Google, Yahoo to Put Tighter Spam Restrictions on Bulk Senders – Source: securityboulevard.com

Email giants Google and Yahoo are putting tighter requirements on bulk email senders in hopes of reducing the massive amounts of spam that hammer inboxes every day and deflecting the phishing and other cyberthreats that hide within it.

Google’s AI-enabled email defense systems every day block almost 15 billion unwanted emails and stop more than 99.9% from getting into inboxes, according to Neil Kumaran, group product manager of Google’s Gmail Security and Trust team

“But now, nearly 20 years after Gmail launched, the threats we face are more complex and pressing than ever,” Kumaran wrote in a blog post this week.

Similarly, Marcel Becker, senior director of product management at Yahoo, wrote in a blog post that the company has made strides in the past to reduce the amount of spam reaching inboxes, going so far as to list best practices for those sending email and posting the list to its Sender Hub.

Included on the list are such admonitions as sending only emails that customers want, authenticating through such tools as a DMARC (Domain-based Message, Authentication, Reporting, and Conformance) policy, DKIM (Domain Keys Identified Mail) to create a signature of the content on the message, and SPF (Sender Policy Framework) record so a sender can specify the list of Ips that are allowed to send mail for that domain, and allowing for customer to opt in to a mailing list and to easily opt out.

“Yet, numerous bulk senders fail to secure and set up their systems correctly, allowing malicious actors to exploit their resources without detection,” Becker wrote. “A pivotal aspect of addressing these concerns involves sender validation, leveraging email authentication standards to guarantee the verification of the email sender’s identity.”

New Rules are Coming

With a more complex threat environment and bulk email senders that aren’t following the rules, both companies early next year are imposing similar validation rules on those that send 5,000 or more messages to recipients in one day.

For Yahoo and Google, it means creating rules that right now are only best practices, including have bulk senders authenticate their email.

“You shouldn’t need to worry about the intricacies of email security standards, but you should be able to confidently rely on an email’s source,” Google’s Kumaran wrote, adding that the IT giant is requiring those sending large volumes of message to “strongly authenticate their emails.”

For Google, that means using DKIM or SPF to protect against spoofing and phishing threats and to ensure that the sender’s email isn’t marked as spam. Yahoo will require them to use industry standards like DKIM, SPF, or DMARC.

Give Them Only What They Want

Both also want the bulk senders to only send email that the recipients want and will ensure this happens by establishing a threshold on the spam rate that they can’t go beyond.

“We want to ensure our users’ inboxes are not cluttered with unsolicited or irrelevant emails,” Yahoo’s Becker wrote.

Kumaran wrote the threshold is another tool in Google’s existing toolbox to keep unwanted messages out of customers’ inboxes.

Google and Yahoo also will require bulk senders to make it easy for users to unsubscribe from unwanted emails.

“It should take one click,” Kumaran wrote. “We’re requiring that large senders give Gmail recipients the ability to unsubscribe from commercial email in one click, and that they process unsubscription requests within two days. We’ve built these requirements on open standards so that once senders implement them, everyone who uses email benefits.”

Yahoo will have a similar one-click rule, adding that such senders will have to honor the user’s request within two days.

Basic but Necessary

The rules – which are being incorporated into Google’s guidelines – are basic but necessary, according to Kumaran.

“Many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst,” he wrote. “To help fix that, we’ve focused on a crucial aspect of email security: the validation that a sender is who they claim to be. … It’s still sometimes impossible to verify who an email is from given the web of antiquated and inconsistent systems on the internet.”

He added that Google saw the number of unauthenticated email Gmail users received fall by 75% after last year requiring that emails sent to Gmail addresses must come with some form of authentication. Putting the requirements on bulk senders should drop that even more.

The changes should be welcomed news for both corporations and consumers. According to Statista, spam accounted for 48.6% of all email sent last year, a bump up from the 45.5% in 2021 and a significant drop from the 80.2% in 2011. In addition, email spam costs businesses about $20.5 billion in lost productivity every year.

More protections should also slow the number of cyberattacks that are launch via email. According to UCLA’s CISO office, 96% of phishing attacks come via email, while email marketing firm Mailmodo said 2.5% of spam mail is scams or fraud. Of that, 73% are phishing emails.