Monitoring DNS

DMARC Requirements for 2024

  • Date : 29 January 2024
  • Time : 5.5 Min Video

Key Concern

Gmail, Yahoo and others are making big changes in February 2024 that might prevent your customers from receiving marketing material and even invoices if your domain isn't correctly set up and managed.

ThreeShield's Approach

Our managed clients are all prepared for the new requirements because we:

  • Define a list of services that send email on their behalf
    (SPF and DKIM, which are discussed in more length below).
  • Monitor reports from email recipients to learn if any legitimate messages were sent on their behalf from other providers
    (DMARC, which is discussed in more length below).
  • Filter out known scammers and work with our clients to verify others, then quickly update the authorized list.
  • Lock down the authorized list and tell email recipients to quarantine or block scams that appear to come from our clients' domains.
  • Continually monitor the reports for any changes.

Technical Background

The Domain Name System (DNS) translates your domain (e.g. to the numbers that computers use to find their way around the Internet. A few years ago, the Internet community used this system to decrease spam and improve your email reputation to improve the chances that emails you send to your customers and prospects make it past the Spam or Junk Mail folders.

The key elements for this are SPF, DKIM, and DMARC.

SPF tells other servers what services are allowed to send email on your behalf. You can also use it to tell email recipients how confident you are in your list and instruct them to treat others with suspicion or completely block them.
This is an example:

v=spf1 ip4: ~all

The above example says that email servers that Microsoft has added to or from can send email on behalf of the domain that set this up.
The tilde (~) before all in ~all means that they aren't 100% confident, so don't automatically block emails from other sources. In contrast -all would show a strong confidence level and block all others.

DKIM allows your email provider to sign emails to give an additional confidence level that the messages are actually yours and haven't been tampered with from when they left your mail server to when they reached your recipient.
Typically, your service provider will provide this to you to add to your DNS.

DMARC brings this all together: it allows other email servers to report emails that it receives from service providers that aren't authorized in your DKIM or SPF. It also allows you to instruct email recipients to reject or quarantine messages from other email providers.
There are a few companies that process DMARC records. However, we became frustrated with the limited amount of information that they provided. Some would give the domain, some would give the host, but none seemed to dig deep into the country, ISP, host, and give us statistics on which seemed to be malicious and which weren't -- so we built our own.
This internal tool has been essential for us to make sure that our clients can confidently signal higher levels of confidence in their SPF and DMARC records to reduce the likelihood that their emails would get quarantined or fall into the spam folder.
As of February 2024, Google is just requiring DMARC records. They do not have to have to be set to block or quarantine messages. However, they are making the change to quarantine and block internally and will likely be enforcing it as a next step, so it's important to get your ducks lined up in advance.

February 2024

Google and Yahoo's new requirements:
  • Align SPF or DKIM with all emails. This will allow "relaxed" mode in DMARC. Some services don't provide good SPF results, but do provide DKIM and vice-versa.
  • Configure DMARC. They're currently allowing p=none, which means that you don't have to give quarantine or block instructions; however, these improve the likelihood of emails skipping spam.
  • Email server requirements. This doesn't apply to most people who use third parties for email; however, if you host your own email, Google requires PTR records, ARC and List-id headers (for forwarded email), and TLS connections.
  • Google has specified a maximum spam rate below 0.1% and Yahoo! requires under 0.3%. This requires some vigilance. We use the Google Postmaster Tools to monitor spam rates.
  • One-click unsubscribe for subscribed messages (Yahoo is requiring unsubscribes within 2 days).
For more information, see Gmail and Yahoo.

What about MSPs?

Given that our internal DMARC tool gathers statistics and flags potentially harmless and harmful email providers, the more organizations using the tool, the more powerful it is.
As such, we're making it available to accredited MSPs who want to use the same powerful technology with their clients through our Lavawall® platform.

What our clients say about ThreeShield


CTO, Tilia Inc. (Financial Technology and Online Payments)

" ThreeShield has employed a dynamic, risk-based approach to information security that is specific to our business needs but also provides comfort to our external stakeholders. I recommend their services. "


IT Architect, Financial Technology and Online Retail

" Collaborating with ThreeShield to ensure data security was an exciting and educational experience. As we exploded in growth, it was clear that we needed to rapidly mature on all fronts, and ThreeShield was integral to building our confidence with information, software, and infrastructure security. "


IT Security Director, Linden Lab (Virtual Reality)

" ThreeShield helped us focus our efforts, enhancing our security posture and verifying PCI compliance.

All of this was achieved with minimal disruption to the engineering organization as a whole.

The approach was smart. In a short time, we accomplished what much larger companies still struggle to achieve. "


Senior Director of Systems and Build Engineering

" ThreeShield very much values active and respectful collaboration, and went out of their way to get feedback on policies to make sure proposals balanced business needs while not making employees feel like they were dealing with unreasonable overhead. By doing so ThreeShield really helped change the culture around security mindfulness is positive ways. "

Ready to get started?
Popular Technical Articles
2024 DMARC requirements
2024 DMARC requirements

29 January 2024

VMware ESXiArgs Ransomware
VMware ESXiArgs Ransomware

13 February 2023

OneNote Phishing
OneNote Phishing

2 February 2023

Social sites