Google today declared that after almost a decade of fighting phishing emails, the Internet-wide efforts are finally paying off. The company revealed that 91.4 percent of the authenticated non-spam emails sent to Gmail users come from senders that have adopted at least one of these two email authentication standards: DomainKeys Identified Mail (DKIM) or Sender Policy Framework (SPF).

The email industry has been working on email authentication standards that can prevent email impersonation, with the hope of making sure an email’s sending and receiving domains can check that the email came from the correct sender. This helps email providers like Gmail to filter billions of impersonating email messages a year, ensuring they never enter users’ inboxes in the first place.

Now Google has finally revealed figures to show the strategy is working. Alongside the 91.4 percent headline figure, Google shared the following statistics today:

  • 76.9 percent of the emails Gmail receives are signed according to the DKIM standard. Over half a million domains (weekly active) have adopted this standard.
  • 89.1 percent of incoming emails Gmail receives come from SMTP servers that are authenticated using the SPF standard. Over 3.5 million domains (weekly active) have adopted the SPF standard.
  • 74.7 percent of incoming emails Gmail receives are protected by both the DKIM and SPF standards. Over 80,000 domains have deployed domain-wide policies that allow Gmail to reject hundreds of millions of unauthenticated emails every week via the DMARC standard.

While these figures are certainly good news, this is by no means the end of the story. Phishers can still easily target domains that are not yet protected, and even when these anti-phishing standards are in use, attackers can attempt to crack weak cryptographic keys (Google recommends using a public key of at least 1024 bits for DKIM, for example).

Those who own domains that are never used to send email can still help prevent abuse by creating a Domain-based Message Authentication, Reporting & Conformance (DMARC) policy that describes the domains as non-senders. Every little bit helps.
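As an added example, not from the article or from Google: a small Python check that tests whether a non-sending domain's SPF and DMARC TXT records actually deny all senders and ask receivers to reject, and that produces the two records to publish. The sample records and the `dmarc@example.com` report address are constructed; a real check would fetch the TXT records from DNS instead.

```python
"""Offline check for the "non-sender" DMARC/SPF posture the article recommends."""


def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_denies_all(txt):
    """True only for an SPF record that authorizes no sending host at all."""
    terms = txt.split()
    return len(terms) == 2 and terms[0].lower() == "v=spf1" and terms[1] == "-all"


def non_sender_status(spf_txt, dmarc_txt):
    """Evaluate the SPF record of a domain and the DMARC record at _dmarc.<domain>."""
    d = parse_dmarc(dmarc_txt)
    policy = d.get("p", "none")
    findings = {
        "spf_denies_all": spf_denies_all(spf_txt),
        "dmarc_valid": d.get("v") == "DMARC1",
        "dmarc_policy": policy,
        # pct defaults to 100; anything lower means only a sample is rejected
        "dmarc_rejects": policy == "reject" and d.get("pct", "100") == "100",
        # sp (subdomain policy) falls back to p when absent
        "subdomain_policy": d.get("sp", policy),
    }
    findings["ok"] = (findings["spf_denies_all"] and findings["dmarc_valid"]
                      and findings["dmarc_rejects"]
                      and findings["subdomain_policy"] == "reject")
    return findings


def non_sender_records(domain, report_addr="dmarc@example.com"):
    """Zone records (name, type, value) that declare `domain` a non-sender."""
    return [
        (domain, "TXT", '"v=spf1 -all"'),
        ("_dmarc." + domain, "TXT",
         '"v=DMARC1; p=reject; sp=reject; rua=mailto:%s"' % report_addr),
    ]


# Constructed sample records for a domain that should never send mail
GOOD = {"spf": "v=spf1 -all", "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"}
WEAK = {"spf": "v=spf1 include:_spf.example.net ~all", "dmarc": "v=DMARC1; p=none"}
```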
