Gmail DMARC Update 2016
Quick Answer
In June 2016, Gmail switched its DMARC policy from p=none to p=reject. Any message with a gmail.com From address that does not originate from Gmail's smtp.gmail.com servers will be rejected by receiving mail servers that honor DMARC. Impact: applications and websites that send messages on behalf of users using their gmail.com address will see those messages blocked or filtered. The fix is to send from your own domain and use a friendly From with the user's name, e.g. `"Example User" <message@yourdomain.com>` instead of `exampleuser@gmail.com`. Audit all mail streams for gmail.com From addresses before the cutover.
Google is constantly trying to fight both incoming and outgoing spam. Incoming spam is easy to combat because you can build tools and software at the gateway to manage and mitigate these vectors, however until now Google has allowed people to send email with an @gmail.com email address from any ISP’s server.
However Gmail’s upcoming DMARC changes will prohibit (meaning that they will ask other mail servers to reject email) that is sent From: and @gmail.com address without it going though the smtp.gmail.com servers.
Side Note: If DMARC is still a foreign concept to you, you aren’t alone. This article should give you a pretty good understanding of DMARC and why it is so important.
What is Gmail changing?
June of 2016 Gmail will change its DMARC policy from p=”none” to p=”reject.”
This means any message sent using gmail.com in the from address, will have to originate from Gmail’s infrastructure. Any messages the originate from outside the infrastructure will be rejected by the recipients email server if the From: is @gmail.com
What does this mean for me?
It depends. If you have any mail streams that send messages using gmail.com in the from address, you will have to make changes before June, or risk having those messages filtered or blocked outright.
If you only send email using your own domain or another domain that you control, you have nothing to worry about. However, it’s not uncommon for some applications or websites to send messages using their users’ email addresses.
For example, if a user wants to send a message to their friend using your platform, it could make sense to send the message using their personal email address. If their email address happens to be a gmail.com address, this message will no longer deliver once these changes take place. A good alternative to sending mail from your user’s email address is to use their name in the friendly from. A “friendly from” is when you use a name to appear as the from address, instead of the email address itself:
exampleuser@yahoo.com can be sent as “Example User” message@yourdomain.com
This way your recipients still recognize the individual that sent the message, and you’re no longer at risk of violating Gmail’s DMARC policy.
Action plan
Sending mail from an external domain, like gmail.com, is more common than you might think. Carefully audit all of your mail streams to ensure you aren’t using gmail.com in your from addresses. If you are, you have until June to get these changes in place or you risk having this portion of your email traffic filtered (or blocked completely). And while you’re at it, take a look at our blog post about Yahoo! and their recent DMARC policy changes.
General Manager
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
Secure your email infrastructure
Protect, authenticate, and deliver. Contact our team to find the right solution.