In February 2024 Google and Yahoo enforced mail authentication for domains sending emails to Gmail or Yahoo addresses.
What does this mean for me?
If you send emails from a custom domain name i.e. a domain you own then you are required to setup DNS records on your domain called SPF, DKIM and DMARC.
What happens if I do not setup the DNS records?
If you or your IT provider do not setup the DNS records, you will start to experience email delivery issues to Gmail and Yahoo. Other email service providers are likely to follow this security measure shortly afterwards so it is something that should be resolved.
Some of the errors and Non-Delivery Reports (NDRs) you will likely receive are:
Google / Gmail
550, "5.7.26" – Unauthenticated email from domain-name is not accepted due to domain’s DMARC policy. Please contact the administrator of the domain. If this was legitimate mail, visit Control unauthenticated mail from your domain to learn about the DMARC initiative. If the messages are valid and aren’t spam, contact the administrator of the receiving mail server to determine why your outgoing messages don’t pass authentication checks.550, "5.7.26" – This message does not have authentication information or fails to pass authentication checks (SPF or DKIM). To best protect our users from spam, the message has been blocked. Visit Prevent mail to Gmail users from being blocked or sent to spam for more information.550, "5.7.26" – This message fails to pass SPF checks for an SPF record with a hard fail policy (-all). To best protect our users from spam and phishing, the message has been blocked. Visit Prevent mail to Gmail users from being blocked or sent to spam for more information.550, "5.7.26" – This message does not have authentication information or fails to pass authentication checks (SPF or DKIM). To best protect our users from spam, the message has been blocked. Visit Prevent mail to Gmail users from being blocked or sent to spam for more information.Yahoo
- A 553 or 554 SMTP error indicates an email could not be delivered due to a permanent problem. Message delivery can be permanently deferred because:
- You’re trying to send a message to an invalid email address.
- Your message failed authentication checks against your sending domain’s DMARC or DKIM policy.
- The message contains characteristics that Yahoo won’t accept for policy reasons.
- Other suspicious behavior which leads Yahoo to issue a permanent rejection for your SMTP connection.
- Your IP is listed by Spamhaus. Please check with https://www.spamhaus.org.
- If you consistently receive 5xx errors when sending to Yahoo, we encourage you to review our Sender Requirements & Recommendations, since 5xx errors can be a symptom of a more widespread, general problem.
- You should not retry sending an email that comes back with with a 5xx error. List managers should have a policy for removing email addresses that generate 5xx errors/bounces.
What are SPF records?
SPF records are simple TXT records that advertise which servers are allowed to send emails from your custom domain. The record can contain IP addresses, A record, MX record and the option to include third-party SPF records e.g. Microsoft 365.
Google provide information on how to setup SPF records here: https://support.google.com/a/answer/10683907?hl=en
What are DKIM records?
DKIM is more complex than SPF in that it is more than just creating a DNS record. The email system you send from must sign the email headers with a private key, the DKIM record contains the public key. The server that receives the email can then decrypt the header using the public key, this confirms that it was you that sent the email and not a spoofed email from someone else.
What is DMARC?
DMARC works with SPF and DKIM, the DMARC record informs other servers what to do with emails based on the results of SPF and DKIM.
There is also an option to send reports to a DMARC reporting service so you can monitor where emails from your domain are being sent from, this can be useful if you are unaware of all the systems in the cloud that may send emails from your domain. You can then monitor this and adjust SPF and setup DKIM for the remaining services. Once you are happy with the setup you can configure the DMARC record to block emails from sources that are not your servers.
Why are SPF, DKIM and DMARC records now required?
There are good reasons for Gmail and Yahoo forcing this requirement. If this was implemented on all email systems we would not only have a lot less spam but we also protect our selves and others from spoofed emails which is a major issue.
Emails reporting to be from the “CEO” or from an “Employee” reporting to change bank details or requesting an urgent payment to be sent are increasing all the time. Many thousands of Euros at a time can be lost through spoofing, if this can be stopped then that alone is a good reason for this change.
What next?
We understand that it may be overwhelming to configure these records and the email system for them. If you require assistance in configuring your email system for the changes then please contact us.
