If you rely your digital marketing strategy heavily on email marketing, consider sticking around for this grounding news. Find all about the Gmail & Yahoo new sender requirements and have enforced stricter requirements to authenticate emails. You might be interested if your goal is for your campaigns to land in the inbox of your audience.
Starting February 2024, in a move to fortify email security and enhance user experience, Google and Yahoo, have made mandatory what before were merely ‘best email marketing practices’.
Under the premise of developing ‘new protections for a safer, less spammy inbox’, Google, and Yahoo have created an inflexion point in what we have been calling the “cookieless era”.
In this guide, we will walk you through the major impact and challenges of this new email authentication requirements, as well as practical guidance for you to comply with the new email deliverability rules. ⬇️
What are the must-known Gmail & Yahoo new sender requirements and email changes, and what does it mean to me?
As we mentioned before, the email landscape is facing an inflexion point in what concerns user’s experience and security measures.
Resulting in Google and Yahoo declaring a new era of stringent rules for email authentication.
By this point, you’ve likely encountered a barrage of reminders of your service providers urging you to comply, but the process can be daunting.
Especially when different technologies are involved, leading to potential conflicts that might temporarily disrupt your domain or email services.
In order to prevent this, we are here to guide you through the process, we have gathered the new email requirements to comply:
1. Authentication Matters: If you’re sending emails, get ready to set up SPF, DKIM, and DMARC. — and familiar with these terms.
DKIM (Domain Keys Identified Mail):
DKIM is like a digital signature for emails. It adds a unique mark to your messages, showing they come from you and haven’t been tampered with. It’s like signing a letter to prove it’s genuinely from you.
SPF (Sender Policy Framework):
SPF domain authentication is key, as it is your email’s bodyguard. It specifies which servers are authorised to send emails on behalf of your domain. It’s like a VIP list for your emails, ensuring they are sent only from trusted servers.
DMARC (Domain-based Message Authentication, Reporting, and Conformance):
DMARC is the chief of email security. It tells email receivers how to handle emails that fail authentication checks. It’s like setting the rules for accepting or rejecting emails – a powerful tool to keep up the security in your inbox.
2. Seamless Unsubscribes:
Simplify life for your subscribers. This requirement enforces email senders to embed a one click unsubscribe option in your emails that should be visible both in the list-unsubscribe header and in the body of the email, so opting-out becomes easier now.
However, it doesn’t stop there. You are required now to handle the situation and process it within two days. Keep in mind that global legislation can vary on each case, but in order to avoid affecting your sending reputation, we advise you to move forward with the sender’s request as soon as possible.
Remember, no one enjoys lingering in emails they no longer desire.
3. It’s all about being less spammy: Make sure to deliver content and emails that genuinely interest your subscribers
A friendly reminder from us: it’s 2024 and segmentation and filtering is no longer a ‘nice-to-have’. By doing so, your email subscribers receive what they want, and you minimise the risk of spam complaints. A win-win situation!
Why does this matter?
Both Yahoo and Gmail are implementing a spam complaint threshold of 0.3%, aiming to reduce unwanted emails in their users’ inboxes. Surpassing this threshold may lead to increased blocking or redirection to the bulk folder.
A quick theory note on Spam complaints: Spam complaints are calculated when subscribers click on the “Spam” button or relocate emails to the spam folder.
For those sending to Gmail, signing up for Google Postmaster Tools is recommended to closely monitor the spam complaint rate and reputation directly from Gmail.
Now, who’s affected? We tell you all about it in the next section.
4. I’m not a bulk sender, so I don’t need this… or am I?
So, what happens if you are not sending emails to more than 5000 recipients, or if in fact you only did it once because you were running a special campaign?
The biggest misconception around this topic is that authentication solely for bulk email senders. We hate to break it to you, but the truth is, it applies to all emails.
But here’s the trick: the distinction lies in the level of authentication, now more stringent for bulk senders.
Let’s revise what Google understands for bulk senders. According to Google’s Documentation it is defined as:
“A bulk sender is any email sender that sends close to 5,000 messages or more to personal Gmail accounts within a 24-hour period. Messages sent from the same primary domain count toward the 5,000 limit.”
What else is there to note about this definition, and most importantly, why does it matter even if you aren’t a constant email user?
Once labelled a bulk sender, the classification is permanent. Even if you reduce your daily email volume, the bulk sender status remains. Welcome to the bulk sender club!
Okay, and if I’m not a bulk sender, can I ignore the changes?
For those not yet considered bulk senders, don’t rest easy. Full authentication is still crucial to ensure your emails land in inboxes.
Industry experts anticipate that Google and Yahoo may extend this requirement to non-bulk senders in the future, making early compliance a wise move. However, for bulk senders, this is a mandatory requirement, and the providers are firm in their enforcement.
We have prepared a table that summarises this:
Authentication Requirements | Compliance level | |
Bulk senders | SPF, DKIM, AND DMARC | Full authentication mandatory |
Non-bulk senders | SPF or DKIM | Full authentication advised |
Follow our how-to authenticate your email. — Yes, even if you don’t have records available
At this point, we have already gone through the context of the situation, key security concepts, as well as establishing whether you need to comply or not with the new email changes.
Now, we want to show you how you can authenticate your email successfully to comply with Gmail & Yahoo new sender requirements.
Keep reading to find our recommended resources.
Step 1: Understand your current compliance status
Before diving into the authentication process, it’s crucial to know where you stand. We have compiled two methods to analyse and understand what would be your next steps.
Gmail Verification Method
1. Send a Test Email
- Log in to your Email Service Provider (ESP), whether it’s Flodesk, ConvertKit, Kajabi, or any other.
- Send a test email to your personal Gmail account
2. Check Delivery Domain:
- Upon receiving the email in your personal Gmail account, inspect the delivery domain.
- Click on the ellipses icon in the top right of your email and select the option to “Show Original” (do not click “Report Spam or Phishing” to avoid affecting your sender reputation).
3. Inspect Email Header:
- The “Show Original” option will display the email header, where you need to look for the three authentication records.
- Check for the presence of SPF, DKIM, and DMARC records, and ensure that each record has a value of “Pass.”
Now, what happens if by any chance you can’t access any personal gmail account for verification?
Don’t worry, we got you covered with the external verification method.
External Verification Method
Head over to Dmarcian’s domain’s checker website to assess your current level of authentication.
A compliant status shows you’re on the right track, while any issues indicate further action is required.
This is how it should look if there’s no action required on your end:
And, unfortunately, this is how it can look if you need to start looking into it right away:
If your case falls into the latter category, read on for troubleshooting tips.
Step 2: Troubleshoot — DKIM is not authenticated
DKM, or DomainKeys Identified Mail, is a critical authentication method. If you don’t have a DKIM record, there’s no need to panic.
Start by understanding your selector:
- Open an email and view the “original message” or “full headers.”
- Search for “DKIM-signature” to find the DKIM signature with your domain.
- Identify the “s=” selector attribute; for example, “ S200608.”
Now, that we have the details that we need ready, head over to EasyDmarc’s website to start generating the DKIM.
It’s located under Products – DKIM – DKIM Generator. Simply click “Generate,” fill in your domain name, selector, and select 2048 for key length.*
*About the key length: In the past, the norm was to use 1024-bit DKIM keys. However, with hackers constantly devising new methods to compromise these keys, the National Institute of Standards and Technology (NIST) now advocates for the use of 2048-bit keys to enhance security.
This generates a custom DKIM setup, requiring you to add a TXT record to your domain’s DNS.
Step 3: Troubleshoot – SPF is not authenticated
Sender Policy Framework (SPF) authentication is vital for building domain reputation. If you lack SPF records, visit EasyDmarc’s website, select “SPF Generator,” and:
1. Enter your domain name and click on check SPF
2. Move to the SPF Record Generator tab and leave the source values as default
3. Click on Generate
4. Finish by adding a TXT record to your DNS, then write the name of the domain in the “Host” field and enter the generated SPF record in the “Value” or “Target” column.
Frizbit tip: In order to get the right source values for your case, make sure that domain is displayed in the URL of the generator.
Step 4: Troubleshoot – DMARC is not authenticated
DMARC, an email security standard, empowers domain owners to oversee the senders using their domain and provides instructions to email receivers (like Gmail) to either approve, quarantine, or reject emails that lack authentication.
Here’s a step-by-step guide on how to set up DMARC for your domain. Notably, Gmail and Yahoo don’t demand stringent DMARC policies, allowing you to begin with a “p=none” policy, or in other words, leaving it as default.
Once this policy is implemented, you can initiate monitoring the senders using your domain, and recipients won’t take any immediate action.
Okay, and “what happens if I don’t have a DMARC record?”
Naturally, the tool that we have been using has a DMARC generator too. You can locate it under Products – DMARC – DMARC generator.
When using the generator, fill in your details. Here’s an example of how we recommend doing it:
Frizbit tip: Create an email specifically for this purpose. In our case, we’ve established dmarc@frizbit.com for this task. Lasly, in the failure reporting options, we recommend selecting the values “0” and “1,” indicating that you will receive reports if DKIM and/or SPF fails to pass or align.
Once the record has been generated, copy it and go to the DNS zone of your domain. Add a new TXT or CNAME record and paste the provided information.
Note: With the majority of DNS providers (e.g., GoDaddy), the domain part will be automatically added in the Host/Name field, so including only “_dmarc” is sufficient.
Step 5: Remember, we talk about being less spammy
The first action that you can take is to register your domain for Google Postmaster Tools and keep your spam complaint rates under 0.3%
To monitor your spam report data from Gmail users, it’s essential to register your domain with Google’s dedicated service, Postmaster Tools. The registration is free, quick, and once set up, Google collects email data, providing aggregated spam report information in your Postmaster account.
Okay, and what happens if I don’t meet the spam complaint requirement?
If a significant number of your recipients label your emails as spam, your sender reputation will suffer, making it more challenging to land in the inbox.
We advise you to keep an eye on your user-reported spam rate. If it surpasses 0.1%, it signals room for improvement. As it approaches 0.3%, it’s a clear sign that urgent action is needed.
Understanding how can the Gmail & Yahoo new sender requirements and email deliverability can affect marketers
Businesses committed to effective email marketing practices may find aligning with these new rules relatively straightforward.
However, let’s face a worst-case scenario: What happens if you don’t comply?
Bulk senders who neglect crucial measures like email authentication, omit user-friendly one-click unsubscribe features, delay processing unsubscribe requests, or surpass spam rate thresholds set by Google and Yahoo risk significant drawbacks in their email marketing performance.
This includes higher bounce rates, potentially causing delays in email deliveries or complete non-delivery of campaigns.
Even well-crafted, solicited emails might end up in the spam folder, missing the intended recipients and resulting in reduced conversions. — damaging, right?
Following Google’s guidelines for email senders, non-compliance from bulk senders might result in the outright rejection of a brand’s emails or their direct placement in customers’ spam folders.
Gmail and Google email changes + new requirements FAQS
1. Are the requirements applicable to subdomains?
Absolutely. Every subdomain under an organizational-level domain with a published DMARC policy falls under DMARC verification. Non-compliance in emails sent from these subdomains will have consequences. It’s crucial to address subdomains in the DMARC deployment process and not overlook their significance.
2. Do fraudulent emails contribute to the 5k bulk sender limit?
Unfortunately, they do. Fraudulent emails add to the overall count of mails scrutinised for enforcement within the 5k limit. If dealing with fraudulent emails is a concern, implementing a DMARC enforcement policy (p=quarantine or p=reject) is recommended, as per Yahoo’s guidance.
3. How does DMARC enhance deliverability?
DMARC empowers senders to dictate how receivers should handle emails that may not originate from their domains. Depending on the sender’s policy, such emails might be rejected, directed to the spam folder, or receive no specific action. The primary benefit of DMARC lies in safeguarding against third parties forging your domain, which can significantly improve overall deliverability.
4. How can I determine my Spam rate or the spam complaint rate?
Google’s convenient Postmaster tools offer a free solution for tracking your Spam rate effectively.
5. Are there specific requirements for non-bulk senders?
Yes there are and according to Google they read as:
“Starting February 1, 2024, all senders who send email to Gmail accounts must meet the requirements in this section.
1. Set up SPF or DKIM email authentication for your domain.
2. Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records. Learn more
3. Use a TLS connection for transmitting email. For steps to set up TLS in Google Workspace, visit Require a secure connection for email.
4. Keep spam rates reported in Postmaster Tools below 0.10% and avoid ever reaching a spam rate of 0.30% or higher. Learn more about spam rates.
5. Format messages according to the Internet Message Format standard (RFC 5322).
6. Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery.7. If you regularly forward email, including using mailing lists or inbound gateways, add ARC headers to outgoing email. ARC headers indicate the message was forwarded and identify you as the forwarder. Mailing list senders should also add a List-id: header, which specifies the mailing list, to outgoing messages.
Conclusion: Complying to Gmail & Yahoo new email sender requirements
Getting started and adapting to the imminent changes in Gmail and Yahoo Mail may feel like a daunting task initially.
However, these adjustments are crafted to ensure the safety of your emails and their successful delivery to the inboxes of those genuinely interested in your content. Ultimately, these changes work to the advantage of both you and your subscribers.
In essence, these modifications primarily reinforce the positive email marketing practices you likely already have in place. The focus is on emphasizing transparency, enhancing security, and delivering content that resonates with your audience.
In today’s evolving digital landscape, having a diversified marketing strategy that extends beyond emails is becoming increasingly crucial. The cookieless era is approaching swiftly, emphasizing the need for innovative solutions.
Need extra help?
If you’re looking to enhance or implement cross-channel strategies for a comprehensive 360º customer experience, including email marketing, web push notifications, SMS, and WhatsApp marketing, our team is here to guide you.
Enquire with our team today to request a free demo for 1 month and get a customised plan to cater your needs.