New requirements enter force in February 2024 for those sending emails to Gmail Accounts
4 December 2023
In an effort to reduce spam, phishing and malware-laden emails, Gmail is introducing additional technical security requirements from 1st February 2024. What does this mean for your outgoing emails?
Gmail will be implementing a number of requirements for those who want to send emails to Gmail accounts from 1st February 2024. Google already claims to block around 15 billion unwanted emails every day, but says these are becoming increasingly difficult to spot. Due to this increase in complexity, and a recent surge in Business Email Compromise (BEC), Gmail has decided to introduce some additional security requirements to help counteract this growing threat.
For legitimate business owners and senders, this will require the implementation of a small number of technical steps that are already considered best practice when it comes to email security. There are a few more requirements for those who send more than 5,000 emails per day, but we will detail everything in this post. BEC cost businesses an estimated US$2,74 billion in 2022, according to the latest FBI IC3 report (and that only includes numbers from those who declared a loss), so implementing these steps can help to mitigate many financial and reputational risks, alongside ensuring companies adhere to the new requirements.
Gmail claims that many bulk senders fail to appropriately secure and configure their systems, allowing those with nefarious intentions to piggyback off their trusted reputations. As such, many of the new requirements have focused on email validation tools, basically digital watermarks and other tools that verify to a receiver that the email has been sent from a trusted source and, perhaps most importantly, that the sender is who they claim to be.
From 1st February 2024, all those who send email to a Gmail account must meet the following conditions:
- Set up Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) email authentication, both of which help prevent email spoofing. Although Gmail only requires one, it makes sense to implement both, as they complement one another.
- Ensure that sending domains or IPs have valid forward and reverse DNS records (the reverse records are also known as PTR records) – more general DNS management is also considered good practice, as it allows for easier management of domains, prevents unauthorised changes and reduces the risk of downtime.
- Keep spam rates reported in Postmaster Tools below 0.3% – your spam rate can be checked from your own Postmaster Tools account.
- Use the Internet Message Format (IMF) standard, RFC 5322, for all emails.
- Clearly state who the email is sent from, and avoid impersonation in the ‘From’ header.
- Finally, if you regularly forward emails, add ARC (Authenticated Received Chain) headers to your outgoing mail, as these let the receiver know that the email was forwarded to them by you. Mailing list senders should also add a List-ID header that identifies the mailing list.
If you send over 5,000 emails to Gmail accounts per day, Gmail considers you a bulk sender, meaning that there are a few more things you will need:
- Set up Domain-based Message Authentication, Reporting and Conformance (DMARC) – this increasingly common email authentication protocol makes your domain very difficult to spoof.
- Align the sending domain in your ‘From’ header with your SPF or DKIM domain. This is part of DMARC alignment, so it may already be implemented.
- Implement ‘one-click’ unsubscribe and ensure that the unsubscribe link is clearly visible in all messages.
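As an added example (not code from the original post or from Google), the Python below runs a pre-flight check of one message's headers against both lists above: a From domain and an SPF or DKIM pass for every sender, plus DMARC alignment and the RFC 8058 one-click unsubscribe header pair for bulk senders. It assumes the Authentication-Results header was written by your own inbound gateway, and approximates the organisational domain by the last two labels; the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain):
    # Relaxed DMARC alignment compares organisational domains; taking the last
    # two labels is an assumption that breaks for suffixes such as .co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain):
    return bool(auth_domain and from_domain) and org_domain(auth_domain) == org_domain(from_domain)


def check_message(raw, bulk_sender=False):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    ar = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=pass[^;]*smtp\.mailfrom=(?:[^\s@;]*@)?([\w.-]+)", ar)
    dkim = re.search(r"dkim=pass[^;]*header\.d=([\w.-]+)", ar)
    spf_dom = spf.group(1) if spf else ""
    dkim_dom = dkim.group(1) if dkim else ""
    post = msg.get("List-Unsubscribe-Post", "").strip()
    result = {
        # every sender: a From domain and at least one passing method
        "from_domain": from_domain,
        "spf_or_dkim_pass": bool(spf_dom or dkim_dom),
        # bulk senders: From must align with the SPF or DKIM domain (DMARC)
        "dmarc_aligned": aligned(spf_dom, from_domain) or aligned(dkim_dom, from_domain),
        # bulk senders: RFC 8058 one-click unsubscribe header pair
        "one_click_unsub": "https://" in msg.get("List-Unsubscribe", "")
        and post == "List-Unsubscribe=One-Click",
    }
    needed = ["spf_or_dkim_pass"]
    if bulk_sender:
        needed += ["dmarc_aligned", "one_click_unsub"]
    result["ok"] = bool(from_domain) and all(result[k] for k in needed)
    return result


# Constructed sample: a newsletter sent through a third-party provider whose
# envelope (SPF) domain is its own, but DKIM-signed with the brand's domain.
SAMPLE = "\n".join([
    "From: Example Corp <news@example.com>",
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounces.esp-provider.test;"
    " dkim=pass header.i=@example.com header.s=s1 header.d=example.com",
    "List-Unsubscribe: <https://example.com/unsub/abc123>",
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click",
])
```

The sample passes as a bulk sender only because the DKIM domain aligns with the From domain; the same message with DKIM missing would still satisfy the basic SPF-or-DKIM rule but fail the bulk-sender alignment check.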
Now, the above might sound like a lot of work, but much of it can be implemented relatively quickly and efficiently with the right help. You will need to start working on it soon, however, in order to smooth out any potential issues before the changes become mandatory on 1st February 2024.
These changes are intended to make it harder to imitate or ‘spoof’ emails being sent to Gmail domains, resulting in a safer inbox for consumers and everyone else who uses Gmail. They should limit the number of phishing emails received and protect organisations from being impersonated, and from the financial and reputational damage that often accompanies such deception. The changes should also mean that fewer of your emails end up in the spam folder, or are rejected outright.
So, where to start?
Our Digital Brand team can help you prepare and implement the changes necessary to meet all of the requirements that enter force on 1st February 2024. We can advise you on best practice and help you navigate everything from configuration controls to domain and email security. Perhaps it is also time to consider implementing Verified Mark Certificates (VMC), which, while not required, can improve email security and build brand awareness by showing your company design or logo alongside your emails when they appear in consumers’ inboxes.
We’re here to help, with all of the above and more. For more information reach out to our Digital Brands team at DigitalBrandServices@zacco.com.