Google has started automatically blocking emails sent by bulk senders who don't meet stricter spam thresholds and authenticate their messages as required by new guidelines to strengthen defenses against spam and phishing attacks.
As announced in October, the company now requires those who want to dispatch over 5,000 messages daily to Gmail accounts to set up SPF/DKIM and DMARC email authentication for their domains.
The new guidelines also require bulk email senders to avoid sending unsolicited or unwanted messages, provide a one-click unsubscribe option, and respond to unsubscription requests within two days.
Spam rates must also be maintained below 0.3%, and "From" headers must not impersonate Gmail. Non-compliance may result in email delivery issues, including rejected emails or emails being automatically sent to recipients' spam folders.
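The requirements above can be turned into a pre-send checklist. The following is an added example, not Google's tooling or code from the article: it tests a constructed outbound message against constructed DNS TXT answers (SPF and DMARC records), a DKIM-Signature header, the RFC 8058 one-click unsubscribe headers, the "From" domain, and the 0.3% spam-rate ceiling. Only presence and syntax are checked; real DKIM/SPF verification needs live DNS and signature validation.

```python
import email
import re

# Constructed DNS TXT answers standing in for live lookups (assumption).
DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

# Constructed outbound message from a hypothetical bulk sender (assumption).
RAW_MESSAGE = """From: Example News <news@example.com>
To: user@gmail.com
Subject: Weekly digest
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; bh=PLACEHOLDER; b=PLACEHOLDER
List-Unsubscribe: <https://example.com/unsub?id=123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello
"""

SPAM_RATE_LIMIT = 0.003  # the 0.3% ceiling stated in the article

def sender_domain(from_header):
    """Return the lowercase domain of the From address, or '' if absent."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""

def check_bulk_sender(raw, dns_txt, spam_rate):
    """Map each sender requirement to True/False (presence checks only)."""
    msg = email.message_from_string(raw)
    domain = sender_domain(msg.get("From", ""))
    spf = any(t.startswith("v=spf1") for t in dns_txt.get(domain, []))
    dmarc = any(  # a DMARC record needs v=DMARC1 and an explicit p= policy
        t.startswith("v=DMARC1") and re.search(r"\bp=(none|quarantine|reject)\b", t)
        for t in dns_txt.get(f"_dmarc.{domain}", [])
    )
    sig = msg.get("DKIM-Signature", "")
    dkim = bool(re.search(rf"\bd={re.escape(domain)}\b", sig))  # d= aligned with From
    unsub = msg.get("List-Unsubscribe", "")
    post = msg.get("List-Unsubscribe-Post", "").strip()
    one_click = "https://" in unsub and post == "List-Unsubscribe=One-Click"
    return {
        "spf_record": spf,
        "dkim_signed_by_from_domain": dkim,
        "dmarc_record_with_policy": dmarc,
        "one_click_unsubscribe": one_click,
        "from_not_gmail": domain != "gmail.com",  # third party must not claim Gmail
        "spam_rate_below_limit": spam_rate < SPAM_RATE_LIMIT,
    }
```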
"Bulk senders who don't meet our sender requirements will start getting temporary errors with error codes on a small portion of messages that don't meet the requirements," Google says.
"These temporary errors help senders identify email that doesn't meet our guidelines so senders can resolve issues that prevent compliance."
"Starting in April 2024, we'll begin rejecting non-compliant traffic. Rejection will be gradual and will impact non-compliant traffic only. We strongly recommend senders use the temporary failure enforcement period to make any changes required to become compliant."
The company also plans to enforce these requirements starting in June, with an accelerated timetable for domains used to send bulk emails since January 1, 2024.
As Google claimed when the new guidelines were first announced, its AI-powered defenses can successfully block nearly 15 billion unwanted emails daily, preventing over 99.9% of spam, phishing attempts, and malware from infiltrating users' inboxes.
"You shouldn't need to worry about the intricacies of email security standards, but you should be able to confidently rely on an email's source," said Neil Kumaran, Group Product Manager for Gmail Security & Trust in October.
"Ultimately, this will close loopholes exploited by attackers that threaten everyone who uses email."
Comments
electrolite - 2 months ago
How freaking long did it take for a tech company to step up and implement some sort of burden on mass senders! Think of how many attacks could have been prevented with just this vector alone being blocked.
As for the Unsubscribe link, that is completely useless and only lets the sender know 'someone is at home' at the email address. Either that or they could redirect you to a malicious site anyway. The best thing to do is just report as spam.
U_Swimf - 2 months ago
The report is stating that what u just said has changed.
I had been trying to unsubscribe from a website for years. Going through the usual links and channels never worked. Two days ago, related to what bleeps is reporting, I tried unsubscribing from the site (if at first you don't succeed, right) and it finally worked! So far anyway. And it could be chance, it could be a different reason, I really don't know.
Seems to me Google NOT doing seemingly obvious things for security things has the effect of NOT hyper accelerating problems into an even worse state by invoking the game of cat and mouse.
By Google combating something trivial like email, it could have side effects opposite to their intentions. Often it does, because creating attention to do anything always draws the attention of those who wish to see you fail.
electrolite - 2 months ago
"The report is stating that what u just said has changed."
Has it really? Gmail has had the option to either Unsubscribe or Unsubscribe and Report Spam for years. What exactly has changed? How do you know you will not get spammed again? This report has only been out a few days now.
Trying to unsubscribe is like trying to tell spam phone calls not to call or the other useless DNC list that has never worked. The fact that you thought that constantly clicking on Unsubscribe would have helped means you don't understand good security principles. The best response to a phishing attempt is to not respond at all. That is what phishing is all about, someone taking the bait.
In regards to the cat and mouse, this is another moot point. There will always be a game of cat and mouse, good guys vs. bad guys, since the dawn of humanity. Google could easily have had the From address verification in place for any Gmail-based address even before DKIM and DMARC were a thing. The other change, to have restrictions for more than 5000 external recipients, is also a no-brainer. Implementing good security policies is better than doing nothing. This is what the tech industry is lacking severely as a whole.
JoeX51 - 2 months ago
They do this to external users, but most of the spam that I see and my clients get usually comes from some made-up name @gmail.com, and the reporting of the account is a giant pain in the butt and sometimes doesn't work correctly.
electrolite - 2 months ago
The absolute worst is when some random Gmail address adds your Gmail address to their account. And there is no option to report it. Google says just to ignore the email if it wasn't 'you'. How about giving the user the option to report email addresses that are used for the sole purpose of linking a random email to your Gmail address. Google should then take action against this type of spam where everyone wants to link to your Gmail address.
theoldcoot - 2 months ago
I have seen nothing but spam on Gmail, especially since so many sites have been hacked over the years, and you would have thought Gmail would have got TST ten years ago. They still have other problems that they refuse to fix, especially the one that causes nothing but a hassle if you are trying to regain control of an account. If you entered your phone number in your account (ya, I did, dumb enough) and have changed your phone number since then, you're SOL on getting it back.
fromFirefoxToVivaldi - 2 months ago
The laws need to catch up.
SPF+DKIM+DMARC should be mandated by law, and all e-mails which do not pass these successfully should be treated as spam and straight up discarded or put in a separate "malicious" mailbox folder automatically. This would fix a lot of issues, both with spam and with lazy admins.
tverweij - 2 months ago
That won't work for domains like outlook.com, gmail.com, etc.
Every one of those mails has valid SPF+DKIM+DMARC, while these domains are responsible for a lot of malicious spam.