On October 3, 2023, twin announcements from M3AAWG member companies Google and Yahoo signaled that 2024 will mark the dawn of a new era, one where “No Auth, No Entry” will be the rule for bulk senders who wish to send mail to those mailbox providers and others that choose to implement similar policies.
Both providers cited sender validation as a key factor in making this policy change. Quoting Yahoo’s announcement:
“[N]umerous bulk senders fail to secure and set up their systems correctly, allowing malicious actors to exploit their resources without detection. A pivotal aspect of addressing these concerns involves sender validation, leveraging email authentication standards to guarantee the verification of the email sender’s identity.”
Mailbox providers have long advocated for email authentication because they anchor sender reputation to authenticated identities and use that reputation in message handling decisions. Furthermore, the use of authentication protocols such as SPF, DKIM, and DMARC has long been recognized as a best practice by M3AAWG. These latest announcements further codify these best practices, and allow mailbox providers to focus more of their energy on separating good and wanted mail from the bad by relying on authenticated identities and their associated reputations.
In the rest of this blog post, we’ll provide a brief overview of the new requirements and discuss what other content M3AAWG will produce in response to them.
Here is a summary of the requirements for bulk senders scheduled to begin in early 2024:
- Implement both SPF and DKIM - Mail sent to these providers must use a Return-Path domain that publishes an SPF record, and messages must be DKIM signed.
- Send with DMARC - The visible From: domain of messages must have a DMARC policy record in DNS. A policy of p=none satisfies the requirement at this time.
- Send with an aligned From: domain - The visible From: domain must align with a DKIM signing domain, the SPF (Return-Path) domain, or both. M3AAWG strongly recommends aligning with a DKIM signing domain to mitigate the risk of an SPF Upgrade Attack, where a domain with a too-permissive SPF record can be successfully spoofed under some conditions.
- Valid forward and reverse DNS - Mail must be sent from IP addresses that have valid reverse DNS (PTR) records, and the hostnames in those PTR records must resolve back to the same IP address. This is also called “Forward-Confirmed Reverse DNS,” or “FCrDNS” for short.
- One-click unsubscribe - Commercial mail must support one-click unsubscribe as described in RFC 8058.
- Low spam rate - A user-reported spam rate below 0.3% is the required threshold.
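The FCrDNS requirement in the list above is easy to get wrong in one direction: an IP can have a PTR record whose hostname resolves to a different address, which fails the check. The Python below, an added example that is not part of the original post or of any provider's tooling, implements the two-step verification with injectable resolver functions so it runs against constructed zone data (RFC 5737 documentation addresses, not real hosts); the `socket`-based resolvers at the end are what you would pass in to check a real sending IP.

```python
"""Added example: forward-confirmed reverse DNS (FCrDNS) check."""
import ipaddress
import socket
from typing import Callable, Iterable, Tuple

# Lookups are injected so the check can run against the constructed zone data
# below; pass the socket-based functions at the bottom to query real DNS.
PtrLookup = Callable[[str], Iterable[str]]    # IP address -> PTR hostnames
AddrLookup = Callable[[str], Iterable[str]]   # hostname   -> A/AAAA addresses


def fcrdns(ip: str, ptr_lookup: PtrLookup, addr_lookup: AddrLookup) -> Tuple[bool, str]:
    """Pass only if the IP has a PTR record and at least one PTR hostname
    resolves back to that same IP (the 'forward confirmation')."""
    addr = ipaddress.ip_address(ip)
    try:
        names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    except OSError:                      # NXDOMAIN / SERVFAIL on the PTR lookup
        names = []
    if not names:
        return False, "%s has no PTR record" % ip
    for name in names:
        try:
            forward = {ipaddress.ip_address(a) for a in addr_lookup(name)}
        except (OSError, ValueError):    # hostname does not resolve
            continue
        if addr in forward:
            return True, "%s -> %s -> %s" % (ip, name, ip)
    return False, "PTR name(s) %s do not resolve back to %s" % (", ".join(names), ip)


# Constructed zone data (RFC 5737 documentation addresses, not real hosts).
PTR_RECORDS = {
    "192.0.2.10": ["mail1.example.com."],
    "192.0.2.11": ["mail2.example.com."],    # its forward record points elsewhere
    # 192.0.2.12 deliberately has no PTR record
}
A_RECORDS = {
    "mail1.example.com": ["192.0.2.10"],
    "mail2.example.com": ["192.0.2.99"],
}


def demo_ptr(ip: str) -> Iterable[str]:
    return PTR_RECORDS.get(ip, [])


def demo_addr(name: str) -> Iterable[str]:
    return A_RECORDS.get(name, [])


# Real resolvers for production use (assumption: system DNS is reachable).
def socket_ptr(ip: str) -> Iterable[str]:
    host, aliases, _ = socket.gethostbyaddr(ip)
    return [host] + list(aliases)


def socket_addr(name: str) -> Iterable[str]:
    return [info[4][0] for info in socket.getaddrinfo(name, None)]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, fcrdns(ip, demo_ptr, demo_addr))
```

Run it against your own outbound IPs with `fcrdns(ip, socket_ptr, socket_addr)`; the second case (PTR present, forward record pointing elsewhere) is the one that most often slips past a sender who only checked that a PTR record exists.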
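RFC 8058 one-click unsubscribe, as required in the list above, has three parts that a sender has to get right together: an https URI in List-Unsubscribe, a List-Unsubscribe-Post header with the exact value `List-Unsubscribe=One-Click`, and a DKIM signature whose h= tag covers both headers. The Python below is an added example, not code from the original post or from any provider; it adds the headers on the sender side, pre-flights a message for those three conditions, and recognizes the POST a receiver sends to the endpoint. The sample messages are constructed and the DKIM-Signature header in them is a placeholder, not a real signature.

```python
"""Added example: RFC 8058 one-click unsubscribe, sender and endpoint sides."""
import re
from email.message import EmailMessage
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

ONE_CLICK = "List-Unsubscribe=One-Click"


def add_one_click_headers(msg: EmailMessage, https_url: str,
                          mailto: Optional[str] = None) -> None:
    """Sender side: RFC 8058 needs an https URI in List-Unsubscribe (a mailto:
    may sit beside it) and a List-Unsubscribe-Post header with this exact value."""
    targets = ["<%s>" % https_url]
    if mailto:
        targets.append("<mailto:%s>" % mailto)
    msg["List-Unsubscribe"] = ", ".join(targets)
    msg["List-Unsubscribe-Post"] = ONE_CLICK


def _dkim_signed_headers(msg: EmailMessage) -> List[str]:
    """Header names listed in the h= tag of the message's DKIM-Signature(s)."""
    signed: List[str] = []
    for sig in msg.get_all("DKIM-Signature") or []:
        for tag in str(sig).split(";"):
            name, _, value = tag.strip().partition("=")
            if name.strip().lower() == "h":
                signed += [h.strip().lower() for h in value.split(":")]
    return signed


def check_one_click(msg: EmailMessage) -> List[str]:
    """Pre-flight check: return the RFC 8058 problems found (empty = compliant).
    Only the presence of the headers in h= is checked here; verifying the
    signature itself needs a DKIM library and DNS."""
    problems: List[str] = []
    lu = msg.get("List-Unsubscribe")
    uris = re.findall(r"<([^>]+)>", str(lu)) if lu else []
    if lu is None:
        problems.append("missing List-Unsubscribe header")
    elif not any(urlparse(u).scheme.lower() == "https" for u in uris):
        problems.append("List-Unsubscribe has no https URI")
    post = [str(v).strip() for v in msg.get_all("List-Unsubscribe-Post") or []]
    if post != [ONE_CLICK]:
        problems.append("List-Unsubscribe-Post must appear once with value %r" % ONE_CLICK)
    signed = _dkim_signed_headers(msg)
    for h in ("list-unsubscribe", "list-unsubscribe-post"):
        if h not in signed:
            problems.append("%s is not covered by a DKIM signature" % h)
    return problems


def is_one_click_request(content_type: str, body: bytes) -> bool:
    """Endpoint side: the receiver POSTs the form field List-Unsubscribe=One-Click
    to the https URI; process it without requiring any further user interaction."""
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        return False
    form = parse_qs(body.decode("utf-8", "replace"))
    return form.get("List-Unsubscribe") == ["One-Click"]


def build_demo_message(compliant: bool) -> EmailMessage:
    """Constructed sample; the DKIM-Signature is a placeholder, not a real signature."""
    msg = EmailMessage()
    msg["From"] = "news@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Weekly update"
    if compliant:
        add_one_click_headers(msg, "https://example.com/unsub?id=abc123", "unsub@example.com")
        signed = "From:To:Subject:List-Unsubscribe:List-Unsubscribe-Post"
    else:
        msg["List-Unsubscribe"] = "<mailto:unsub@example.com>"   # mailto only, no POST header
        signed = "From:To:Subject"
    msg["DKIM-Signature"] = f"v=1; a=rsa-sha256; d=example.com; s=sel; h={signed}; bh=ZmFrZQ==; b=ZmFrZQ=="
    msg.set_content("Hello")
    return msg


if __name__ == "__main__":
    print("compliant:", check_one_click(build_demo_message(True)))
    print("mailto-only:", check_one_click(build_demo_message(False)))
    print(is_one_click_request("application/x-www-form-urlencoded", b"List-Unsubscribe=One-Click"))
```

The non-compliant sample is the common legacy setup (a mailto: List-Unsubscribe only), and the check reports every missing piece rather than stopping at the first, which is what you want when auditing a fleet of templates.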
Google is Also Updating Their DMARC Record
Although it hasn’t garnered nearly as much attention as the new bulk sender requirements for sending mail to Google and Yahoo, Google announced one other change that is likely to have a significant impact. In 2024, they’ll be updating the DMARC record for gmail.com from its current setting of p=none to p=quarantine. Mail that uses gmail.com as the From: domain but is sent from outside the Google platform already fails DMARC checks, but under p=none those failures are likely having minimal impact on where that mail is placed. When the policy changes to p=quarantine, that same failure could mean that mail sent in this manner to any domain that honors DMARC policies will end up in the recipient’s spam folder.
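The alignment requirement in the list above and the gmail.com policy change described in this section are two views of the same DMARC evaluation. The Python below is an added example, not code from the original post, from M3AAWG, or from either provider; it evaluates a message the way a receiver does and shows three constructed scenarios: a well-configured sender that passes on an aligned DKIM signature, the SPF Upgrade case where DMARC passes on SPF alone even though the only DKIM signature belongs to a shared provider, and a gmail.com From: address used from outside Google, whose disposition changes from "none" to "quarantine" with the policy. All records, domains and authentication results are constructed (the gmail.com records shown are not Google's actual record text), and the organizational-domain logic is a deliberate simplification that ignores the Public Suffix List.

```python
"""Added example: DMARC alignment and disposition, as a receiver evaluates it."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def org_domain(domain: str) -> str:
    # Simplification (assumption): real code derives the organizational domain
    # from the Public Suffix List; taking the last two labels is wrong for
    # suffixes such as co.uk, but is enough for the constructed domains below.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489): 's' strict = exact match,
    'r' relaxed = same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into tag/value pairs, applying the RFC 7489
    defaults of relaxed alignment for both DKIM (adkim) and SPF (aspf)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


@dataclass
class AuthResults:
    from_domain: str          # domain of the visible From: header (RFC5322.From)
    spf_result: str           # "pass", "fail", "none", ...
    spf_domain: str           # Return-Path domain SPF was checked against (RFC5321.MailFrom)
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (d= domain, result)


def evaluate(record: str, r: AuthResults) -> Dict[str, object]:
    """Return the DMARC result, which authenticated identifiers aligned with
    the From: domain, and the disposition the published policy asks for."""
    pol = parse_dmarc(record)
    dkim_aligned = [d for d, res in r.dkim
                    if res == "pass" and aligned(r.from_domain, d, pol["adkim"])]
    spf_aligned = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, pol["aspf"])
    passed = bool(dkim_aligned) or spf_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "disposition": "none" if passed else pol["p"],   # p= applies only to failures
    }


def passes_via_dkim(record: str, r: AuthResults) -> bool:
    """Sender-side pre-flight for the M3AAWG recommendation: the message should
    pass DMARC on an aligned DKIM signature, not only on SPF."""
    return bool(evaluate(record, r)["dkim_aligned"])


# Constructed scenarios (not real DNS records or real authentication results).
RECORD_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
RECORD_QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

# 1. A bulk sender that signs with its own domain: passes, and passes via DKIM.
GOOD = AuthResults("news.example.com", "pass", "bounce.example.com",
                   dkim=[("example.com", "pass")])

# 2. SPF Upgrade scenario: example.com's SPF record includes a shared provider,
#    and another customer of that provider sends with example.com in both the
#    Return-Path and From:. SPF passes and aligns, so DMARC passes, although the
#    only DKIM signature is the provider's own domain.
UPGRADED = AuthResults("example.com", "pass", "example.com",
                       dkim=[("shared-esp.example", "pass")])

# 3. A gmail.com From: address used from infrastructure Google does not operate:
#    neither identifier aligns, so the disposition follows the published p= tag.
OUTSIDE_GOOGLE = AuthResults("gmail.com", "fail", "thirdparty.example",
                             dkim=[("thirdparty.example", "pass")])

if __name__ == "__main__":
    for name, r in [("good", GOOD), ("upgraded", UPGRADED), ("outside", OUTSIDE_GOOGLE)]:
        print(name, evaluate(RECORD_NONE, r), "->", evaluate(RECORD_QUARANTINE, r)["disposition"])
```

The point of `passes_via_dkim` is that a receiver cannot tell the SPF Upgrade case from legitimate mail, since both pass DMARC; only the sender can close the gap, by making sure its mail passes on an aligned DKIM signature and treating an SPF-only pass in its aggregate reports as a configuration problem rather than a success.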
More On This Topic From M3AAWG
M3AAWG has plans to publish more on this topic, including updates to its existing documents that mention email authentication. These updates will ensure documents are in agreement with these new policies and are consistent with each other.
These document updates will be announced once completed.