Email security: new requirements from Google and Yahoo | Square Eye

Email security: new requirements from Google and Yahoo

28 Feb 2024

From 1 February 2024, new authentication requirements started to roll out for email marketing platforms.  These new requirements only affect bulk mail senders – organisations who send more than 5000 emails in a single day to addresses hosted by Google or Yahoo – but they are likely to apply to smaller senders in future.  So if nothing else it’s a good opportunity to check your email verifications settings and ensure nothing is missing that would help your emails reach their targets.

What’s the problem with email?

As you know, email can be trouble.  They multiply and overwhelm, causing overflowing Inboxes.  People get sent emails they didn’t ask for, and despite the best intentions (and onerous requirements) of GDPR, opting out  can be difficult.  Worst of all, emails can be conduits for phishing scams or for cyber attacks.

Fighting back:  email security measures

Over the last several years, email service providers and governments have introduced multiple measures to protect your Inbox, including:

  • A requirement for ‘one-click unsubscribe’ links to allow you to leave mailing lists easily;
  • ‘Double opt-in’ verification methods where you need to click a link, sent by email, to join a mailing list in the first place;
  • Domain name settings such as DMARC, DKIM and SPF to help prove the right people are sending the right emails (we’ll get into this below);
  • Checkboxes on sign-up forms to grant consent for handling your personal data, and other GDPR measures for retention and deletion;
  • Advanced threat protection (ATP) and other behind-the-scenes measures.

You’ll be well aware of some of these, and perhaps not of others, but it’s reassuring to know that email has been moving (if slowly) in a more secure direction.

The new requirements

In February 2024 Google and Yahoo began a collaborative effort to enforce a set of sender requirements to protect their users from unwanted and potentially harmful emails. They now require that bulk email senders (sending more than 5000 emails in a single day to mailboxes hosted by Google or Yahoo) adopt the following key practices.  Note that a “mailbox hosted by Google” doesn’t just mean a Gmail address;  at Square Eye, our email is hosted by Google Workspace, and many other organisations use it too.

Domain authentication

  • Sender Policy Framework (SPF) – allows domain owners to specify which IP addresses are authorized to send emails on behalf of their domain. This helps prevent email spoofing (senders pretending to be other organisations) and phishing attacks. Implementing this improves domain reputation and email deliverability.
  • DomainKeys Identified Mail (DKIM) – is an authentification protocol that confirms your legitimacy as a sender. It verifies whether or not email messages have been altered in transit. 
  • Domain-based Message Authentication, Reporting & confirmation (DMARC) – this standard prevents your domain from being used to send emails without your permission. DMARC (if set up) blocks and prevents fraudulent emails before they get any where near your inbox.

One-click unsubscribe

This must be enabled for all bulk email communications.

Spam rate

This must be kept to less than 0.3% (that is the number of emails classified as spam by recipients).

If you don’t send bulk email on that scale, your mailouts shouldn’t be affected at this stage.  But the requirements may well be extended to apply to smaller senders in future, and having the right domain settings now will improve your deliverability anyway.  So we recommend that you (or your IT company, or we) check your settings and tools and ensure you are compliant.

Four quick ways to check your existing settings

1. SPF

SPF Record Check 

Since your SPF record needs to include information about every service you use to send email (e.g. Microsoft, Google, Salesforce, Hubspot, Quickbooks, a support ticketing system etc), nobody can tell if your SPF record is complete from the outside, since they don’t know which services you use.  However this tool can tell you if you’re missing an SPF record entirely.

To use it, enter your primary domain name (e.g. where indicated and click the orange button.  You should get a result like this:

SPF record check image

Note: an SPF record is only allowed to include references to a maximum of 10 third-party services.  If (like us) you use more than 10, you can use a service like Dmarcly Safe SPF to handle the additional details.


DKIM Record Lookup

You can use this tool to test your DKIM settings, but you need to know the “selector” which is specific to your email provider.  For example, as Google Workspace users, the selector for us is “google”.

DKIM record lookup

Doing this tells us our DKIM is valid:

DKIM record is valid

If your DKIM record is missing, the National Cyber Security Centre offers some info about creating DKIM records, but as it says, the exact requirements depend on your email hosting provider.  So look for a help article in their documentation or ask them for the settings you need to add to your domain name.


DMARC Record Tester

This one’s easy:  enter your domain name and find out if your settings are valid.  You should get this:

DMARC record tester

4. DMARC monitoring

You may like to set up monitoring for DMARC, which helps prevent spammers sending emails from your domain and tells you if senders are impersonating you..  Postmark (our website email delivery service of choice) offers a free service to monitor major ISPs and look for emails sent from your domain that do not pass DMARC checks.  You get a weekly, human-friendly report;  sign up here.

Postmark weekly digest

This report (and the extra detail not shown) tells us both that we have some third-party services that need verifying and that some people may be sending emails pretending to be from 

That’s a lot of jargon.  What do we need to DO?

 If the testing tools say your domain is configured properly for all three, you don’t need to do anything.  If there is any doubt, however, then you should:

  • Ask whoever administers your email and domain name (which may be more than one person or company) to test and apply the requirements; or
  • Do so yourself if you’re comfortable doing so;  or
  • Ask us (at [email protected]).  (If we don’t have access to your domain name, we can still advise the person who does.)

If you’d rather we test your domains for you, we can do that;  let us know who your email service provider is first.