Who Did Not Implement Email Security Measures After Google's New Email Sender Guidelines?: A Large-Scale Measurement Study

The new email sender guidelines introduced by Google on October 3, 2023, mandate sender authentication protocols, such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC), to minimize unsolicited emails to Gmail addresses. Google asserted that these guidelines would improve email security. However, an August 2024 report indicated that 8 million of the top 10 million domains ranked by web traffic had not implemented DMARC. This large-scale measurement study analyzes entities that did not implement the required email security measures. Our findings demonstrate low SPF, DKIM, and DMARC adoption among domains associated with China, South Korea, and Japan. Gmail is blocked in China owing to censorship. NAVER, which is a prominent search engine, offers free email addresses, diminishing the need for compliance in South Korea. Despite the search engine dominance of Google in Japan, the lagging adoption suggests that non-compliance arises from other constraints, and not necessarily intent. In addition, business-to-business sectors exhibited limited adoption, likely because Gmail addresses hold less operational relevance. While some entities are exempt from the guidelines, others did not comply for certain reasons, notwithstanding enforcement by a powerful organization. Ultimately, if nothing changes with such an organization, it is necessary to discuss how email security should be approached, whether ensuring security requires enforcement power, such as national regulations, or whether there is still room for technical approaches within the Internet community.

• Publication year

  2025

• Venue

  Traffic Monitoring and Analysis

• Publication date

  2025-06-10

• Fields of study

  Computer Science

• Identifiers
  DOI 10.23919/TMA66427.2025.11097004
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Lazy Gatekeepers: A Large-Scale Study on SPF Configuration in the Wild

  2023cited by this paper
• You've Got Report: Measurement and Security Implications of DMARC Reporting

  2023cited by this paper
• Internet Service Providers' and Individuals' Attitudes, Barriers, and Incentives to Secure IoT

  2022cited by this paper
• A Large-scale and Longitudinal Measurement Study of DKIM Deployment

  2022cited by this paper
• Extended Abstract: A First Large-Scale Analysis on Usage of MTA-STS

  2021cited by this paper
• Measuring email sender validation in the wild

  2021cited by this paper
• What Email Servers Can Tell to Johnny: An Empirical Study of Provider-to-Provider Email Security

  2020cited by this paper
• The Authenticated Received Chain (ARC) Protocol

  2019cited by this paper
• Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation

  2018cited by this paper
• Corporate Information Security Investment Decisions: A Qualitative Data Analysis Approach

  2018cited by this paper
• SMTP MTA Strict Transport Security (MTA-STS)

  2018cited by this paper
• SMTP TLS Reporting

  2018cited by this paper
• Signaling One-Click Functionality for List Email Headers

  2017cited by this paper
• Deciding between information security and usability: Developing value based objectives

  2016cited by this paper
• Domain-based Message Authentication, Reporting, and Conformance (DMARC)

  2015cited by this paper
• Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client

  2015cited by this paper
• Identifying How Firms Manage Cybersecurity Investment

  2015cited by this paper
• Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1

  2014cited by this paper
• DomainKeys Identified Mail (DKIM) Signatures

  2011cited by this paper
• Public Suffix List

  2010cited by this paper
• The psychology of security

  2008cited by this paper
• The Economics of Information Security

  2006cited by this paper
• DNS Security Introduction and Requirements

  2005cited by this paper
• Security and usability engineering with particular attention to electronic mail

  2005cited by this paper
• Johnny 2: a user test of key continuity management with S/MIME and Outlook Express

  2005cited by this paper
• How to make secure email easier to use

  2005cited by this paper
• Computer Security in the Real World

  2004cited by this paper
• Safe Staging for Computer Security

  2003cited by this paper
• Good-Enough Security: Toward a Pragmatic Business-Driven Discipline

  2003cited by this paper
• Moving from the design of usable security technologies to the design of useful secure applications

  2002cited by this paper
• SMTP Service Extension for Secure SMTP over Transport Layer Security

  2002cited by this paper
• Internet Message Format

  2001cited by this paper
• The Use of URLs as Meta-Syntax for Core Mail List Commands and their Transport through Message Header Fields

  1998cited by this paper
• Why cryptosystems fail

  1994cited by this paper
• Mail Transfer Protocol

  1980cited by this paper

• No citing papers are available for this paper.