Today, Google announced a new set of requirements it plans to begin enforcing in February 2024 for senders that deliver more than 5,000 emails a day to Gmail. Simultaneously, Yahoo! has announced a similar set of requirements, though with less detail.
This article will focus on the Gmail requirements, but with Yahoo!’s news as well, you can consider this the new normal. The new requirements mark a change in how the industry views email authentication and best practices: what was once a set of recommendations is now becoming an enforceable set of requirements.
Email authentication was once seen simply as a recommended set of best practices to safeguard sending domains and prevent ecosystem abuse. Gmail’s announcement shifts that narrative from one of suggestion and recommendation to one of enforcement. The message is clear: the ecosystem needs to take authentication more seriously and adjust its sending practices and domain architecture accordingly.
For many years SendGrid has advised our customers to publish SPF and DKIM records (and has built tools to ease the process) to create a more secure sending domain and foster a healthier email ecosystem. Senders will now also have to publish a DMARC record to comply with Gmail’s new requirements.
Let’s pause there—the requirement is to publish a DMARC record, but the record doesn’t have to be at enforcement (p=reject or p=quarantine). This suggests that Gmail acknowledges the complexity of DMARC at scale—if done wrong, an enforcing policy can block legitimate senders sending on behalf of a domain.
This has always been one of the complexities and challenges with enabling DMARC. However, let’s be clear: publishing a DMARC record at enforcement has and will remain a best practice and clear strategy for preventing spoofing and other forms of domain-based abuse. We encourage all of our senders to publish DMARC at enforcement.
List of Requirements
Let’s take a closer look at the full list of requirements:
- Set up SPF and DKIM email authentication for your sending domain.
- Set up a DMARC policy for your sending domain.
  - As mentioned above, setting up a DMARC policy is more complex than setting up SPF and DKIM. Luckily there are tools out there like Valimail, in addition to others, that can help build DMARC records and help senders reach enforcement. We’d like to think that if you’re already going to spend the time to create the necessary records to achieve compliance, then taking the next step and ensuring your sending domain is secure from abuse is an easy lift. Keep in mind that BIMI and other inbox experiences require domain owners to have DMARC at enforcement.
- The domain in the sender’s From header must be aligned with either the SPF domain or the DKIM domain.
- Ensure that sending domains or IPs have valid forward DNS records and reverse DNS (PTR) records.
- For subscribed messages, enable one-click unsubscribe (list unsubscribe) with a clearly visible unsubscribe link in the message body.
  - Enabling one-click list unsubscribe has long been considered a strong way of avoiding someone marking your email as spam. Keep in mind that when someone marks your message as spam, that’s a hit against your entire mail stream—but a one-click unsubscribe simply affects a single recipient. This is the equivalent of someone saying, “it’s not you, it’s me” vs. reporting you for bad inbox etiquette.
- Keep spam rates reported in Google Postmaster Tools below 0.3%.
  - As mentioned above, keeping your spam complaint levels to a minimum has always been crucial when it comes to ensuring your emails have a chance of landing in the inbox. If you haven’t already, set up Google Postmaster today and start monitoring your complaint level. You can also monitor your performance using our Deliverability Insights to see all of your critical stats in one place.
- Format messages according to the Internet Message Format standard (RFC 5322).
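To make the list above concrete, here is an offline pre-flight check that runs one message through the authentication and unsubscribe requirements: SPF and DKIM records published, a DMARC record present (and whether it is at enforcement), the From domain aligned with the DKIM or SPF domain under the record’s adkim/aspf mode, and RFC 8058 one-click unsubscribe headers plus a visible link in the body. This is an added example written for this article, not SendGrid or Gmail code. The DNS answers, the domains, and the message (including its DKIM-Signature values) are constructed sample data; the organizational-domain logic is a simplified stand-in for the Public Suffix List, and the DKIM signature itself is not cryptographically verified.

```python
"""Offline pre-flight check of one message against the bulk-sender
requirements listed above. All DNS answers and the message are constructed
sample data; a real checker would resolve the records over DNS and verify
the DKIM signature."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DNS TXT answers keyed by record name (assumed data, not real zones).
DNS = {
    "example.com": ["v=spf1 include:sendgrid.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    # The public key is truncated placeholder text, not a real key.
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFA..."],
}

# Constructed sample message; the DKIM-Signature hash and signature are placeholders.
SAMPLE_MESSAGE = """\
From: Example Newsletter <news@example.com>
To: recipient@gmail.com
Subject: October update
Date: Mon, 2 Oct 2023 10:00:00 +0000
Message-ID: <20231002.1@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
List-Unsubscribe: <https://example.com/unsubscribe?u=abc123>, <mailto:unsubscribe@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello! To stop receiving these updates, visit https://example.com/unsubscribe?u=abc123
"""


def org_domain(domain):
    """Simplified organizational domain: the last two labels. Production code
    should consult the Public Suffix List (e.g. for co.uk domains)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_record(domain):
    """Parsed DMARC record for a domain, falling back to the organizational
    domain the way DMARC receivers do. Returns None if nothing is published."""
    for name in (domain, org_domain(domain)):
        for txt in DNS.get(f"_dmarc.{name}", []):
            if txt.lower().startswith("v=dmarc1"):
                return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return None


def has_record(name, prefix):
    """True if some TXT answer for `name` starts with `prefix` (case-insensitive)."""
    return any(txt.lower().startswith(prefix) for txt in DNS.get(name, []))


def check_message(raw, spf_domain):
    """Evaluate one RFC 5322 message. spf_domain is the domain SPF authenticated
    (the envelope MAIL FROM / Return-Path domain, which is not in the headers)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sig = msg.get("DKIM-Signature", "")
    d_tag = re.search(r"\bd=([^;\s]+)", sig)
    s_tag = re.search(r"\bs=([^;\s]+)", sig)
    dkim_domain = d_tag.group(1).lower() if d_tag else None

    r = {}
    r["spf_published"] = has_record(spf_domain, "v=spf1")
    r["dkim_published"] = bool(
        dkim_domain and s_tag
        and has_record(f"{s_tag.group(1)}._domainkey.{dkim_domain}", "v=dkim1")
    )
    dmarc = dmarc_record(from_domain)
    r["dmarc_published"] = dmarc is not None
    r["dmarc_enforcing"] = dmarc is not None and dmarc.get("p") in ("quarantine", "reject")
    adkim = dmarc.get("adkim", "r") if dmarc else "r"
    aspf = dmarc.get("aspf", "r") if dmarc else "r"
    r["from_aligned"] = bool(
        (r["dkim_published"] and aligned(from_domain, dkim_domain, adkim))
        or (r["spf_published"] and aligned(from_domain, spf_domain, aspf))
    )
    # RFC 8058 one-click: an https URI in List-Unsubscribe plus the POST header.
    r["one_click_unsub"] = (
        "<https://" in msg.get("List-Unsubscribe", "")
        and msg.get("List-Unsubscribe-Post", "").strip() == "List-Unsubscribe=One-Click"
    )
    r["unsub_link_in_body"] = re.search(r"https?://\S+", msg.get_payload()) is not None
    # p=none satisfies "publish a DMARC record"; enforcement is the recommendation, not the rule.
    required = ("spf_published", "dkim_published", "dmarc_published",
                "from_aligned", "one_click_unsub", "unsub_link_in_body")
    r["compliant"] = all(r[k] for k in required)
    return r


if __name__ == "__main__":
    for key, value in check_message(SAMPLE_MESSAGE, "example.com").items():
        print(f"{key:20} {'OK' if value else 'MISSING'}")
```

Run against the constructed message, the sample passes every requirement but reports `dmarc_enforcing` as missing, which is exactly the gap between compliance (p=none) and the enforcement we recommend. Changing the From address to a domain that does not match the DKIM d= or SPF domain flips `from_aligned` and `compliant` to false, which is the failure mode the alignment requirement targets.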
Looking over the new list of requirements, it becomes clear that what we previously took for granted as something that all senders did (or aspirationally tried to do) is now regarded as table stakes—and Gmail will enforce against those senders that are not doing it. However, the good news is that enforcement is still a ways off, and Twilio SendGrid is working to ensure that everyone using our platform to send email has the guidance, resources, and technology to meet these requirements.
Google and Yahoo! are pushing the industry to take security more seriously—for that, we applaud them. Like any change that affects a channel with 50+ years of history behind it, and represents the most pervasive form of digital communication, there will be friction and discomfort. However, it is our firm belief that in the long run, we are starting a march toward a more secure and richer inbox experience.