authentication loopholes to the benefit of the entire email-sending community.”

These DMARC requirements being implemented by Google for bulk senders are an “effective and economical way to significantly improve email security for the average organization or person,” Gerasim Hovhannisyan, CEO of EasyDMARC, says. “Their leadership in pushing forward with these changes will protect thousands from malicious emails hitting their inboxes.”

The Guardio report itself also doffs its cap towards Google on this matter: “The Fight against spammers and impersonators introduced several security and authentication methods… All of those remained optional until Google stepped up last year, requiring at least one of the optional authentication methods to pass. This will also become mandatory for mass mailers (sending more than 5000 emails daily) later this year.”

Rahul Powar, CEO at Red Sift, says that organizations must acknowledge the evolving landscape of cyber threats in response to the alarming trend of hijacked subdomains from major brands being exploited in extensive spam campaigns. “The recent enforcement of stringent bulk sender requirements by major email service providers has undeniably escalated the complexity of maintaining email security,” Powar says, “compelling malicious actors to pivot their strategies towards exploiting the reputable stature of established brands through subdomain hijacking.” Powar concludes that this “underscores the critical vulnerabilities that can arise from misconfigurations and the dynamic nature of technical controls within digital infrastructures.”

The discovery of complex SubdoMailing operations reminds us that in the cybersecurity field, the goalposts are constantly moving; Hovhannisyan says, “The use of abandoned domains capable of passing DMARC checks should be a concern to any organization that relies on email authentication technology to protect their customers and data.” Hovhannisyan also warns that sensible DMARC protocols preventing unwelcome inbox intrusions will be crucial in the coming decade as AI helps develop increasingly convincing phishing emails. “Organizations should also remain vigilant and be aware of the subdomains associated with their own, understanding how these necessary regulations can be exploited and used for malicious purposes.”
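The exposure Tal and Hovhannisyan describe can be audited from the sender’s side. The following is an added example, not code from the article, Guardio Labs or Red Sift: it walks a domain’s SPF include: chain and flags references to names that no longer publish a record, the kind of abandoned dependency SubdoMailing abuses. The TXT records and domain names are constructed stand-ins for DNS, and the example goes beyond the article by also counting DNS-costing terms against SPF’s 10-lookup limit.

```python
"""Audit an SPF include chain for dangling references (added example, not
code from the article, Guardio Labs or Red Sift). The TXT data below is
constructed; in real use replace the dict with DNS TXT queries (dnspython
is one option; an assumption, not something the article specifies)."""
import re

# Constructed stand-in for DNS TXT records. A key that is absent models a
# domain that expired or was abandoned and that anyone could re-register.
CONSTRUCTED_TXT = {
    "example.com": "v=spf1 include:_spf.example.com "
                   "include:mailer.old-vendor.example ~all",
    "_spf.example.com": "v=spf1 ip4:192.0.2.0/24 include:relay.example.net -all",
    "relay.example.net": "v=spf1 ip4:198.51.100.10 -all",
    # "mailer.old-vendor.example" is deliberately missing: a dangling include.
}

# Terms that pull in another domain's SPF policy.
DOMAIN_REF = re.compile(r"^[+\-~?]?(?:include:|redirect=)(?P<domain>\S+)$", re.I)
# Terms that cost a DNS lookup; RFC 7208 limits these to 10 per evaluation.
COSTS_LOOKUP = re.compile(r"^[+\-~?]?(?:include:|redirect=|exists:|a\b|mx\b|ptr\b)", re.I)


def audit_spf(domain, zone=CONSTRUCTED_TXT):
    """Walk the include:/redirect= chain starting at `domain`.

    Returns a dict with 'dangling' (referenced names with no SPF record,
    the exposure SubdoMailing abuses), 'lookups' (DNS-costing terms found)
    and 'ok' (no dangling names and within the 10-lookup limit).
    """
    dangling, lookups, seen = [], 0, set()
    stack = [domain.lower()]
    while stack:
        name = stack.pop()
        if name in seen:           # guard against include loops
            continue
        seen.add(name)
        record = zone.get(name)
        if record is None:
            dangling.append(name)  # nobody answers for this name any more
            continue
        for term in record.split()[1:]:   # skip the "v=spf1" version tag
            if COSTS_LOOKUP.match(term):
                lookups += 1
            ref = DOMAIN_REF.match(term)
            if ref:
                stack.append(ref.group("domain").lower())
    return {"dangling": sorted(dangling), "lookups": lookups,
            "ok": not dangling and lookups <= 10}
```

Running `audit_spf("example.com")` against the constructed data reports the missing vendor domain as dangling; any name in that list is one a brand should reclaim or remove from its SPF record.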

03/20 update: It’s not just Google that is upping the ante when it comes to email security for holders of its personal Gmail accounts; Yahoo Mail is also implementing new rules. Marcel Becker, a senior director of product management at Yahoo, says that “numerous bulk senders fail to secure and set up their systems correctly, allowing malicious actors to exploit their resources without detection. A pivotal aspect of addressing these concerns involves sender validation, leveraging email authentication standards to guarantee the verification of the email sender’s identity.”

In an effort to rectify this and return the balance of power to the user, Yahoo Mail will, “in the first quarter of 2024,” require bulk senders to authenticate their email using the same industry standards as Google is imposing: SPF, DKIM and DMARC. Also, as with Gmail, they will be required to offer an easy one-click unsubscribe option and finally, to ensure users’ inboxes are not “cluttered with unsolicited or irrelevant emails,” Yahoo Mail will “start enforcing a threshold to ensure our users can continue to enjoy a spam free mailbox.”

In response, Red Sift has published a guide to mastering Google and Yahoo’s bulk email sender requirements for email marketers. Now would be a very good time to consult it if you don’t want to fall foul of the new mandatory regulations for sending bulk emails to Gmail or Yahoo Mail addresses.

Red Sift found that more than 90% of the world’s email-sending domains would fail these new regulations as they had no DMARC record. That said, the organization has also seen a “steep increase in the adoption of DMARC since January 1 across all domains around the world,” apparently in response to the looming new regulations. “Comparing the number of domains with DMARC at the end of February to the beginning of January reveals an additional 795,824 records in place,” Red Sift reports. The research also demonstrates that around the world, the countries with some of the highest guaranteed failure rates, like Italy, Germany, Japan, and Spain, have made significant strides throughout February, improving readiness for large enterprises by as much as 35%.

According to research from EasyDMARC, there are four billion daily email users with a return on investment of up to $42 for every $1 spent, meaning email marketing is one of the most successful marketing strategies, especially for the retail sector. EasyDMARC reviewed the DMARC policies of the top 1,000 global online stores and discovered only 75% had deployed the increasingly necessary security protocol. “Poor email deliverability can affect not just customer awareness but also the trust in and financial performance of e-commerce platforms,” EasyDMARC warns. “Emails missing inboxes can erode customer trust and directly impact sales, highlighting an important future link between cybersecurity compliance, brand reputation, and an organization's bottom line.”

Red Sift’s Rahul Powar cautions that “empathy is warranted for the brands caught in the crossfire, as they grapple with the challenges posed by the intricate and often decentralized nature of their online presence. These incidents serve as a stark reminder of the importance of adopting a holistic security posture. Continuous, proactive monitoring of an organization's digital footprint, coupled with rigorous inspection of security controls, is paramount in identifying and mitigating potential vulnerabilities before they can be exploited. As we navigate this complex cyber landscape, the commitment to vigilance and adaptive security measures will be pivotal in safeguarding the integrity of brands against such insidious threats.”

Kate Nowrouzi, vice president of deliverability at communications experts Sinch, warns that the “upcoming policy shifts by Google and Yahoo to intensify the fight against spam will undoubtedly send shockwaves through the email marketing world. Email sending is about to become even more complex, and the onus is on businesses to ensure emails are actually making it to their customers. With stringent new thresholds for spam classification and opt-out requirements, many brands holding onto traditional email tactics will face delivery disruptions, lost revenue, and potential damage to the sender's reputation.”

However, Nowrouzi says it’s not all doom and gloom, especially for agile marketers who are focused on the customer experience. “This shift signals an opportunity to re-evaluate dated email practices,” Nowrouzi says, “forward-thinking brands will embrace these policy changes as motivation to employ new and effective deliverability strategies. Implementing authentication protocols like DMARC and optimising traffic analytics will separate the success stories from those left behind.”

Guardio Labs has a free SubdoMailing checker as does Red Sift.
