{"id":640,"date":"2024-01-22T14:54:56","date_gmt":"2024-01-22T14:54:56","guid":{"rendered":"http:\/\/blogs-new.it.ox.ac.uk\/nexus\/?p=640"},"modified":"2024-01-22T14:58:05","modified_gmt":"2024-01-22T14:58:05","slug":"spf-dkim-dmarc-now-mandatory","status":"publish","type":"post","link":"https:\/\/blogs-new.it.ox.ac.uk\/nexus\/2024\/01\/22\/spf-dkim-dmarc-now-mandatory\/","title":{"rendered":"SPF, DKIM, and DMARC: no longer optional for bulk-sending"},"content":{"rendered":"<p>Last October <em><strong>Google<\/strong><\/em> announced that they would be tightening up their standards for what is acceptable in terms of large quantities of email from a single sending domain. <em><strong>Yahoo!<\/strong><\/em> made a similar announcement at the same time.<\/p>\n<p>The first key point to be aware of is that <a href=\"https:\/\/blog.google\/products\/gmail\/gmail-security-authentication-spam-protection\/\">Google<\/a> and <a href=\"https:\/\/blog.postmaster.yahooinc.com\/post\/730172167494483968\/more-secure-less-spam\">Yahoo<\/a> have chosen to publicly announce that they&#8217;re tightening up their email acceptance criteria. Not every organisation will necessarily be issuing a press release announcing that fact &#8211; bulk-email\/spam can be such an annoyance to everybody. So we can be confident that other organisations will be making similar decisions, depending on their perceived scale of the problem, at a time that suits them. We have limited tools available to us to ensure consistent and reliable delivery to our recipients&#8217; inboxes, other than following industry best-practice (which is all they&#8217;re asking us to do). It is entirely possible for one part of the University bulk-sending email carelessly to cause the rest of the collegiate University to have <em>their<\/em> outgoing email sent to spam folders, or rejected entirely. 
In theory only of course: we&#8217;re all far too professional for that to happen, right?<\/p>\n<p>It is therefore vital that all IT Support Staff, in all parts of Oxford, consider and account for these requirements, particularly where they are using any kind of private or third-party bulk sending method. The Email Security Project is endeavouring to apply settings that cover the widest possible range of scenarios and situations, but we know that edge-cases exist that may fall outside our visibility, scope, and remit.<\/p>\n<h1><strong>Yahoo\u2019s published requirements for bulk-senders<\/strong><\/h1>\n<p>They have not specified a threshold above which these restrictions will apply. Email which fails these checks\/requirements will either go to the recipients\u2019 spam folders, or be rejected entirely. In that event a non-delivery report will be sent back to the sender. Spoofed email WILL count against their threshold.<\/p>\n<ul>\n<li>Email must be authenticated with SPF and DKIM.<\/li>\n<li>Your domain must have a published DMARC policy.<\/li>\n<li>\u2018From\u2019 headers in outgoing email must be aligned with either the values set in your SPF record, your DKIM record, or both.<\/li>\n<li>You must include a functional \u2018list-unsubscribe\u2019 header supporting one-click unsubscribing (<a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8058\">RFC 8058<\/a> is recommended).<\/li>\n<li>An unsubscribe link must be visible in the email\u2019s body text (which can direct to a mailing preferences page).<\/li>\n<li>Unsubscribe requests must be honoured within 48 hours.<\/li>\n<li>Spam complaint rates must be below 0.3% (based on Google\u2019s Complaint Feedback Loop service where users mark undesirable inbox content as spam).<\/li>\n<\/ul>\n<h1><strong>Google\u2019s published requirements for bulk-senders<\/strong><\/h1>\n<p>This is not an exhaustive list and Google\u2019s other standard anti-spam recommended actions still 
apply.<\/p>\n<ul>\n<li>A threshold of 5000 emails per day. In our case this will be totalled across all <em>ox.ac.uk<\/em> subdomains which send outbound email.<\/li>\n<li>Email must be authenticated with SPF and DKIM.<\/li>\n<li>Your DNS must contain PTR (reverse DNS) records for your sending IP addresses.<\/li>\n<li>Your domain must have a published DMARC policy.<\/li>\n<li>You must include a functional \u2018list-unsubscribe\u2019 header supporting one-click unsubscribing (<a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8058\">RFC 8058<\/a> is recommended).<\/li>\n<li>Unsubscribe requests must be honoured within 48 hours.<\/li>\n<li>Senders must remain under a \u2018spam rate threshold\u2019 (0.1% in <a href=\"https:\/\/gmail.com\/postmaster\/\">Postmaster Tools<\/a>) to ensure delivery to Gmail recipients.<\/li>\n<li>TLS connections must be used for transmitting email.<\/li>\n<li>Messages must be formatted according to the Internet Message Format standard (<a href=\"https:\/\/tools.ietf.org\/html\/rfc5322\">RFC 5322<\/a>).<\/li>\n<li>Don\u2019t hide HTML or CSS content within your emails.<\/li>\n<li>Message From headers should only include one email address.<\/li>\n<\/ul>\n<p>The Email Security Project has already comprehensively tested DKIM and DMARC (basic SPF records were already in place), both in a test environment, and for one subdomain.<br \/>\nThe intention is to enable full DKIM and DMARC protection for the entire collegiate University in the next few days, well in advance of Google and Yahoo&#8217;s 1st February deadline.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last October Google announced that they would be tightening up their standards for what is acceptable in terms of large quantities of email from a single sending domain. Yahoo!\u00a0made a similar announcement at the same time. 
The first key point &hellip; <a href=\"https:\/\/blogs-new.it.ox.ac.uk\/nexus\/2024\/01\/22\/spf-dkim-dmarc-now-mandatory\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":107,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-640","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blogs-new.it.ox.ac.uk\/nexus\/wp-json\/wp\/v2\/posts\/640","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs-new.it.ox.ac.uk\/nexus\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs-new.it.ox.ac.uk\/nexus\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs-new.it.ox.ac.uk\/nexus\/wp-json\/wp\/v2\/users\/107"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs-new.it.ox.ac.uk\/nexus\/wp-json\/wp\/v2\/comments?post=640"}],"version-history":[{"count":4,"href":"https:\/\/blogs-new.it.ox.ac.uk\/nexus\/wp-json\/wp\/v2\/posts\/640\/revisions"}],"predecessor-version":[{"id":644,"href":"https:\/\/blogs-new.it.ox.ac.uk\/nexus\/wp-json\/wp\/v2\/posts\/640\/revisions\/644"}],"wp:attachment":[{"href":"https:\/\/blogs-new.it.ox.ac.uk\/nexus\/wp-json\/wp\/v2\/media?parent=640"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs-new.it.ox.ac.uk\/nexus\/wp-json\/wp\/v2\/categories?post=640"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs-new.it.ox.ac.uk\/nexus\/wp-json\/wp\/v2\/tags?post=640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}