DKIM, SPF, and DMARC: Acrimonious Acronyms
DKIM, SPF, and DMARC are acronyms that deal with security settings used to verify that email senders are who they say they are. That’s all well and good, but somehow, I believe Big Tech has overreacted and made a mountain range out of a mountain.
I’m convinced that Microsoft, Google, and Apple colluded to make email authentication a bigger issue than it needs to be. There’s no denying that phishers, hackers, ransomware hunters, and other evildoers spoof email addresses to do their dirty work, but we think Google has made it especially difficult for Outlook users with their own domains to send a single email message to multiple Gmail accounts.
The messages get returned as undeliverable because Gmail (Google) does not accept mail from bulk senders who have not updated DKIM, SPF, and DMARC settings to prove the senders are who they say they are. We’re not sure all those updates are necessary, but Google is doubling down on it for 2024. The changes are designed to rein in any bulk sender, which Google defines as those who send more than 5,000 messages to Gmail addresses in one day. But smaller companies who need to send emails to groups that include Gmail addresses will be affected. That includes Sterling Rose and any of our clients who rely on email to update their clients and customers. Google claims it blocks 15 billion unwanted emails per day.
One of our clients ran into this problem a few times ahead of all the changes. They use their business domain for their email, though they have alternate email addresses through their internet provider and Gmail. The rejection message from Microsoft Outlook read:
“Your message couldn’t be delivered. Despite repeated attempts to contact the recipient’s email system it didn’t respond.
Contact the recipient by some other means (by phone, for example) and ask them to tell their email admin that it appears that their email system isn’t accepting connection requests from your email system. Give them the error details shown below. It’s likely that the recipient’s email admin is the only one who can fix this problem.”
This is troubling on so many levels. It clearly puts the onus on Google for causing this problem and gives the impression that two major tech companies can’t work together to resolve an issue. The other troubling factor is that with so many people using Gmail, it can be difficult to send critical, timely information to Gmail users. I just can’t see someone calling all those Gmail users and telling them to contact Google.
The rejection email has a link to a Microsoft article that explains the issue in mostly technical terms and has links to reset DKIM, SPF, and DMARC settings working through your domain host. When you get into some advanced security settings, it’s not a DIY project. You can create more problems if you make a mistake, and you’ll need to call an IT pro to undo your mistakes before fixing everything.
For those of us who work in the field, we have to scroll down to the fine print to the section Diagnostic information for administrators to find the information we need to solve the problem. A Google support URL buried all the way down there tells what Google is looking for.
You can rant as I just did, but you need to update your settings.
For this client, we had to access their GoDaddy account and update their DKIM, SPF, and DMARC settings during a remote support session. It can take up to four days after the changes are made for Google to recognize the updates. It was a shorter timeframe for this client.
If you’re having similar problems reaching Gmail addresses from your corporate domain or haven’t had your email security looked at lately, call us – 973-433-6676 – or email us to get your security settings properly updated. With all the shenanigans going on with email, it’s essential that email systems know who the senders are.