Social engineering, specifically phishing, continues to be the most common method of entry for a malicious attacker. To combat this threat, Google and Yahoo recently outlined plans to increase mail security across all personal and business domains. In April 2024, these new security controls will become mandatory for delivery to any Google or Yahoo address, including any businesses that utilize Google Workspace. Implementation guidelines are broken down into two groups: organizations that send more than 5,000 emails daily and those that send less than 5,000 emails daily.
What does this mean for your organization?
The recent announcement from Google and Yahoo includes several controls that must be in place for email to be sent to a Google or Yahoo domain. If you do not have the minimum recommended controls in place, your emails will automatically be marked as spam.
What are the new requirements?
The list below includes all requirements for sending mail to Yahoo and Google addresses. Most of these requirements are likely in place at your organization already, but it would be worthwhile to double-check, especially item #1.
Less than 5,000 emails per day:
-
- Google and Yahoo will begin requiring the use of SPF records, DKIM records, and DMARC to reduce the amount of spam and phishing emails that make it to your employee’s inboxes. Every organization that sends less than 5,000 emails daily MUST have SPF or DKIM email authentication in place (although having both is preferred).
- All organizations must have valid forward and reverse DNS Records (aka PTR Records)
- All organizations must use a TLS connection for transmitting email
- You must keep spam rates below .10%
- All organizations must not impersonate Gmail “from:” headers
- Format messages according to the Internet Message Format standard (RFC 5322).
- If you regularly forward emails, you must include ARC headers in outgoing mail.
More than 5,000 emails per day:
-
- Everything listed above must be in place with one change: organizations that send more than 5,000 emails per day must have SPF, DKIM, and DMARC records in place.
What does this mean?
Sender Policy Framework (SPF) acts as an envelope for your email. The SPF record tells the recipient where the email came from. The recipient can look at the envelope, see your return address in the top left corner, compare this return address to the address on the file, and rest assured, knowing the letter came from you. This SPF record, however, does not guarantee the contents inside the envelope.
DomainKeys Identified Mail (DKIM) is a signature proving that the envelope’s contents have not been altered since the message was sent. With SPF and DKIM in place, you know that the sender is true, and the contents they sent you are also true.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks the DKIM and SPF signatures to ensure everything is correct. If any issues are identified, DMARC tells recipient email servers what to do with your email.
The implementation steps for SPF, DKIM, and DMARC differ depending on your email provider. The bare minimum requirement for email delivery is an SPF record, however, creating DKIM and DMARC records is highly recommended. These settings reduce the amount of spam that makes it to an employee’s inbox and show the recipient that your organization takes security seriously.
Employee education is the first step in combating the threats of social engineering. Contact the IT Services team to see how GBQ can bolster your organization’s security awareness and training program.
Article written by:
John Stuart
Senior Cybersecurity Analyst