
Back in 2024, Google and Yahoo changed the course of email communication. The two giants released a set of regulations that made it compulsory for bulk senders to authenticate their outgoing emails with three key protocols—SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance).
It’s not like these protocols weren’t around before 2024, but let’s be honest: Unless something is made mandatory, most organizations don’t prioritize it. But the new email-sending policies have certainly brought about a change in the perspectives of brand owners and email marketers. That’s not all! It has finally compelled teams to look at the technical side of email communication. It is no longer about sending emails with catchy subject lines or captivating designs; it’s more about making them safe and secure for your recipients.
Just 6 months after this new security update, Google noted a 65% drop in unauthenticated messages sent to Gmail users, that is, 265 billion fewer than the previous year!
Yes, things have changed, and we have come a long way. But there’s a catch!
- There are still gaps in the adoption of these authentication protocols.
- For those who have adopted them, it doesn’t necessarily mean they have implemented them properly.
In this article, we will understand how far we have come since the introduction of the latest email-sending policies and what existing gaps we must fill.
The adoption is still staggered
Immediately after Google and Yahoo rolled out their latest policies, we certainly saw tangible growth in the adoption of these protocols, particularly DMARC. While only 55,000 new domains per month actively adopted DMARC in early 2023, by the third quarter of 2024 this number had shot up to 110,000 new domains per month. This upward trend clearly shows a shift in awareness, but that’s not the whole story!
Yes, organizations are deploying DMARC, but most of them, almost 68%, have set the policy to “p=none”, which offers no protection as such. What this means is that they are only monitoring what happens with their domain, not actually doing anything to protect it from phishing or spoofing attacks, since receivers are told to deliver failing messages as usual.
Also, many domains haven’t properly set up SPF and DKIM to work with DMARC, which is necessary for it to be effective. So, even though adoption is increasing, the protection it offers is still limited in many cases.
But despite all this, as ESPs are getting stricter with their norms, it looks like the adoption of email authentication protocols is likely to pick up its pace.
Subdomains are often overlooked

Subdomains usually fly under the radar in email security setups, and attackers often target this blind spot. While you might enable DMARC on your primary domains, you might sometimes miss updating inactive or poorly configured subdomains in the DNS, which leaves them exposed.
These subdomains might be out of your sight, but they certainly aren’t out of the attacker’s mind. To exploit these overlooked subdomains, attackers use a strategy called “SubdoMailing,” wherein they take over such abandoned subdomains to send fake emails that pretend to be legitimate.
In early 2024, Guardio Labs reported that over 8,000 domains and 13,000 subdomains had been taken over by attackers, who sent millions of phishing emails via these means. These emails usually come from subdomains that belong to reputed brands, thus making it more likely for recipients to trust and open them.
This makes the attack even harder to spot because everything looks technically correct to the email provider. The sender passes all the usual checks, so the email lands right in your inbox. That’s why we say email authentication isn’t about deploying the protocols and forgetting about them; you must be on top of things at all times, especially when it comes to managing your DNS settings and monitoring subdomains.
BIMI for added protection

DMARC helps you prove that your emails are really coming from you. However, if you want to take it one step further, Brand Indicators for Message Identification (BIMI) is the way to go!
It lets you show your brand’s logo right next to your email in the inbox. So when someone sees your email, they also see your official logo, which builds trust and makes it easier for people to recognize that it’s really from your company. It’s like putting a name and face to your emails.
Yes, more companies are starting to use BIMI. Its adoption went up by about 28% in just a few months, from around 7,500 domains in May 2024 to nearly 9,700 in January 2025. That’s great progress. But here’s the problem—over half of those setups have some kind of error. The number of BIMI records with mistakes grew a lot, too, by about 64%. So even though adoption is growing, a lot of companies still aren’t getting it right, which means they might not get the full benefits BIMI is supposed to offer.
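To make the DMARC gaps (p=none, uncovered subdomains) and the BIMI misconfigurations described above concrete, here is an added example in Python that is not from the article: it audits a DMARC TXT record and then checks whether a BIMI record is well-formed and backed by DMARC enforcement. The record strings are constructed samples, and the BIMI prerequisites encoded here (HTTPS logo URL, p=quarantine or reject with subdomains covered and pct=100) reflect common mailbox-provider requirements rather than anything the article states.

```python
# Added example, not from the article: audit DMARC and BIMI TXT records for the gaps
# discussed above (p=none, unprotected subdomains, malformed BIMI). Samples are constructed.
def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' TXT record (DMARC and BIMI share this syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def effective_subdomain_policy(dmarc: dict) -> str:
    """RFC 7489: 'sp' governs subdomains; when absent they inherit 'p'."""
    return dmarc.get("sp", dmarc.get("p", "none")).lower()

def audit_dmarc(record: str) -> list:
    """Return findings as strings; an empty list means the policy is enforced."""
    d = parse_tags(record)
    if d.get("v") != "DMARC1":
        return ["invalid or missing v=DMARC1 tag"]
    findings = []
    if d.get("p", "none").lower() == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if effective_subdomain_policy(d) == "none":
        findings.append("subdomains unprotected: sp=none, or p=none inherited")
    if int(d.get("pct", "100")) < 100:
        findings.append(f"pct={d['pct']}: policy applied to only part of the traffic")
    if "rua" not in d:
        findings.append("no rua= address: aggregate reports are never received")
    return findings

def audit_bimi(bimi_record: str, dmarc_record: str) -> list:
    """BIMI needs a well-formed record AND DMARC at enforcement, subdomains included."""
    b, d = parse_tags(bimi_record), parse_tags(dmarc_record)
    findings = []
    if b.get("v") != "BIMI1":
        findings.append("invalid or missing v=BIMI1 tag")
    if not b.get("l", "").startswith("https://"):
        findings.append("l= logo URL missing or not served over HTTPS")
    if b.get("a") and not b["a"].startswith("https://"):
        findings.append("a= certificate (VMC) URL must use HTTPS")
    if (d.get("p", "none").lower() not in ("quarantine", "reject")
            or effective_subdomain_policy(d) == "none" or int(d.get("pct", "100")) < 100):
        findings.append("DMARC not at full enforcement: providers will not display the logo")
    return findings

# Constructed samples: a monitoring-only domain versus a fully enforced one.
MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
BIMI_OK = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
BIMI_BAD = "v=BIMI1; l=http://example.com/logo.svg"
```

Running `audit_dmarc` against your own published records is a quick way to see whether a domain is in the 68% that only monitor, and whether an explicit sp=none quietly reopens the subdomain gap.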
Certainly, we have come a long way since Google and Yahoo rolled out their new email-sending policies, but let’s face it, email authentication isn’t about mere implementation; it’s more about doing it right! Unless you go beyond ticking off the compliance boxes, you will not be able to fully protect your organization from email-based threats. Not to mention the time and resources wasted only to give you a false sense of security. Real protection comes from proper setup, regular audits, and staying one step ahead of how attackers adapt.
Think that your audience would connect with content like this?
I’m Daksh Kaur, a freelance writer who believes cybersecurity blogs don’t have to sound complex or dull. I help brands break down technical topics into content that’s clear, approachable, and genuinely useful.
If you’re looking to make your content more relatable and something that drives action, email me at daksh@turtlewords.com. I’d love to talk about how we can work together on your blog section and turn your prospects into active clients!
Let’s turn complex ideas into content your audience actually gets—and remembers.