Gmail & Yahoo's new email sender requirements

Written by
Callum Brocklehurst
Published on
27/2/2024

Google and Yahoo are introducing mandatory email authentication requirements. If you send a high volume of email communications, non-compliance may result in issues delivering your emails to Gmail and Yahoo Mail inboxes.

This blog will explain the changes, why they are being made, and why they matter regardless of how many emails your business is sending.

Do you understand email authentication?

To understand Google and Yahoo’s changes, you first need to understand email authentication itself.

If you use your domain (yourbusiness.co.uk) to send emails (something@yourbusiness.co.uk), there are steps you can take to verify the source and legitimacy of your email messages. These let email service providers like Gmail and Yahoo Mail check where a message came from, confirm that it came from a trustworthy source, and treat it as safe to deliver to your recipient's inbox.

SPF, DKIM and DMARC

The three most widely adopted email authentication methods are SPF, DKIM and DMARC. Here is a basic introduction to each practice:

  1. SPF - Sender Policy Framework

Function: Establish the IPs that are allowed to send emails using your domain.

As the domain owner, you list the specific IPs and sources authorised to send mail for your domain. When a message arrives claiming to come from that domain, the receiver looks up the authorised sending sources and checks that the IP the message actually came from is among them.

  2. DKIM - DomainKeys Identified Mail

Function: Use cryptography to ‘sign’ email, verifying that the email was not altered in transit.

As the domain owner, you generate a public and private key pair. The private key is known only by the signing authority (typically your email service provider) and the public key is stored in your domain’s DNS.

When a message is sent, the signing authority computes a hash over specified parts of the message (selected headers and the body) and signs it with the private key, placing the resulting signature in the message headers.

The receiver can then use the public key to verify that signature. A valid signature shows that the signed content has not been altered in transit, and the signing domain takes responsibility for that content.

  3. DMARC - Domain-based Message Authentication, Reporting & Conformance

Function: Tell receivers what to do in the event of an SPF or DKIM authentication failure.

As the domain owner, you publish a DMARC policy in your DNS with recommendations on how you would like receivers to process your mail, based on SPF and DKIM authentication results.

This policy applies to all mail using that domain in the From header of the email.
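The three checks above, worked through in code as an added example (this is not code from the original post or from any of the providers it mentions). It evaluates an SPF record against a sending IP, computes the DKIM body hash that a verifier compares first, and applies a DMARC policy with alignment. The DNS records, IP addresses, the `example-esp.net` provider name and the small public-suffix set are all constructed placeholders so the script runs offline; a real verifier would perform live DNS lookups, handle the remaining SPF mechanisms (`a`, `mx`, `exists`, `redirect`), check the RSA signature over the headers, and use the full Public Suffix List.

```python
import base64
import hashlib
import ipaddress

# Constructed DNS TXT data standing in for live lookups so the example runs offline.
# Domain names, IPs and the ESP name are placeholders, not real infrastructure.
FAKE_DNS_TXT = {
    "yourbusiness.co.uk": "v=spf1 ip4:203.0.113.0/24 include:_spf.example-esp.net -all",
    "_spf.example-esp.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "_dmarc.yourbusiness.co.uk": "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourbusiness.co.uk; adkim=r; aspf=r",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, sending_ip: str, depth: int = 0) -> str:
    """SPF: walk the record left to right, returning the result of the first matching
    mechanism. Handles ip4, ip6, include and all (a, mx, exists, redirect omitted)."""
    if depth > 10:  # RFC 7208 limits DNS-driven recursion to 10 lookups
        return "permerror"
    record = FAKE_DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return result
        # an IPv4 address never matches an ip6 network and vice versa (ipaddress handles this)
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return result
        if mech == "include" and spf_check(arg, sending_ip, depth + 1) == "pass":
            return result
    return "neutral"  # record exhausted without an explicit 'all'


def dkim_body_hash(body: str) -> str:
    """DKIM (RFC 6376) bh= tag: base64 SHA-256 of the body after 'simple' canonicalisation
    (CRLF line endings, trailing empty lines reduced to one CRLF). A verifier compares this
    against bh= in the DKIM-Signature header before checking the signature over the headers."""
    canonical = body.replace("\r\n", "\n").replace("\n", "\r\n")
    canonical = canonical.rstrip("\r\n") + "\r\n"
    return base64.b64encode(hashlib.sha256(canonical.encode()).digest()).decode()


# Constructed subset of the Public Suffix List; a real verifier loads the full list.
PUBLIC_SUFFIXES = {"co.uk", "com", "net"}


def org_domain(domain: str) -> str:
    """Organisational domain: one label above the public suffix."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=quarantine; ...' into a tag dictionary."""
    return {k.strip(): v.strip() for k, v in
            (item.split("=", 1) for item in record.split(";") if "=" in item)}


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain) -> str:
    """DMARC passes if SPF or DKIM passed *and* that check's domain aligns with the
    From header domain; otherwise the published p= policy applies."""
    record = (FAKE_DNS_TXT.get("_dmarc." + from_domain)
              or FAKE_DNS_TXT.get("_dmarc." + org_domain(from_domain), ""))
    if not record.startswith("v=DMARC1"):
        return "none"  # no policy published: the receiver falls back to its own heuristics
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")  # none, quarantine or reject


if __name__ == "__main__":
    # Mail sent via the ESP's IP (authorised through include:) and DKIM-signed by the ESP's own domain
    spf = spf_check("yourbusiness.co.uk", "198.51.100.10")
    print("SPF:", spf, "DMARC:", dmarc_disposition("yourbusiness.co.uk", spf, "yourbusiness.co.uk", "pass", "example-esp.net"))
    # Mail from an unlisted IP with no valid DKIM signature: the p=quarantine policy applies
    spf = spf_check("yourbusiness.co.uk", "192.0.2.1")
    print("SPF:", spf, "DMARC:", dmarc_disposition("yourbusiness.co.uk", spf, "yourbusiness.co.uk", "fail", ""))
```

The second case in the `__main__` block is the one DMARC exists for: an unlisted server using your domain in the From header gets the quarantine disposition you published, rather than whatever the receiver would have guessed. The `aligned` check also shows why a DKIM signature from an email provider's own domain does not help your DMARC result: the signing domain must share your organisational domain, which is why providers ask you to publish their DKIM public key under your DNS.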

What are Gmail and Yahoo’s new email sender requirements?

SPF, DKIM, and DMARC are long-established practices, but the level of implementation has varied depending on each business's expertise, resources, and general regard for email security.

In 2023, Google and Yahoo decided that robust email authentication is now a prerequisite. This means that SPF, DKIM, DMARC and a range of other provisions must be put in place to ensure that emails arrive in the inboxes of Gmail and Yahoo users.

The requirements are:

  1. Implement full email authentication using SPF, DKIM and DMARC.

    Responsibility: Domain and email manager.
  2. Provide valid reverse DNS records for your sending server IP addresses. Each sending IP must have a reverse DNS (PTR) record identifying the sending host; mailbox providers perform this lookup when they receive the emails you send.

    Responsibility: Domain manager.
  3. Maintain a spam complaint rate under 0.3% in Google Postmaster Tools. If you haven't signed up yet, Google Postmaster Tools provides valuable information including your domain and IP reputation.

    Responsibility: Email manager.
  4. Allow recipients to unsubscribe by clicking just one link. Marketing messages and subscribed messages must support one-click unsubscribe and include a visible unsubscribe link in the message body. These unsubscriptions must be honoured within two days.

    Responsibility: Email manager or the platform that you use to send emails.
  5. Format email messages according to the Internet Message Format standard (RFC 5322), which covers the message headers, body, and attachments.

    Responsibility: The platform that you use to send emails.
  6. Use a TLS connection for transmitting email. Transport Layer Security (TLS) is a standard security protocol for communication over the internet that offers encryption and data privacy.

    Responsibility: The platform that you use to send emails.
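Requirements 4, 5 and 6 are message-level and can be checked before anything is sent. The script below is an added example (not code from the original post, from Google or Yahoo, or from any sending platform): it composes a message with the RFC 5322 headers and the RFC 8058 one-click unsubscribe headers, runs a pre-send check that reports which requirements a draft misses, and shows an SMTP submission over STARTTLS with certificate verification. The addresses, the unsubscribe URL and the `send_over_tls` helper (defined but not called, since there is no server to reach) are assumptions; `yourbusiness.co.uk` is the placeholder domain used in the post.

```python
import smtplib
import ssl
from email import policy
from email.message import EmailMessage
from email.utils import formatdate, make_msgid, parseaddr


def build_marketing_message(from_addr: str, to_addr: str, subject: str, text: str,
                            unsubscribe_url: str, unsubscribe_mailto: str) -> EmailMessage:
    """Compose a bulk message carrying the headers the sender requirements call for."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)  # RFC 5322 requires Date and From
    sending_domain = parseaddr(from_addr)[1].split("@")[-1]
    msg["Message-ID"] = make_msgid(domain=sending_domain)  # unique, and tied to your domain
    # RFC 8058 one-click unsubscribe: an https URI in List-Unsubscribe plus the
    # List-Unsubscribe-Post header, so the mailbox provider can POST to it directly
    msg["List-Unsubscribe"] = f"<{unsubscribe_mailto}>, <{unsubscribe_url}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    # The requirement also wants a visible link in the body, not only the header
    msg.set_content(f"{text}\n\nTo stop receiving these emails, unsubscribe here: {unsubscribe_url}\n")
    return msg


def bare_message(from_addr: str, text: str) -> EmailMessage:
    """A minimal draft of the kind a hand-rolled sender might produce, for comparison."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = from_addr
    msg.set_content(text)
    return msg


def sender_requirement_gaps(msg: EmailMessage) -> list:
    """Pre-send check: return the message-level requirements this draft fails to meet."""
    gaps = []
    for header in ("From", "Date", "Message-ID"):
        if header not in msg:
            gaps.append(f"missing {header} header (RFC 5322)")
    message_id = str(msg.get("Message-ID", ""))
    if message_id and not (message_id.startswith("<") and message_id.endswith(">") and "@" in message_id):
        gaps.append("Message-ID is not of the form <unique@domain>")
    if "https://" not in str(msg.get("List-Unsubscribe", "")):
        gaps.append("List-Unsubscribe header has no https URI")
    if str(msg.get("List-Unsubscribe-Post", "")) != "List-Unsubscribe=One-Click":
        gaps.append("List-Unsubscribe-Post header missing or malformed (RFC 8058)")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or "unsubscribe" not in body.get_content().lower():
        gaps.append("no visible unsubscribe link in the message body")
    return gaps


def send_over_tls(msg: EmailMessage, host: str, port: int = 587,
                  user: str = None, password: str = None) -> None:
    """Submit over SMTP with STARTTLS. The default context verifies the server certificate,
    and starttls() raises if the upgrade fails, so nothing is sent in plaintext.
    Assumed helper, not called in this example because there is no server to reach."""
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls(context=context)
        if user:
            smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed addresses and URL
    good = build_marketing_message(
        "Your Business <news@yourbusiness.co.uk>", "someone@example.com", "March offers",
        "Our spring range is now in stock.",
        "https://yourbusiness.co.uk/unsubscribe?t=abc123", "mailto:unsubscribe@yourbusiness.co.uk")
    print("compliant draft:", sender_requirement_gaps(good))
    print("bare draft:", sender_requirement_gaps(bare_message("news@yourbusiness.co.uk", "Big sale this week!")))
```

Running the script prints an empty list for the compliant draft and five findings for the bare one (no Date, no Message-ID, no https unsubscribe URI, no List-Unsubscribe-Post header, no unsubscribe text in the body). The check covers the message itself; whether the https endpoint actually removes the address within two days is something to test against your own sending platform.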

Why the change in requirements?

This move formalises email authentication ‘best practices’ into non-negotiable standards.

Historically, email service providers such as Gmail and Yahoo have been lenient regarding the authentication measures required from senders. Email authentication is a complex task, and not all senders possess the necessary tools or expertise to implement SPF, DKIM, and DMARC successfully.

The height of the pandemic saw a 220% increase in phishing incidents. In 2021, nearly 1 billion emails were exposed, affecting 1 in 5 internet users. As cybercrime continues to rise, there is a need to tighten security measures, safeguarding both the receiver and the sender.

Who does this affect?

The changes predominantly affect bulk senders. Google defines a bulk sender as:

A bulk sender is any email sender that sends close to 5,000 messages or more to personal Gmail accounts within 24 hours. Messages sent from the same primary domain count toward the 5,000 limit.

Google: Email sender guidelines FAQ

If you do not fall into the category of a bulk sender, we still recommend taking action promptly.

When do the changes come into effect?

The gradual rollout of enforcement for all requirements other than one-click unsubscribe begins this month - February 2024. The requirements will be enforced starting on April 1, 2024.

There are a handful of requirements that Venditan partner Klaviyo will automatically take care of for its users.

Final thoughts

Whether you are sending 5 or 5,000 emails a day, poor email authentication leaves a door wide open for malicious actors to impersonate your domain.

Adhering to these guidelines and best practices will position your business for successful email deliverability in the years to come. We anticipate that these measures will become standard for all senders in the not-too-distant future, so why wait?

If you are unsure of how to authenticate your emails in line with the latest requirements, you are welcome to contact us for advice and consultation.
