
Google - New Authentication Requirements for Email Senders

Starting on February 1, 2024, Google will implement a new set of guidelines for bulk email senders as part of its initiatives to add security measures against email threats such as email spoofing and email spam. Email senders who send more than 5,000 messages per day to Gmail accounts must adhere to the new authentication requirements discussed in this article. Email senders must follow these guidelines to ensure that email delivery to and from email platforms continues normally.


What are Google's New Requirements for Senders?

For All Email Senders

The following measures will help improve email security by mitigating the risks that are associated with malicious, spammy, and unsolicited emails, regardless of your organization's email volume. All email users should adhere to the following set of guidelines.

  • SPF and DKIM records setup - Implement SPF or DKIM records for your domain to combat email spoofing and enhance security. 
     
  • DNS records validation - Confirm that your IPs or sending domains possess valid forward and reverse DNS records (rDNS). This alignment ensures the sending hostname is correctly mapped to the sending IP address.
     
  • TLS encryption - Use Transport Layer Security (TLS) connections for transmitting emails, enhancing privacy and security. Google Workspace facilitates TLS activation and setup.
     
  • Spam minimization - Keep reported spam rates below 0.1% in Google’s Postmaster Tools. Rates exceeding 0.3% may lead to increased spam classification by Google. Regularly monitor spam reports to prevent messages from being categorized as spam.
     
  • Message formatting - Adhere to the Internet Message Format (IMF) standard when formatting messages. This standard outlines the fundamental format of email messages.
     
  • Avoid Gmail From: header impersonation - Refrain from impersonating Gmail From: headers. Google is enforcing a new DMARC policy that could quarantine or block emails impersonating Gmail addresses.
     
  • ARC Headers for forwarded emails - If regularly forwarding emails, consider adding Authenticated Received Chain (ARC) headers to maintain SPF and DKIM authentication. For mailing lists, include a List-id: header in outgoing messages for clear identification.

Adhering to these guidelines ensures a more secure email environment and reduces the likelihood of email-related security issues.

For Bulk Email Senders (more than 5,000 messages a day)

If your organization sends more than 5,000 emails a day, it must meet the following requirements in addition to those listed above.

  1. Set up DMARC records

    The DMARC policy signals to your receivers that your messages are DKIM-protected. It also tells them how to handle messages that do not pass: take no action, mark them as junk, or reject them.

    1. Add a TXT record to create a DMARC record following the standard format.
      v=DMARC1; p=none; rua=mailto:[user email]

      For more information on how to add DNS records to your control panel, please visit the How to Change DNS Zones article.

    2. Consider the following DMARC options:

      • None: No action is taken on the message; useful for monitoring.
      • Quarantine: Messages should be set aside.
      • Reject: Messages should be rejected.

    3. Enter the email address where you want to receive DMARC reports in the Send Reports to field. The email address must be under the domain you are managing.

  2. Ensure that users can unsubscribe

    Marketing and subscribed messages must facilitate a one-click "Unsubscribe" option and include a clearly visible "Unsubscribe" link in the message body.

    Only send emails to individuals who have expressed a desire to receive messages from you. This reduces the likelihood of them marking messages from your domain as spam. Frequent reports of messages from your domain as spam can negatively impact your domain's reputation over time.
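
For the DMARC setup in step 1 above, the following added example (not part of the original article or of any Google tooling) checks a DMARC TXT value before it is published: it must start with v=DMARC1, use one of the three policy options, and send reports to an address under the managed domain. The function names and the sample domains are assumptions made for illustration.

```python
# Added example. Record strings and domain names are constructed.
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def lint_dmarc(txt, managed_domain):
    """Return a list of problems; an empty list means the record passed."""
    try:
        pairs = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    managed = managed_domain.lower().rstrip(".")
    reports = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not reports:
        problems.append("no rua address, so no reports will be received")
    for uri in reports:
        scheme, _, rest = uri.partition(":")
        address = rest.split("!")[0]  # drop an optional size limit such as !10m
        domain = address.rpartition("@")[2].lower().rstrip(".")
        if scheme.lower() != "mailto" or "@" not in address:
            problems.append(f"rua entry is not a mailto address: {uri}")
        elif domain != managed and not domain.endswith("." + managed):
            problems.append(f"rua address {address} is outside {managed}")
    return problems


def is_enforcing(txt):
    """True when p is quarantine or reject; p=none only monitors."""
    return dict(parse_dmarc(txt)).get("p", "").lower() in ("quarantine", "reject")
```

A record with p=none passes `lint_dmarc` but `is_enforcing` returns False for it, which is the monitoring-only state described in the options list.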

