Archive for Valimail

Valimail Highlights Successes In 2023

Posted in Commentary with tags on February 6, 2024 by itnerd

Valimail, the leading DMARC vendor and provider of automated email authentication and anti-phishing solutions, today announced the close of a highly successful fiscal year ending January 31, 2024. Highlights of the past year were Valimail Align, which was first to market in meeting the new email requirements from Google and Yahoo; significant partnerships, including Microsoft; and a notable client base growth rate of 40 percent.

2024 Fiscal Year Achievements Included: 

Product Innovation: 

  • Launched Valimail Align – Align is the first to market, innovative solution that simplifies the process for companies of all sizes to meet new sender authentication standards set by Google and Yahoo, facilitating a swift path towards overall DMARC compliance.
  • Continued to Evolve its DNS Infrastructure – Valimail solidified its position as the leader in DMARC-as-a-service with significant updates to its DNS infrastructure, furthering its commitment to delivering innovative, market-leading technology its customers need. 
  • Added 5 new U.S. patents, including 3 new DMARC patents. 

Market Momentum: 

Over the last fiscal year, Valimail has seen tremendous growth and adoption of its DMARC-as-a-service platform. After passing 30,000 customers in June 2023, Valimail now has more than 38,000 customer accounts, including organizations of all types and sizes, from higher education to global consumer brands. While growing at an exceptional rate, the company has also maintained a world-class Net Promoter Score (NPS): Enforce customers scored Valimail at 83, and across all products, Valimail was scored at 72. The high NPS scores are a reflection of the Company’s patented Precision Sending Services and world-class support.

Strategic Partnerships: 

Company Growth and Recognition: 

Guest Post: The Gmail.com DMARC Policy Update You May Not Know About

Posted in Commentary with tags on January 31, 2024 by itnerd

By Seth Blank, CTO Valimail

Back in October 2023, Google and Yahoo jointly announced new email sender requirements for inbound mail to their domains that they would be putting in place early in 2024, requirements that, for now, are focused on bulk senders. 

This announcement and its subsequent updates have rightly gotten the full attention of the email industry. However, there was one other item buried in Google’s announcement that we don’t think people are talking about enough. One of the bullet items in Gmail’s guidelines for all senders reads as follows:

Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery.

Long story short: If you have a small business, and you use an email sending service to email contacts, but your From address is NameOfSmallBusiness@gmail.com instead of something like hello@NameOfSmallBusiness.com, your email may be sent to the spam folder beginning in February 2024.

If you’re sending with a From address ending in gmail.com from any platform other than Google, you’re likely going to run into some issues.

What Does It Mean to Impersonate Gmail From: Headers?

Sending mail from any platform other than a Google platform with a From address in the gmail.com domain is impersonating Gmail From: headers. 

A typical example would be a small business sending from a platform like Mailchimp, Braze, or Klaviyo using a From address like: “NameOfSmallBusiness@gmail.com”.

This type of email could never pass DMARC authentication because the platform’s servers are not in the SPF record for gmail.com, and the platform cannot DKIM sign such messages using the domain gmail.com.

By definition, a message that can’t pass DMARC authentication is deemed an impersonation of that domain, and so sending mail in such a manner is impersonating Gmail From: headers.

What Action Is Google Taking Here?

For years now, there has been a DMARC policy record for gmail.com, one that has had “p=none” as its policy statement. In DMARC jargon, this means “The domain owner requests that the DMARC validation results for any message using this domain do not influence the message’s disposition.” 

Because there has been a DMARC policy record in place for a long time, messages that impersonate Gmail From: headers have been failing DMARC for a long time; however, because the policy statement up until now has been p=none, these failures have had little to no impact on these messages.

Starting on February 1, 2024, Google will be changing this policy statement to “p=quarantine”, which means that they’re requesting that messages that use gmail.com as the From domain and fail DMARC be placed in the spam folder. What this means is that messages that impersonate Gmail From: headers are likely to end up in recipients’ spam folders, rather than their inboxes.
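The effect of the policy change on a message sent as NameOfSmallBusiness@gmail.com from a third-party platform, as an added example (not code from Google or Valimail). The ESP domain `esp.example`, the function names and the two record strings are constructed; the records carry only the p= value described above, and the alignment check is simplified in a way that is valid only because gmail.com is itself an organizational domain.

```python
from dataclasses import dataclass
from email.utils import parseaddr


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=none; ...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p", "").lower() not in {"none", "quarantine", "reject"}:
        raise ValueError("missing or invalid p= tag")
    return tags


@dataclass
class AuthResults:
    spf_pass: bool     # SPF verdict for the envelope sender (MAIL FROM) domain
    spf_domain: str
    dkim_pass: bool    # verdict for one DKIM signature
    dkim_domain: str   # the d= value of that signature


def aligned(auth_domain, from_domain):
    # Simplified relaxed alignment: same domain or a subdomain of it.
    # Correct only when from_domain is an organizational domain (gmail.com is).
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f or a.endswith("." + f)


def dmarc_disposition(from_header, auth, record):
    """Return 'pass', or the policy the From domain's owner requests on failure."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    spf_ok = auth.spf_pass and aligned(auth.spf_domain, from_domain)
    dkim_ok = auth.dkim_pass and aligned(auth.dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return "pass"
    return parse_dmarc_record(record)["p"].lower()


# Constructed inputs: the platform's SPF and DKIM checks both pass, but for the
# platform's own domain, so neither result aligns with the gmail.com From domain.
FROM_HEADER = "Small Business <NameOfSmallBusiness@gmail.com>"
ESP_AUTH = AuthResults(True, "bounce.esp.example", True, "esp.example")
OLD_POLICY = "v=DMARC1; p=none"        # stand-in for the earlier policy statement
NEW_POLICY = "v=DMARC1; p=quarantine"  # stand-in for the policy after the change

if __name__ == "__main__":
    print("before:", dmarc_disposition(FROM_HEADER, ESP_AUTH, OLD_POLICY))
    print("after: ", dmarc_disposition(FROM_HEADER, ESP_AUTH, NEW_POLICY))
```

The message fails DMARC under both records; only the requested handling changes.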

Am I Affected By This?

If you’re in the habit of sending email from a platform that isn’t Gmail while using a From email address that ends in gmail.com, then you’re going to be affected by this.

In the above example, if you’re sending emails to contacts from an email platform using  “NameOfSmallBusiness@gmail.com”, any mail you send will likely be delivered to the spam folder at any mailbox provider that honors DMARC policies. 

I’m Affected! What Do I Do?

The short answer here is that if you’re sending mail from a third-party platform, especially mail that’s related to your business, you should use a domain that can properly authenticate on that platform. 

The best choice for this would be a domain that you own. Many small businesses have their own domain for a website; they just never bothered setting up the domain for email. There are lots of small businesses out there sending email as “NameOfSmallBusiness@gmail.com” telling their customers to check out their website at www.NameOfSmallBusiness.com. Instead, you should use something like “hello@NameOfSmallBusiness.com.” 

If you don’t currently have your own domain for your business, you should get one. Registering a domain only costs a few dollars per year, and it’s industry best practice to send business-related emails using a domain name that is clearly and recognizably associated with the business. Your customers are much more likely to engage with your email if it’s sent from an email address using your own domain rather than Gmail’s.

Once you’ve decided on a domain to use, contact your ESP for help not only with setting up sending mail using your domain, but also making sure that you transition properly to doing so. 

They can advise you on how best to notify your customers to update their address books or email filters, how to make sure that your domain’s mail properly authenticates using DMARC (something Valimail can certainly help with), and how to warm up your domain for sending to get best results.

If you’re still unsure of what all this means and where to get started, check out our new eBook: The Email Marketer’s Guide to DMARC. Here you’ll learn what DMARC is, what the benefits are, and how to implement it correctly.


Valimail launches Align

Posted in Commentary with tags on January 4, 2024 by itnerd

Valimail today launches Valimail Align, a tailored solution for quickly validating compliance status to meet the new sender authentication requirements from Google and Yahoo, and streamlining the path towards overall DMARC compliance for companies of all sizes. 

Today’s email ecosystem is evolving. Recently, Gmail and Yahoo released email sender guidelines to reduce spam, prevent email spoofing, and enhance security for their customers.

Starting in February 2024, the guidelines require authentication of outgoing email by bulk senders (senders who have sent at least 5,000 emails in a 24-hour period). By April 2024, organizations need to ensure their email authentication complies with the new rules or risk email being blocked. 

The first-to-market, comprehensive solution, Align ensures SPF and DKIM alignment to meet the delivery requirements set by Google and Yahoo. With Valimail’s market-leading, advanced, and patented automation suite, users can quickly and easily reach compliance across all services to prevent emails from getting blocked. Align ensures full compliance in days, not months.

Valimail Align simplifies email compliance for marketers in these simple steps: 

  • Streamlined Compliance Reporting: Rapid assessment of adherence status across all sending services to ensure emails don’t end up being blocked. 
  • Automated Configuration: Utilize guided workflows to authorize all senders with a single click, eliminating the need for manual decoding of DMARC reports, IP address lookups, or DNS change management.
  • Intelligent Task List: Step-by-step instructions to help configure or troubleshoot alignment issues for lightning-fast compliance with authentication requirements. 

Valimail’s compliance features enable customers to configure services or troubleshoot alignment issues quickly and easily across the company’s broad product portfolio. These features are available within Align, as well as Enforce, which provides organizations with compliance as well as complete brand protection, user management, reports, custom alerts, and more. Valimail Align is available today at an introductory price to ensure customers can meet these new requirements in time and without issue.

Visit https://www.valimail.com/products/align for more information. 

2024 Predictions on AI, Cybersecurity, and Email Authentication from Valimail’s Leaders

Posted in Commentary with tags on December 12, 2023 by itnerd

In 2024, we can expect to see a dramatic escalation in AI-fueled disinformation and sophisticated cyber threats, especially during the U.S. election year!

With disinformation spreading more rapidly due to advanced AI tools, email authentication will become critical to safeguard against false narratives. The election season will likely see intensified information attacks, highlighting the need for stringent verification of digital communications. As cyber threats grow more sophisticated with AI advancements, robust authentication will emerge as a key defense necessary to discern real interactions from AI-generated deceptions. This evolving cyber landscape underscores the urgency of adapting security strategies to outpace these emerging challenges.

Valimail’s Alexander Garcia-Tobar, CEO and Co-Founder, and Seth Blank, Chief Technology Officer (CTO), had this to say:  

Alexander Garcia-Tobar, CEO and Co-Founder, Valimail

A Rise in Disinformation Influenced by Global Events and AI: 

“In 2024, there will be an acceleration in disinformation, exacerbated by ongoing global conflicts and the growing availability of AI tools that will create and/or spread false narratives more rapidly and convincingly. This trend will be viewed against a backdrop of declining public trust in institutions, a phenomenon intensified by the US election year. With email being the primary communication tool used, validating sender authentication will become increasingly more important.”

Election Year Vulnerabilities and State Actor Threats: 

“2024 brings a national election, which will bring a heightened risk of targeted information attacks, especially given explicit warnings from foreign state actors about their intentions to disrupt or influence the electoral process through information warfare. With email and social networks as primary attack vectors, there will be an increased need to know the authenticity of the sender/originator of the communication.”

A Rise in the Importance of Email Authentication and Transparency in Digital Communication

“Email authentication will play a crucial role in maintaining the integrity of digital communications, especially as disinformation becomes more prevalent. Ensuring the authenticity of the sender will gain acceptance as a vital first step in building trust and accountability online. This will include the need for transparency in content creation, where the source or authorship of information must be verifiable, reducing the potential for impersonation and misinformation.”

Seth Blank, Chief Technology Officer (CTO), Valimail

Increased sophistication and pervasiveness of cyber threats with AI: 

“There will be a significant rise in the sophistication of cyber threats, primarily due to the advancement and widespread use of AI and generative AI. This will lead to an increase in the challenges in determining the authenticity of communications as AI technologies become more capable of imitating real human interactions. The potential for more realistic phishing attacks and the spread of disinformation, leveraging AI’s ability to mimic different personas convincingly, will be a part of this. It’s important to underscore that AI can be used not only for beneficial purposes but also maliciously, making it increasingly difficult to discern genuine communications from fraudulent ones. As email has been abused by generative content for decades, the ecosystem should look at email’s existing protections as a way to protect itself from the new threats of generative AI.”

Authentication Will Be the Key Defense Strategy: 

“Authentication will become the first line of defense against sophisticated cyber threats. And any communication lacking proper authentication will be treated with suspicion. This approach will become an accepted crucial measure in filtering out potential threats and reducing the risk of falling prey to AI-generated frauds or disinformation campaigns. Emphasis will be put on the need for more robust and sophisticated authentication mechanisms to keep pace with the evolving nature of cyber threats.”

A Shift in Threat Landscape Due to Improved Email Security: 

“With advancements in email security, particularly through stringent authentication requirements, there will be a shift in the threat landscape. As email becomes more secure and less susceptible to attacks, attackers will pivot to other, less secure communication channels, such as SMS, phone calls, and IoT communications. This shift will reflect the adaptive nature of cyber-criminals, who continually seek out the weakest points in the security infrastructure, and highlight the ongoing challenge of maintaining a comprehensive security posture that evolves in response to the changing tactics of cyber attackers.”

Guest Post: The New Requirements for Email Delivery at Gmail

Posted in Commentary with tags on October 5, 2023 by itnerd

By Seth Blank, CTO, Valimail

Google’s announcement on October 3, 2023, is a massive change that is intended to impact email senders who send more than 5,000 emails to Gmail inboxes each day. 

In order to make Gmail inboxes trusted and safe spaces for recipients, Google will be enforcing a handful of new requirements for these types of senders. Beginning in February 2024, email senders will need to have the following requirements in place in order to get email delivered: 

For many email senders, these new requirements won’t impact their email programs, but for others, these changes will mean they’ll need to re-examine their current email authentication and sending practices. 

Below, we’ll dive into the details of each new requirement, what this means for senders and recipients, the reasoning behind making this policy change, and what we think it means for the future of email. 

The new requirements

Implement SPF and DKIM 

SPF and DKIM are mature, robust email authentication protocols that have been in existence for over a decade each. SPF and DKIM provide two different methods not only for authorizing the use of a domain name in an email message, but also for helping to ensure that a domain owner gets proper credit for their sending practices.

Send from a domain with a DMARC policy of at least p=none

DMARC is a protocol that builds on SPF and DKIM to:

  • Authorize the use of a domain in the visible From header
  • Give the domain owner insight into the authentication practices of mail streams using that domain
  • Provide the domain owner a mechanism to request handling of messages that fail authentication checks (referred to as a policy preference)

A DMARC DNS record with a policy preference of p=none is the lowest bar for participating in DMARC, as it requests no special handling for messages that fail authentication, but at the same time, gives the domain owner full visibility into its mail streams. The data collected at this step allows the domain owner to make any adjustments to authentication practices necessary before moving on to stronger policy preferences.

Send with an aligned From domain 

With this requirement, Google is asking for each message to have a visible From domain that aligns with either the SPF or DKIM domain, with a preference for alignment with the DKIM domain.

For those unfamiliar with the concept, the term “alignment” here comes straight from the DMARC protocol, and per that protocol, two domains are in alignment if they’re identical or at least share an organizational domain (i.e., the domain that is registered when an organization wishes to establish a presence on the public Internet). 

For example, “valimail.com” is our organizational domain, and the domains “sales.valimail.com” and “auth.valimail.com” are in alignment with each other because they share the same organizational domain. 
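The alignment rule above as an added example (not Valimail's or Google's code). `PUBLIC_SUFFIXES` is a deliberately tiny constructed stand-in for the Public Suffix List that real DMARC implementations use to find the organizational domain, and the `.co.uk` shop names are constructed.

```python
# Constructed stand-in for the Public Suffix List (publicsuffix.org).
# A real validator loads the full list; three entries are enough here.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk"}


def organizational_domain(domain):
    """Longest matching public suffix plus one more label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # Smaller i means a longer candidate suffix, so the first hit is the longest.
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{domain!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # Suffix not in the list: fall back to the last two labels.
    return ".".join(labels[-2:])


def is_aligned(from_domain, auth_domain, mode="r"):
    """DMARC identifier alignment: mode 'r' is relaxed, 's' is strict."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a                      # strict: exact match only
    return organizational_domain(f) == organizational_domain(a)


def aligned_identifiers(from_domain, spf_domain, dkim_domains,
                        aspf="r", adkim="r"):
    """Return which authenticated identifiers align with the From domain."""
    hits = []
    if spf_domain and is_aligned(from_domain, spf_domain, aspf):
        hits.append(("spf", spf_domain))
    for d in dkim_domains:
        if is_aligned(from_domain, d, adkim):
            hits.append(("dkim", d))
    return hits


if __name__ == "__main__":
    # The two subdomains from the text share valimail.com, so they align (relaxed).
    print(is_aligned("sales.valimail.com", "auth.valimail.com"))
    # Two different registrants under co.uk must not align: this is why the
    # organizational domain cannot be computed as "the last two labels".
    print(is_aligned("news.shop-a.co.uk", "mail.shop-b.co.uk"))
    # A message signed by a platform's domain and by the sender's own domain.
    print(aligned_identifiers("sales.valimail.com", "bounce.esp-platform.com",
                              ["esp-platform.com", "auth.valimail.com"]))
```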

Valid forward and reverse DNS

Among other records in the DNS, there are two types that are specifically keyed around IP addresses. The DNS “A” record is used to map hostnames to IP addresses (sometimes called “forward DNS”), and the DNS “PTR” record is used to map IP addresses to hostnames (sometimes called “reverse DNS”). 

It has long been a best practice for inbound mail servers to require that sending servers connect from IP addresses that have existing PTR records, but Google is going one step further here and requiring not only that the connecting IP address have a PTR record, but also that the PTR record resolves to a hostname that then resolves back to that same IP address.

The reason for this requirement is that anyone with control over DNS can publish PTR records resolving to any name they choose, so it’s very easy to attempt to spoof ownership. 

As an example, if there were an IP address 12.34.56.78 which had its PTR resolve to mailServer.knownbrand.com, Google would require that the A record for mailServer.knownbrand.com also resolve to the IP address 12.34.56.78, a technique sometimes called Forward Confirmed reverse DNS or just “FCrDNS.”
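The FCrDNS check described above, as an added example (not Google's implementation). The lookup functions are injectable so the check can be run against the constructed zone data below, which mirrors the example in the text and adds a second, constructed address (203.0.113.9) whose PTR claims the same hostname.

```python
import ipaddress
import socket


def system_ptr_lookup(ip):
    """PTR names for ip via the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_addr_lookup(hostname):
    """A/AAAA addresses for hostname via the system resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except OSError:
        return []
    return [info[4][0] for info in infos]


def fcrdns(ip, ptr_lookup=system_ptr_lookup, addr_lookup=system_addr_lookup):
    """Return the PTR hostnames that resolve back to ip (empty list = fail)."""
    target = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr_lookup(ip):
        host = name.rstrip(".").lower()
        for addr in addr_lookup(host):
            try:
                if ipaddress.ip_address(addr) == target:
                    confirmed.append(host)
                    break
            except ValueError:
                continue  # resolver returned something that is not a plain IP
    return confirmed


# Constructed zone data. The reverse zone is controlled by whoever holds the
# address block; the forward zone is controlled by the owner of the name.
PTR_RECORDS = {
    "12.34.56.78": ["mailServer.knownbrand.com."],
    "203.0.113.9": ["mailServer.knownbrand.com."],  # claims the name, unconfirmed
}
A_RECORDS = {"mailserver.knownbrand.com": ["12.34.56.78"]}


def demo_ptr(ip):
    return PTR_RECORDS.get(ip, [])


def demo_addr(host):
    return A_RECORDS.get(host, [])


if __name__ == "__main__":
    for ip in ("12.34.56.78", "203.0.113.9", "198.51.100.1"):
        print(ip, fcrdns(ip, demo_ptr, demo_addr) or "FCrDNS fails")
```

Only the first address passes: the second has a PTR but the forward lookup does not return it, and the third has no PTR at all.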

One-click unsubscribe

As defined in RFC 8058, when a sender inserts specially crafted headers in a message, it signals to the mail client that the recipient can unsubscribe from that sender’s messages with just one click if the mail client supports the functionality. Gmail supports this functionality, which can be seen in any number of messages you might see in the Promotions tab or elsewhere from B2C emails: 

The image above is a notification from Lattice. The “Unsubscribe” link next to the sender’s email address in this example is the One-Click Unsubscribe that Google is requiring here.
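A check for the RFC 8058 headers mentioned above, as an added example (not Gmail's logic). Both sample messages, the `shop.example` domain and the function name are constructed; the check looks only at whether a DKIM signature's h= tag lists the two headers, it does not verify the signature.

```python
import re
from email import message_from_string

REQUIRED = {"list-unsubscribe", "list-unsubscribe-post"}


def one_click_problems(raw_message):
    """Return a list of RFC 8058 problems; an empty list means the headers qualify."""
    msg = message_from_string(raw_message)
    problems = []

    # List-Unsubscribe holds one or more <URI> entries; one must be https.
    uris = re.findall(r"<([^<>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.strip().lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no https URI")

    # The companion header carries exactly this key/value pair.
    post = msg.get("List-Unsubscribe-Post", "").strip()
    if post != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post is missing or has the wrong value")

    # RFC 8058 also requires a DKIM signature that covers both headers,
    # so that the unsubscribe target cannot be altered in transit.
    covered = False
    for sig in msg.get_all("DKIM-Signature", []):
        unfolded = re.sub(r"\s+", "", sig)
        m = re.search(r"(?:^|;)h=([^;]*)", unfolded)
        if m and REQUIRED <= {h.lower() for h in m.group(1).split(":")}:
            covered = True
    if not covered:
        problems.append("no DKIM signature covers both unsubscribe headers")
    return problems


# Constructed messages; bh= and b= values are placeholders, not real signatures.
GOOD = (
    "From: Shop <news@shop.example>\n"
    "List-Unsubscribe: <mailto:unsub@shop.example?subject=u1>,\n"
    " <https://shop.example/unsub?id=constructed-token>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=shop.example; s=sel1;\n"
    " h=from:subject:list-unsubscribe:list-unsubscribe-post; bh=...; b=...\n"
    "Subject: Weekly offers\n"
    "\n"
    "body\n"
)
MAILTO_ONLY = (
    "From: Shop <news@shop.example>\n"
    "List-Unsubscribe: <mailto:unsub@shop.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=shop.example; s=sel1;\n"
    " h=from:subject; bh=...; b=...\n"
    "Subject: Weekly offers\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(one_click_problems(GOOD))
    print(one_click_problems(MAILTO_ONLY))
```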

Low spam rate 

When Gmail users report unwanted messages as spam, its filters use those reports and other heuristics to identify mail that is likely to be unwanted.

This “Low Spam Rate” requirement doesn’t come with any numbers publicly attached to it, but their intention seems pretty clear; domain owners must send wanted mail to people who demonstrate that it’s wanted (through engaging with those messages) or else the domain owners will lose the privilege of sending mail to Gmail.

What this means for senders and recipients

It’s important to note here that this policy change from Google is meant to benefit the end recipient. Google wants to ensure that Gmail users can trust the mail they receive, and by making SPF, DKIM, and DMARC requirements, they’re taking an excellent first step. 

These requirements are a pretty low bar for most email senders, but they’re things that bad actors usually fail to implement. With this requirement, Gmail users can be a bit more confident that the messages they’re receiving are at least getting past basic email authentication. 

“While it’s easy to think this policy change will only impact marketing and other commercial emails, the fact is there are many other types of email that organizations send. These changes impact all email coming from a domain, and while that might include mail being sent through Mailchimp or SendGrid, there are many other emails flowing through the organization’s ecosystem.”

Without ensuring all email coming from your domain is following these requirements, your HR team might not be able to get payroll emails delivered, or the sales team sending outreach messages to prospects might get email blocked. 

For senders of legitimate email, these requirements shouldn’t be revolutionary, but organizations should at least double-check that they have their bases covered. If you’re curious about the email coming from your domain, sign up for Monitor for free today to get visibility into your SPF, DKIM, and DMARC records.  

Why make this policy change?

The benefit of requiring authentication is increased trust and safety throughout the entire ecosystem, at every mailbox provider that validates email authentication (hint: it’s all of them). For businesses sending email, this means protecting their employees, their customers, their executives, and their brand.

At Valimail, we believe that authentication is foundational, and doing it the right way is critical. Email is rife with abuse, and we must do better as an ecosystem to protect everyone. You should be able to trust your email: the email in your inbox should be from who it says it’s from, not a malicious actor pretending to be someone else. When a sender properly authenticates their email, it ensures that no one else can send fake email using their authenticated domains.

“Google’s policy is a great first start; requiring aligned SPF or DKIM with a DMARC policy of at least p=none is a phenomenal low bar, and more is needed. Until all senders utilize the strongest authentication — DMARC at enforcement — their domains are spoofable, and bad actors can continue to defraud users at an accelerating rate.

DMARC at enforcement is not well deployed enough in the market for this to be a realistic requirement today. We hope Google can get aggressive at raising the bar, so strong authentication becomes the norm for everyone in the near future. This is where the real protection for everyone kicks in.

This policy update from Google is a huge step towards a safer world in email for everyone.”

Seth Blank, CTO of Valimail

At its core, this announcement is Google’s way of telling legitimate senders that if they don’t follow these well-established best practices, their email is not going to be delivered.

“Many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst. To help fix that, we’ve focused on a crucial aspect of email security: the validation that a sender is who they claim to be.”

Google’s Announcement

This announcement is huge as it will impact nearly every Gmail mailbox holder. This policy is the first time any email inbox provider has placed requirements for widely adopted email sending and email authentication best practices.

What does this update mean for the future?

This policy update is a great first step in the right direction, and it’s just the beginning. Google is likely going to evolve from here, and at some point in the future, we expect Google to require DMARC enforcement in order for email to get delivered correctly. 

Over the past few years, we’ve seen an incredible increase in businesses and other organizations adopting DMARC. Unfortunately, the vast majority of those senders aren’t enforcing DMARC with policies of p=quarantine or p=reject. We believe this means the ecosystem isn’t quite ready for Gmail, or any other inbox provider, to implement a strict DMARC requirement. 

The writing is on the wall though. 

This update from Google is a sign that SPF, DKIM, DMARC, and all the other sending best practices are making the shift from recommendations to requirements. Once Gmail requires any sort of DMARC record, it’s likely only a matter of time before their recommendation that senders set their policy at p=quarantine or p=reject becomes another requirement.

If you’re reading this, it means you’re already ahead of the curve when it comes to running a successful email ecosystem. No matter what tool you use, it’s important that you take the steps to ensure your email gets delivered as intended.