In an effort to enhance email security and combat spam, Google recently implemented a new policy requiring bulk senders to authenticate their emails. As of February 2024, Gmail users began receiving error messages, specifically the Gmail 550-5.7.26 error, indicating that the sender's email lacked authentication.
The policy was announced by Neil Kumaran, a group product manager responsible for Gmail security and trust, in October 2023. Kumaran emphasized the importance of email authentication to close loopholes exploited by attackers. With over 1.8 billion Gmail accounts, this policy aims to protect all users from potential threats.
Seth Blank, chief technology officer at Valimail and co-chair of the Domain-based Message Authentication, Reporting & Conformance (DMARC) working group, warned that unauthenticated emails would result in temporary errors starting in February. By April, unauthenticated emails that fail to pass DMARC would be rejected. Users have already reported encountering these authentication failure messages, which have caused confusion.
While Google's AI system already successfully filters out more than 99.9% of spam, phishing, and malware, Kumaran believes that additional measures are necessary. This led to the implementation of new requirements for bulk email senders.
Kumaran explained that bulk senders are defined as those who send more than 5,000 messages to Gmail addresses in a single day. Since many of these senders fail to secure their systems properly, malicious actors can exploit their email domains for nefarious purposes. To combat this, sender validation and strong email domain authentication are crucial. Google began requiring some form of email authentication for messages sent to Gmail addresses in 2022, resulting in a 75% decrease in unauthenticated messages and improved inbox cleanliness.
In addition to the authentication requirements for bulk mail senders, Google has also introduced accessible unsubscribe features for Gmail users. A 'clear spam rate threshold' has been implemented as well, allowing Google to throttle senders who exceed it. Kumaran assured users that this initiative significantly reduces the amount of spam in their inboxes.
To understand the meaning behind the unauthenticated sender error messages, Yunes Tarada, an expert in email authentication and security at PowerDMARC, offers valuable insights. Tarada breaks down a typical Gmail unauthenticated sender error message and explains its significance. In summary, Gmail may block messages from senders who do not have Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) implemented, have a spam rate exceeding 0.3%, lack Transport Layer Security (TLS) for email transmission, fail to enable Authenticated Received Chain (ARC) for forwarded messages, have invalid DNS records, or impersonate Gmail in the message headers.
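A sender can check a test message against most of these conditions before Gmail does. The script below is an added example, not code from Google, PowerDMARC or the article: it audits the headers of a message delivered to a mailbox the sender controls, using the 5,000-per-day and 0.3% figures quoted above. The sample message, the function names and the finding strings are constructed for illustration, the TLS check is a heuristic based on the `Received` header, and the DNS record checks are left out because they need live lookups.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every header value here is made up.
SAMPLE = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.i=@news.example.com;\n"
    " spf=pass smtp.mailfrom=bounce.example.com;\n"
    " dmarc=fail header.from=example.com\n"
    "Received: from out.example.com by mx.example.net with ESMTPS;"
    " Mon, 5 Feb 2024 10:00:00 +0000\n"
    "From: Offers <offers@example.com>\n"
    "Subject: constructed sample\n\nbody\n"
)
BULK_PER_DAY = 5000      # article: more than 5,000 messages/day to Gmail
SPAM_RATE_MAX = 0.003    # article: spam rate exceeding 0.3%

def auth_results(msg):
    """Map method -> set of results from Authentication-Results headers."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            found.setdefault(method.lower(), set()).add(result.lower())
    return found

def audit(raw, per_day, spam_rate, forwarded=False):
    """Return the conditions from the article that this message trips."""
    msg = message_from_string(raw)
    res = auth_results(msg)
    findings = []
    if "pass" not in res.get("spf", ()) and "pass" not in res.get("dkim", ()):
        findings.append("no passing SPF or DKIM")
    if per_day > BULK_PER_DAY and "pass" not in res.get("dmarc", ()):
        findings.append("bulk sender failing DMARC")
    if spam_rate > SPAM_RATE_MAX:
        findings.append("spam rate above 0.3%")
    # Heuristic: "with ESMTPS" / "ESMTPSA" (RFC 3848) marks a TLS-protected hop.
    hops = " ".join(msg.get_all("Received", []))
    if not re.search(r"\bwith\s+\w*SMTPSA?\b", hops, re.I):
        findings.append("no TLS recorded in Received headers")
    if forwarded and not msg.get_all("ARC-Seal"):
        findings.append("forwarded without ARC headers")
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in ("gmail.com", "googlemail.com"):
        findings.append("From header uses a Gmail domain")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, per_day=6000, spam_rate=0.001):
        print("FAIL:", finding)
```

Only `Authentication-Results` headers stamped by the sender's own receiving server should be fed to this check, since any earlier hop can add a header with the same name.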
Blank has been working closely with Google to provide feedback and clarification on the authentication requirements, with the goal of helping both senders and recipients understand these measures. According to Blank, email authentication is not only about personal protection but also protects partners, consumers, and anyone receiving email. Blank believes that broader adoption of authentication among the largest bulk email senders is crucial to making exact domain spoofing economically unattractive.
Google's new policy represents a significant step towards a safer and less spam-ridden email experience for Gmail users. By requiring email authentication from bulk senders, Google aims to block unwanted and potentially harmful content, leading to a more secure and clutter-free inbox for all.