Google To Crack Down Against Spammers To Protect Gmail Users

In an announcement by Google on October 3, 2023, Neil Kumaran, a group product manager responsible for Gmail security and trust, confirmed that starting February 2024, Gmail will require bulk senders to authenticate their email. As February has arrived, this policy is now in effect. Users have begun to report receiving Gmail errors, indicating that email has been blocked due to the sender’s lack of authentication.

02/08 updates below. This article was originally published on February 6.

Gmail Attacker Loophole To Be Closed By New Google Policy

The October announcement, titled New Gmail protections for a safer, less spammy inbox, stated that users shouldn’t need to “worry about the intricacies of email security standards,” and instead be able to “confidently rely on an email’s source.” You won’t find me complaining about that; it’s bang on. From Google’s end, the solution is to require all Gmail users who send “significant volumes” to use a robust email authentication method to close what it calls “loopholes exploited by attackers” that threaten all of us. All 1.8 billion of us, as that’s how many Gmail accounts there are.

Authentication Errors Reported By Gmail Users

Seth Blank is chief technology officer at email domain validation platform Valimail and co-chair of the Domain-based Message Authentication, Reporting & Conformance working group. From the start of February, Blank warns, “you will start to see temporary errors for unauthenticated mail, and starting in April, unauthenticated mail that does not pass DMARC will start to be rejected.” Blank was not wrong: those authentication failure messages are already being reported by users, and while temporary for now, the confusion they leave behind will likely be more long-lived. So, let’s try to clear that up.

Google states that “In February 2024, bulk senders who don’t meet sender requirements will start getting temporary errors (with error codes) on a small percentage of their non-compliant email traffic. These temporary errors are meant to help senders identify email traffic that doesn’t meet our guidelines so that senders can resolve issues that result in non-compliance.”

When 15 Billion Daily Blocked Emails And A 99.9% AI Spam Filtering Rate Are Not Enough

Google’s Kumaran says that while Gmail AI stops more than 99.9% of spam, phishing and malware from hitting your inbox, including some 15 billion emails every day, that’s not enough, which is why the new bulk email sender requirements have been implemented.

Firstly, Kumaran says, bulk senders are “those who send more than 5,000 messages to Gmail addresses in one day.” Because many fail to secure their systems properly, malicious actors can hijack email domains for nefarious purposes. Sender validation and strong email domain authentication are essential in filtering out much of this security-weakening material. “Last year (2022), we started requiring that emails sent to a Gmail address must have some form of authentication,” Kumaran says, “and we’ve seen the number of unauthenticated messages Gmail users receive plummet by 75%.” This, in turn, led to less cluttered Gmail inboxes and billions of messages with malicious intent being blocked before delivery.

As well as the new bulk mail sending authentication requirements, Google has also enabled accessible unsubscribe features for Gmail users. Google also implements a “clear spam rate threshold,” so senders who break this are throttled. “This is an industry first, and as a result, you should see even less spam in your inbox,” Kumaran confirmed.

What Do Gmail Unauthentication Errors Mean?

The best resource I have found for getting to grips with what these errors mean is from another email domain verification specialist, PowerDMARC. The operations team lead with particular expertise in email authentication and security, Yunes Tarada, breaks down a typical Gmail unauthenticated sender error message and explains precisely what it means. Tarada also explains that users sending fewer than 500 emails per day could also find their messages blocked by Gmail if they don’t have Sender Policy Framework or DomainKeys Identified Mail implemented, have a spam rate greater than 0.3%, have no Transport Layer Security connection for transmitting emails, have no Authenticated Received Chain enabled for forwarded messages, have invalid DNS records, or are impersonating Gmail From: headers.
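To make the DNS side of those requirements concrete, here is an added example (not code from the article, Google or PowerDMARC): a small offline checker that parses constructed SPF, DKIM and DMARC TXT records for a hypothetical domain and reports whether a message with a given From: domain, envelope MAIL FROM domain and DKIM d=/s= would meet the minimum (SPF or DKIM) and bulk-sender (DMARC with an aligned identifier) requirements. The sample records, the domain names and the simplified organizational-domain rule are all assumptions made for the example.

```python
import re

# Constructed sample DNS TXT records for a hypothetical sending domain (not real data).
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.example.net -all",
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
}


def parse_tags(txt):
    """Parse 'tag=value; tag=value' text (DKIM key and DMARC records share this syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Simplification: the last two labels stand in for the organizational domain
    (real DMARC consults the public suffix list, so e.g. co.uk domains differ)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def check_sender(from_domain, mail_from_domain, dkim_domain, dkim_selector, dns=DNS_TXT):
    """Report which requirements a message would satisfy, given its From: header
    domain, its envelope MAIL FROM domain (what SPF checks) and the d=/s= of its
    DKIM signature. Offline, so a published, well-formed record stands in for a pass."""
    spf = dns.get(mail_from_domain, "")
    dkim = parse_tags(dns.get(f"{dkim_selector}._domainkey.{dkim_domain}", ""))
    dmarc = parse_tags(dns.get(f"_dmarc.{org_domain(from_domain)}", ""))
    r = {
        # SPF: v=spf1 with a terminal "all" mechanism (redirect= records are not handled here).
        "spf_record": spf.lower().startswith("v=spf1") and bool(re.search(r"\s[-~+?]?all$", spf)),
        "dkim_key": dkim.get("v", "DKIM1") == "DKIM1" and bool(dkim.get("p")),
        "dmarc_record": dmarc.get("v") == "DMARC1" and dmarc.get("p") in ("none", "quarantine", "reject"),
        "spf_aligned": org_domain(mail_from_domain) == org_domain(from_domain),
        "dkim_aligned": org_domain(dkim_domain) == org_domain(from_domain),
        # Assumes the sender is a third party, for whom a gmail.com From: header is impersonation.
        "impersonates_gmail": org_domain(from_domain) == "gmail.com",
    }
    # Any sender: SPF or DKIM. Bulk sender: also a DMARC record, and DMARC only passes
    # when an authenticated identifier (SPF or DKIM domain) aligns with the From: domain.
    r["meets_minimum"] = r["spf_record"] or r["dkim_key"]
    r["dmarc_pass"] = (r["spf_record"] and r["spf_aligned"]) or (r["dkim_key"] and r["dkim_aligned"])
    r["meets_bulk"] = r["meets_minimum"] and r["dmarc_record"] and r["dmarc_pass"] and not r["impersonates_gmail"]
    return r
```

Running it against a sender whose mail provider signs and bounces under its own domain shows the common failure: SPF and DKIM both exist, but neither identifier aligns with the From: domain, so DMARC fails and the bulk requirement is not met.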

Expert Says Herd-Immunity For Bulk Email Is Required

Blank has been providing customer feedback directly to Google regarding the guidance, hoping to clarify what it means and help senders and recipients understand the authentication requirements. “This isn’t just about protecting yourself,” Blank says, “done right, email authentication protects partners, consumers, and anyone receiving email.” Blank reckons that a herd-immunity percentage of 70% of the largest bulk email senders using strong authentication must be reached to make exact domain spoofing “economically uninteresting.”

“Just like we adapted to HTTPS as the standard for the World Wide Web, and like MFA is becoming the standard for our online accounts, every business will need to become familiar with standards like SPF, DKIM, and DMARC,” Gerasim Hovhannisyan, CEO at EasyDMARC, says. “As we navigate the evolving cyber landscape,” Hovhannisyan continues, “staying proactive in adopting and adapting to these security trends will be paramount for businesses to maintain effective communication channels and uphold their digital reputation.”

02/08 update: It’s not just emails that are getting blocked by Google in an attempt to weed out spam and malicious activity. Google has just announced that it is trialing a new feature to block the side-loading of potentially malicious apps for Android users.

Eugene Liderman, the director of mobile security strategy at Google, says that as “part of a continued strategic partnership with the Cyber Security Agency of Singapore,” the company is to start piloting an enhanced fraud protection program for Android users in Singapore in the coming weeks. Liderman says that the enhanced fraud protection program has “undergone testing by the Singapore government” and explains that it will work by analyzing and blocking apps that might otherwise abuse sensitive runtime permissions.

The analysis will be undertaken in the background when an Android user attempts to install an app from outside of an official Play Store environment. This could include using web browsers, messaging apps and file managers as an Internet-sideloading source, the Google announcement states. Specifically, the enhanced fraud protection pilot will inspect app permissions being declared in real time and flag any of four runtime permissions, namely RECEIVE_SMS, READ_SMS, BIND_Notifications and Accessibility.

This is understandable as these are, Liderman says, “frequently abused by fraudsters to intercept one-time passwords via SMS or notifications, as well as spy on screen content.” Google analysis of fraud malware families exploiting these runtime permissions suggests that “95 percent of installations came from Internet-sideloading sources.”

Developers are advised, Liderman says, to review device permissions being requested by their apps to ensure that the process follows the Android privacy best practices guidelines. The first item on the checklist is to minimize permission requests. “Your app should only request permissions that the app needs to complete an action,” Liderman says, “and ensure it does not violate the Mobile Unwanted Software principles.” Google will provide tips to help fix any potential issues, and if an app has been blocked by the enhanced fraud protection program, an appeals system will be available. The main message from Google to developers is: “Always ensure that your app does not engage in behavior that could be considered potentially harmful or malware.”

Chua Kuan Seah, deputy chief executive of Singapore’s CSA, says “The fight against online scams is a dynamic one. As cybercriminals refine their methods, we must collaborate and innovate to stay ahead.” Liderman concludes by assuring Android developers and Google users alike that “we will be closely monitoring the results of the pilot program to assess its impact and make adjustments as needed.”
