2025 Email: Get Rid of the Training Wheels

Email authentication solves a fundamental problem: proving that messages actually come from who they claim to come from. As we move into 2025, this isn’t just about slapping some DNS records in place and calling it done – it’s about making certain that all of the pieces of your protection scheme are flawlessly working together.

Why 2025 Matters More Than You Think

Gone are the days when implementing authentication was optional. Yahoo¹ and Google² started enforcing new requirements for bulk senders in June.³ These requirements make one thing crystal clear – proper authentication isn’t a “nice to have” anymore; it’s table stakes for getting your email delivered.

The Big Three: Evolution in Action

SPF: Getting Your Guest List Right

SPF exists to tell the world exactly who can send mail for your domain. Not “probably” who can send mail. Not “maybe” who can send mail. Exactly who. Those permissive +all mechanisms you see floating around? They’re the email equivalent of leaving your front door wide open because keys are hard.

The lookup limit still matters (10 or bust),⁴ but it’s the precision of your records that really counts. One 2023 study of SPF records, for instance, revealed that 34.7% of domains allow emails to be sent from over 100,000 IP addresses.⁵

DKIM: Because Digital Signatures Shouldn’t Use Crayons

Your DKIM keys need to grow up. Those 1024-bit keys that seemed fine a few years ago? They’re the email equivalent of writing your signature in crayon. Google isn’t being subtle about this – they’ve explicitly stated their preference for 2048-bit keys.⁶ The days of weak keys and “we’ll rotate them eventually” are over.

Here’s where it gets interesting: Key rotation isn’t just a best practice anymore – it’s becoming a compliance requirement. Take PCI DSS 4.1, for example. Not only does it want you to protect against phishing (Requirement 5.4.1), but it points explicitly to DKIM as part of a solid anti-spoofing strategy. And before you think about skipping the rotation part, Requirement 3.7.4 says you need to rotate those keys when nearing the end of their cryptoperiod.⁷

DMARC: Time to Take Off the Training Wheels

Here’s the reality about p=none: it’s the email authentication equivalent of training wheels. Yet, the RFC indicates that it’s supposed to be a stepping stone to stricter policies.⁸

Yet here we are, nearly a decade later, with domains still cruising around in training mode. Why? Because when Yahoo and Google rolled out their authentication requirements for bulk senders earlier this year, they set a pretty low bar: “just have a working DMARC record.” And yes, p=none technically checks that box – it’s like getting credit for buying a gym membership without ever breaking a sweat.

But, while p=none might keep you compliant today, smart senders are already planning for tomorrow. The writing’s on the wall – or more accurately, between the lines of those sender requirements. We’re heading toward at least p=quarantine but probably p=reject, and the future tends to show up faster than anyone expects. Don’t be one of those senders who must scramble twice because they chose the bare minimum the first time.

Making It All Work Together

Authentication isn’t three separate systems – it’s one protection scheme with three crucial parts. Your SPF, DKIM, and DMARC all check different but related things.⁹ When they work together, it’s beautiful. When they don’t, your deliverability can suffer.

The Warning Signs

When your authentication fails, the internet doesn’t send you a polite note. Instead, you need to watch for:

Sudden changes in your DMARC aggregate reports? That’s like your car making a new noise – ignore it at your peril. Authentication failures that don’t match your sending patterns? Something’s wrong, and hoping it fixes itself isn’t a strategy.

The Path Forward

Perfect authentication isn’t about predicting the future. It’s about building systems that work today and can adapt to whatever tomorrow throws at us. The solution isn’t complicated, but it does require attention: Monitor your authentication actively, not reactively. Understand your mail flows completely, not approximately. And most importantly, keep your systems current – because the standards aren’t standing still.

Footnotes

1. Yahoo, Sender Best Practices for Mail Deliverability, Sender Hub (2024), https://senders.yahooinc.com/best-practices/ (last visited Dec 12, 2024). ↩︎
2. Neil Kumaran, New Gmail Protections for a Safer, Less Spammy Inbox, The Keyword (2023), https://blog.google/products/gmail/gmail-security-authentication-spam-protection/ (last visited Dec 12, 2024). ↩︎
3. Google, Email Sender Guidelines FAQ, “What is the timeline for enforcement of sender guidelines?”, Google Workspace Admin Help (2024), https://support.google.com/a/answer/14229414?hl=en (last visited Dec 12, 2024). ↩︎
4. Scott Kitterman, Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1 16-17, (2014), https://datatracker.ietf.org/doc/rfc7208 (last visited Dec 12, 2024). ↩︎
5. Stefan Czybik, Micha Horlboge & Konrad Rieck, Lazy Gatekeepers: A Large-Scale Study on SPF Configuration in the Wild, in Proceedings of the 2023 ACM on Internet Measurement Conference 344 (2023), https://dl.acm.org/doi/10.1145/3618257.3624827 (last visited Dec 12, 2024). ↩︎
6. Google, Email Sender Guidelines, Google Workspace Admin Help, https://support.google.com/a/answer/81126?hl=en (last visited Dec 12, 2024). ↩︎
7. Payment Card Industry Data Security Standard, Section 5.4.1, (2024). ↩︎
8. Murray Kucherawy & Elizabeth Zwicky, Domain-Based Message Authentication, Reporting, and Conformance (DMARC), Abstract, (2015), https://datatracker.ietf.org/doc/rfc7489 (last visited Dec 12, 2024) (“DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection.”). ↩︎
9. Mickey Chandler, Authentication Failures, Spamtacular (Dec. 12, 2017), https://www.spamtacular.com/2017/12/12/authentication-failures/ (last visited Dec 12, 2024). ↩︎

• Author
• Recent Posts

Mickey Chandler

A recognized leader in the fight against online abuse, specializing in email anti-abuse, compliance, deliverability, privacy, and data protection. With over 20 years of experience tackling messaging abuse, I help organizations clean up their networks and maintain a safe, secure environment.

Latest posts by Mickey Chandler (see all)

• 2025 Email: Get Rid of the Training Wheels - 13 December 2024
• Introducing: Arcana - 22 November 2024
• Help me see if there is a need for that I can fill - 23 September 2024