Tuesday, January 30, 2024

Is your email system ready to keep delivering email as the spam wars escalate?

Google's new restrictions on the email they will accept starting February 1st 2024 are just good practices we should be following.  But what are they really, and how can we make sure they are in place?

This applies to any sending email system, whether on your own servers, or hosted in the cloud such as with Microsoft or Google, to be successfully delivered. 

The pieces have all been here for a while as good optional settings, but now Google is just the first enforcing them:

  1. The IP address of the server(s) your mail comes from must-have a reverse lookup.  PTR
  2. The server must have a functioning encryption running.  STARTTLS
  3. You must have published where your domain's mail is coming from.  SPF
  4. Your server has to sign the message (like a wax seal).  DKIM
  5. You have to publish your domain's alignment rules for #3 & #4, and where to send reports. DMARC
Note:
#3 & #4 are either/or for low volume senders, but both must be there for high volume senders.
#5 is mandatory for large volume senders.

It is a good idea to get all of them working, as inevitably, we will need to have this for all systems. #5 is the part that ties SPF and DKIM together to close the loop holes the spammers found in them. 

How to check:

Much of this is checked in DNS, checking the header/source of an email from the system, and talking directly to your mail server from another "mail server".  

  • You can see if your system is good to go, or if you have problems by sending an email to a Gmail account you can log into. For each message in Gmail, you can check much of the status of a message that was sent to you, as to how the sending system was working or not at the new levels, at the time the message was sent.
  • in Gmail, open the message,  then from the message 'more' stacked dots, select "<> Show original
  • This view will show any results for any SPF, DKIM, or DMARC settings that are in place. If doesn't show, then that protection level doesn't yet exist for that internet domain or mailserver (i.e. it needs to be added).
  • To check if it was encrypted, Ctl-F(search) for TLS, and there should be at least one (such as TLS1_3 or TLS1_2) for the connection from the sending server to Gmail's first server in.   

Summary:

Google is just the first, Yahoo! and AOL have committed to doing the same thing very soon, and Microsoft won't be far behind (looks like they may just be letting the others take the heat for being more secure)

These are also all good things to check and filter at your inbound / receiving mail systems.

Offering:

Would you like someone from outside your organization to validate how ready your organization is for these upcoming changes. Konecny Consulting for $99CDN + HST (payment via credit card) will do this checking for you. To engage with us please complete the contact form and we will get back to you. This offer is available to organizations within North America.

 


 

Thursday, January 18, 2024

Google making major changes to email acceptance requirements

Will your email be blocked by Google, or are you ready for the changes they are making? Google will be blocking emails from weakly configured systems as of February 1st, 2024. Make sure your system isn’t one of them that will be blocked.

Starting February 1st, Google will be imposing requirements on any emails being sent to a Gmail account.  They are asking for you to have some basic email system hygiene in place for your mail system.  If you are at all responsible for your own domain (the part after the @ symbol, such as username@gmail.com), then you must pay attention, whether you have an email server in your own data centre, or your email is hosted such as with 365 or Google.

Two other large email systems (Yahoo! and AOL) have already stated they are following in Google's footsteps, Microsoft is expected to follow before long.

These are Googles new requirements as of February 1st, 2024, and your email administrators need to make sure they are in place:

  • All your outbound email servers must now do TLS encryption.  Without this, your email can be intercepted and read, or worse. There are still so many systems running without this, as it is Not a default on most of the ones you setup yourself.  Most hosted solutions do have this already, but not a bad thing to check.
  • For systems with lower send rate, you need at least one of SPF and/or DKIM setup and working correctly.
  • For systems that sometimes send more than 5,000 messages a day to Google Mail servers (including their customer domains they are hosting), then you must have both SPF AND DKIM working correctly AND DMARC setup.

 The most basic SPF and DMARC records you can setup for you domain is (in standard BIND notation):

@ TXT "v=spf1 a mx ~all"

_dmarc TXT "v=DMARC1; p=none; rua=mailto:{emailAddress2processReports}"

That SPF record is NOT guaranteed to work, as it must identify your email server(s). That DMARC record is very safe with an email address that does accept mail. Checking DKIM requires a proper analysis of those DMARC reports, though some spot checking can be done looking at the source header of received messages. 

For more details of Google’s current requirements, including the other 'little' details, read their "Email sender guidelines." https://support.google.com/a/answer/81126

Expect Google and others to increase their requirements in the future, such as the number of messages per day trigger point to be reduced, as well as requiring DMARC enforcement (not just reporting).

Yes, this can seem overwhelming. If you would like some assistance checking to see if your email system is ready for this major change, we may be able to assist you. Please reach out to us and we can discuss this with you.