Google and Yahoo’s new requirements
Starting in 2024, Google and Yahoo implemented new email authentication requirements for bulk senders, those sending more than 5,000 emails per day. These requirements aim to improve email deliverability and prevent phishing and other email-based attacks. Here’s a breakdown of the key points:
Mandatory for Bulk Senders:
DMARC Policy: You must have a DMARC policy in place for your domain. This policy dictates how receiving mail servers should handle emails that fail authentication for your domain.
SPF and DKIM Authentication: Both SPF and DKIM protocols must be implemented for your domain. SPF verifies the authorized senders for your domain, while DKIM digitally signs your emails to ensure content hasn’t been tampered with.
From: Header Alignment: The domain in the “From:” header of your emails must align with either the SPF domain or the DKIM signing domain. This prevents spoofing attempts.
One-Click Unsubscribe (June 1st, 2024): All commercial and promotional emails must include a clear and easy-to-use one-click unsubscribe option.
Timeline:
January 2024: All requirements except DMARC policy should be in place (recommended for all senders).
February 2024: Initial deadline for bulk senders to comply with all requirements.
April 2024: Google starts rejecting a percentage of non-compliant emails, gradually increasing over time.
How this affects Dental and Medical Practices and their Patients
The new Google and Yahoo email policy regarding DMARC and DKIM primarily affects bulk email senders, those sending more than 5,000 emails per day. However, it indirectly impacts:
1. Medical practices relying on email communication: Even if practices fall below the 5,000 daily email threshold, implementing DMARC is highly recommended. This is because:
It strengthens overall email security: DMARC protects against spoofing attempts, which can be used to impersonate the practice and potentially access sensitive patient information.
Improves email deliverability: Emails without proper authentication have a higher chance of landing in spam folders or being rejected entirely. DMARC ensures legitimate emails reach intended recipients.
Demonstrates commitment to data security: Implementing DMARC showcases the practice’s proactive approach to data protection, potentially fostering patient trust and confidence.
2. Patients receiving emails from medical practices: While patients themselves aren’t directly affected by the policy, they ultimately benefit from its implementation. DMARC helps ensure they receive genuine emails from their healthcare providers, minimizing the risk of phishing scams and protecting their personal information.
In summary, although primarily directed at bulk senders, the new Google and Yahoo policy has broader implications for medical practices and their patients, promoting enhanced security, trust, and communication effectiveness.
What is DMARC?
DMARC “Domain-based Message Authentication, Reporting & Conformance,”: is like a gatekeeper for your email domain. It checks incoming emails against secret passwords (SPF & DKIM) to ensure they’re not fake (“spoofed”). If an email fails the check, DMARC tells other email servers to quarantine or even delete it, protecting you from phishing and scams. Think of it as an extra layer of security for your inbox! If configured, DMARC may also provide receiving servers to send reports back to you about emails that failed authentication, providing valuable insights into potential misuse of your domain.
Remember: While currently required for bulk senders by Google and Yahoo, implementing DMARC is essential for all email senders to protect their domains and improve email security.
What is DKIM?
DKIM “DomainKeys Identified Mail” acts like a secure digital fingerprint for your medical practice’s emails. Imagine each email carrying a unique, tamper-proof code linked to your domain, like a doctor’s personalized signature. Recipients can instantly verify its authenticity, preventing forgery and safeguarding patient information. Think of it as an extra layer of defense against phishing scams and unauthorized access, ensuring critical communications reach the right hands securely. It adds a special signature to your email using a secret key only you have. The recipient’s email server then uses a public key associated with your domain to verify the signature. If they match, it confirms the email truly came from you and hasn’t been tampered with in transit. Implementing DKIM demonstrates your commitment to data protection and reinforces patient trust in your practice’s digital communication.
What action needs to be taken
Adding DKIM and DMARC to your domain requires some technical steps, but the specific actions will depend on your setup. Here’s what you need to consider:
1. Identify who manages your DNS and who manages your Email Services
- DNS: For our customers’ this DNS is primarily managed by Firm Media or the practices’ IT support person/company
- Email Services Provider: Generally the emails associated with your domain are managed by the IT professional/Company that supports a medical or dental practice. Access will be needed to the account where this service is managed, example: Google Workspace, Outlook, Zoho, etc.
This information is crucial for finding the correct settings and instructions.
2. Choose your Implementation method:
Method 1: Have your IT professional/company configure DKIM and DMARC records.
*If they manage Both your DNS and your Email Service Provider account they can complete this task on their own.
Method 2: Have your IT professional/Company collaborate with your Hosting/DNS service provider (Firm Media) to configure the required DNS records
3. Gather the required DNS records:
DKIM: Your email provider usually generates the necessary DKIM keys and provides instructions on adding them to your domain’s DNS records. (this can be gathered by the IT or Email service account manager)
DMARC: Decide on your DMARC policy (e.g., quarantine or reject unauthenticated emails) and use a DMARC record generator tool to create the record based on your policy and domain information. Choose an email recipient to receive DMARC audits and reports.
(Ideally this will be your IT or Email account manager’s email address. )
SPF: This will be a TXT record that notes the Sender Policy Framework, it will be available in your email services account documentation
4. Add the records:
Follow your email service provider’s instructions to add the generated DKIM and DMARC records to your domain’s DNS zone. Depending on the Method you choose in step 2, these records will either be applied by the IT/Email service account manager or by you Hosting/DNS service provider (Firm Media)
5. Verify and monitor:
Use online tools to verify if your DKIM and DMARC records are configured correctly.
Monitor reports generated by DMARC to understand how email authentication is working and adjust your policy if needed. *This task must be managed by the person or organization responsible for managing your email services.
Reference:
Google and Yahoo Email Authentication Requirements 2024:
