Google makes big changes to email security

If you've seen scary messages about your email sending lately, it's because Gmail and Yahoo! are about to tighten up the rules on what it will deliver to their users from the 1st February 2024.

Whilst SPF, DKIM and DMARC records are nothing new, it's about to be more important than ever to have them in place.

What is causing a little confusion on the web is whether these rules are for people who send to more than 5,000 Gmail users a day, or whether they're relevant for everyone. I've been studying the Google help docs to try and answer that question.

What are the records, in a nutshell?

Put very simply, SPF, DKIM and DMARC records are messages your domain gives off to the Internet to confirm it has permission to do things it does. If someone tries to do something without those messages, then it could be that they're not really officially associated with your domain. In terms of email security, this means emails which claim to be from you, but aren't, will be more easily trapped in spam filters. 

People are always shocked when I say anyone can send an email pretending to be from you - but, if you think about it, they can put whatever address they want on their outgoing email. And email service providers, such as Gmail, are trying hard to crack down on these convincing seeming spam emails. These emails are what is known as phishing - when someone emails you pretending to be from a reputable company, or your bank, or someone you know - but they're not.

SPF record

An SPF record tells the Internet which servers are allowed to be sending email from your domain.

DKIM record

A DKIM record is like a SPF record but more complicated, including cryptographic keys.

DMARC policy

A DMARC policy allows an email inbox to know what to do with emails it receives which have dodgy seeming DKIM and/or SPF records. You set your policy to tell the email inbox whether to just ignore this marker and deliver them as usual, or to quarantine them - which might mean they go to spam, or it might mean they go to the email service's own quarantine, or to not deliver them at all.

Checking if you have records set up

You can use tools such as MX Toolbox to check your current settings - enter your domain in the box and select SPF or DKIM or DMARC from the orange button drop down.

Above and below 5000 users

Gmail has said that people who send more than 5000 emails per day to Gmail clients need a DMARC policy set up from the 1st February. Meanwhile though, their docs also say that they will be enforcing a DMARC quarantine for all emails which impersonate"Gmail From: headers" meaning that even if you're under the 5000 limit, you stand an increased chance of your emails going to spam if you try to spoof the "From" part of your email. They also want everyone to have SPF and DKIM in place.

Setting up a DMARC policy

Google's recommended process for this is actually pretty involved. They recommend you roll it out over several weeks, first setting your policy to not act on anything suspicious, and then gradually increasing the severity of how you deal with suspicious emails sent using your domain. The point being that with a DMARC policy, you can set an email address to receive the DMARC report daily, so someone can run an eye over it and confirm that emails are sending as they should. Once you're happy that your legitimate emails aren't getting flagged accidentally, you can gradually increase the strictness of your rules to try and deal with any dodgy ones whilst not effective legitimate ones. Or you can leave the email address blank and not get the daily report, but that's not really the point of DMARC.

If you have any concerns about your email DNS settings, please do get in touch.