KNOWNHOST BLOG

How Google, Yahoo & Apple Changed Their Email Authentication Requirements

Spam negatively impacts all email users – clogging inboxes and damaging the reputation of legitimate senders looking to take advantage of marketing and communication opportunities.

And with almost half of the estimated 360 billion emails sent each day now deemed to be spam, email service providers are having to step in to improve the customer experience. This is exactly what Google, Yahoo, and Apple are doing – introducing new email authentication requirements for bulk senders.

However, while this is a positive move for the average email user, these changes threaten to be disruptive for unprepared senders, including legitimate professionals and businesses.

In this guide, we look at these new email authentication requirements, who they impact, and how to remain compliant to avoid disruption.


What Are Email Providers Changing?

Email service providers like Google, Yahoo, and Apple are rolling out new requirements for mass email senders, changing how emails are authenticated to reduce the number of scams and phishing emails that end up in recipients’ inboxes.

These changes require additional authentication from senders to prove they are legitimate – making it more difficult for hackers to trick users into giving away personal information or opening malicious links.

Which Companies Are Changing Their Email Policy?

The three main companies rolling out these changes are Google, Yahoo, and Apple.

Below we look in detail at the different requirements for each of these providers:

Google

  • Users sending bulk emails to Gmail accounts will now face stricter authentication requirements, particularly when sending up to 5,000 emails per day (from February 2024).
  • Gmail will implement a Domain-based Message Authentication, Reporting & Conformance (DMARC) system to enhance email security.
  • Alignment between Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) will be verified to strengthen email authentication.
  • The Unsubscribe feature will be simplified to a single click, facilitating easier removal from unwanted email lists (from February 2024 – Yahoo, June 2024 – Google).

Yahoo & Apple

  • Yahoo is following Google’s lead, implementing updates to minimize inbox clutter and combat fraudulent emails (February 2024).
  • Apple has published an iCloud mail guide that outlines comparable authentication requirements, aligning with industry standards.


What Do These Changes Mean?

So, what do these changes mean for email users?

  • Enhanced Authentication: By requiring SPF and DKIM, email service providers aim to reduce spam from fraudulent senders posing as legitimate organizations, by verifying that the sender’s IP is authorized by the domain admin.
  • An Extra Step: Legitimate senders can still send high-volume emails; they’ll just be required to meet an additional authentication requirement to verify their credentials first.
  • Reduced Spam: Messages reported as spam at a rate surpassing 0.3% may now face potential blocking or redirection to the spam folder, leading to decreased spam rates.

How Does This Impact Me?

Many users will be affected by the changes, from everyday email users to mass senders. Here’s how each type of user will be impacted:

How Will These Changes Protect the Average User?

The changes are designed to protect the average user from scam emails, meaning:

  • A lack of spam messages in your inbox folder.
  • Tighter administrator security on sender IPs, giving users peace of mind that emails are legitimate.
  • A lower volume of spam mail taking up email storage space.

How Will These Changes Impact Mass Senders If Unprepared?

These changes, while beneficial, have the potential to disrupt legitimate email users who are unprepared, as:

  • Emails sent from legitimate sources with a significant sending volume may experience a higher likelihood of being marked as spam and being delivered to recipients’ spam folders.
  • Organizations lacking a DMARC policy to ensure proper email authentication within their domain may encounter difficulties in establishing the legitimacy of their emails.

How Can I Avoid Disruption?

These changes will mostly impact email accounts that send messages in bulk. To avoid your messages being lost in the spam folder, these are the steps you must take for each email provider:

Google

  • To send over 5,000 messages daily, a DMARC “Pass” is required, which depends on a “Pass” result from SPF or DKIM authentication.
  • A valid forward and reverse DNS PTR record is necessary.
  • Keeping spam rates below 0.3% is crucial to avoid being flagged by authentication software.
  • Messages must adhere to email format standards.
  • No domain impersonation should be present in the FROM headers.
  • TLS encryption is required for inbound email.
  • Sending domains must implement DMARC email authentication.
  • Ensure easy one-click unsubscribes are provided.

Yahoo

  • To pass DMARC, either SPF or DKIM authentication is necessary.
  • A valid forward and reverse DNS PTR record is required.
  • Maintain spam rates below 0.3% to prevent reporting by authentication software.
  • Messages must comply with email standards in terms of format.
  • Ensure there is no domain impersonation in the FROM headers.
  • Implement DMARC email authentication for sending domains.
  • Offer convenient one-click unsubscribes.

Apple

  • If sending over 5,000 messages per day, a DMARC Pass is required, with either SPF or DKIM authentication passes.
  • Ensure a valid forward and reverse DNS PTR record is in place.
  • Adhere to email standards for the message format.
  • Avoid domain impersonation in the FROM headers.
  • Implement DMARC email authentication for sending domains.
  • Offer the convenience of one-click unsubscribes.
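
The DMARC “Pass” that all three providers ask for depends on alignment with the From domain as well as on SPF or DKIM passing. The sketch below is an added example, not code from this blog or from any provider; the domains, results and function names are constructed, and `org_domain` is a simplification of how receivers find the organizational domain.

```python
# Added example: DMARC verdict from SPF/DKIM results plus domain alignment.
# All domains and results are constructed sample data.

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real receivers consult the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    # mode "s" = strict (exact match); "r" = relaxed (same organizational domain)
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(from_domain, spf, mail_from, dkim, dkim_d, aspf="r", adkim="r"):
    # DMARC passes when at least one mechanism both passes AND is aligned
    # with the domain in the visible From header.
    spf_ok = spf == "pass" and aligned(from_domain, mail_from, aspf)
    dkim_ok = dkim == "pass" and aligned(from_domain, dkim_d, adkim)
    return "pass" if spf_ok or dkim_ok else "fail"

# (label, From domain, SPF result, MAIL FROM domain, DKIM result, DKIM d=)
SAMPLES = [
    ("own infrastructure", "example.com", "pass", "bounces.example.com", "none", ""),
    ("ESP default setup", "example.com", "pass", "bounce.esp-mailer.example",
     "pass", "esp-mailer.example"),
    ("forwarded message", "example.com", "fail", "lists.forwarder.example",
     "pass", "mail.example.com"),
]

def evaluate_samples():
    return {label: dmarc_result(*fields) for label, *fields in SAMPLES}

if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"{label:20} DMARC {verdict}")
```

The second sample is the common bulk-sender pitfall: SPF and DKIM both pass, but only for the mailing service's own domain, so DMARC still fails for the From domain.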

Setting up SPF, DKIM, and DMARC Records

To avoid disruption to your communication and marketing efforts – and your emails ending up in spam folders – you’ll need to set up SPF, DKIM, and DMARC records, to comply with new authentication requirements.

What Is SPF?

SPF (Sender Policy Framework) is an email authentication protocol that confirms the legitimacy of the sender’s identity by verifying if the sending server is authorized to send emails on behalf of the domain.

What Is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication technique that employs cryptographic signatures to validate the sender and the integrity of the email content.

What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication standard that aids in thwarting email spoofing and phishing attempts by enabling domain owners to define how unauthenticated emails from their domain should be handled.

But how can you deploy these authentication protocols to remain compliant with new email requirements? Below is a simple summary:

  • SPF: Add an SPF TXT record to your DNS, specifying authorized sending servers.
  • DKIM: Generate a DKIM key pair, add the public key as a TXT record, and sign outgoing emails.
  • DMARC: Publish a DMARC TXT record, indicating your desired policy and reporting email address.
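
As an added example (not taken from the guide linked below), here is what the three TXT records can look like for a placeholder domain, with a small linter for mistakes that commonly break authentication. The domain `example.com`, the selector `s1`, the key placeholder and the function names are all assumptions, and the checks cover only a subset of each specification.

```python
# Added example: lint constructed SPF, DKIM and DMARC TXT records.
# example.com, selector "s1" and every value are placeholders.
import re

RECORDS = {
    "example.com": ["v=spf1 ip4:192.0.2.10 include:_spf.mailer.example -all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def parse_tags(txt):
    # Split a "tag=value; tag=value" record (DKIM and DMARC) into a dict.
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def term_name(term):
    # "-include:x" -> "include", "a/24" -> "a", "redirect=x" -> "redirect"
    return re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]

def lint_spf(txts):
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms, problems = spf[0].split()[1:], []
    names = [term_name(t) for t in terms]
    if "redirect" not in names and (not names or names[-1] != "all"):
        problems.append("record should end with an 'all' mechanism")
    if terms and terms[-1].lower() in ("all", "+all"):
        problems.append("'+all' authorizes every server to send as this domain")
    if sum(n in LOOKUP_TERMS for n in names) > 10:  # SPF limit per evaluation
        problems.append("more than 10 DNS-lookup terms")
    return problems

def lint_dkim(txt):
    tags, problems = parse_tags(txt), []
    if not tags.get("p"):
        problems.append("empty or missing p= means no usable public key")
    return problems

def lint_dmarc(txt):
    tags, problems = parse_tags(txt), []
    if not txt.strip().startswith("v=DMARC1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports arrive")
    return problems
```

Each function returns a list of problems, so an empty list means the record passed these particular checks.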

However, for a comprehensive step-by-step reference point for setting up SPF, DKIM, and DMARC Records, check out our helpful guide!

Alternatively, for more support, chat with our expert team today.


Frequently Asked Questions (FAQs)

Q: What Are SPF, DKIM, and DMARC?

A: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are email authentication protocols used to verify sender identity, ensure message integrity, and prevent email spoofing and phishing attacks.

Q: What Is the Difference Between DKIM and DMARC Emails?

A: DKIM (DomainKeys Identified Mail) is an email authentication method that verifies the sender’s identity and message integrity, while DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy framework that builds upon DKIM to provide additional controls and reporting on email authentication.

Q: What Are the Risks Associated With Not Using DKIM?

A: The risks associated with not using DKIM include increased vulnerability to email spoofing, phishing, and compromised email integrity – potentially leading to brand reputation damage and compromised communication security. For more information on how to get started with DKIM, check out our guide on how to enable DKIM with DirectAdmin.