cyberprotect IT logo
navigating gmail yahoo email changes 2024

Navigating the New Gmail and Yahoo Email Authentication Requirements

Email Security

Patricia Espinoza

Patricia Espinoza

January 24, 2024

Navigating the New Gmail and Yahoo Email Changes 2024

What Are the Changes in Gmail and Yahoo Mail 2024?

Beginning February 2024, Google and Yahoo will enforce a more strict policy to combat spam and phishing emails.

The requirements that these two giants are imposing will also help make your business email more secure. It will keep it from being spoofed or impersonated.

If you’re an email marketer who sends emails to gmail or yahoo users, then follow this guide if you want your emails to land in your audience’s inboxes —and not get sent to the spam folder.

In this article, we’ll show you with what you need to do to make your business email compliant and safer, step by step.

The New Email Authentication Requirements by Gmail and Yahoo

1. Authenticating email / domain with security frameworks

There are three email security protocols that your business domain must now keep to stay in Google and Yahoo’s good graces:

  • SPF
  • DKIM
  • DMARC

2. Keeping spam complaint rates below 0.3%

Keeping spam rates low is easy to do if your audience expects emails from you.

Do not send newsletters to people who have not signed up for them. Meeting someone at a networking event and putting them on your mailing list does not count as an opt-in.  They must sign up themselves or given you permission to email them. 

3. One-Click unsubscribe option

If you send newsletters or other broadcast emails, you must have a visible option to unsubscribe.

“No matter who their email provider is, all users deserve the safest, most secure experience possible,” says . “In the interconnected world of email, that takes all of us working together. Yahoo looks forward to working with Google and the rest of the email community to make these common sense, high-impact changes the new industry standard.”
Marcel Becker
Sr. Dir. Product, Yahoo DOE

Reinforcing Email Deliverability and Security

These frameworks mentioned on requirement #1 are not new. They have been around for a while as recommended best practices. Since email security is becoming front and center these days, Google and Yahoo are now making their implementation mandatory.

The good news is that when implemented correctly, these protocols can only help boost the email deliverability and security of your business domain.

Sender Policy Framework (SPF)

Sender Policy Framework, SPF, identifies the mail servers and domains that send emails on behalf of your business domain. For example, your business email might have:

  • Google Workspace or Microsoft 365 as your primary ESP
  • An email marketing platform such as ActiveCampaign or Mailchimp
  • An SMTP service on your website that sends messages, forms or comments emails
  • A chatbot or helpdesk service that sends and receives leads, customer or ticket emails

SPF Record Option 1:

If your business domain uses Google Workspace ONLY

If your domain sends emails using Google Workspace only and no other email sending services, enter this SPF record on your domain DNS:

v=spf1 include:_spf.google.com ~all

If your business domain uses Microsoft 365 ONLY

If your domain sends emails using Microsoft 365 only and no other email sending services, enter this SPF record on your domain DNS:

v=spf1 include:spf.protection.outlook.com -all

SPF Record Option 2:

Your business domain uses Google Workspace AND other senders

You can begin to compose the SPF record using SPF Option 1 and add other senders as needed. To do so, we recommend using a SPF record generator.

SPF Record Generator

The easiest way to compose a correct and complete SPF record is to use a SPF record generator. The easiest and quickest tools we found are:

  1. https://easydmarc.com/tools/spf-record-generator
  2. https://powerdmarc.com/power-dmarc-toolbox/ > Generator Tools > SPF Record Generator

Publish Your SPF Record

You must now publish your SPF record in your domain’s DNS as a TXT entry:

Host or Name: enter the domain name or “@”

Value, Target or Data: the generated SPF record.

There can only be one SPF record per domain. So make sure to keep it updated to keep your domain safe.

Tip:

Keep an inventory of your business domain authorized senders in Excel, Gsheet or AirTable so you always have your SPF record updated


Domain-Key Identified Mail (DKIM)

Domain-Key Identified Mail, DKIM, increases security for your business outgoing email. It helps protect your domain from spoofing, and your outbound emails from being marked as spam.

Spoofing forges the From: field of an email to impersonate your business. DKIM detects when the From: address has been tampered with.

Without DKIM your outbound emails are more likely to be marked as spam by receiving email servers.

DKIM works with a pair of keys: Private and public.

The private key is kept securely and secretly by the ESP. The public key goes in the DNS record which receiving email servers use to authenticate the DKIM signature.

Find out if your domain provider supports 2048-bit DKIM keys. 2048-bit keys are more secure than 1024-bit. If you’re not sure which your domain registrar supports, begin with 2048-bit, and change if it gives you trouble later on.

Creating a DKIM Record for Google Workspace

Here’s the step-by-step article to create your DKIM record, including of course, your private and public DKIM keys:

https://support.google.com/a/answer/180504?hl=en&ref_topic=2752442&sjid=13662279917825445544-NC

Tip:

If the new record generates successfully but it doesn’t show under your domain, switch to a different domain in the dropdown (or go to the dashboard,) and come back or just hit refresh. You should see your domain’s DKIM record now.

Creating a DKIM Record for Microsoft 365

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide

Publish your DKIM Record

Go to your domain registry and enter the DKIM record as a TXT record in the DNS settings:

Host or Name : the selector given

Value, Target or Data: the generated public key


Domain-Based Message Authentication, Reporting and Conformance (DMARC)

Domain-Based Message Authentication Reporting and Conformance, DMARC, is an email security standard that uses SPF and DKIM filters to perform more advanced security validation on emails received.

DMARC attempts to combat email scams by allowing email receiving servers to determine whether or not an email claiming to come from a domain actually comes from that domain.

DMARC defends your domain against phishing and spoofing attacks, and improves your business email deliverability. This means, it will reduce the chances that your emails will be mis-flagged as spam or untrusted email.

The DMARC standard is a must if you’re sending sensitive info with your business email such as:

  • Personal identifiable information, PII
  • Payment details or requests
  • Invoicing
  • Business transaction details

DMARC Record Settings

We could list the 11 tags that are needed to compose a DMARC record from scratch.

But (a) you can find tons of those online (i.e. here and here).

And (b) It’s easier and faster to use use one of the DMARC generator tool.

DMARC Record Generator

The easiest tools we found are these. Their forms gather all the info needed to compose a complete DMARC record.

EasyDMARC > DMARC Record Generator Tool

PowerDMARC > https://powerdmarc.com/power-dmarc-toolbox/ > Generator Tools > DMARC Record Generator

EasyDMAR’s tool in particular offers clear instructions on what info needs to go in each field. It also alerts you if there are errors or missing details.

The most important thing is that you create a policy to reject and quarantine those emails that do not pass the SPF and DKIM filters. Since there can only be one DMARC record listed on your domain’s DNS, you must combine all policies / tags into the one record.

Tip:

Start relaxed and gradually get more strict as you have gathered more deliverability intel from your domain’s DMARC reports.

Publish Your DMARC Record

Only one DMARC record per domain can be published in your domain’s DNS.

Add a new TXT entry:

Host or Name: _dmarc

Value, Target or Data: the generated DMARC record.

Monitoring Email Sender Domains

DMARC reports are sent by your email sending servers / sources, like Gmail and Yahoo, with valuable data such as:

  • Message volumes processed
  • SPF/DKIM authentication rates (are your sources complying?)
  • Actions taken: quarantine or reject 
  • Threat/Unknown (detection of your domain spoofing or impersonation)
  • Forwarded (your recipients forwarding your domains to others)

The DMARC reports allow you to fine tune issues as they arise for ongoing domain security.

DMARC reports come in XML so they will be hard to read. Use these free tools to see a human-friendly, easier-to-understand version:

https://us.dmarcian.com/xml-to-human-converter

https://mxtoolbox.com/DmarcReportAnalyzer.aspx

https://easydmarc.com/tools/dmarc-aggregated-reports

In Short

Email security is one of the most important items in a proactive cybersecurity agenda. Email is the heartbeat of your business operations. Ensure that it is well taken care of.

Need help setting these up?

Patricia Espinoza

Patricia Espinoza

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *