Explained. New Gmail and Yahoo! sending requirements.

In a move to help protect recipients from unwanted emails, Google announced new requirements that will be enforced in April 2024, impacting senders with volumes greater than 5,000 emails a day to Gmail users. But it’s not just Google, Yahoo has also announced the same set of requirements that will help better protect their email users.

The new requirements are turning what were previously email authentication and unsubscribe recommendations and best practices into an enforceable set of requirements. Bulk senders must ensure they follow these rules around authentication and unsubscribe processes, adjusting their sending practices and domain architecture to stay compliant.

Why new requirements for bulk senders?

The announcement of new requirements forms part of Google and Yahoo's continued effort to make email more secure. Just last year, Google added requirements that emails sent to Gmail address must have some sort of authentication, which has helped to declutter inboxes and block malicious messages. So, while progress has been made, here comes a new set of regulations to help create a safer and healthier email ecosystem.

Understanding the new Gmail and Yahoo! requirements

By April 2024, Gmail and Yahoo will start rejecting a percentage of emails from bulk senders that do not meet the requirements below and then will continue to ramp up enforcement:

Add email authentication methods to domains

Google and Yahoo! don’t want users worrying about email security, but they should be able to rely on an email’s source with confidence. They now require senders set up authentication methods for your domain to help combat phishing messages and protect businesses from being impersonated. As part of this, Google and Yahoo! will perform a number of checks on messages sent to inboxes.

To improve email delivery, senders must set up and be able to publish Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records which help to create a more protected inbox. SPF allows senders to list all the IP addresses that are authorized to send email on behalf of their domain, so that the inbox providers can filter out illegitimate emails acting like they are coming from your domain and receiving servers use DKIM to verify that the domain owner sent the message, and the email has not been changed during transmission.

The next step is to set up a DMARC policy for your sending domain. DMARC lets you publish a record that tells receiving servers what to do with messages from your domain that don’t pass SPF or DKIM checks. The actions can be reject, quarantine, or none (meaning take no action). The requirement is to publish a DMARC record even if it instructs the receiving mailbox provider to take no action, which is the friendliest action, on emails that fail SPF and DKIM.

Ensure alignment of sender domains

Following on from the requirements mentioned above, your sending IP address must have a Pointer record (also referred to as PTR record). This method of authentication verifies the domain in a sender’s ‘From’ header matches with either the SPF domain or the DKIM domain. In summary, senders must ensure the sending domains or IP addresses have valid forward and reverse DNS records.

Enable one-click unsubscribe for subscription-based messages

Google and Yahoo want to ensure users always have an easy way to unsubscribe from a particular email sender. They now require large senders support the ability to unsubscribe from an email in one click, and requests should be processed in two days. This seamless method is a must have because if a user marks your message as spam, this will negatively impact a domain’s sender score which can affect a sender’s ability to deliver emails to inboxes but an unsubscribe only affects one user.

Keep spam rates low

To stop users being bombarded with unwanted messages, Google and Yahoo will be enforcing clear spam rate thresholds that senders must comply to. Moving forwards, keeping your spam complaint level to a minimum is even more essential to ensuring your emails arrive to the inbox successfully. You should regularly monitor your domain’s spam rate in Postmaster Tools, keeping your rate spam below 0.10% and avoid ever reaching a rate of 0.30%.

Making compliance easy

The message from Google and Yahoo is clear: the industry must elevate its security standards! Therefore, while this blog is focused on the Gmail and Yahoo requirements, this is a sign of the approaching regulations becoming the new normal and we could expect to see requirements introduced by the likes of Microsoft, Apple. And while there will be some challenges, they pave the way for a more secure, efficient, and trustworthy email landscape.

Our team at Webex CPaaS is committed to equipping our clients with the necessary tools and knowledge to navigate these changes effectively. Look out for our upcoming blog on how we will be enhancing Webex Connect and Webex Campaign to respond to these new requirements from Google.