Google and Yahoo have introduced a brand new set of email authentication requirements for bulk message senders. The requirements impact those who send > 5000 emails per day. To follow the new requirements, bulk senders need to deploy SPF, DKIM, and DMARC, enable easy unsubscription, and focus on message relevance.
Google has been the pioneer in encouraging, exercising, and enforcing stringent privacy policies. These policies ensure end-to-end protection of email transactions and communication. Google’s new email authentication policies aim to reduce email fraud and spam in 2024.
Google and Yahoo Bulk Senders Will Need DMARC
In their latest email guidelines, Google has enforced email authentication deployments starting in Feb 2024. Domain owners who send bulk messages to Gmail addresses would be required to authenticate their emails with DMARC.
Gmail’s AI-powered integrated defenses already stop spam, phishing, and other forms of email fraud by 99.9%. These systems restrict nearly 15 billion undesired emails daily. In 2024, Google plans to take it one step further by making it mandatory for more than 5000/day message senders to validate their emails.
Yahoo isn’t far behind either. Yahoo described that their key objective is to provide an optimal emailing experience for receivers. This objective will ensure you only receive messages that interest you.
To meet this objective, Yahoo’s email guidelines declared that in 2024 bulk message senders will need to deploy DMARC. Senders must also implement one-click unsubscription, and send emails that are of value to Yahoo users.
Google and Yahoo Email Authentication Requirements for Bulk Email Senders
If you send more than 5000 emails per day:
1. Authenticate Your Emails with SPF, DKIM, and DMARC
Google and Yahoo required all bulk senders to implement email authentication protocols SPF, DKIM, and DMARC. This stops threat actors from impersonating legitimate domain names to send spam messages.
Sender Policy Framework, or SPF, will allow bulk email senders to authorize legitimate senders. SPF allows only permitted domains and IPs to send emails on behalf of their domain – thereby reducing spam complaints.
DomainKeys Identified Mail (DKIM) helps protect your email’s content from being altered. It adds digital signatures to message headers as a verification mark.
DMARC binds it all together by aligning messages against SPF and/or DKIM checkpoints. With DMARC, you can set up instructions for receiving servers to accept, quarantine, or reject misaligned emails. It helps protect your domain against phishing, spoofing, business email compromise, and more.
2. Easy One-click Unsubscription
Email users should be able to unsubscribe from receiving emails from a particular sender with just one click! One-click unsubscribe mechanism is another bulk email requirement declared by Google and Yahoo. This will make it easier for receivers to opt out of receiving messages that do not interest them. It also helps maintain a spam-free inbox.
3. Stay Under the 0.3% Spam Rate Threshold
Google uses several technical measures to block out spam messages from reaching users. They are now enforcing a clear threshold for spam that needs to be maintained. Spam rate should ideally be below 0.1%. This will ensure that their receivers can further avoid receiving unwanted or malicious messages. By all means, the spam rate shouldn’t be equal to or exceed 0.3%.
Yahoo recommends keeping the spam rate below 0.3% as well.
Google Email Sender Requirements for all Senders
If you are not a bulk email sender, you still need to follow some email authentication best practices for Gmail. Google has been encouraging users to follow safe-sender practices for a long time, irrespective of whether they send bulk emails or not.
If you send less than 5000 emails per day:
- Email Senders must enable SPF or DKIM
Note: In general, DMARC requires either SPF or DKIM domains to align for compliance. However, Google particularly mentions both SPF and DKIM alignment for only bulk senders. Bulk-sending sources that have DMARC and SPF without DKIM, will still fail their requirements.
- Sending domains and IP addresses must have valid PTR records
- Your message’s spam rate must be below 0.3% (Google recommends using Google Postmaster tools for running your spam rate check)
- Your message format must follow IMF specifications as mentioned under RFC 5322
- Impersonating Gmail From: headers is not allowed and can reduce your mail delivery rates
- The domain in the sender’s “From:” header must match the domain in either the return-path header (for SPF) or the DKIM signature header
- Forwarded emails must be signed by ARC
Learn more about these requirements in Google’s document.
Gmail General Vs Bulk Email Sender Guidelines
Requirement | General Email Senders | Bulk Senders (5,000+ messages/day) |
SPF/DKIM Email Authentication | Required | Both SPF and DKIM Required |
Forward and Reverse DNS Records | Required | Required |
TLS Connection for Transmitting Email | Required | Required |
Spam Rates in Postmaster Tools | Below 0.10%, avoid 0.30% or higher | Below 0.10%, avoid 0.30% or higher |
Message Format (RFC 5322) | Required | Required |
Impersonating Gmail From: Headers | Prohibited (may impact email delivery) | Prohibited (may impact email delivery) |
ARC Headers for Forwarded Email | Recommended for regular forwarders | Recommended for regular forwarders |
List-id Header for Mailing List Senders | Recommended | Recommended |
DMARC Email Authentication | Not mentioned | Required (DMARC enforcement policy can be set to none) |
Alignment of From: Header with SPF/DKIM Domain | Not mentioned | Required for direct mail to pass DMARC alignment |
One-Click Unsubscribe and Visible Unsubscribe Link | Not mentioned | Required for marketing and subscribed messages |
Yahoo Email Sender Requirements for All Senders
Yahoo requires all senders to authenticate with either SPF or DKIM. If you enable Yahoo DKIM, your messages will be signed with a cryptographic hash value to verify their authenticity. This also prevents messages from being altered by threat actors before delivery. Alternatively, you can also meet Yahoo email authentication requirements by implementing Yahoo SPF. This will help you define a safe sender list in your SPF DNS record for sources you want to allow to send emails on your behalf.
Note that unless you meet the Yahoo SPF requirement or Yahoo DKIM requirement, you cannot implement DMARC. DMARC needs either SPF or DKIM to function.
General email senders for Yahoo must adhere to the following requirements:
- Senders must enable SPF or DKIM email authentication
- Keep spam rate below 0.3%
- Have a valid forward and reverse DNS record for your sending IPs
- Follow RFCs 5321 and 5322
Slowly Enforcing Email Sender Requirements Over Time
Yahoo and Google are making constant updates to their email authentication requirements. They are hinting at the fact that enforcement will be gradual but progressive. This will help them monitor the compliance performance of email senders without a sudden blow to email deliverability. Here are the latest timelines for enforcement:
Google’s Timeline of Enforcement
- Google will start gradually enforcing guidelines for bulk senders from February 2024. Bulk senders are expected to configure SPF and DKIM for emails during this time.
- Non-compliant senders may expect to see temporary errors and sporadic delays in message delivery. Google encourages senders to take these temporary errors as a learning curve for achieving compliance.
- Starting in April 2024, the temporary errors will gradually transform into outright rejections for non-compliant email traffic only. You can expect to see the number of non-compliant emails steadily increase if you don’t comply with the requirements by April.
You can check your current state of compliance using Google’s Postmaster tools or our analyzer tool that is attached to this blog!
- The deadline for the one-click unsubscription feature has been extended to June 2024.
- Enforcement of DMARC policy (at a minimum of p=none) will also begin from June 2024.
- From June 2024, mitigations will be unavailable if a domain owner fails to meet one-click unsubscribe, email authentication, or less than 0.3 % spam rate requirements.
This means that certain measures to mitigate spam or unwanted emails will only be available if the sender meets specific requirements regarding email authentication, providing an easy unsubscribe option, and maintaining a low rate of user-reported spam. If these conditions are not met, the sender may not be able to access these mitigations, potentially leading to their emails being treated as spam or unwanted by recipients or email service providers.
Yahoo’s Timeline of Enforcement
- Yahoo will enforce some of their guidelines and requirements for all senders, from February 2024. This includes email authentication against SPF or DKIM and maintaining low spam rates.
- Also starting from February 2024, bulk sender requirements will be more strict. This includes email authentication (DMARC policy, SPF, and DKIM) mandates.
- For the one-click unsubscription feature, the deadline has been extended to June 2024.
Timelines and requirements may keep changing as Google and Yahoo add new mandates. They may even extend deadlines for enforcement to ensure no one is left out. This will ensure that every sender maintains the highest standards of email sending practices. We will keep updating this blog for interested readers to return to from time to time and observe the latest updates!
PowerDMARC Helps You Meet the New Email Requirements
Enabling email authentication protocols requires strong technical knowledge and deep understanding. Things are easier with PowerDMARC. PowerDMARC is formed by a team of experts that help you activate DMARC, SPF, and DKIM easily. Our hosted services enable monitoring and reporting on a single cloud interface.
Our Google and Yahoo Compliance Program help you take simple and actionable steps:
- Understand email authentication and DMARC policies
- Set up DMARC, SPF, and DKIM
- Check the correctness of your setups with a single click
- Monitor your authentication results and deliverability
- Gain access to a range of other tools for advanced email protection
We also provide 24/7 assistance with a commitment toward customer satisfaction. Our one-on-one support ensures a smooth transition to enforced policies. This mitigates the risk of email deliverability issues. Contact us today to get started!
In addition to this, it is important to enable a one-click unsubscribe header. Keep your spam rate to a minimum as well. This will help you adhere to Google and Yahoo’s latest requirements in 2024.
Additional Questions
When do these new requirements come into action?
The new requirements for Google and Yahoo are set to come into action by 1st February 2024.
Whom do these new requirements impact?
Any email sender who sends more than 5,000 emails per day is subject to these latest requirements. However, Google’s general email sender requirements are applicable to all senders whether or not they send bulk messages on a regular basis.
What if I fail to fulfill the requirements?
Failing to fulfill Google and Yahoo’s email security requirements before 1st February 2024 will negatively impact your email’s deliverability rate. Your emails are more likely to end up in your recipient’s spam folder or get discarded outright by their mail server.
- Travel Cybersecurity Threats and How to Stay Protected - December 18, 2024
- Cybersecurity Best Practices for Digital Nomads in Japan - December 17, 2024
- NCSC Mail Check Changes & Their Impact on UK Public Sector Email Security - December 13, 2024