Critical Gmail Security Update—2.5 Billion Users Get Attack Protection


Google is not scared of making the big decisions when it comes to securing the 2.5 billion users of its Gmail email platform, be that by way of purging account data or making wholesale security policy changes. When you consider the security threats to Gmail users, including so-called do-not-click attacks and AI-driven prompt injection vulnerabilities, this is good news. As it was when I reported on Google’s critical decision to update Gmail security with new rules concerning email authentication. New research now suggests that this was one of the best security measures that Google has introduced for Gmail users in many a year, making the world’s biggest free email platform even safer to use for everyone, given that nine out of ten messages are spam and 20% of those are malicious in intent. Here’s what you need to know.

The Incredible Impact Of The Critical Gmail Sender Authentication Update

It’s hard to believe that it was really a year ago that Google started updating Gmail security for the 2.5 billion users of the email platform by introducing a simple but, as it turns out, staggeringly effective measure: sender authentication, including the implementation of Domain-based Message Authentication, Reporting & Conformance (DMARC). Just how effective that has been is now revealed in new statistics released to me by EasyDMARC.

A quick recap is probably in order. As Gmail’s group product manager, Neil Kumaran, said at the time, “Many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst.” This simple statement was at the heart of the new rules to update Gmail security measures as authenticating those sending email in volume, validating they are who they claim to be, is a crucial requirement for any email platform claiming to take security seriously. All bulk senders, those sending at least 5,000 emails to personal Gmail accounts a day, are now required to provide that authentication by way of the previously mentioned DMARC, as well as DomainKeys Identified Mail and Sender Policy Framework. “Ultimately, this will close loopholes exploited by attackers that threaten everyone who uses email,” Kumaran said.

The aim of these critical changes to the way that Gmail works, from both the recipient and sender perspectives, was simple enough:

  • Add confidence to Gmail users in the knowledge that the source of an email is valid.
  • Make the act of unsubscribing from an email as easy as possible, no jumping through hoops required.
  • Reduce the amount of unwanted email in Gmail inboxes by ensuring that bulk senders cannot exceed specific spam rates.

On Oct. 8, 2024, I reported how, after just six months, the Gmail security update was impacting users. Kumaran said that Google had seen a 65% reduction in unauthenticated messages sent to Gmail users and an astonishing 265 billion fewer unauthenticated messages sent than in the previous year. Now, a year on from the changes, that impact has been revealed to be even greater.

Not Just For Gmail—All Users Should Adopt DMARC, DKIM And SPF

It goes without saying that anyone who falls into the definition of a bulk sender would be unwise not to implement strict authentication protocols unless they are acting maliciously in some way or another. And that applies to email sent to any platform, not just Gmail. I would also recommend that anyone who sends emails from their own domain to Gmail users should implement the DMARC, DKIM and SPF trilogy to add confidence that they are a genuine sender. A great example of why is the problem of email messages not arriving at their destination correctly, something I have previously reported on, and which a Gmail spokesperson said was caused by “the messages getting dropped before they even get to Gmail due to improper authentication.”

I’m not a bulk sender, but I do send emails to Gmail users using my own domain. I also took the time to set up strict sender authentication protocols to ensure that recipients can trust that it is me sending the email they get. There are plenty of services out there, including your domain or email provider, who can help with this process if you are not a technical person yourself.

I’m a user of the Proton Mail service, so it was only natural I would look to the advice it offered for those looking to add sender authentication into the advanced security mix that it allows. A wizard approach was helpful, although I’d be fibbing if I were to say it was all plain sailing. However, my experience should help others looking to add these protocols to their own email server setup. Proton has a support FAQ that is actually quite helpful no matter which email provider you are with. I would recommend reading this and any other advice you can find before setting out on your sender authentication journey. Don’t be afraid to ask questions; it will save you hassle later on during the process.

Before you can roll your sleeves up with DMARC, you will need to get to grips with the SPF and DKIM records first. SPF enables a receiving mail server to determine whether an email that claims to be from a specific domain came from a host that the domain admin has authorized in a Domain Name System record, while DKIM attaches a header to each email message carrying a hash of the message signed with the sending domain’s private key, making domain spoofing as hard as a toffee hammer. All you really need to understand, however, is that it is this pairing of two records that provides actionable insight into the trustworthiness of who the sender is claiming to be. Now let’s look at DMARC, which enters the equation by checking that the SPF and DKIM results align with the sender domain and, critically, determining what happens to the email in question: whether it goes to your inbox, goes to your spam folder or bounces right back where it came from. When configuring your DMARC settings, it’s important to note the p= tag in the TXT record, as this instructs the mail server receiving the email whether a failing message should be sent to the spam folder (p=quarantine) or bounced (p=reject). A third option, which is not recommended, of p=none indicates there is no policy, and so nothing is done.
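The SPF/DKIM alignment check and the p= policy decision described above, as an added example written for this article rather than code from Google, Proton or EasyDMARC. The DNS TXT records, domain names and authentication results are constructed sample inputs, and the organizational-domain logic is deliberately simplified (real evaluators consult the Public Suffix List).

```python
from typing import Dict, Optional

# Constructed sample DNS TXT data standing in for live lookups (not any real domain's records).
SAMPLE_TXT: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tag=value pairs; relaxed alignment is the default."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC1 record")
    tags.setdefault("adkim", "r")  # DKIM alignment mode
    tags.setdefault("aspf", "r")   # SPF alignment mode
    return tags


def org_domain(domain: str) -> str:
    # Simplification: the last two labels. Production code uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') only the organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain: str, spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str,
                      txt: Dict[str, str] = SAMPLE_TXT) -> str:
    """Return 'pass', or the p= action ('none', 'quarantine', 'reject') when neither
    SPF nor DKIM both passes and aligns with the domain in the From: header."""
    record: Optional[str] = (txt.get(f"_dmarc.{from_domain.lower()}")
                             or txt.get(f"_dmarc.{org_domain(from_domain)}"))
    if record is None:
        return "none"  # no DMARC record published: the receiver is left to its own heuristics
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]
```

Note that under adkim=s a DKIM signature from mail.example.com does not rescue a From: example.com message, which is exactly the kind of subdomain mismatch that silently drops mail when a policy is set to p=reject.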

Good News For Gmail Users: DMARC Adoption Doubles In 12 Months

Another new report, this time from Red Sift and published Feb. 5, has confirmed that DMARC adoption is shooting up. In February 2024, a stunning 91.38% of global email domains lacked any DMARC record, the report stated. Since then, following Gmail’s move to require DMARC sender authentication protocols for those sending bulk mail to its users, Red Sift has confirmed a significant increase in the number of organizations adopting DMARC: up 2.32 million as of 18 December 2024. “The rate of adoption has more than doubled compared to the same period in 2023,” Red Sift said, “a clear sign that organizations are moving in the right direction.”

One month after Google’s bulk sender requirements for Gmail, Red Sift found that countries were making “significant progress in their readiness for the new requirements,” and now, one year later, a global snapshot across a sample of 14 countries has revealed “all but one country increasing the adoption rate of DMARC implementation, with now less than a third of all domains sampled only achieving basic or no authentication.”

Confidence To Combat Gmail Phishing Attacks Rises

The statistics that EasyDMARC has shared with me come from research involving 1,000 IT decision-makers and the key findings were:

  • 77% said that Gmail’s policy influenced their decision to adopt DMARC.
  • 81% said DMARC implementation met their expectations in reducing spam and phishing emails.
  • 87% supported expanding authentication requirements beyond bulk senders to further reduce phishing and spam risks.
  • The percentage of professionals who felt very confident in their organization’s ability to combat phishing attacks rose by nine points in the past year, from 27% to 36%.

Google has set a strong precedent with the Gmail security update, proving that such influential email providers can improve best practices through sensible, iterative protocol improvements. “We must now as an industry convince businesses of their importance and ability to improve cybersecurity resilience,” Gerasim Hovhannisyan, CEO at EasyDMARC, said.

Source: Critical Gmail Security Update—2.5 Billion Users Get Attack Protection
