In the tech industry, creating convincing pranks on April 1 is commonplace. However, this April Fool’s Day, news of mass rejection of emails sent to Gmail account holders will be no joke. In just 14 days, new Google rules will begin in earnest that could see swathes of incoming mail blocked. Here’s what you need to know about this impending, and important, change.

03/19 updates below. This article was originally published on March 18.

Mass Email Senders Have 14 Days To Comply

Google has been making it explicit since October 2023 that new email sender authentication rules will result in some messages to Gmail accounts being rejected and bounced back to the sender en masse. Neil Kumaran, a Google group product manager responsible for Gmail security and trust, announced that “starting in 2024, we’ll require bulk senders to authenticate their emails, allow for easy unsubscription and stay under a reported spam threshold.” Some of these new protections are scheduled to start in 14 days and will impact every holder of a personal Gmail account in a very positive way.

According to Google’s internal statistics, Gmail’s AI protections stop more than 99.9% of spam, phishing and malware-carrying emails from reaching users’ inboxes. To put that into context, that equates to around 15 billion daily emails. So, why is there any need for new rules impacting the mail that reaches Gmail accounts then? Those numbers are not good enough and still allow unwanted and potentially dangerous emails to slip the net.

New Google Bulk Sender Rules Require Email Authentication

The new rules are aimed squarely at bulk senders, which Google defines as those sending at least 5,000 messages daily to Gmail addresses. That number is calculated based on emails that are sent from the same primary domain regardless of the number of subdomains used. Importantly, to be labeled as a bulk sender, that 5,000 limit only has to be reached once in 24 hours for the attribution to become permanent.

Although Google does appear to be taking a slow and steady approach to the new rules for bulk email senders to Gmail accounts, you can expect things to start ramping up from April 1. “Starting in April 2024, we’ll begin rejecting non-compliant traffic,” Google has stated in an email sender guidelines FAQ, continuing, “we strongly recommend senders use the temporary failure enforcement period to make any changes required to become compliant.”

Although the guidelines do not apply to emails sent to Google Workspace accounts, only personal Gmail accounts, they apply to all senders, including those who use Google Workspace.

Act Now To Boost Sender-Side Security Or Face Mass Email Rejections

The new rules aim to “boost sender-side security and increase the control users have over what gets into their inbox even more. If anything, meeting these requirements should help senders reach those who want their messages more effectively, with diminished risk of spoofing and hijacking from bad actors,” a Google spokesperson said.

Responsible email marketing specialists will already be aware of protocols such as Domain-based Message Authentication, Reporting & Conformance, DomainKeys Identified Mail and Sender Policy Framework, but now any organization considering a mass-email marketing campaign needs to ensure they are as well, or they could be made to look like fools come April.

Starting June 1, Google will also start implementing the requirement that all commercial and promotional emails have a one-click unsubscribe function for recipients. The clock is ticking.

03/19 update: Security researchers at Guardio Labs have uncovered a “sprawling campaign of subdomain hijacking” that could undermine Google’s attempt to protect Gmail users from malicious mass emailing campaigns. The research reveals millions of malicious emails being sent each day using a network of compromised subdomains.

“This is a vast campaign that has been ongoing for 2+ years,” Nati Tal, head of Guardio Labs, says, “prepping for Google’s plans to harden email authentication policies.” The hackers inject Sender Policy Framework records to authenticate their Simple Mail Transfer Protocol servers and host unsubscribe functions on hijacked subdomains. Guardio uncovered a network of more than 8,000 domains, including hugely well-known brands such as CBS, eBay, Marvel, McAfee, and MSN, being used in the ‘SubdoMailing’ campaign.

Sadly, it’s pretty easy to pull off. The research shows how malicious actors bought a long-since forgotten domain once used and linked to MSN, for example, that could then leverage the subdomain record. In this case, they could send authenticated emails as if they were originating from msn.com rather than the sender’s domain.

“Despite Gmail’s latest anti-spam efforts, the SubdoMailing tactic shows how determined cybercriminals can once again bypass such measures, exposing the significant security gap in online services we rely on daily,” Tal warns. “These bad actors’ advanced strategies suggest a notable edge over current defenses, turning minor spam into serious threats.”

A Google spokesperson told me, “Gmail has multiple layers of protections, and we’re constantly adding more to defend against this attack vector. However, this report underscores how important it is that we improve email authentication for the entire email ecosystem. That’s why we’re instituting requirements for bulk Gmail senders that help close authentication loopholes to the benefit of the entire email-sending community.”

These DMARC requirements being implemented by Google for bulk senders are an “effective and economical way to significantly improve email security for the average organization or person,” Gerasim Hovhannisyan, CEO of EasyDMARC, says. “Their leadership in pushing forward with these changes will protect thousands from malicious emails hitting their inboxes.”

The Guardio report itself also doffs its cap towards Google on this matter: “The Fight against spammers and impersonators introduced several security and authentication methods… All of those remained optional until Google stepped up last year, requiring at least one of the optional authentication methods to pass. This will also become mandatory for mass mailers (sending more than 5000 emails daily) later this year.”

Rahul Powar, CEO at Red Sift, says that organizations must acknowledge the evolving landscape of cyber threats in response to the alarming trend of hijacked subdomains from major brands being exploited in extensive spam campaigns. “The recent enforcement of stringent bulk sender requirements by major email service providers has undeniably escalated the complexity of maintaining email security,” Powar says, “compelling malicious actors to pivot their strategies towards exploiting the reputable stature of established brands through subdomain hijacking.” Powar concludes that this “underscores the critical vulnerabilities that can arise from misconfigurations and the dynamic nature of technical controls within digital infrastructures.”

The discovery of complex SubdoMailing operations reminds us that in the cybersecurity field, the goalposts are constantly moving; Hovhannisyan says, “The use of abandoned domains capable of passing DMARC checks should be a concern to any organization that relies on email authentication technology to protect their customers and data.” Hovhannisyan also warns that sensible DMARC protocols preventing unwelcome inbox intrusions will be crucial in the coming decade as AI helps develop increasingly convincing phishing emails. “Organizations should also remain vigilant and be aware of the subdomains associated with their own, understanding how these necessary regulations can be exploited and used for malicious purposes.”