Google and Yahoo have introduced new emailing standards to reduce phishing and spam. Three requirements apply to bulk senders who send out 5,000 or more emails within 24 hours to Gmail or Yahoo email addresses. If email senders don’t meet these three requirements, their emails will be rejected, those rejections will have a negative impact on the sender’s reputation, and that will make email deliverability progressively more difficult so it is important to meet these standards.
When do the new Google and Yahoo email standards go into effect?
The new standards technically went into effect at the beginning of February but there won’t be widespread penalties for failing to meet them for a couple of months. In April 2024, Google plans to begin rejecting a percentage of bulk sender emails that don’t meet their requirements. The rejection rate will gradually increase over time.
What are the new requirements for bulk senders?
- Email authentication is required using SPF, DKIM, and DMARC
- A one-click unsubscribe option is required to be included in all bulk emails sent
- Maintain a spam complaint rate of 0.3% or less.
Yahoo Bulk Email Sender Requirements:
- Email authentication is required using SPF, DKIM, and DMARC
- A one-click unsubscribe option is required to be included in all bulk emails sent
- Low spam complaint threshold will be required (At this point, Yahoo isn’t specifying a complaint rate)
The only difference between the Gmail and Yahoo requirements is that Yahoo doesn’t specify a spam complaint rate. Other than that, the requirements are the same.
What is a “spam complaint rate”
A spam complaint rate measures the number of people who report an email as spam out of the total number of messages sent. For example, if you send 1,000 messages and 10 people mark them as spam, your complaint rate is .01% (10/1000).
How do I meet the new Gmail and Yahoo bulk email requirements?
To meet the new requirements, you must implement three authentication protocols on your domain that help ensure emails coming from you are actually coming from you and make it easy for email recipients to unsubscribe from your email list.
The three required authentication protocols are SPF, DKIM, and DMARC. Adding these protocols involves accessing DNS settings so you’ll want to have someone who understands DNS records implement them.
What are the Gmail and Yahoo required authentication protocols?
Sender Policy Framework (SPF)
This specifies where emails from your domain are authorized to be sent.
How to implement SPF:
Implementing SPF involves adding a txt record to the DNS for your domain. This record would be added wherever your DNS is hosted. The exact record and how it is added will depend on your DNS provider and sending email application.
A domain can only have one SPF record.
DomainKeys Identified Mail (DKIM)
This digitally signs outgoing emails verifying their origin.
How to implement DKIM:
Implementing DKIM also involves adding a txt record to the DNS records for your domain. The exact record will be provided by the email service provider used. A single domain can have multiple DKIM records if multiple email-sending applications send out emails using the domain. DKIM records are used to identify each sending application that is authorized to send emails using a domain, so you would have one DKIM record for each of your email service providers (different sending sources or third-party emailing services).
The DKIM record is the primary way to prevent “spoofing”, which is when someone sends an email that looks like it is coming from you but it is not actually coming from you. That is usually done as part of a phishing attempt to fool a recipient into thinking the message comes from a trusted source.
Domain-based Message Authentication, Reporting & Conformance (DMARC)
DMARC establishes a policy outlining how the servers receiving your emails should handle unauthenticated emails from your domain.
How to implement DMARC:
The existence of SPF and DKIM records is required for DMARC to function. If those records are missing from your DNS, DMARC won’t work. DMARC passes or fails an email based on the email’s alignment with SPF and DKIM records.
The value part of a DMARC record will look similar to this:
v=DMARC1; p=reject; rua=mailto:message@example.com;
Here’s a breakdown of what all of this means:
v=DMARC1 – This is the version number which will always be 1 since there is only one version of DMARC right now (this could change in the future).
p=reject – This tells a server what to do with a message if SPF and DKIM don’t check out. In this case it is instructing the server to reject the message. There are two other potential settings for this that you could use or might see and they are “None” which tells the server to log the entry but take no action and “Quarantine” which tells the server to bounce the email message back to the server it originated from.
rua= message@example.com – This is where the DMARC reports are sent. The reports contain information about which servers or third parties are sending mail from your domain, whether they are passing or failing checks, how receiving email servers react to unauthenticated messages and the DMARC pass rate percentage. These reports should be set to a dedicated email mailbox to avoid inundating a user or general contact email with these report messages.
Many other tags and associated settings could appear in a DMARC record, but we won’t get into all of those here.
A domain can only have one DMARC record.
Is anything required to continue to meet these requirements?
After implementing the required authentication protocols, monitor your spam complaint rate to ensure it remains below 0.3%, and be sure to continue to include an easy opt-out so email recipients can easily remove themselves from your email lists.
