The Google & Yahoo Requirements and BIMI: Where email security and email marketers meet.

23 May 2024

Ever since Google and Yahoo announced their new requirements for email senders, they have been the talk of the town. They also act as a connector between worlds that are otherwise far apart.

Maybe for the first time, even email marketers are becoming concerned about email security. And you should be. The effectiveness of your email campaigns depends on it.

Although email security and email marketing both deal with email management, their focuses are different. So we at DMARC Advisor are very excited that both worlds are now forced to communicate and work together, which is awesome news for the safety of the email ecosystem!

In this article, we’ll explore the email authentication protocols that are relevant to email marketers and explain why implementing them is essential for the success of your email marketing campaigns.

Email security

Email security protects email systems, networks, and data from various threats. These threats range from malware, phishing attacks, spam, and spoofing to other forms of unauthorised access. Each of these can seriously harm the brand reputation your organisation has worked so hard to achieve. The main objectives are to ensure the confidentiality, integrity, and availability of email communications, safeguard sensitive information, and prevent data breaches.

Encryption, spam filters, anti-virus software, and firewalls are measures that support the objectives above. So are email authentication protocols such as SPF, DKIM, and DMARC, and this is what we are most excited about.

Email authentication protocols: How do they work?

SPF, DKIM, and DMARC are open standards anyone can implement for free online. The image below provides a quick view of where to find each authentication method within an email.

The ‘From:’ domain, also known as the DMARC domain, is the domain shown in an email. This is what everyone sees as the ‘sender’, and it is exactly the domain that is abused in phishing campaigns. So even when SPF and DKIM each pass their validation check, that doesn’t mean DMARC passes. The DMARC domain needs to be aligned with the SPF and DKIM domains to protect the domain from phishing or email abuse.

Sender Policy Framework – the mailman

SPF stands for Sender Policy Framework, and it allows the domain owner to specify which email servers are authorised to send emails on behalf of that domain.

The easiest way to explain SPF is to imagine that you are sending a package to your friend and have authorized DHL to deliver it. Any other postal service is not authorized.

DomainKeys Identified Mail – the postal stamp

DKIM stands for DomainKeys Identified Mail and works by adding a digital signature to the header of an email message.

The easiest way to explain DKIM is to compare it to adding a seal to the package you sent. The seal should be intact upon arrival. If the seal is broken, you know the content may have been tampered with.

Domain-based Message Authentication, Reporting & Conformance

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. It is an open standard built on top of SPF and DKIM. DMARC allows a domain owner to specify how their emails should be handled if they fail the SPF or DKIM checks, including the alignment checks. The domain owner can have the email rejected, marked as spam, or delivered as usual.

Without DMARC, domain owners cannot see who is sending email, or which emails are being sent, on behalf of their domains. DMARC also provides feedback about how other email servers are handling their emails.

DMARC allows a domain owner to choose a policy that tells the email-receiving server what to do with an email if it fails the DMARC verification check. DMARC offers three policies to choose from, which are:

  • p=none: monitors email flows. No further actions are taken.
  • p=quarantine: handles email that doesn’t pass the DMARC check as spam and sends it to the spam folder.
  • p=reject: blocks email that doesn’t pass the DMARC check. Emails simply don’t arrive at the inbox. p=reject should always be the goal when implementing DMARC.

Email Marketers

Email marketers mainly use email as a marketing tool to reach and engage with prospects, customers, or subscribers for promotional or informational purposes. Their primary goal is to create and execute email campaigns that drive specific actions, such as purchasing, signing up for a service, engaging with content or attending an event.

A fair chunk of email marketers measure the success of their campaigns by metrics like open rates, click-through rates, conversion rates and overall campaign ROI. With wrongly configured authentication, emails will not be delivered, which results in zero opens. So make sure you’ve properly authenticated your mail flows to get the best deliverability results!

But what if there’s a way to even show your company’s logo in your target audience’s inbox and improve your valuable metrics? Meet BIMI, the authentication protocol that is built on top of DMARC.

Brand Indicators for Message Identification

BIMI stands for Brand Indicators for Message Identification and is one of the latest email authentication protocols. It has gained a fair share of attention from email marketers. BIMI allows a company’s email to stand out from the crowd in a crowded inbox.

PostNL being one of the first to implement BIMI in The Netherlands with DMARC Advisor

When the recipient server checks your domain for DMARC, it also looks for a BIMI record (in the DNS). If the records match, your company’s logo is displayed. The logo is not part of the email message but appears on the mail server, inaccessible to scammers. This feature distinguishes emails from phishing attempts, enhancing email security and trust.

Why implement BIMI?

From a security perspective, BIMI can only be implemented when the DMARC policy for that particular domain is set to either p=quarantine or p=reject. That’s simply the requirement. So, the domain needs to be protected in a certain way to be eligible for BIMI.

From a marketing perspective, BIMI allows you to:

  • Show your logo in your email messages;
  • Create more visibility within the inbox of the receiver;
  • Gain trust amongst your receivers;
  • Generate more opens and, therefore, clicks!
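
The alignment and policy rules described in the DMARC section, together with the BIMI precondition above, as an added example that is not part of the original article. The function names, domains and records are constructed for illustration; `aspf` and `adkim` are the standard DMARC alignment-mode tags, which the article does not mention, and the two-label organisational domain is a simplifying assumption.

```python
# Added example: constructed records and domains, not taken from the article.

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain):
    # Simplification (assumption): keep the last two labels. Real receivers use
    # the Public Suffix List, so 'example.co.uk' would be handled wrongly here.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organisational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf, dkim):
    """spf and dkim are (passed, domain) tuples: the envelope-sender domain
    checked by SPF and the d= domain of the DKIM signature."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return "no-policy"
    spf_ok = spf[0] and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned, passing mechanism is enough
        return "pass"
    return {"none": "deliver", "quarantine": "spam-folder", "reject": "reject"}[tags["p"]]

def bimi_eligible(record):
    """The article's precondition: DMARC at p=quarantine or p=reject."""
    tags = parse_tags(record)
    return tags.get("v") == "DMARC1" and tags.get("p") in ("quarantine", "reject")

if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:reports@example.com"
    # Campaign sent through a third party: SPF and DKIM both pass, but for the
    # provider's domain, so neither is aligned with the From: domain.
    print(dmarc_disposition(record, "example.com",
                            (True, "bounce.esp.example.net"), (True, "esp.example.net")))
    # Same campaign once it is DKIM-signed with the brand's own domain.
    print(dmarc_disposition(record, "example.com",
                            (True, "bounce.esp.example.net"), (True, "mail.example.com")))
    print(bimi_eligible("v=DMARC1; p=none"))
```

The first call shows the case marketers most often hit: a sending platform that authenticates correctly for its own domain still fails DMARC for yours until its SPF or DKIM domain is aligned with your From: domain.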

The first collaboration between security and marketing

BIMI is the first open standard that brings email security and marketers together. For email marketers to have greater success with their campaigns with BIMI, security must first implement the open standards SPF, DKIM, and DMARC. Win-win for everybody!

At DMARC Advisor, we have been talking internally for quite some time about the marketing department being responsible for a lot within an organisation: the brand image, the tone of voice, content, events, etc. But why not the reputation of a domain? Whenever an organisation is attacked by cyber criminals via domain spoofing, the marketing team gets to clean up the mess by making public statements. So why aren’t they more involved in preventing the attack from happening in the first place?

Google & Yahoo Sender Requirements

Email giants Google and Yahoo have announced stricter requirements for bulk email senders. Although email authentication is not new at all, these new terms, which went into effect on February 1, 2024, are expected to keep more spam messages out of their users’ inboxes. The enforcement of their requirements has been rolled out partially.

Finally, these email giants recognise their responsibility and impact on the safety of the entire ecosystem. So while we may call this a gigantic and positive shift in the battle against spam and phishing, it does put many companies under significant time pressure. But in our honest opinion, organisations had more than enough time to get started in the first place.

This will seriously affect your emails, especially if you are a bulk email sender and have not yet complied with these rules. In that case, your emails are either marked as spam or blocked completely.

A bulk email sender is a domain that sends more than 5,000 emails in a day from one “From: domain” to Google or Yahoo. You are permanently labelled as a bulk sender if you send over 5,000 emails a day just once.

We have created an image that shows an overview of these requirements for both bulk email senders and non-bulk senders.

This is very important for email marketers: starting June 1st, 2024, the one-click unsubscribe link is mandatory for all non-transactional emails.

To Summarise

In the past, email marketers weren’t involved in email authentication protocols like they should have been. BIMI created traction with email marketers by adding value to the inbox placement. The only downside is that BIMI can only be implemented when DMARC has been added to the domain with either p=quarantine or the p=reject policy.

This meant that email marketers were now forced to work with the company’s IT security departments to start with DMARC.

At DMARC Advisor, we saw many organisations still struggling to start with DMARC and get all their domains to stricter DMARC policies. But now, with the Google and Yahoo requirements for (bulk) email senders, email marketers and security are feeling the pressure to start. Nobody exactly knows the impact of the enforcement of the requirements, and it’s still too early to draw any conclusions.

If you want to start or are working on getting your organisational domains to DMARC with a strict policy, take your time and start gathering data first before jumping straight to p=quarantine or p=reject.


Joost Brand
Marketing Coordinator | DMARC Advisor