
The state of email security - and what it means for SaaS builders


"Skate to where the puck is going to be, not where it has been."

– Wayne Gretzky

Email is one of the riskiest digital services that we use.

Ninety-one percent of cyber attacks start with an email. Email is the preferred delivery method for spam, malware, data exfiltration, phishing, impersonation, scamming, extortion, hijacking, and account takeover.

But in some ways, that’s nothing new. Every day, we receive email threats, and our email clients protect us, whether through spam filtering or link warnings.


Well, they try.

In a 2023 research report, organizations reported that:

  • 94% of them experienced security incidents via email 

  • 94% of them fell victim to phishing

  • 91% of them experienced data loss and exfiltration

This situation can’t continue. 

Everyone (except criminals) wants to make email a secure platform for every user on the planet. Now that email is the biggest threat to users, email providers are on the lookout for ways to crack down on email security. After all, any intervention that could cut down on spam and phishing solves millions of problems a year.

The industry has come up with a set of policy changes to improve email security, and it’s going to change the game for anyone who sends email.

One of the fundamental problems with email is that senders can blast thousands of emails without verifying that they are legitimate senders. That gap in email security allows dishonest actors – criminals – to use email to pretend to be trusted brands. Today, they can spoof domains to get under the radar of spam filters and phishing protections. 

That’s why Google and Yahoo have recently announced that they will, starting this month, begin requiring email authentication for any bulk sender – in perpetuity. Anyone who sends a few thousand emails a month to @Gmail or @Yahoo recipients must have SPF and DKIM authentication methods implemented through DNS configuration, and a DMARC policy set up to verify the legitimacy of the sender domain. Shortly after the Google and Yahoo announcements, Apple announced similar changes.
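The three record types named above can be sanity-checked offline before a send. This is an added example, not code from this article or from Entri; the function names, the selector `s1`, and the sample zone data for example.com are constructed for illustration.

```python
# Added example (constructed names and data): offline check of SPF, DKIM and DMARC TXT records.
def parse_tags(txt):
    """Parse the 'k=v; k=v' tag list used by DKIM and DMARC records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_email_auth(zone, domain, selector):
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    # SPF: exactly one TXT record at the domain whose first term is v=spf1.
    spf = [t.lower().split() for t in zone.get(domain, [])
           if (t.lower().split() or [""])[0] == "v=spf1"]
    if not spf:
        problems.append("spf: missing")
    elif len(spf) > 1:
        problems.append("spf: multiple records (permerror)")
    elif "+all" in spf[0] or "all" in spf[0]:
        problems.append("spf: 'all' authorizes every sender")
    # DKIM: public key published at <selector>._domainkey.<domain>.
    keys = [parse_tags(t) for t in zone.get(f"{selector}._domainkey.{domain}", [])]
    if not keys:
        problems.append("dkim: missing")
    elif not any(k.get("p") for k in keys):
        problems.append("dkim: empty p= (key revoked)")
    # DMARC: exactly one v=DMARC1 record at _dmarc.<domain> with a valid policy.
    dmarc = [parse_tags(t) for t in zone.get(f"_dmarc.{domain}", [])
             if t.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(dmarc) != 1:
        problems.append("dmarc: expected exactly one record")
    elif dmarc[0].get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("dmarc: invalid or missing p= policy")
    return problems

GOOD_ZONE = {  # constructed sample: all three records present
    "example.com": ["v=spf1 include:_spf.mailer.example -all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBexamplekey"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
BAD_ZONE = {  # constructed sample: duplicate SPF, revoked DKIM key, no DMARC
    "example.com": ["v=spf1 +all", "v=spf1 ip4:192.0.2.10 -all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p="],
}
if __name__ == "__main__":
    print(check_email_auth(GOOD_ZONE, "example.com", "s1"))
    print(check_email_auth(BAD_ZONE, "example.com", "s1"))
```

In practice the `zone` dictionary would be filled from live TXT lookups for the sending domain rather than from literals.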

This shift is enormous, and it’s great news for email recipients. 

Having these records set up has been a best practice for some time now, but three of the biggest email services in the world have now said that if the records aren’t correct, the assumption is that you’re not a trustworthy sender. Because of these providers' clout, we expect a solid push for email domain authentication to become a universal, base-level best practice. As Leslie Boultbee, our Head of Strategic Accounts, recently said:

“Let’s assume that Yahoo and Google are setting the industry standards, and everyone else in the industry is going to follow suit.”

And there’s precedent for that.

For example, let’s look at the history of securing web traffic. 

SSL emerged in 1995 to secure data transmitted across the web. By 2004, widespread phishing highlighted the need for stronger website authentication, and in 2005, Google announced a preference for HTTPS websites in search rankings. In 2011, Google started displaying warnings for non-HTTPS websites. Today, HTTPS is virtually mandatory for any website handling sensitive data or aiming for good search engine ranking and user trust.

(Sidebar: Did you know Entri handles SSL provisioning for SaaS companies? You can learn more - and save 40% - here.)

On the one hand, requiring email domain authentication is good news. Better email security is what everyone wants. 

On the other hand, the DNS configuration requirement has significant implications for end users of email platforms. Simply put, if users of these tools haven’t brought their email domains into compliance with the necessary DNS records, email deliverability – and business performance – might be at risk.

As Leslie puts it, “A company that doesn't implement these security precautions is more likely to have compromised accounts, leading to issues which can impact both revenue and user retention.

DNS configuration not only impacts delivery, but also deliverability. Email accounts from non-compliant senders may end up in the wrong place, i.e. Spam, or an outright rejection from the receiving email client.”

Let’s consider a couple of scenarios.

You're an email marketer working for a brand, and once a month, you’re sending an email newsletter to 10,000 consumers using an off-the-shelf marketing bulk email app. This newsletter is a major tool in your company’s arsenal for announcing new products, driving demand, and retaining customers. It’s the most lucrative marketing tool you have.

One day, you send your newsletter. Instead of opens, clicks, and new sales, because the email domain configuration isn’t correct…nothing happens. 

Email, your organization's most lucrative marketing channel, becomes an overnight bust.

Would you be happy? Would your leaders be happy?

Of course not.

Let’s consider another scenario. 

Imagine that you owned the email marketing platform. One day, thousands of users, with thousands of domains, all sending their newsletters, suddenly discover that email delivery is compromised.

What would user sentiment be like? What would happen to your user retention, your monthly active users (MAUs)? 

How much pressure would that put on your support team? DNS configuration is complicated and often requires escalated technical support, a finite resource in most companies. Most support teams aren’t prepared for hundreds or thousands of requests for help in a few minutes.

We’ll make a prediction here: any email platform that has not thoroughly enabled its users to solve this problem themselves will experience a massive backlog of highly technical support tickets, a sudden spike in user churn, and lost sales as word gets out.

Not ideal.

It’s also important to note that this issue will affect more than just marketing ESPs (marketing email service providers). Any SaaS platform that allows its customers to send emails – even if they’re just transactional – is affected. Compromised email will be a reality for your users unless you provide a way to solve DNS configuration issues.

No email domain DNS configuration = no delivery to personal Gmail, iCloud, and Yahoo email addresses. That’s over ninety percent of email recipients, according to this data from Litmus. 

You can see where the puck is heading – it’s heading toward mandatory DNS email domain authentication. It’s heading toward empowering users who discover their emails aren’t being delivered to solve the problem with a self-service interface. It’s heading toward the need to solve this challenge at scale, quickly, in a way that doesn’t impact your support organization and doesn’t require you to rework your application.

Entri makes it easy to skate to where the puck is heading (tighter email security) because we empower non-technical users to configure DNS records for email domains automatically. Using a few lines of code, Entri Connect solves deliverability problems, without overwhelming support organizations. Here’s how:

  • Entri Connect automatically configures DNS records for SaaS users, for even the most complex email DNS requirements, and supports an ever-growing number of DNS providers

  • Entri can be integrated directly with email tools for in-app configuration, or launched from support bots and knowledgebase docs via API share links

  • Platforms can use webhooks and API customization, such as DMARC validation, to show successful configuration statuses post-propagation to their users, right within their product dashboard.

Entri Connect allows developers to solve the DNS configuration challenge elegantly. Implementing Entri Connect solves the email authentication requirement in minutes, without confusion or complexity – in a way that can cover every user without support intervention, or worse, having to add a bulky release to your product roadmap. It’s an innovative solution for an intractable problem.

Or, to put it another way, it gives you a better way to skate where the puck is heading 🏒