How to Implement Google's New Email Authentication Requirements
Starting February 1, 2024, Google will begin applying new security rules for email authentication, aimed mainly at those who send large volumes of email. These rules are designed to make email safer and to stop fake emails and phishing attacks. Follow these guidelines to ensure your emails are sent and received smoothly across different platforms.
- What to Know About Google's New Sender Requirements
- For All Email Senders
- For Bulk Email Senders (Sending Over 5,000 Messages Daily)
Google's latest update to email authentication standards includes various protocols. The specific requirements depend on your organization's email usage, which is broadly divided into two categories: for all email senders and for bulk senders.
All email senders should comply with the following measures, which enhance email security by filtering out malicious, unwanted, or spam messages.
- Implement SPF or DKIM - Set up Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) for your domain. These are effective in reducing email spoofing and security risks.
- Validate DNS Records - Ensure that your IP addresses or sending domains have proper forward and reverse DNS records. This confirms that the sending hostname corresponds to the IP address.
- Utilize TLS Connections - Use Transport Layer Security (TLS) for email transmission. This encryption secures email privacy and requires both sender and recipient to use TLS. In Google Workspace, TLS can be activated and configured.
- Keep Spam Rates Low - Maintain a spam report rate below 0.1% in Google’s Postmaster Tools, ensuring it never exceeds 0.3%. High spam rates can lead to increased spam classification by Google. Regularly check spam reports to avoid your emails being marked as spam.
- Adhere to Internet Message Format Standard - Format your email messages according to the Internet Message Format Standard, which outlines the basic structure of email messages.
- Avoid Impersonating Gmail "From" Headers - Do not impersonate Gmail in the From: headers of your emails. Google's new DMARC policy might quarantine or block emails that do so.
- Add ARC Headers for Forwarded Emails - For senders regularly forwarding emails, such as mailing lists, it's important to add Authenticated Received Chain (ARC) headers and a 'List-id:' header for clear identification, maintaining SPF and DKIM authentication through various stages.
For organizations sending over 5,000 messages a day, here are the additional requirements:
- Implement DMARC Record - To set up the DMARC record, check the steps below:
• Set Up a DMARC Record: Utilize a TXT DNS Record to create a DMARC Record following the standard format:
v=DMARC1; p=none; rua=mailto:[user email]
• Please consider the following DMARC options:
a. None: No action is taken on the message; useful for monitoring.
b. Quarantine: Messages should be set aside.
c. Reject: Messages should be rejected.
• Setting Up DMARC Report Delivery: In the Send Reports to field, input the email address where you would like to receive DMARC reports. Ensure this email is associated with the domain you are overseeing.
- Enable Users to Unsubscribe with a Single Click - Marketing and subscription-based emails should offer a straightforward one-click opt-out option, with an easily noticeable unsubscribe link included in the email content.
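The DMARC record format, policy options, and report-address guidance described above can be checked before the TXT record is published. The following Python code is an added example, not code from Google or from the original article; the function names and the example.com values are constructed for illustration, and treating the domain itself or any of its subdomains as "associated" is a simplifying assumption.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT value into a {tag: value} dict (tag names lowercased)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt, domain):
    """Return a list of problems in a DMARC record intended for `domain`."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # The version tag has to be the first tag in the record.
    if not re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", txt):
        problems.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append(f"p must be one of {sorted(VALID_POLICIES)}")
    rua = tags.get("rua")
    if not rua:
        problems.append("no rua address: aggregate reports will not be delivered")
        return problems
    for uri in (u.strip() for u in rua.split(",")):
        if not uri.lower().startswith("mailto:"):
            problems.append(f"rua entry is not a mailto: URI: {uri}")
            continue
        addr = uri[len("mailto:"):].split("!")[0]  # drop optional size limit
        rdomain = addr.rpartition("@")[2].lower()
        # Assumption: "associated" means the domain itself or one of its subdomains.
        if rdomain != domain.lower() and not rdomain.endswith("." + domain.lower()):
            problems.append(f"rua address {addr} is outside {domain}")
    return problems

if __name__ == "__main__":
    # Constructed sample record for a constructed domain.
    print(check_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com", "example.com"))
```

An empty list means the record passed these checks; each string in a non-empty list names one issue to fix before publishing.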
Send emails only to those who have shown interest in receiving them from you, minimizing the chances of your emails being marked as spam. Repeated instances of your domain's emails being reported as spam can gradually harm your domain's reputation. Learn more about Google's Email sender guidelines.