New bulk send rules – the DMARC push we needed

| In SMX Blog |
11-2023 | Google DMARC Blog

We’ve been talking about the importance of DMARC for years now. First launching onto the scene in 2015, it could be a game-changer in cybersecurity. With 90% of successful cyberattacks in Australasia coming through email, DMARC protects people and brands by stopping those emails in the first place.  

Even so, according to our most recent survey, 40% of NZ’s top 100 organisations still don’t have DMARC in place, and ASX-listed companies have yet to hit 30% deployment. It’s likely that this lag is due to both a lack of mandates from the Australian or New Zealand governments and that properly implementing DMARC requires specialist skill.  

This slow pace to protect their domains has become unacceptable to Google, which said in a recent blog, “Many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst.” Starting in February 2024, if you’re sending more than 5,000 emails a day to Gmail accounts, you must have DMARC in place.  

It’s just one of several changes that Google calls a ‘tune-up for the email world’ – a way to improve security, reduce spam and make emails more useful. 

What you'll need to do by February 2024

While there’s a lot you’ll need to do to comply by February 2024, there’s help available. SMX starts with a more complete picture of your external risk exposure across web, email, domains and digital assets, to design human-centred solutions that deliver visibility, control and proactive risk mitigation. This will help ensure you:

Aren't spammy

Are you sending emails that will be of value to your audience or are you just spamming them? In an industry first, the new rules say that you need less than 0.3% of your emails marked as spam. You must avoid anyone on your database getting annoyed and hitting the ‘report spam’ button.  

Google also notes that it’ll get stricter on emails that seem a bit fishy – it’ll flag any emails that impersonate Gmail ‘From’ headers and have headers that don’t conform to RFC5322. In particular, Google checks for duplicate headers, a common tactic spammers use to circumvent email security filters.

Offer one-click, super-fast unsubscribes

Google has said recipients “shouldn’t have to jump through hoops to stop receiving unwanted messages.” So, if you send over 5,000 emails a day to Gmail accounts, you’ll need to get rid of those subscription preference screens and make it one click to unsubscribe. You must then process those requests in two days.

Don't use Microsoft 365 alone

In response to the announcement, Microsoft has encouraged users to get DMARC implemented. It also warned that Microsoft 365 service alone isn’t suitable for bulk emailing and recommends sending “through on-premises or a third-party provider instead.

What is DMARC?

DMARC validates every email with Domain Keys Identified Mail (DKIM) and Sender Policy Framework (SPF). DKIM signatures check that the content of the email lines up with the sending source, while SPF lets you as the domain owner decide which IP addresses can send from your domain. You can set your DMARC to quarantine or reject emails that fail authentication, while reports let you take action if you see your domain being spoofed. 

DMARC is a must-do

Google’s big move reinforces what we already know – DMARC is a must-do if you’re sending emails at scale. 

For many organisations, rolling out DMARC is in the too-hard-basket and that’s understandable. Unless it’s in the hands of a specialist, there’s too much risk of impacting email. Outsourced expertise is nearly always the best way forward, especially when the DMARC rollout follows a proven process and comes with ongoing management, like our Domain Protection Service. It’s how we can promise to get DMARC up and running in less than two months.  

Get in touch to learn more about how a proactive, human-centred approach to cyber safeguarding could set you up for success with DMARC and much more.

Contact us today