top of page
  • Writer's pictureSMH

Major providers update email receiver policies


The short version


Most major email providers are now going to make it harder for malicious emails to get through. However, this could also lead to some legitimate mail being stopped if your settings aren’t correct. Email senders will now have to ensure that certain authentication methods are in place in order for their emails to be delivered successfully.


This will also impact emails sent by your own customers and suppliers. If their own systems don’t conform to the new rules, then their emails won’t make it through to your inboxes. And there isn’t anything you/we can do this end to change that – it is up to them to implement the new requirements on their own servers.


If there is anything you are unsure of, or for further advice, please email us via [email protected] or give us a call on 01905 955 035.


The more in-depth version…


In order to stop the spread of malicious or spam emails, a number of the major email providers have either rolled out or are currently rolling out more robust authentication procedures. This will ultimately be a good thing and should hopefully see fewer ‘rogue’ emails making their way through to your inbox. However, it could also mean a lot of legitimate communications won’t be received, if your settings aren’t correct.


Recently, the likes of Google (Gmail), Yahoo and Apple, required authentication to be in place when sending messages. In order to meet these requirements, you will need to:


  • Have a Domain-based Message Authentication, Reporting & Conformance (DMARC) policy in place.

  • Ensure Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) alignment.

  • Make it easy for recipients to unsubscribe (one-click unsubscribe – this relates more to bulk email senders not to general correspondence.)


Following the rollout by the companies above, these requirements will also soon be implemented by Hornet (our Anti-Spam solution provider) and Microsoft (M365)


Google and Yahoo also have some additional email requirements which can be broken down into two categories. The first set of requirements will need to be followed by everyone, whilst the second set is only applicable to bulk senders.


Requirements applicable to all senders:


1.      Email authentication – This is a critical measure to help prevent threat actors from sending emails under the pretence of being from your organisation. A tactic referred to as ‘domain spoofing’ and, if left unprotected, it allows cybercriminals to weaponise sending domains for malicious cyber-attacks.

a.      SPF is an email authentication protocol designed to prevent email spoofing, a common technique used in phishing attacks and email spam. As an integral part of email cybersecurity, SPF enables the receiving mail server to check whether incoming email comes from an IP address authorised by that domain’s administrator.

b.      DKIM is a protocol that allows an organisation to take responsibility for transmitting a message by signing it in a way that mailbox providers can verify. DKIM record verification is made possible through cryptographic authentication.

2.      Low spam rates – if recipients report your messages as SPAM at a rate that exceeds the 0.3% requirement (ideally targeting 0.1% spam rates – or 1 in 1,000 messages delivered marked as spam), your messages could be blocked or sent directly to a Spam folder.  


Requirement applicable to bulk senders:


1.      SPF and DKIM must be in place – companies that send to Gmail or Yahoo must have SPF and DKIM authentication methods implemented.

2.      Companies must have a DMARC policy in place – DMARC is an email authentication standard that provides domain-level protection of the email channel.

a.      DMARC authentication detects and prevents email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks.

b.      DMARC builds on the existing standards of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It is the first and only widely deployed technology that can make the header “from” domain trustworthy. The domain owner can publish a DMARC record in the Domain Name System (DNS) and create a policy to tell receivers what to do with emails that fail authentication.

3.      Messages must pass DMARC alignment – This means that the sending Envelope From domain is the same as the Header From domain, or that the DKIM domain is the same as the Header From domain.

4.      Messages must include one-click unsubscribe – For subscribed messages, messages must contain List-Unsubscribe message headers and a clearly visible unsubscribe link in the message body that can be initiated with a single click (one-click unsubscribe). Unsubscribe actions must be taken for a requesting user within two days.  


What’s next?


From April, Google will start rejecting a percentage of non-compliant email traffic and will gradually increase the rejection rate. For example, if 75% of a sender’s traffic meets their requirements, they will start rejecting a percentage of the remaining 25% of traffic that isn’t compliant.


If you don’t implement email authentication, these changes are going to significantly impact the deliverability of your messages to your customers that use these email providers’ accounts. For those of you that send bulk emails to Gmail and Yahoo accounts and fail to have SPF and DKIM, or if you don’t have a DMARC policy implemented, these ‘non-deliveries’ will have an even greater impact on your business.


Properly aligning DMARC for your outbound email requires alterations to how your “From:” addresses are passed at the SMTP and email header level so that the domain in the from addresses matches the domain in the DKIM key and the SPF domain. When these ‘sender addressing’ changes involve working with a third-party or SaaS solutions that do not offer flexibility in their configuration, or that don’t support DKIM signing, things can get complex quickly.


One thing to be particularly aware of though please, your own customers may have issues getting email through to you. This is not something we can affect from our end; they will have to speak to their own respective IT suppliers in order to ensure their email is in compliance with the new authentication procedures.


Hopefully the above all makes sense. If there is anything you are unsure of, or for further advice, please email us via [email protected] or give us a call on 01905 955 035.


bottom of page