Google Moving Gmail to Strict DMARC Implementation

Google said it will move to a policy of rejecting any messages that don’t pass the authentication checks spelled out in the DMARC specification.

By next summer, most of the major Web-based email providers will have implemented a policy of strictly adopting the DMARC protocol.

Google, in a statement published Tuesday by, said it will move to a policy of rejecting any messages that don’t pass the authentication checks spelled out in the DMARC specification.

DMARC, short for Domain-based Message Authentication, Reporting and Conformance, wards off email spoofing, which is central to most phishing attacks. The premise behind DMARC is that it checks email against both the DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) validation systems. If a message satisfies these checks, it is sent through to the recipient; otherwise, it’s quarantined.

The move complements similar initiatives from Yahoo and AOL; Yahoo is expected to move its mail services to DMARC on Nov. 2 after announcing on Oct. 5 an expansion of its use of the protocol.

Phishing remains a constant and viable threat, not only from cybercriminals interested in fraud and financial crime, but also in targeted attacks by criminal and nation-state attackers.

DMARC has been especially effective in ferreting out email address spoofing. Attackers falsify a user’s email address and use it to send out phishing or spam messages.

Google’s John Rae-Grant, lead product manager for Gmail, said in a statement that Google will also support the Authenticated Received Chain (ARC) protocol. The ARC spec says the protocol adds a cryptographically signed header to an email that helps the message move along in the event DMARC is broken.

“When Yahoo and AOL began protecting their customers from abuse, there was a small percentage of users who were negatively impacted by the change,” DMARC said in its statement, adding that ARC will be presented for approval at an upcoming meeting of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) in Atlanta.



  • Ricardo Aguilar on

    no comment for now
  • Cat on

    I'd like to know how it 'negatively impacted' these users. Also, I see no change in how many falsified yahoo addresses I see sending me spam. I tend to look at headers and see when a friend's address has been spoofed.
    • msw70 on

      Internet Engineering Council expert John R. Levine, a specialist in email infrastructure and spam filtering, said, 'Yahoo breaks every mailing list in the world including the IETF's' on the Internet Engineering Task Force (IETF) list.
  • Karen Bemet-Nejat on

    I am OK with this--I could do without phishing, sales pitches, ponzi schemes, etc.
  • ken on

    It's rewarding to read of the effort being used to help us with security whilst using the internet...Thank you...Ken Lomas
