The Rise of DMARC Adoption: Google and Yahoo’s Mandate
In October 2023, Google and Yahoo announced that bulk senders must have DMARC and other sender best practices in place beginning February 2024. A year after the mandate was announced, we’re taking the opportunity to check in and see what impact this has had on the email ecosystem.
These changes are like a tune-up for the email world, and by fixing a few things under the hood, we can keep email running smoothly. But just like a tune-up, this is not a one-time exercise. Keeping email more secure, user friendly and spam-free requires constant collaboration and vigilance from the entire email community. And we’ll keep working together to make sure your inbox stays safe.
Neil Kumaran, Group Product Manager, Gmail Security & Trust
With an ever-expanding email threat landscape and losses from email exploits, it’s encouraging to see that the new requirements are making a difference. Though Yahoo didn’t have data available just yet, it’s easy to understand that their DMARC mandate has significantly reduced spam and phishing emails, as with Gmail. We’ll be sure to let you know about the Yahoo numbers when they’re available.
Why DMARC?
Some people have wondered why DMARC was included in the updated sender requirements. A primary point is that email has been and continues to be the primary method of attack for cybercriminals. Once email is compromised, bad actors can gain access to organizational resources like networks, databases, and third-party vendors. DMARC is the primary control for observing and restricting how an email domain is used.
Bad actors are better able to hide due to the proliferation of bulk senders who don’t secure their sending domains. Both Google and Yahoo are reacting to the increase of both spam and phishing traffic and are motivated to keep their inboxes useful by not being overrun with unwanted intrusions.
Many SaaS platforms that send emails on behalf of their customers, such as digital marketing services, newsletters, and CRMs, are deeply invested in deliverability best practices, as their inbox placement directly reflects on the effectiveness of their services. The initiatives by Yahoo and Google mean these platforms now have a greater stake in incorporating DMARC best practices into their onboarding processes, including ensuring the accuracy of SPF records, DKIM signing, and providing DMARC recommendations.
Ash Morin, dmarcian Director of Deployment, Americas
This also increases their responsibility to educate their customers. Therefore, it is imperative that both domain owners and third-party service providers receive assistance in understanding DMARC to best support their respective organizations. We are all in this together—now, more than ever.
Ecosystem Impact
Orchestrated by two of the world’s largest inbox providers, the DMARC sender requirement has motivated email ecosystem peers to align with the industry standard. Microsoft, another major inbox provider, is laying the groundwork to require DMARC for senders, though they haven’t released a timeline as of the writing of this article.
Email service providers (ESPs), who work with domain owners to send email on their behalf, are also aligning with the needs of their customers to ensure functionality of DMARC and its proven authentication protocols of SPF and DKIM. These sources, as we call them, are companies that have an infrastructure to send emails on behalf of others. They can be ESPs, internet service providers, and other services like support/ticketing systems, payment providers, e-merchant services, and the like.
No matter who their email provider is, all users deserve the safest, most secure experience possible. In the interconnected world of email, that takes all of us working together.
Marcel Becker, Yahoo Senior Director of Product
What’s Next?
The 2024 mandate from Google and Yahoo requires the DMARC policy to be at p=none, which allows for monitoring of which sources are sending email on behalf of a particular domain, but has no effect on its delivery. This is the first phase of DMARC deployment, but it doesn’t provide any phishing or domain abuse protection.
At dmarcian, we noticed that the vast majority of the domains that came in during this surge have stayed at p=none, and will likely remain so until Google or Yahoo update their guidance and require a stronger level of enforcement. While some struggled to get the base requirement in place this year, we can expect another wave of work as organizations move through the process of identifying the valid sources that are sending on their behalf.
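To make the gap between p=none and enforcement concrete, the following added example (not dmarcian code) classifies DMARC TXT records by how much protection they give. The phase labels, function names and sample records are this example's own assumptions; only the tags `p`, `pct`, `sp` and `rua` come from DMARC itself.

```python
# Added example: classify DMARC TXT records by enforcement phase.
# Phase names ("monitoring", "partial", "enforced") are this example's labels.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not DMARC."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        return None  # v=DMARC1 must be the first tag
    tags = {}
    for pair in pairs[1:]:
        name, sep, value = pair.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def assess(txt):
    """Return (phase, notes) describing how much protection the record gives."""
    tags = parse_dmarc(txt)
    if tags is None or tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return "invalid", ["no usable DMARC policy"]
    policy = tags["p"].lower()
    notes = []
    if "rua" not in tags:
        # Aggregate reports go to the rua address; without it nothing is observed.
        notes.append("no rua: no aggregate reports, so sending sources stay invisible")
    if policy == "none":
        return "monitoring", notes + ["p=none: failing mail is still delivered"]
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if pct < 100:
        notes.append(f"pct={pct}: policy applies to only part of failing mail")
        return "partial", notes
    if tags.get("sp", policy).lower() == "none":
        notes.append("sp=none: subdomains are not protected")
        return "partial", notes
    return "enforced", notes

SAMPLES = {  # constructed records for illustration
    "newsletter.example": "v=DMARC1; p=none",
    "shop.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop.example",
    "bank.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@bank.example",
    "corp.example": "v=DMARC1; p=reject; rua=mailto:dmarc@corp.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        phase, notes = assess(record)
        print(f"{domain:20} {phase:11} {'; '.join(notes)}")
```

A record such as the first sample satisfies a p=none requirement yet delivers no monitoring value, because no report address is published.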
As part of our mission to spread the adoption of DMARC, we have created the largest, most comprehensive resource of senders at dmarc.io. This free, ungated database lists thousands of senders globally, along with detailed information about their capacity to support DMARC and the supporting technologies of SPF and DKIM. It feeds into the powerful source-classification engine of our DMARC Management Platform, which makes the work of identifying valid uses of your email domains much easier.
One of the takeaways from the Google and Yahoo mandate is that DMARC, as a technology, is moving from the realm of specialized IT technicians and cybersecurity specialists to something that affects marketing departments and small business owners.
To address this shift, dmarcian is committed to providing free educational resources as well as continuously improving our offerings to reflect this dynamic change. We’re here to make the job easier for the people who are doing the work of making email better.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.