Inbox providers like Gmail and Yahoo! face a daily battle to protect their users’ inboxes. As Marcel Becker, Sr Director of Product Management at Yahoo!, says, “A key mission of Yahoo is to deliver messages that consumers want to receive and filter out the messages they don’t.”
Spammers and other bad actors are going nowhere.
In a new effort to further protect their users’ inboxes, both Gmail and Yahoo! introduced a new set of requirements senders must meet by February 2024 in order for mail to be delivered as expected to their subscribers.
Now that the list of requirements has been released, let’s take a closer look at each requirement and what you need to do to make sure you are compliant.
Best practices become requirements
Let’s start with some good news: the list of requirements below should already be familiar to you.
These have long been considered best practices in the email world and codified in documents like M3AAWG’s Best Common Practices. With this announcement, Gmail and Yahoo! are turning the ecosystem’s known best practices into enforceable requirements. To date, Google has provided more specifics around these requirements, so we will focus on their list for now.
Let’s dive in…
1. Set up SPF and DKIM email authentication for your domain.
What does it mean? DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) are the two foundational forms of email authentication. DKIM uses asymmetric cryptography to sign and verify your email. SPF allows you to list all the IP addresses that are authorized to send email on behalf of your domain.
When you opened your SendGrid account, you were prompted to set up your SPF and DKIM records. This is a standard component of our onboarding process, given the importance the industry puts on securing a sending domain.
What should I do if I didn’t set up an SPF or DKIM record?
You can create and update your SPF and DKIM records through the domain authentication process.
2. Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records.
What does it mean? Reverse DNS allows mailbox providers to verify the sender when they do a reverse DNS lookup upon receipt of the emails you send. When you update your DNS provider with a DNS record provided by SendGrid, and then send mail over your IP, the recipient’s email service provider performs a reverse DNS lookup (rDNS) using an A Record (address record).
An A Record maps your domain to your IP address. When a mailbox provider looks up your A Record, they see your SendGrid IP address. When they look at your IP address, they see the rDNS that matches your A Record. This circular checking proves your SendGrid IP association with your domain and your domain association with your SendGrid IP.
What should I do? We have step-by-step directions to set up reverse DNS on your sending IP address.
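The circular check described above (IP to hostname, then hostname back to IP) can be tested for any sending IP. This is an added example, not SendGrid's code; the PTR/A data is constructed, and the default lookups use the system resolver and cover IPv4 only.

```python
import socket

# Constructed sample zone data (documentation IP ranges), used for offline runs.
SAMPLE_PTR = {"192.0.2.10": "o1.mail.example.com", "192.0.2.20": "host.example.net"}
SAMPLE_A = {"o1.mail.example.com": ["192.0.2.10"], "host.example.net": ["198.51.100.7"]}


def fcrdns(ip, reverse=None, forward=None):
    """Forward-confirmed reverse DNS: PTR(ip) -> host, then A(host) must contain ip.

    `reverse` and `forward` are optional lookup callables (hypothetical hooks for
    testing); by default the system resolver is used.
    """
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    forward = forward or (lambda host: socket.gethostbyname_ex(host)[2])
    try:
        host = reverse(ip)
    except (OSError, KeyError):
        # No PTR record at all: receivers cannot name the sending host.
        return {"ip": ip, "ptr": None, "confirmed": False}
    try:
        addrs = forward(host)
    except (OSError, KeyError):
        addrs = []
    # The loop is only closed when the hostname resolves back to the same IP.
    return {"ip": ip, "ptr": host, "confirmed": ip in addrs}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(fcrdns(ip, SAMPLE_PTR.__getitem__, SAMPLE_A.__getitem__))
```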
3. Keep spam rates reported in Postmaster Tools below 0.3%.
What does it mean? Senders will need to maintain their spam complaint rate below 0.3% in Google Postmaster.
What should I do? Do you have Google Postmaster set up? If the answer is no, sign up today. You will find very valuable information there, including your domain and IP reputation. You will also find your spam complaint rate with Google subscribers. Outside of Google, you can keep an eye on your complaint rates at Yahoo, Microsoft, etc., in Deliverability Insights.
If you notice you are exceeding the 0.3% threshold, take a look at these tips to reduce your complaint rate.
4. Format messages according to the Internet Message Format standard (RFC 5322).
What does it mean? RFC 5322 is an Internet standard that defines the correct format for email messages. That covers the message headers, body, and attachments.
What should I do? SendGrid already blocks emails that don’t follow RFC 5322, for example when a From header is not included. Look through the Internet Message Format and confirm each component (envelope, body, header, and attachments) meets the requirements.
5. Don’t impersonate Gmail From: headers.
What does it mean? Gmail will begin to utilize a DMARC policy of ‘quarantine.’ If you attempt to impersonate a Gmail From: header, that will likely impact your email delivery.
What should I do? This one is quite simple. Don’t impersonate a Gmail From: header. In a nutshell, don’t send from ‘email@example.com’.
6. If you regularly forward email (including using mailing lists or inbound gateways), add ARC headers to outgoing email.
What does it mean? As Google helps explain in their blog post, ARC verifies previous authentication checks for forwarded messages and helps ensure forwarded messages are delivered to the final recipients.
How do you know if your mail is being forwarded? Your mail is being forwarded if you send to mailing list services that forward messages onto final destination inboxes or inbound gateways. It’s important not to confuse list-serv forwarding with an individual recipient forwarding an email from their inbox. List forwarding or List Serving is a specific routing challenge addressed by ARC.
What should I do? This requirement will impact a very small fraction of senders, as ARC is handled on the recipient server side when a message is forwarded. Read through Google’s blog post on ARC if you regularly forward mail.
7. Set up DMARC email authentication for your sending domain.
What does it mean? DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard that builds on SPF and DKIM. DMARC communicates a policy to mailbox providers letting them know what they should do when they receive an email that fails an SPF, DKIM, or SPF and DKIM check purporting to be from your domain (possibly spoofed).
What should I do? If you don’t already have a DMARC record in place, you will need to add one to your DNS. If you’re not sure if you already have DMARC in place, you can check through Valimail for free.
Here are the steps to implement DMARC:
- Go to your DNS hosting provider and create a record.
- Select TXT DNS record type.
- Add the host value ‘_DMARC’. If your DNS provider does not automatically append your domain name, adjust the host value to include your domain ‘_dmarc.domain.com’.
- Create your DMARC record and add it to the DNS TXT value. A simple DMARC record should look like: ‘v=DMARC1; p=none; rua=mailto:firstname.lastname@example.org’. The rua tag is used to define where the DMARC reports should be sent. Included in our example DMARC record is Valimail’s monitoring address, as they provide free monitoring.
- Hit the save/submit button and verify your DMARC record has been added correctly to your DNS.
Each DMARC record needs to define a policy, which can be one of three options: none, quarantine, or reject. Although Gmail’s requirement for DMARC is to set it at p=none, this is a minimum bar. A policy of p=none instructs the receiving mailbox provider to take no action on an email that fails an SPF/DKIM check.
The best and most secure setting is what’s called DMARC at enforcement: p=reject or p=quarantine. However, this requires additional work to ensure that this record incorporates all of the 3rd parties sending on behalf of your domain. Publishing the record incorrectly could cause your mail from these providers not to be delivered. Work with your technical personnel to ensure that your DMARC is properly formatted and affords you the greatest level of protection.
8. For direct mail, the domain in the sender’s From: header must be aligned with either the SPF domain or the DKIM domain.
What does it mean? You need to pass DMARC alignment to satisfy this requirement. The domain you include in your From: header must align with either the SPF domain or the DKIM domain. Alignment refers to the verification that the DKIM and SPF signatures in your email headers align with the domain you’ve authenticated your SendGrid account with.
What should I do? In a simplified answer, you need to ensure the “from” address you are specifying in the “From: header” matches the domain you authenticated with SPF or DKIM. Beyond the simplified answer, there is strict alignment and relaxed alignment and several scenarios (including the use of subdomains) you need to consider. Thankfully, Google has an entire blog post explaining those scenarios in great detail.
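The strict and relaxed alignment scenarios, including subdomains, can be expressed as a small check. This is an added example, not Google's or SendGrid's code; the `aspf`/`adkim` parameters mirror the DMARC alignment-mode tags, and the suffix set is a constructed stand-in for the Public Suffix List that a real implementation needs.

```python
# Constructed stand-in for the Public Suffix List (assumption for this example).
SAMPLE_SUFFIXES = {"com", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i = 0 tests the longest candidate suffix first
        if ".".join(labels[i:]) in SAMPLE_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # assumption: unknown suffix, keep last two labels


def aligned(from_domain, auth_domain, mode="r"):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_aligned(from_domain, spf_domain=None, dkim_domain=None, aspf="r", adkim="r"):
    """Alignment passes if the SPF domain OR the DKIM d= domain aligns with From:.

    spf_domain is the envelope sender (Return-Path) domain that passed SPF,
    dkim_domain is the d= value of a valid signature; None = did not authenticate.
    """
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, adkim)
    return {"spf": spf_ok, "dkim": dkim_ok, "pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    # Constructed scenarios: subdomain Return-Path, then a third-party sender.
    print(dmarc_aligned("example.com", "em123.example.com", "example.com"))
    print(dmarc_aligned("example.com", "em123.example.com", "example.com", aspf="s"))
    print(dmarc_aligned("example.com", "bounce.esp-example.net", "esp-example.net"))
```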
9. For subscribed messages, enable one-click unsubscribe and include a clearly visible unsubscribe link in the message body.
What does it mean? One-click unsubscribe (list unsubscribe) provides a second method for subscribers to easily remove themselves from your mailing list. The List-Unsubscribe header will insert an “unsubscribe” button, or link, next to the From address at the top of your email.
What should I do? If you enable SendGrid’s subscription tracking feature, SendGrid will automatically insert the List-Unsubscribe header in all of your text and HTML emails. Alternatively, if you do not want to use subscription tracking, there are steps you can take to implement list-unsubscribe. The FTC (Federal Trade Commission) recently provided a clear distinction between what classifies as a transactional email vs commercial email.
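If you implement list-unsubscribe yourself, you can check an outgoing message for the one-click headers before sending. This is an added example, not SendGrid's code; it assumes the RFC 8058 form of one-click (an https URI in List-Unsubscribe plus a List-Unsubscribe-Post header), which the page does not spell out, and the sample message is constructed.

```python
import re
from email import message_from_string

# Constructed sample message for offline testing.
SAMPLE = (
    "From: News <news@example.com>\n"
    "To: reader@example.net\n"
    "Subject: Weekly update\n"
    "List-Unsubscribe: <mailto:unsub@example.com>, <https://example.com/u/abc123>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "\n"
    "Body with a visible unsubscribe link: https://example.com/preferences\n"
)


def check_unsubscribe(raw):
    """Return findings about the one-click unsubscribe headers of a raw message."""
    msg = message_from_string(raw)
    header = msg.get("List-Unsubscribe")
    if header is None:
        return ["missing List-Unsubscribe header"]
    findings = []
    # The header carries one or more URIs, each wrapped in angle brackets.
    uris = re.findall(r"<([^>]+)>", header)
    if not any(u.strip().lower().startswith("https://") for u in uris):
        findings.append("List-Unsubscribe has no https:// URI for one-click")
    # RFC 8058 signals one-click support with this exact header value.
    post = msg.get("List-Unsubscribe-Post", "")
    if post.strip().lower() != "list-unsubscribe=one-click":
        findings.append("missing List-Unsubscribe-Post: List-Unsubscribe=One-Click")
    return findings


if __name__ == "__main__":
    print(check_unsubscribe(SAMPLE))  # the constructed sample has both headers
```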
Get the technical help you need
Although most of these requirements apply to all senders, the last three in the list (DMARC record, alignment, and one-click unsubscribe) are new and only apply to senders that send over 5,000 messages per day.
If you find yourself overwhelmed looking at the list of requirements and don’t know where to start, we have you covered. Our Professional Services team is a group of experts here to help you navigate domain authentication, alignment, DMARC, complaint levels, etc. Contact us today to ensure you meet each requirement well ahead of the February 2024 deadline.