The Impact of Google & Yahoo Sender Requirements on European Businesses
In February 2024, Google and Yahoo started implementing a series of gradual enforcements for organisations that send over 5000 emails daily, also defined as bulk email senders. These enforcements are especially relevant to Domain-based Message Authentication, Reporting & Conformance (DMARC).
With this initiative, Google and Yahoo intend to reduce the overall amount of spam and spoofed content sent across the internet, especially focusing on the authentication of an organisation’s email infrastructure. This move, aimed at combating spam and improving email security, involves using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC standards.
This article covers the Google and Yahoo requirement specifications and focuses on the potential impacts on European businesses. In particular, it addresses the complications of implementing DMARC across the European email ecosystem and the necessary steps to comply with the enforcement.
- Impact on European Email Senders: A Closer Look
- Challenges of Implementing DMARC
- Intersection with GDPR
- DMARC Guidelines and Mandates in Europe
- Preparing for Change: Steps to Compliance
Impact on European Email Senders: A Closer Look
Popular Email Providers in Europe
Europe’s email landscape comprises providers like GMX, T-Online, Orange, and BT Internet, which are popular alongside Gmail. Compliance with the new policies is crucial for businesses using these platforms for customer communication.
For example, email providers like GMX and T-Online are top-rated in Germany. A German company using these services must align its email practices with DMARC to ensure deliverability and reputation. If a German retail company fails to implement DMARC properly, its marketing emails might be rejected or marked as spam, significantly impacting customer outreach.
Another example is from France, where Orange is a widely used email service. French businesses, especially those in e-commerce, must adhere to DMARC standards to maintain effective communication with their customers. Non-compliance could lead to important transactional emails, such as order confirmations or shipping notifications, being filtered out, causing customer dissatisfaction and potential loss of business.
A multinational corporation across Europe might use several email systems to cater to regional preferences. For instance, they might use BT Internet for their UK operations and KPN for the Netherlands. Ensuring DMARC compliance across these varied systems can be challenging, requiring a coordinated effort and possibly different configurations to meet the specific requirements of each email provider.
In some other countries like Spain and Italy, there might be a lower level of awareness about DMARC. This lack of awareness can lead to slower adoption rates among small- and medium-sized enterprises (SMEs), leaving them more vulnerable to email spoofing and phishing attacks.
Challenges of Implementing DMARC
Technical
Implementing DMARC in an organisation’s email infrastructure can be a complex task, as it relies upon two protocols, DKIM and SPF, requiring either one to be “aligned” with the email domain presented in the “From” address of each message.
Alignment is a key concept in DMARC—the domain used for a passing SPF or DKIM result MUST match the domain of the From header in the email message body.
In some European regions, there might be a significant need for more awareness about the benefits and necessity of DMARC. This is particularly true for sectors that are not traditionally tech-savvy. For instance, a network of small libraries across Italy might be unaware of how DMARC can protect their email communications, leaving them vulnerable to phishing and spoofing attacks.
Furthermore, many European businesses are SMEs that might find adapting to these changes challenging due to resource constraints. These businesses may require guidance or external support to implement SPF, DKIM, and DMARC protocols effectively.
An organisation without in-house IT expertise may struggle to implement DMARC successfully. At dmarcian, our mission is to make DMARC easy for everyone, and we have the technical expertise required to guide you through every step of the process. We also have a network of strategic partners that can help organisations deploy DMARC.
Local data protection laws
In countries with stringent data protection laws, businesses might need help to align DMARC implementation with local regulations. Reporting and handling data, as DMARC requires, could potentially conflict with GDPR or other local data protection laws, creating a compliance dilemma.
One key aspect of DMARC reporting is the difference between aggregate and forensic reports.
- Aggregate Reports (RUA): Offer a comprehensive summary of email traffic using your domain, presenting data on pass/fail rates for DMARC checks without specific details on individual emails. They are typically generated every day and enable domain owners to assess the effectiveness of their email authentication strategies over time.
- Forensic Reports (RUF): Provide in-depth information about individual emails that fail DMARC authentication, including header information and reasons for failure. However, because Forensic Reports can contain detailed information, including potential personally identifiable information (PII), there are privacy considerations. For this reason, many reporters don’t generate forensic reports.
Intersection with GDPR
The new email requirements intersect with Europe’s GDPR, particularly concerning data handling and privacy during email communications. GDPR’s consent requirements could influence how businesses manage their email lists and engagement tracking, necessitating a careful approach to align with DMARC policies and GDPR mandates.
The enforcement of GDPR varies considerably across EU countries, with some being more active and stringent in applying the regulations. Countries like Spain, Ireland, Italy, and Germany have been particularly active in enforcing GDPR.
For example, consider a European online retailer that collects customer emails for order confirmations, shipping notifications, and promotional campaigns. Under GDPR, this retailer is responsible for ensuring the confidentiality and integrity of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage.
The approach to GDPR enforcement across the EU reflects a balance between education and penalties, with many authorities preferring to provide guidance and tools to promote compliance, especially in the initial years of GDPR implementation.
DMARC Guidelines and Mandates in Europe
Despite the lack of a unified mandate for DMARC implementation in Europe, the European Commission has published recommendations to improve its messaging infrastructure across all businesses.
Sources:
- EU Internet Standards
- UE Internet Standards – Methodology
- An analysis of uptake in the EU: September 2023
Europe’s approach to DMARC implementation reveals a contrast: some countries enforce it through legal mandates, ensuring uniform email security practices, while others merely offer recommendations, leading to a fragmented adoption landscape. Below is a list of European countries that have adopted guidelines and mandates on DMARC implementation.
Countries with published mandates:
Countries with published guidelines:
We’ve been keeping track of DMARC mandates and guidances and are making that research available.
Preparing for Change: Steps to Compliance
Businesses should start preparing now to ensure a smooth transition. Key steps include setting up DMARC, SPF, and DKIM and monitoring compliance using tools like Google Postmaster. It’s also important to keep spam rates below the required threshold and consider the nuances of email communication in different European countries.
Summary of requirements
- Your domains must have a DMARC policy in your DNS
- Your messages must pass DMARC
- Sending IPs must have a PTR record, also known as DNS pointer record.
- Don’t send spam
- Properly format your messages
- Don’t spoof gmail.com or yahoo.com
- Include one-click unsubscribe
Get more details on the Google and Yahoo sender requirements that went into effect February 1, 2024.
Adapting to these changes is crucial for maintaining effective email communication and avoiding deliverability issues. By starting preparations now, businesses can remain compliant and continue to reach their customers effectively.
Enforcement of the Google and Yahoo requirements will be phased, starting with temporary failures for a small proportion of non-compliant bulk sender traffic. Over the year, this will progress to outright rejections of non-compliant emails. Google and Yahoo will continue to provide updated guidelines and assistance for senders to adapt to these new standards.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.
