
Understanding Google and Yahoo's new bulk sender requirements

Dee Mirai

In February 2024, both Yahoo and Google will be releasing a major update that affects how you send email to Gmail and Yahoo/AOL inboxes. These new requirements affect free Gmail accounts, Google Workspace accounts, Yahoo Mail, and AOL.

Here's how Google described the update in their announcement:

Starting in 2024, we’ll require bulk senders to authenticate their emails, allow for easy unsubscription and stay under a reported spam threshold.

There are two sets of requirements for bulk senders: one for senders who send fewer than 5,000 emails per day to Gmail/Workspace inboxes, and one for those who send more. Here's what they'll require from all bulk senders:

  • Set up SPF or DKIM authentication
  • Ensure that sending domains and their respective sending IPs have valid forward and reverse DNS records
  • Keep spam rates reported in Google Postmaster Tools below 0.3%
  • Format messages according to the Internet Message Format standard (RFC 5322)
  • Don't impersonate Gmail From: headers
  • If you regularly forward email, add ARC headers to outgoing email

And if you send more than 5,000 emails per day, you also need to:

  • Set up SPF and DKIM authentication
  • Set up DMARC authentication and pass DMARC alignment
  • Enable one-click unsubscribe with a clearly visible unsubscribe link

Note: while this article refers to Google, Yahoo’s requirements are stated to be the same.

When do I have to comply with the Google changes?

The update will be released February 1st, 2024. If you currently send over 5,000 emails per day to Gmail accounts, Google recommends working on these changes immediately.

To prevent potential deliverability problems in February, you should start looking at how to fulfil these requirements now.

What are the new requirements for sending to Gmail accounts?

1. Set up SPF and/or DKIM authentication

SPF and DKIM are two core email authentication methods. Not only do SPF and DKIM protect your emails individually, but they’re also needed for DMARC.

SPF and DKIM testing with SendForensics

2. Have valid forward and reverse DNS records

Your sending domain and its respective sending IP(s) must have valid forward and reverse DNS records (also called PTR records). PTR records verify that the sending hostname is associated with the sending IP address.

You probably already have a valid forward DNS record, but you might need to set up a reverse DNS record if it hasn't already been done for you by an ESP (especially if you are using a dedicated IP). See your forward and reverse DNS records and test results in SendForensics' infrastructure analysis:

If both rDNS tests pass, your PTR record is valid. You can also check your PTR record with Google's Dig tool.
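
A forward-confirmed reverse DNS check of the kind described above, as an added example that is not part of the original article. The lookup functions are injectable so that the constructed sample records (documentation addresses and example hostnames, all assumptions) can stand in for live DNS.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR names for ip from the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_forward(hostname):
    """All A/AAAA addresses the system resolver returns for hostname."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(hostname, None)]
    except OSError:
        return []


def check_fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """PTR(ip) must give a name, and that name must resolve back to ip."""
    target = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return {"ip": ip, "status": "no-ptr", "confirmed": []}
    confirmed = []
    for name in names:
        for addr in forward_lookup(name):
            try:
                if ipaddress.ip_address(addr) == target:
                    confirmed.append(name)
                    break
            except ValueError:  # resolver returned something unparsable
                continue
    status = "pass" if confirmed else "forward-mismatch"
    return {"ip": ip, "status": status, "confirmed": confirmed}


# Constructed records (RFC 5737 documentation addresses) so this runs offline.
SAMPLE_PTR = {"192.0.2.10": ["mail.example.com."], "192.0.2.20": ["host.isp.example."]}
SAMPLE_FWD = {"mail.example.com": ["192.0.2.10"], "host.isp.example": ["198.51.100.7"]}


def sample_results():
    ips = ("192.0.2.10", "192.0.2.20", "192.0.2.30")
    return [check_fcrdns(ip, lambda i: SAMPLE_PTR.get(i, []),
                         lambda n: SAMPLE_FWD.get(n, [])) for ip in ips]
```

Calling `check_fcrdns("<your sending IP>")` with no other arguments uses the system resolver instead of the sample records.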

3. Keep your Google Postmaster Tools spam rate below 0.3%

Google Postmaster Tools is a free tool that monitors your Google reputation. If you’re already exceeding a 0.3% spam rate regularly, you’re probably already seeing some deliverability issues. Once the changes kick in, this will get worse.

Monitor your Google Postmaster Tools reports regularly, or integrate it with SendForensics to get alerts on your spam rate and other problematic thresholds.

Monitor your reputation with SendForensics

4. Don't impersonate Gmail From: headers

In February, Google will begin enforcing a DMARC quarantine policy on at least gmail.com and googlemail.com email addresses. So if you send business emails using a @gmail.com email address from a sending system other than Gmail itself, these emails will very likely end up in spam (if they don't already).

If you send business emails using a @gmail.com email address, this is one more reason (of many) to switch to your own domain.

5. If you regularly forward email, add ARC headers to outgoing email

This is mostly applicable to receivers such as inbox providers, ISPs and the like, when they forward email to other destinations.

Authenticated Received Chain (ARC) checks the previous email authentication results of forwarded emails. Without it, forwarded emails can result in authentication failures.

If a forwarded message passes SPF or DKIM authentication, but ARC shows it previously failed authentication, Gmail treats the message as unauthenticated.

6. Comply with DMARC authentication

Starting in February, DMARC authentication is mandatory if you send over 5,000 emails per day to Gmail accounts and recommended even if you don't. Messages that aren't authenticated might be marked as spam or rejected with a 5.7.26 error.

While it is possible to implement and monitor DMARC on your own, the easiest way to get started with DMARC is using a tool like SendForensics.

Sample results for DMARC report-processing within SendForensics

Google only requires DMARC compliance, not a specific policy. p=none is enough to meet this requirement as long as your emails are DMARC compliant (though you should still look at upgrading to p=quarantine or p=reject eventually).

The topic of DMARC could be several articles on its own. Check out our beginner’s guide to DMARC, or this step-by-step guide to implementing DMARC.

7. Make sure the domain in your From: header is aligned with either the SPF or DKIM domain

This is required to pass DMARC alignment and become DMARC compliant.

While smaller senders technically only need to implement one of SPF or DKIM, this alignment requirement is why we recommend implementing both. If SPF alignment fails for whatever reason, at least you can fall back on DKIM alignment. When using an email service provider, this often means adding a second DKIM signature with your custom domain.
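
The alignment rule above, worked through as an added example (not code from the article or from SendForensics). The domain names, the `dmarc_evaluate` helper and the three-entry suffix set standing in for the Public Suffix List are assumptions for illustration.

```python
from email.utils import parseaddr

# Assumption: a tiny stand-in for the Public Suffix List, which real DMARC
# evaluators consult to find the organizational domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def org_domain(domain):
    """Organizational domain: public suffix plus one label (simplified)."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(from_domain, auth_domain, strict=False):
    """Strict alignment: exact match. Relaxed: same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if strict else org_domain(a) == org_domain(b)


def dmarc_evaluate(from_header, spf, dkim, aspf="r", adkim="r"):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain)."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf == "s")
    dkim_ok = [d for result, d in dkim
               if result == "pass" and aligned(from_domain, d, adkim == "s")]
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or bool(dkim_ok)}


# Constructed cases: an ESP sends for example.com with its own bounce domain.
FROM = "Example News <news@example.com>"
ESP_SPF = ("pass", "bounce.esp.example")
# SPF and DKIM both pass, but only for the ESP's domains: no alignment.
ESP_ONLY = dmarc_evaluate(FROM, ESP_SPF, [("pass", "esp.example")])
# A second DKIM signature with the sender's own domain gives relaxed alignment.
WITH_CUSTOM_DKIM = dmarc_evaluate(
    FROM, ESP_SPF, [("pass", "esp.example"), ("pass", "mail.example.com")])
# Under adkim=s the subdomain signature no longer aligns with example.com.
STRICT_DKIM = dmarc_evaluate(FROM, ESP_SPF, [("pass", "mail.example.com")], adkim="s")

if __name__ == "__main__":
    for case in (ESP_ONLY, WITH_CUSTOM_DKIM, STRICT_DKIM):
        print(case)
```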

If you send over 5,000 emails a day to Gmail accounts, marketing messages and subscribed messages must support one-click unsubscribe.

Your email service provider should handle this for you, so contact them for more information. If you manage your own email, add both of these headers in outgoing messages:

  • List-Unsubscribe-Post: List-Unsubscribe=One-Click
  • List-Unsubscribe: <https://acme.com/unsubscribe/example>

These headers are defined in RFC 8058 and RFC 2369 respectively.

Your emails should already include a clear unsubscribe link that leads to a page that makes it easy for recipients to unsubscribe from all mail.

Some senders use a preferences center to let people choose what kind of messages they want to receive. In this case, you must also separately allow people to unsubscribe from all emails in one step.
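
An added example, not from the original article, that attaches the two headers above to an outgoing message and checks a message before it is sent. The function names and the sample message are assumptions; the DKIM check only confirms that the h= tag lists both headers, which RFC 8058 requires, and does not verify the signature itself.

```python
import re
from email import message_from_string
from email.message import EmailMessage


def add_one_click_headers(msg, https_url):
    """Attach the RFC 2369 / RFC 8058 header pair to an outgoing message."""
    if not https_url.lower().startswith("https://"):
        raise ValueError("RFC 8058 one-click needs an HTTPS URI")
    msg["List-Unsubscribe"] = f"<{https_url}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    return msg


def check_one_click(raw):
    """Return a list of problems; an empty list means the headers are in order."""
    msg = message_from_string(raw)
    problems = []
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.strip().lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no https URI")
    if msg.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post missing or wrong value")
    # RFC 8058 also requires a DKIM signature whose h= tag covers both headers.
    covered = set()
    for sig in msg.get_all("DKIM-Signature", []):
        match = re.search(r"\bh=([^;]+)", sig)
        if match:
            covered |= {h.strip().lower() for h in match.group(1).split(":")}
    for name in ("list-unsubscribe", "list-unsubscribe-post"):
        if name not in covered:
            problems.append(f"{name} not covered by a DKIM h= tag")
    return problems


def sample_message(signed_headers):
    """Constructed message; the DKIM-Signature is a placeholder, not a real one."""
    msg = EmailMessage()
    msg["From"] = "news@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Monthly update"
    add_one_click_headers(msg, "https://example.com/unsubscribe/example")
    msg["DKIM-Signature"] = ("v=1; a=rsa-sha256; d=example.com; s=sel1; "
                             f"h={signed_headers}; bh=PLACEHOLDER; b=PLACEHOLDER")
    msg.set_content("Hello")
    return msg.as_string()
```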

Is there anything else I have to do?

Google has published a few other, smaller requirements.

  • Format messages according to the Internet Message Format standard (RFC 5322)
  • Don't use HTML and CSS to hide content in your messages

An email testing platform like SendForensics can highlight issues with these requirements.

You can see the full list of requirements on Google support.

Special considerations for email service providers

If you're an ESP, you should:

  • Provide an email address for reporting email abuse
  • Make sure your contact information on your WHOIS record and on abuse.net is current
  • Immediately remove any client using your service to send spam

SendForensics can help you automatically detect clients sending problematic emails before the emails leave your network. Contact us here for more information.
