Deploy DMARC to ensure Gmail users receive your emails
Gmail and Yahoo have implemented new rules impacting e-mail senders, notably requiring the deployment of DMARC. Here’s how it works.
These enhancements are designed to improve mailbox protection against spam, phishing and identity theft.
From February 2024, senders who send 5,000 or more messages per day to Gmail accounts will have to authenticate outgoing e-mails via DMARC.
They must also avoid sending unwanted or unsolicited e-mails, and make it easy for recipients to unsubscribe.
Under these conditions, the spam rate reported for the sender should stay below 0.10%; a spam rate of 0.30% must be avoided, as stated in Google’s official recommendations.
Understanding how DMARC, SPF and DKIM work with the new Gmail rules
DMARC is an e-mail authentication method that lets e-mail administrators prevent malicious third parties from spoofing their identity, a practice commonly known as “email spoofing”. It is extremely dangerous, because the forged e-mail appears to have been sent from your own domain name, without you having sent it.
Mail servers technically allow this. In these cases of identity theft involving your own domain name, the victim tends to blame the organization that failed to protect its domain sufficiently.
To defend against this kind of abuse, records published in the DNS let receiving mail servers refuse malicious e-mails that use your domain name.
An AFNIC expert paper reminds us that for an e-mail to pass DMARC validation, it must first pass SPF or DKIM validation.
List IP addresses authorized to send mail on your behalf with SPF
The SPF (“Sender Policy Framework”) protocol lists the IP addresses authorized to send e-mail on your behalf. This whitelist of addresses often includes the host of your mail server, the solution you use to distribute your newsletter, or the software you use to send your invoices.
In this way, recipient mail servers ensure that the sending IP is actually authorized to send e-mails using the domain name.
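How a receiving server evaluates such a whitelist, as an added example that is not code from the article or from Solidnames. It models only the ip4, ip6, include and all terms of SPF; the zone dictionary stands in for DNS and every domain and IP in it is constructed.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> SPF TXT record (none of these are real zones).
ZONE = {
    "example.fr": "v=spf1 ip4:192.0.2.0/24 include:spf.newsletter-tool.example -all",
    "spf.newsletter-tool.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:10::/48 ~all",
    "defensive-example.fr": "v=spf1 -all",  # never sends mail: nothing is authorized
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, sender_ip, zone, depth=0):
    """Evaluate a simplified SPF record (ip4, ip6, include, all) for one sending IP."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms; approximated here as recursion depth
        raise ValueError("too many include lookups")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means 'pass' on match
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.lower().partition(":")
        if mech == "all":
            return RESULTS[qualifier]
        if mech in ("ip4", "ip6"):
            # An IPv4 sender never matches an ip6 network, and vice versa.
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif mech == "include":
            # include matches only if the referenced record itself yields 'pass'.
            matched = spf_check(zone[value], sender_ip, zone, depth + 1) == "pass"
        else:
            raise NotImplementedError(f"mechanism '{mech}' needs live DNS, not modelled here")
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term was present

def spf_result(domain, sender_ip, zone=ZONE):
    """Look the domain's record up in the (constructed) zone and evaluate it."""
    return spf_check(zone[domain], sender_ip, zone)

if __name__ == "__main__":
    for dom, ip in (("example.fr", "192.0.2.25"), ("example.fr", "198.51.100.200"),
                    ("defensive-example.fr", "203.0.113.1")):
        print(dom, ip, "->", spf_result(dom, ip))
```

The defensive domain returns "fail" for every sender, which is exactly the effect of the `v=spf1 -all` record described later for domains that never send mail.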
Add a DKIM signature to all outgoing e-mails
The DKIM (DomainKeys Identified Mail) protocol provides a mechanism for authenticating e-mail messages using a cryptographic key.
DKIM uses asymmetric cryptography to sign e-mails and combat identity theft: the sending server signs with a private key, and the matching public key is published in the DNS.
As indicated by AFNIC, “the mail server receiving the e-mail is responsible for retrieving the public key published in the DNS server in order to check the validity of the signatures. This DKIM verification confirms that the sender is authorized and that the message has not been altered during transport.”
If the signature is invalid, or if no DKIM record can be found, the message fails DKIM verification.
DMARC is based on two key technical functions: the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
DMARC and pass, quarantine or reject options
When Solidnames assists customers wishing to protect themselves against the practice of “email spoofing”, we do so in three stages.
Since 2016, Solidnames has begun by letting all e-mails through for analysis. This first step enables us to work with the domain name owner to identify which IP addresses send mail under his or her name. Once this whitelist has been established, the quarantine option is deployed.
In practice, unauthorized e-mails then end up in the recipient’s spam folder. Finally, the last step is the outright rejection of all non-compliant e-mails. As a general rule, these three steps are completed within one quarter.
It should be noted that Solidnames applies this methodology to domain names that actually send e-mail.
For domain names registered defensively (i.e. not intended to send e-mail), the practice is different.
In these cases, no IP address is listed as authorized to send mail in the SPF record, and the DMARC policy is set to reject.
This means that Solidnames customers’ defensive domain names are also protected against email spoofing.
This free option is included in the price of domain name management.
Finally, it should be noted that DMARC also allows you to obtain reports from the mail servers that receive e-mail from your domain name. These reports are very useful for detecting abuse.
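The three-stage rollout (none, quarantine, reject) and the rule that a message must pass SPF or DKIM for a domain aligned with its From address, as an added example that is not code from the article or from Solidnames. It assumes the simplified RFC 7489 alignment rules and approximates the organizational domain by the last two DNS labels; example.fr, relay.example.net and the report address are constructed.

```python
# Simplified model of how a receiving server turns SPF/DKIM results into a DMARC
# verdict. Assumption: organizational domain = last two labels (real receivers use
# the Public Suffix List, so this is wrong for suffixes such as .co.uk).

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed mode ('r') accepts subdomains."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, action); action is what the receiver does with the message."""
    tags = parse_dmarc(record)
    # SPF is checked against the envelope sender domain, DKIM against the d= tag.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "deliver"
    # Failure: the published policy decides. p=none still delivers (reports only).
    return False, {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]

if __name__ == "__main__":
    # Constructed sample: a message spoofing example.fr, relayed by a host whose SPF
    # passes only for its own domain and whose DKIM signature does not verify.
    spoof = dict(from_domain="example.fr", spf_result="pass", spf_domain="relay.example.net",
                 dkim_result="fail", dkim_domain="example.fr")
    for stage in ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.fr",
                  "v=DMARC1; p=quarantine", "v=DMARC1; p=reject"):
        print(stage, "->", dmarc_disposition(stage, **spoof))
```

A legitimate newsletter sent from news.example.fr passes under relaxed alignment but not under `aspf=s`, which is why the whitelist stage matters before tightening the policy.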
Why are Gmail users no longer receiving my e-mails? Check your DMARC record!
In recent years, a number of organizations have taken an interest in these three standards: SPF, DKIM and DMARC.
Since its creation, Solidnames has relayed the recommendations of the Global Cyber Alliance, US government agencies and France’s Ministry of the Economy.
These communications aim to strengthen organizations’ security against digital identity theft.
Eight years later, it’s Google and Yahoo, two of the world’s leading e-mail providers, who are enabling many companies to adopt these best practices.
If your organization delivers more than 5,000 messages a day, the domain name used for that mail must have a DMARC policy in its DNS. If it does not, your messages will no longer be delivered from February 2024.
It’s worth pointing out that Google is not intransigent in this first stage. A simple p=none DMARC policy is sufficient for Gmail and Yahoo. This means that e-mails sent from unauthorized IP addresses are still delivered.
Implementing a DMARC policy, even if set to “none”, for high-volume senders (over 5,000 e-mails/day) shouldn’t be too complex.
Less than 10% of .FR domain names have deployed DMARC
In 2023, the .FR domain name registry conducted a study on the use of SPF, DKIM and DMARC among the 4 million .FR domain names.
In its conclusions, AFNIC notes that “less than 10% of domain names published in the .fr zone make full use of DNS to ensure the authenticity of their e-mail messages”. More specifically, “DMARC remains under-deployed in the .FR zone: 7.8% of domains publish a DMARC policy”.
It’s therefore important to deploy DMARC so that e-mails reach Gmail and Yahoo mailbox owners. While the threshold of 5,000 mails per day may seem high, it is likely that Google will lower it as these protocols become more widely deployed.
Furthermore, the AFNIC study showed that “the proportion of .FR domain names protected against spoofing is very low: only 1.3% of the entire zone publishes a DMARC p=reject policy”.
Add your brand logo to the e-mails you send with BIMI
BIMI (“Brand Indicators for Message Identification”) is an e-mail standard. It allows you to add a brand logo to authenticated messages sent from your domain name.
BIMI-compatible email clients (such as Gmail or La Poste) then display your brand logo next to your messages in the inbox.
Since 2022, Solidnames has been using BIMI to address its @solidnames.fr contacts. Our technical team also offers this standard to customers.
BIMI enables brand logos and their ownership to be validated using Verified Mark Certificates (VMCs). In this way, recipients can be sure that the logos displayed in their inboxes are legitimate.
Another prerequisite for using BIMI is that messages must be authenticated by DMARC.
DMARC must therefore be configured in an enforcing mode (quarantine or reject), not in “none” (free pass).
Recipients can trust the legitimacy of messages sent from your organization. Indeed, they are authenticated with DMARC and display your brand logo alongside messages from your organization via BIMI.
If you’d like to deploy SPF, DMARC and DKIM, or even BIMI, on your domain names, don’t hesitate to contact Solidnames to help you get started.