Gmail and Yahoo’s New Sender Requirements: A Closer Look


October 09, 2023
Written by
Denis O'Sullivan
Contributor
Opinions expressed by Twilio contributors are their own


Inbox providers like Gmail and Yahoo! face a daily battle to protect their users’ inboxes. As Marcel Becker, Sr Director of Product Management at Yahoo!, says, “A key mission of Yahoo is to deliver messages that consumers want to receive and filter out the messages they don’t.”

Spammers and other bad actors are going nowhere. 

In a new effort to further protect their users’ inboxes, both Gmail and Yahoo! introduced a new set of requirements senders must meet by February 2024 in order for mail to be delivered as expected to their subscribers. If a sender does not meet the requirements by February 2024, they will start to see temporary errors occurring on a small percentage of their non-compliant mail to Google recipients. In April 2024, a small percentage of the mail will be rejected and that percentage will gradually increase over time. The requirement for senders to implement one-click unsubscribe will not be enforced until June 2024.

Google provided an example in their blog post: “If 75% of a sender’s traffic meets our requirements, we’ll start rejecting a percentage of the remaining 25% of traffic that isn’t compliant.”

Now that the list of requirements has been released, let’s take a closer look at each requirement and what you need to do to make sure you are compliant.

Best practices become requirements

Let’s start with some good news: the below list of requirements should already be familiar to you. 

These have long been considered best practices in the email world and codified in documents like M3AAWG’s Best Common Practices. With this announcement, Gmail and Yahoo! are turning the ecosystem's known best practices into enforceable requirements. To date, Google has provided more specifics around these requirements, so we will focus on their list for now. 

Let’s dive in…

1. Set up SPF and DKIM email authentication for your domain.

What does it mean? DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) are the two foundational forms of email authentication. DKIM uses asymmetric (public-key) cryptography to sign your email so that receivers can verify it. SPF allows you to list all the IP addresses that are authorized to send email on behalf of your domain. When you opened your SendGrid account, you were prompted to set up your SPF and DKIM records. This is a standard component of our onboarding process, given the importance the industry puts on securing a sending domain. 

What should I do if I didn’t set up an SPF or DKIM record?

You can create and update your SPF and DKIM records through the domain authentication process. 

2. Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records. 

What does it mean? Reverse DNS allows mailbox providers to verify the sender when they do a reverse DNS lookup upon receipt of the emails you send. When you update your DNS provider with a DNS record provided by SendGrid, and then send mail over your IP, the recipient's email service provider performs a reverse DNS lookup (rDNS) using an A Record (address record). 

An A Record maps your domain to your IP address. When a mailbox provider looks up your A Record, they see your SendGrid IP address. When they look at your IP address, they see the rDNS that matches your A Record. This circular checking proves your SendGrid IP association with your domain and your domain association with your SendGrid IP.

What should I do? We have step-by-step directions to set up reverse DNS on your sending IP address.

If you are using a shared IP, reverse DNS is already taken care of and you do not need to worry about this requirement.

3. Keep spam rates reported in Postmaster Tools below 0.3%.

What does it mean? Senders will need to maintain their spam complaint rate below 0.3% in Google Postmaster.

What should I do? Do you have Google Postmaster set up? If the answer is no, sign up today. Senders will find very valuable information—including your domain and IP reputation. You will also find your spam complaint rate with Google subscribers. Outside of Google, you can keep an eye on your complaint rates at Yahoo, Microsoft, etc., in Deliverability Insights.

If you notice you are exceeding the 0.3% threshold, take a look at these tips to reduce your complaint rate.

4. Format messages according to the Internet Message Format standard (RFC 5322).

What does it mean? RFC 5322 is an Internet standard that defines the correct format for email messages. That covers the message headers, body, and attachments.

What should I do? SendGrid already blocks emails that don’t follow RFC 5322, for example when a From header is not included. Look through the Internet Message Format standard and confirm each component (envelope, body, header, and attachments) meets the requirements.

5. Don’t impersonate Gmail From: headers. 

What does it mean? Gmail will begin to utilize a DMARC policy of ‘quarantine.’ If you attempt to impersonate a Gmail From: header, that will likely impact your email delivery.

What should I do? This one is quite simple. Don’t impersonate a Gmail From: header. In a nutshell, don’t send from ‘example@gmail.com’. 

6. If you regularly forward email (including using mailing lists or inbound gateways), add ARC headers to outgoing email.

What does it mean? As Google helps explain in their blog post, ARC verifies previous authentication checks for forwarded messages and helps ensure forwarded messages are delivered to the final recipients.

How do you know if your mail is being forwarded? Your mail is being forwarded if you send to mailing list services that forward messages onto final destination inboxes or inbound gateways. It’s important not to confuse list-serv forwarding with an individual recipient forwarding an email from their inbox. List forwarding or List Serving is a specific routing challenge addressed by ARC.

What should I do? This requirement will impact a very small fraction of senders, as ARC is handled on the recipient server side when a message is forwarded. Read through Google’s blog post on ARC if you regularly forward mail. 

7. Set up DMARC email authentication for your sending domain. 

What does it mean? DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard that builds on SPF and DKIM. DMARC communicates a policy to mailbox providers letting them know what they should do when they receive an email that fails an SPF, DKIM, or SPF and DKIM check purporting to be from your domain (possibly spoofed).

What should I do? If you’re not sure whether you already have a DMARC policy in place, you can verify through SendGrid’s Sender Authentication Page. We display a default record of v=DMARC1; p=none, however we will return a successful authentication if we identify any valid DMARC policy in your DNS records.

If you don’t already have a DMARC record in place, you will need to add one to your DNS.

Here are the steps to implement DMARC:

  • Go to SendGrid’s Sender Authentication and copy the host and value txt record with DMARC.
  • Go to your DNS hosting provider and create a record.
  • Select TXT DNS record type.
  • Add the host value you’ve copied from sender authentication ( _DMARC followed by your domain).
  • Paste the DMARC record (value column) copied from the sender authentication page. This should look like “v=DMARC1; p=none;”. You can also include an rua tag such as rua=mailto:dmarc_agg@vali.email. The rua tag is used to define where the DMARC reports should be sent; however, it is not required. Included in our example DMARC record is Valimail’s monitoring address, as they provide free monitoring. 
  • Hit the save/submit button and verify your DMARC record has been added correctly to your DNS.

Each DMARC record needs to define a policy, which can be one of three options: none, quarantine, or reject. Although Gmail’s requirement for DMARC is to set it at p=none, this is the minimum. p=none instructs the receiving mailbox provider to take no action on an email that fails an SPF/DKIM check. If you are new to DMARC, you should start with this policy.

The most secure setting is what’s called DMARC at enforcement, p=reject or p=quarantine. This requires additional work to ensure that this record incorporates all of the 3rd parties sending on behalf of your domain. Publishing the record incorrectly could cause your mail from these providers not to be delivered. Work with your technical personnel to ensure that your DMARC is properly formatted and affords you the greatest level of protection. For more resources on how to implement this type of DMARC policy refer to How to Implement DMARC and Everything About DMARC.
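A DMARC record can be checked before it is published. The following is an added example, not SendGrid's or Google's code: it parses a TXT value, validates the v, p and rua tags described above, and reports whether the policy is at enforcement. The function names and the sample records other than the article's own are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT value into a {tag: value} dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' shown in the article's record
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Return a list of problems; an empty list means the record is usable."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # RFC 7489: the v tag must come first and must be exactly DMARC1.
    if record.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("p must be none, quarantine or reject")
    # Receivers are only required to support mailto: report URIs.
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            problems.append(f"rua entry is not a mailto: URI: {uri}")
    return problems

def is_enforcing(record):
    """True for a valid record whose policy is quarantine or reject."""
    return not check_dmarc(record) and parse_dmarc(record)["p"].lower() != "none"

if __name__ == "__main__":
    # Constructed sample records; the first two follow the article's example.
    for rec in ("v=DMARC1; p=none;",
                "v=DMARC1; p=none; rua=mailto:dmarc_agg@vali.email",
                "v=DMARC1; p=reject; rua=https://reports.example.com/in",
                "p=quarantine; v=DMARC1"):
        print(rec, "->", check_dmarc(rec) or "ok", "| enforcing:", is_enforcing(rec))
```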

8. For direct mail, the domain in the sender's From: header must be aligned with either the SPF domain or the DKIM domain. 

What does it mean? You need to pass DMARC alignment to satisfy this requirement. The domain you include in your From: header must align with either the SPF domain or the DKIM domain. Alignment refers to the verification that the DKIM and SPF signatures in your email headers align with the domain you've authenticated your SendGrid account with.

What should I do? In a simplified answer, you need to ensure the “from” address you are specifying in the “From: header” matches the domain you authenticated with SPF or DKIM. Beyond the simplified answer, there is strict alignment and relaxed alignment and several scenarios (including the use of subdomains) you need to consider. Thankfully, Google has an entire blog post explaining those scenarios in great detail.
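The strict and relaxed alignment scenarios mentioned above can be worked through in code. This is an added example, not code from Google or SendGrid: it compares the From: domain with the domains that passed SPF and DKIM, using the DMARC aspf/adkim alignment modes. The tiny public-suffix set, the function names and the sample domains are assumptions made for illustration.

```python
# Constructed, deliberately tiny stand-in for the Public Suffix List.
# Assumption: production code should consult the full, current list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels

def domain_of(address):
    """Domain part of an address such as 'News <news@example.com>'."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()

def is_aligned(from_domain, auth_domain, mode="r"):
    """Mode 's' (strict) needs an exact match; 'r' (relaxed) compares org domains."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_alignment(header_from, spf_pass_domain=None, dkim_pass_domains=(),
                    aspf="r", adkim="r"):
    """Pass in only identifiers that already passed SPF or DKIM.
    aspf/adkim are the DMARC record's alignment-mode tags (default relaxed)."""
    frm = domain_of(header_from)
    spf = spf_pass_domain is not None and is_aligned(frm, spf_pass_domain, aspf)
    dkim = any(is_aligned(frm, d, adkim) for d in dkim_pass_domains)
    return {"spf": spf, "dkim": dkim, "aligned": spf or dkim}

if __name__ == "__main__":
    # Constructed scenarios: (From, SPF domain, DKIM d= domains, aspf, adkim)
    cases = [
        ("news@example.com", "em1234.example.com", ["example.com"], "r", "r"),
        ("news@example.com", "em1234.example.com", ["example.com"], "s", "s"),
        ("news@example.com", "bounce.mailer.example.net", ["mailer.example.net"], "r", "r"),
    ]
    for frm, spf, dkim, aspf, adkim in cases:
        print(frm, spf, dkim, aspf + adkim, dmarc_alignment(frm, spf, dkim, aspf, adkim))
```

In the second scenario the subdomain used for SPF no longer aligns under strict mode, and the message still passes because the DKIM domain matches the From: domain exactly.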

9. Implement one-click unsubscribe.

What does it mean? One-click unsubscribe (list unsubscribe) provides a second method for subscribers to easily remove themselves from your mailing list. The List-Unsubscribe header will insert an “unsubscribe” button, or link, next to the From address at the top of your email.

What should I do? If you enable SendGrid’s subscription tracking feature, SendGrid will automatically insert the List-Unsubscribe header in all of your text and HTML emails. Alternatively, if you do not want to use subscription tracking, there are steps you can take to implement list-unsubscribe. The FTC (Federal Trade Commission) recently provided a clear distinction between what classifies as a transactional email vs commercial email.
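If you set the headers yourself, an outgoing message can be checked before it is sent. This is an added example, not SendGrid's code: it looks for the two headers RFC 8058 defines for one-click unsubscribe, a List-Unsubscribe header containing an HTTPS URI and a List-Unsubscribe-Post header. The function name and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

def one_click_problems(raw_message):
    """Return the RFC 8058 one-click unsubscribe problems found in a raw message."""
    msg = message_from_string(raw_message)
    problems = []
    # List-Unsubscribe carries one or more <URI> entries separated by commas.
    uris = re.findall(r"<\s*([^>\s]+)\s*>", msg.get("List-Unsubscribe", ""))
    if not uris:
        problems.append("no List-Unsubscribe header")
    elif not any(u.lower().startswith("https://") for u in uris):
        # One-click needs an HTTPS URI that the mailbox provider can POST to.
        problems.append("List-Unsubscribe has no https:// URI")
    post = msg.get("List-Unsubscribe-Post", "").strip()
    if post.lower() != "list-unsubscribe=one-click":
        problems.append("List-Unsubscribe-Post: List-Unsubscribe=One-Click is missing")
    return problems

# Constructed sample messages (addresses and URLs are placeholders).
COMPLIANT = (
    "From: News <news@example.com>\n"
    "To: user@example.org\n"
    "Subject: Weekly update\n"
    "List-Unsubscribe: <mailto:unsub@example.com?subject=unsubscribe>,\n"
    " <https://example.com/unsubscribe?token=abc123>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "\n"
    "Hello!\n"
)
MAILTO_ONLY = (
    "From: News <news@example.com>\n"
    "To: user@example.org\n"
    "Subject: Weekly update\n"
    "List-Unsubscribe: <mailto:unsub@example.com?subject=unsubscribe>\n"
    "\n"
    "Hello!\n"
)

if __name__ == "__main__":
    for name, raw in (("compliant", COMPLIANT), ("mailto only", MAILTO_ONLY)):
        print(name, "->", one_click_problems(raw) or "ok")
```

RFC 8058 also expects both headers to be covered by a valid DKIM signature, which this header-only check does not verify.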

10. Use a TLS connection for transmitting email.

What does it mean? Transport Layer Security (TLS) is a standard security protocol for communication over the internet that offers encryption and data privacy. Gmail and Yahoo will require any mail transmitted to them to have a secure TLS connection.

What should I do? SendGrid handles the connection to the inbox providers and issues a TLS connection, so you don’t need to worry about this requirement. 

Get the technical help you need

Although most of these requirements apply to all senders, the last three in the list (DMARC record, alignment, and one-click unsubscribe) are new and only apply to senders that send over 5,000 messages per day. 

If you find yourself overwhelmed looking at the list of requirements and don’t know where to start, we have you covered. Our Professional Services team is a group of experts here to help you navigate domain authentication, alignment, DMARC, complaint levels, etc. Contact us today to ensure you meet each requirement well ahead of the February 2024 deadline.

