Have you ever received an email from a company like PayPal asking you to click through to a URL. The email looks like it’s from PayPal, sounds like it’s from PayPal, and even has a PayPal-esque sender—but BAM! you’ve been scammed. Email phishers have gotten more and more creative, so their emails are looking more and more like authentic emails from actual businesses.

The good news is Google has implemented new protections to minimize spam and ensure emails are coming from the actual sender and not an impersonator.

While these new requirements specifically apply to senders who send 5,000 or more emails a day to Gmail accounts, we strongly suggest implementing some recommended best practices including specific DNS entries, domain-matching, and one-click unsubscribes to ensure the best deliverability of your emails.

There are four entries your business can add to your Domain Name Server (DNS) to let Google know that emails are coming from your business and not an impersonator.

DNS Entries to Improve Email Authenticity

Sender Policy Framework (SPF)

Sender Policy Framework (SPF) authentication tells Google (and other internet service providers) which mail servers are allowed to send email for your domain. It has been around for a long time and is likely already implemented for your business. Those that use a shared IP (multiple businesses are using the same IP to send their emails) or a dedicated IP (your business is the only one using the IP) can implement this DNS entry.

DomainKeys Identified Mail (DKIM)

Implementing DomainKeys Identified Mail (DKIM) on your email-sending IP address adds a digital signature to emails that ISPs, such as Google, can use to verify that the email came from the sender and not an impersonator. Without DKIM, your message will go to spam. A dedicated IP is required for this DNS entry.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

What happens if SPF and/or DKIM fail? The Domain-based Message Authentication, Reporting, and Conformance (DMARC) enforcement policy entry tells Google what to do with these emails:

• Nothing: Allow delivery of the email
• Quarantine: Emails will go to spam unless your company has a quarantine configured, in which case they will go to quarantine.
• Reject: Emails will send a bounce message

You have the ability to set up DMARC to send out reports. This allows you to determine which one of your emails are not passing SPF and/ DKIM, as well as those emails that are trying to spoof your organization. It is recommended to start with a value of “Nothing” and work your way to “Reject”, using the reports to help you to determine when to move to the next stage.

Brand Indicators for Message Identification (BIMI)

Once you have DMARC set up, you now have the option to add a brand logo icon—known as Brand Indicators for Message Identification (BIMI)—that shows up next to your messages in a recipient’s inbox. This is a verified logo and lets the recipient know in one view that the email has been verified as coming from you. NOTE: You must have an enforcement policy of “Quarantine” or “Reject” to implement BIMI.

Besides these four DNS entries, there are two other items that should be implemented to improve the secure and reliable delivery of your emails.

Domain Matching Alignment

DMARC passes or fails emails based on how closely the from: address matches the envelope sender address specified by either SPF or DKIM in a process known as alignment.

In the DMARC record, you can select a domain matching alignment mode of strict or relaxed.

• Strict: The full subdomain of the envelope sender address (also known as a return-path address or bounceback address) must exactly match the full subdomain of the from: address. For example: A bounceback address of bounceback@business.aaa.com and a From: address of info@business.aaa.com.
• Relaxed: Only the main domains must match. For example: A bounceback address of bounceback@business.aaa.com and a From: address of info@aaa.com. In the relaxed example, the main domains match, while the bounceback address has an additional subdomain.

If mail is sent for your domain from a subdomain outside your control or you have subdomains that are managed by a separate entity, it is recommended to use strict alignment for increased protection against spoofing.

One-Click Unsubscribes

Google requires emails contain a single link that automatically unsubscribes the person when clicked. This means that you cannot use a link to a preference center to have them unsubscribe from there. Clicking the link itself must automatically unsubscribe the person.

You can easily implement one-click unsubscribes through list-unsubscribe headers. When sending emails with a link-unsubscribe header activated, an unsubscribe link will appear immediately next to the From: address at the top of your sent email. This makes it easier for someone to unsubscribe with one-click rather than having to search through the body and/or footer of an email for an unsubscribe link. If the header is not an option, place a very clear one-click unsubscribe link in the body of the email (don’t hide it in small print in the footer).

We are all tired of getting spammed with emails and getting scammed by authentic-looking emails is even worse. As Google continues to crack down on phishing attempts, it’s time to implement these best practices to ensure secure and reliable email distribution. If you need assistance in implementing these new protection requirements, please reach out to us at 1.855.658.4362.