Suped

Will 2048-bit DKIM keys or stricter DMARC policies become new email authentication requirements?

Summary

The landscape of email authentication is evolving, with recent mandates from major mailbox providers like Google and Yahoo signaling a significant shift. While not currently requiring 2048-bit DKIM keys or DMARC policies set to p=reject for all bulk senders, these measures are increasingly recognized as essential best practices. The industry consensus points towards a future where such robust authentication will become de facto, if not explicit, requirements for optimal deliverability and security.

Key findings

  • DMARC Policy Baseline: Google and Yahoo now require all bulk email senders to have a DMARC policy in place for their sending domains, though an initial policy of p=none is currently acceptable for compliance.
  • Enhanced DKIM Standard: While 1024-bit DKIM keys remain technically functional, 2048-bit keys are broadly recommended as the current industry standard and best practice for new deployments, offering superior cryptographic security and resilience.
  • Stricter DMARC Evolution: Although p=reject DMARC policies are not universally mandated as a strict requirement by major mailbox providers, there is a strong industry trend and expectation that more restrictive DMARC policies will become necessary for comprehensive protection against spoofing and phishing.
  • Foundational Authentication: Mandatory authentication measures for bulk senders now include proper SPF and DKIM configurations, along with maintaining a very low spam rate, reinforcing the importance of a well-authenticated sending infrastructure.

Key considerations

  • Future-Proofing Deliverability: Senders should proactively adopt 2048-bit DKIM keys and plan a progressive implementation of stricter DMARC policies, moving from p=none to p=quarantine or p=reject, to align with anticipated industry demands and ensure long-term inbox placement.
  • Navigating Implementation Challenges: Organizations should be aware of potential complexities in moving to p=reject DMARC, particularly concerning indirect mail flows and the limitations of some SaaS providers in supporting custom domain authentication.
  • Leveraging Monitoring and Reporting: It is advisable to utilize DMARC reporting (RUA tags) even with p=none policies. This allows senders to monitor their email ecosystem and identify authentication issues before enforcing stricter DMARC actions, facilitating a smooth transition.
  • Prioritizing Brand Security: Implementing robust authentication, including stronger DKIM keys and DMARC enforcement, is crucial not only for deliverability but also for safeguarding brand reputation against impersonation and phishing attacks, fostering recipient trust.
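
The checks described above can be run against a domain's published records. The Python below is an added example, not code from this page or from Suped: it reads the RSA modulus size from a DKIM record's p= tag and flags a DMARC record that is at p=none or lacks a rua tag. The sample DKIM records are constructed with a dummy modulus, and the function names and the example DMARC string are assumptions for illustration.

```python
import base64

def parse_tags(record):
    """Split a DKIM or DMARC TXT record into a {tag: value} dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos):  # read one DER element; return (value_start, value_end)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def dkim_rsa_bits(record):
    """Bit length of the RSA modulus in the record's p= tag (SubjectPublicKeyInfo)."""
    der = base64.b64decode(parse_tags(record)["p"])
    spki, _ = _tlv(der, 0)              # outer SEQUENCE
    _, alg_end = _tlv(der, spki)        # AlgorithmIdentifier, skipped
    bits_start, _ = _tlv(der, alg_end)  # BIT STRING wrapping RSAPublicKey
    rsa, _ = _tlv(der, bits_start + 1)  # +1 skips the unused-bits octet
    n_start, n_end = _tlv(der, rsa)     # first INTEGER is the modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def audit(dkim_record, dmarc_record):
    """Findings measured against the recommendations discussed on this page."""
    findings, dmarc = [], parse_tags(dmarc_record)
    if (bits := dkim_rsa_bits(dkim_record)) < 2048:
        findings.append(f"DKIM key is {bits}-bit; 2048-bit is recommended")
    if dmarc.get("p") == "none":
        findings.append("DMARC p=none: monitoring only, not enforced")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua tag: no aggregate reports")
    return findings

def _der(tag, body):  # DER encoder, used only to build the constructed samples
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_dkim_record(bits):
    """Constructed record: valid layout, dummy modulus, not a usable key."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":  # DMARC string below is constructed
    print(audit(sample_dkim_record(1024), "v=DMARC1; p=none"))
```

To audit a live domain, pass in the TXT values returned for the selector's `_domainkey` name and for `_dmarc.<domain>` in place of the constructed samples.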

What email marketers say

11 marketer opinions

While not explicitly mandated by major mailbox providers like Google and Yahoo for 2024, the adoption of 2048-bit DKIM keys and DMARC policies set to p=reject is widely seen as the inevitable future for email authentication. These robust measures are consistently recommended as best practices, crucial for enhancing security, protecting brand reputation, and ensuring optimal deliverability. The current foundational requirements for DMARC presence are considered catalysts, propelling the industry towards stricter, more secure email standards.

Key opinions

  • No Immediate Mandate: Major mailbox providers like Google and Yahoo do not currently mandate 2048-bit DKIM keys or a DMARC p=reject policy for 2024 compliance, though they are strongly recommended.
  • Future Inevitability: Experts agree that 2048-bit DKIM keys and stricter DMARC policies, such as p=reject, will eventually become de facto requirements for email deliverability and security.
  • 2048-bit DKIM as Standard: While older 1024-bit DKIM keys still function, 2048-bit keys are now widely considered the best practice and de facto standard for new implementations due to their enhanced security.
  • DMARC Policy Progression: The current requirement for a DMARC record, even at p=none, is viewed as a foundational step that will drive organizations to progressively adopt stricter policies for comprehensive domain protection.

Key considerations

  • Proactive Security Adoption: Adopt 2048-bit DKIM keys and plan for stricter DMARC policies now, even if not mandatory, to stay ahead of evolving security standards and ensure long-term deliverability.
  • Strengthen Brand Protection: Embracing stronger authentication methods like 2048-bit DKIM and p=reject DMARC is vital for protecting your brand from spoofing and phishing attacks, thereby building greater recipient trust.
  • Optimize Deliverability: As mailbox providers increasingly favor well-authenticated domains, moving to these advanced security measures will significantly improve inbox placement and overall email success.
  • Phased DMARC Enforcement: Even when starting with a p=none DMARC policy, include a 'rua' tag to monitor email authentication, gather insights, and prepare for a confident transition to p=quarantine or p=reject.

Marketer view

Email marketer from Email Geeks responds that stricter DMARC policies and 2048-bit DKIM keys are not strictly required for Yahooglesoft compliance at this time.

11 Sep 2022 - Email Geeks

Marketer view

Email marketer from Email Geeks shares that no one currently requires a DMARC policy other than p=none, but encourages enforcing a DMARC policy once all mail systems test out as passing with p=none.

20 Jul 2021 - Email Geeks

What the experts say

4 expert opinions

A notable change in email authentication requirements for bulk senders has emerged, with Google and Yahoo now mandating stricter DMARC policies such as 'p=quarantine' or 'p=reject'. While 2048-bit DKIM keys are not a direct requirement, they are highly recommended for their enhanced security and future-proofing benefits, with 1024-bit remaining the minimum acceptable standard. This shift highlights a growing emphasis on robust authentication for optimal email deliverability and security.

Key opinions

  • Stricter DMARC Mandate: Google and Yahoo now require bulk senders to implement DMARC policies of 'p=quarantine' or 'p=reject', a significant shift from previous, more lenient standards.
  • DKIM Key Recommendation: While 1024-bit DKIM keys are currently the minimum acceptable standard, 2048-bit keys are strongly recommended by experts for their enhanced security and future-proofing benefits.
  • DMARC Implementation Challenges: Widespread adoption of 'p=reject' DMARC policies faces challenges, including managing indirect mail flows and limitations where some SaaS providers do not allow customer domain usage.
  • RUA Tag Status: Emails are currently not being rejected for lacking a RUA (reporting URI for aggregate reports) tag when a DMARC policy of 'p=none' is in place, though monitoring is still advised.

Key considerations

  • Comply with New DMARC Rules: Bulk senders must promptly update their DMARC policies to 'p=quarantine' or 'p=reject' to meet Google and Yahoo's new requirements for enhanced deliverability.
  • Enhance DKIM Security: Transition to 2048-bit DKIM keys for all new and existing setups to bolster email security and future-proof authentication efforts, even though 1024-bit remains the minimum.
  • Address DMARC Flow Issues: Thoroughly assess and plan for potential issues related to indirect mail flows and limitations with certain SaaS providers when implementing stricter DMARC policies like 'p=reject'.
  • Continue DMARC Monitoring: Even with a 'p=none' DMARC policy, leverage RUA reports to continuously monitor authentication performance and identify issues, preparing for eventual stricter policy enforcement.

Expert view

Expert from Email Geeks explains that currently 1024-bit is the minimum DKIM key requirement and p=none is the standard DMARC policy, with no rejections observed for lacking a RUA tag.

13 Aug 2024 - Email Geeks

Expert view

Expert from Email Geeks explains that mailbox providers are monitoring DMARC adoption and failures, and two major issues need addressing before p=reject becomes possible: indirect mail flows and SaaS companies not allowing customer domain usage. She also confirms that emails are not currently being rejected for lacking a RUA tag with p=none.

2 Sep 2022 - Email Geeks

What the documentation says

4 technical articles

While Google and Yahoo's updated requirements for bulk email senders primarily mandate SPF and DKIM authentication, along with a DMARC policy (even if set to p=none) and low spam rates, they implicitly encourage stronger security measures. Though not strict requirements, 2048-bit DKIM keys and DMARC policies set to p=reject are widely regarded as industry best practices for enhanced cryptographic security, better protection against threats, and future-proofing email authentication. This trend suggests these robust standards are becoming the de facto norm for optimal deliverability.

Key findings

  • Initial Mandates: Google and Yahoo's new requirements for bulk senders include SPF, DKIM, and a DMARC policy (p=none acceptable), along with a spam rate below 0.1%.
  • 2048-bit DKIM Standard: 2048-bit DKIM keys are considered the industry standard and best practice for new deployments due to their superior cryptographic strength and resilience against attacks.
  • DMARC Policy Evolution: While p=reject is not explicitly mandated, industry best practices advocate for a progressive DMARC implementation from p=none to p=quarantine and ultimately p=reject, to maximize protection.
  • Industry Push: Major mailbox providers, by emphasizing robust authentication, are driving senders toward adopting stronger standards like 2048-bit DKIM and more restrictive DMARC policies for improved deliverability and security.

Key considerations

  • Proactive Security Upgrade: Senders should proactively transition to 2048-bit DKIM keys and plan for a phased move towards stricter DMARC policies, even beyond initial p=none requirements, to stay ahead of evolving standards.
  • Enhanced Protection: Stronger DKIM keys and DMARC enforcement provide greater protection against spoofing, phishing, and cryptographic vulnerabilities, enhancing trust and brand security.
  • Future-Proofing Authentication: Adopting 2048-bit DKIM helps ensure long-term email authentication robustness and compliance with evolving security expectations.
  • Optimizing Deliverability: Aligning with these increasingly recommended best practices will significantly contribute to better inbox placement and overall email program success.

Technical article

Documentation from Google Workspace Updates explains that, for February 2024, Google's new requirements for sending email to Gmail accounts will require bulk senders to authenticate email with SPF and DKIM, maintain a DMARC policy for their sending domain (even if it's p=none), and keep spam rates below 0.1%. While 2048-bit DKIM keys or a p=reject DMARC policy are not explicitly required, the emphasis on robust authentication encourages adoption of stronger standards.

8 Oct 2021 - Google Workspace Updates

Technical article

Documentation from AOL Postmaster Blog shares that in alignment with Gmail, Yahoo Mail will also require bulk senders to use a DMARC policy, alongside SPF and DKIM authentication. While not mandating 2048-bit DKIM or p=reject DMARC policies as strict requirements, the move highlights a significant step towards industry-wide stricter email authentication, pushing senders towards adopting best practices for better deliverability and security.

6 Oct 2022 - AOL Postmaster Blog
