
New Gmail Rules Start Blocking Email For 1.8 Billion Users

In an announcement by Google on October 3, 2023, Neil Kumaran, a group product manager responsible for Gmail security and trust, confirmed that starting February 2024, Gmail will require bulk senders to authenticate their email.

As February has arrived, this policy is now in effect. Users have begun to report receiving Gmail 550-5.7.26 errors, indicating that email has been blocked due to the sender’s lack of authentication.

The October announcement, titled New Gmail protections for a safer, less spammy inbox, stated that users shouldn’t need to “worry about the intricacies of email security standards,” and instead be able to “confidently rely on an email’s source.” You won’t find me complaining about that; it’s bang on. From Google’s end, the solution is to require all Gmail users who send “significant volumes” to use a robust email authentication method to close what it calls “loopholes exploited by attackers” that threaten all of us. All 1.8 billion of us, as that’s how many Gmail accounts there are.

Seth Blank is chief technology officer at email domain validation platform Valimail and co-chair of the Domain-based Message Authentication, Reporting & Conformance working group. From the start of February, Blank warns, “you will start to see temporary errors for unauthenticated mail, and starting in April, unauthenticated mail that does not pass DMARC will start to be rejected.” Blank was not wrong: those authentication failure messages are already being reported by users, and while temporary for now, the confusion they leave behind will likely be more long-lived. So, let’s try to clear that up.

Google’s Kumaran says that while Gmail AI stops more than 99.9% of spam, phishing and malware from hitting your inbox, including some 15 billion emails every day, that’s not enough, which is why the new bulk email senders requirements have been implemented.

Firstly, Kumaran says, bulk senders are “those who send more than 5,000 messages to Gmail addresses in one day.” Because many fail to secure their systems properly, malicious actors can hijack email domains for nefarious purposes. Sender validation and strong email domain authentication are essential in filtering out much of this security-weakening material. “Last year (2022), we started requiring that emails sent to a Gmail address must have some form of authentication,” Kumaran says, “and we’ve seen the number of unauthenticated messages Gmail users receive plummet by 75%.” This, in turn, led to less cluttered Gmail inboxes and billions of messages with malicious intent being blocked before delivery.

As well as the new bulk mail sending authentication requirements, Google has also enabled accessible unsubscription features for Gmail users. Google also implements a “clear spam rate threshold,” so senders who break this are throttled. “This is an industry first, and as a result, you should see even less spam in your inbox,” Kumaran confirmed.

The best resource I have found for getting to grips with what these errors mean is from another email domain verification specialist, PowerDMARC. The operations team lead with particular expertise in email authentication and security, Yunes Tarada, breaks down a typical Gmail unauthenticated sender error message and explains precisely what it means. Tarada also explains that users sending fewer than 500 emails per day could also find their messages blocked by Gmail if they have not implemented Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM), have a spam rate greater than 0.3%, do not use a Transport Layer Security (TLS) connection for transmitting emails, have not enabled Authenticated Received Chain (ARC) for forwarded messages, have invalid DNS records or are impersonating Gmail From: headers.
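A sender can check several of the items in that list from the headers of a test message as the receiving server stored it. The sketch below is an added example, not code from Google or PowerDMARC; it covers only what headers reveal (SPF, DKIM, DMARC, TLS on the final hop, a gmail.com From: address), not spam rate, ARC or DNS validity. The sample message, the hostnames and the `audit` function are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers of a test message as stored by a receiver (not real mail).
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce.example.com;
 dkim=fail header.d=example.com;
 dmarc=fail header.from=example.com
Received: from out.example.com (out.example.com [192.0.2.10])
 by mx.receiver.example with ESMTP id abc123;
 Thu, 01 Feb 2024 10:00:00 +0000
From: News <news@example.com>
Subject: test

body
"""

# "with ESMTPS" style keywords in Received mark a TLS-protected hop (RFC 3848).
TLS_WITH = re.compile(r"\bwith\s+(?:ESMTPS|ESMTPSA|UTF8SMTPS|UTF8SMTPSA)\b", re.I)

def audit(raw):
    """Return the names of the header-visible requirements the message fails."""
    msg = message_from_string(raw)
    # Only the topmost Authentication-Results and Received headers come from
    # the final receiver; anything lower may have been supplied by the sender.
    auth = (msg.get_all("Authentication-Results") or [""])[0]
    results = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        results.setdefault(method.lower(), set()).add(result.lower())
    passed = lambda method: "pass" in results.get(method, set())

    failures = []
    if not (passed("spf") or passed("dkim")):
        failures.append("spf-or-dkim")
    if not passed("dmarc"):
        failures.append("dmarc")
    if not TLS_WITH.search((msg.get_all("Received") or [""])[0]):
        failures.append("tls")
    # Assumption: a bulk sender using a gmail.com From: address counts as
    # impersonating Gmail From: headers.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain == "gmail.com":
        failures.append("gmail-from")
    return failures

if __name__ == "__main__":
    print(audit(SAMPLE))
```
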

Blank has been providing customer feedback directly to Google regarding the guidance to hopefully clarify what it means and help senders and recipients understand the authentication requirements. “This isn’t just about protecting yourself,” Blank says, “done right, email authentication protects partners, consumers, and anyone receiving email.” Blank reckons that a herd-immunity percentage of 70% of the largest bulk email senders using strong authentication must be reached to make exact domain spoofing “economically uninteresting.”

“Just like we adapted to HTTPS as the standard for the World Wide Web, and like MFA is becoming the standard for our online accounts, every business will need to become familiar with standards like SPF, DKIM, and DMARC,” Gerasim Hovhannisyan, CEO at EasyDMARC, says. “As we navigate the evolving cyber landscape,” Hovhannisyan continues, “staying proactive in adopting and adapting to these security trends will be paramount for businesses to maintain effective communication channels and uphold their digital reputation.”
