Brand Protection

    Google and Yahoo! DMARC Requirements – 2024 Update

    Guidance on how to protect your organization from spoofing by setting up DMARC in Google Workspace and meet upcoming PCI DSS credit card DMARC requirements

    by Andrew Williams

    Key Points

    • As of February 2024, senders with over 5,000 daily emails to Google and Yahoo! accounts were required to have an active DMARC policy. Implementing the DMARC email authentication protocol in Google Workspace safeguards brands.
    • Senders also need to set SPF and DKIM records per domain and ensure alignment, as well as use ARC authentication for forwarded messages.
    • DMARC policies can be set to reject, quarantine, or simply deliver email messages that fail authentication; policies can be set separately for all organization domain names; reports provide feedback on the use — and potential abuse — of domains.
    • Upcoming PCI DSS credit card DMARC policies can present additional challenges for sales and marketing teams.

    Email Send Requirements

    Back in February 2024, Google and Yahoo! changed the rules that applied to senders with over 5,000 daily emails going to Google and Yahoo! accounts. Senders are required to have an active Domain-based Message Authentication, Reporting and Conformance (DMARC) policy.

    In addition, senders are required to set SPF and DKIM records per domain and use ARC authentication for forwarded messages.

    Emails that fail authentication are rejected or marked as spam, compromising email delivery for customer communications sent by organizations that do not meet Google’s and Yahoo!’s rules. 

    What Prompted These Requirements?

    Google and Yahoo! sought to reduce the ability for attackers to hide amongst bulk senders who don’t often secure their email systems. They were determined to achieve this by focusing on email validation to reduce potential bad actors from reaching their customers’ inboxes.

    There are additional benefits to this as well. Domains that have DMARC in place have improved inbox placement, meaning emails are less likely to be flagged as spam or rejected outright.

    Technical Information to Know About DMARC and DMARC Policies

    What Is a DMARC Record?

    A DMARC record spells out for a receiving email server what to do if a Gmail message from an organization’s domain fails authentication.

    DMARC works with two email authentication methods: Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM). SPF allows specification of which IP addresses in an organization’s domain are authorized to send email. DKIM adds a digital signature to outgoing messages. The receiving server uses SPF to authenticate the message as coming from a trusted source and DKIM to verify the message has not been altered en route.

    Google Workspace DMARC Policies

    A DMARC record needs to specify a policy for the action the receiving server should take if the incoming email fails SPF or DKIM authentication. There are three Gmail DMARC policy options:

    • None: Deliver the message normally.
    • Quarantine: Send the message to the recipient’s spam folder or to quarantine if a quarantine option is configured.
    • Reject: Do not deliver the message. Often the receiving server will inform the sender of the message failure.

    Google Workspace recommends using the “none” setting at first, and then carefully reviewing the reports. Then, as organizations identify illegitimate versus legitimate users of their domain — marketing partners, for example, that send email on their behalf — Google suggests changing the policy to quarantine, then finally to reject. Regardless of the action taken, organizations can set the DMARC record to request the receiving email server send a report indicating which of their domain’s email servers are sending email and the percentage of messages passing or failing authentication.

    Steps to Set Up a Google Workspace DMARC Record1

    DMARC is set up as a DNS TXT record on an organization’s domain host. The record contains flags specifying parameters for the receiving server. Each parameter is a tag-value pair. For example, to set the policy to reject, the tag-value pair would be “p=reject”. Following these steps will get the organization’s DMARC record set up and published:

    1. Configure both SPF and DKIM, then allow 48 hours before publishing the DMARC record.

    2. Create the DMARC record as a line of text with tag-value pairs separated by semicolons. The accompanying table lists sample tags and possible values. Be aware that these tags and values might vary from host to host. The and p tags are required and must be first. The remaining tags are optional.

    TAG

    VALUES

    vVersion. This must be DMARC1.
    pPolicy for messages that fail authentication. Possible values are rejectquarantine, or none.
    spPolicy for subdomains. Possible values are rejectquarantine or none. The default is to apply the same policy as the domain.
    pctThe percentage of invalid messages that should be acted on. Value must be 1-100, with 100 as the default.
    aspfThe alignment policy for SPF. Can be s (strict) or r (relaxed). Relaxed is the default.
    adkimThe alignment policy for DKIM. Can be s (strict) or r (relaxed). Relaxed is the default.
    ruaThe email address (preceded by mailto:) to which DMARC reports should be sent.

    3. From the domain host management console, locate the place where the DNS record can be updated. Enter the name of the organization’s DMARC TXT record as “dmarc” followed by a period and the organization’s domain name. Some hosts will automatically append the domain name. Upload the record and save the changes. Repeat this process for each domain.

    Looming Additional Requirements for Credit Card Payments

    The credit card industry will soon implement DMARC requirements of their own. The Payment Card Industry Security Standards Council (PCI SSC) has mandated DMARC use by 2025 for any company handling credit cards and other payments, as well as for financial services providers. DMARC is officially part of the newest PCI Data Security Standard, version 4 (PCI DSS v4.0).

    The DMARC requirement is meant to help organizations operate more securely in an economic landscape that has seen data breaches and credit card thefts continue to mount in number and cost, according to recent cybersecurity statistics. It is also expected to accelerate DMARC adoption, since failure to comply with PCI DSS could lead to fines and penalties up to a business losing its right to handle payments. On the other hand, most companies — especially small and medium-sized businesses (SMBs) — are challenged to adopt the email authentication standard because DMARC tools have proven complicated to deploy.

    Get Help from Mimecast

    If the Google Workspace DMARC process or implementing DMARC to meet the upcoming PCI DSS requirements seems a little daunting, the good news is that security service providers like Mimecast offer cloud-based DMARC tools. Such tools simplify DMARC implementation — for example, by providing setup wizards for creating DMARC records for all domains. Other tools validate DMARC records and create user-friendly reports and charts for analyzing messages that failed authentication, as well as forensic reports for finding the source of malicious email messages.

    As online brand impersonation continues to grow, sites like Google and Yahoo! will continue to implement stricter standards for senders, especially those that send thousands of emails per day. Mimecast stands ready to help with DMARC Analyzer and the expertise needed to meet existing and new DMARC guidelines.

    A SaaS solution, Mimecast’s DMARC Analyzer empowers customers to easily manage complex deployment projects and provides 360° visibility and governance. It provides fast and simple enforcement using intuitive self-service tools, including integrated project management, delivering low risk enforcement.

    Mimecast’s DMARC Analyzer solution protects brands by providing the tools needed to stop spoofing and misuse of owned domains. Designed to help reduce the time and resources required to become successfully DMARC compliant, Mimecast’s self-service solution provides the reporting and analytics needed to gain full visibility of all email channels. Using DMARC to stop direct domain spoofing protects against brand abuse and scams that tarnish reputation and cause direct losses for an organization as well as its customers and partners. 

    In addition to the self-service capability within DMARC Analyzer, Mimecast offers Managed Services to proactively guide organizations through each stage of the DMARC deployment and maintenance, ensuring strong benefits from the full range of DMARC capabilities. Many organizations face challenges implementing DMARC on their own, which is understandable because of the complexity of the solution, so Mimecast has developed a comprehensive managed services solution to help those organizations.

    Get a free trial of Mimecast’s DMARC Analyzer here.

     

     

    1 See Google DMARC instructions

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Haut de la page