In February 2024, Gmail and Yahoo Mail began enforcing new rules to protect email recipients and help keep their inboxes safer and less spammy.
These rules require all email senders to adhere to specific guidelines to ensure email deliverability.
This comprehensive guide explains what these new requirements are and how they affect your business.
We’ll cover:
Google & Yahoo’s New Email Sending Requirements
In October 2023, Gmail’s Security & Trust Group Product Manager Neil Kumaran announced on Google’s blog that from February 2024 email senders would need to authenticate their emails, allow for easy unsubscription (bulk senders), and stay under a reported spam threshold in order for their emails to be delivered to Gmail addresses.
As these requirements are now in effect, ignoring them will see your mail being automatically rejected or sent to the recipient’s spam folder.
According to Neil, although Gmail’s detection tools prevent 99.9% of spam, phishing and malware from reaching inboxes and block almost 15 billion unwanted emails every day, the service now faces more complex threats than it did when it launched in April 2004.
As Neil states on Google’s blog…
“As basic as it sounds, it’s still sometimes impossible to verify who an email is from given the web of antiquated and inconsistent systems on the internet.”
The new email sending requirements are designed to help users keep their inbox safer and more spam-free.
This initiative to combat fraudulent or spammy email by placing more stringent requirements on email senders is not coming solely from Google, however. Industry partners like Yahoo have also joined in to work alongside Google and the rest of the email community to make these new requirements industry standard and a basic email hygiene practice.
Yahoo’s email sender best practices contain similar recommendations to Google’s and include a link to a comprehensive guide on Senders Best Common Practices from the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), an organization committed to helping industries fight and prevent online abuse.
This document is aimed at anyone involved in the delivery and compliance of electronic communications, including marketing and management personnel. It is worth downloading and covers the latest and most effective recommended practices for sending commercial electronic messages.
So, what are these new requirements and how do they affect your business?
Essentially, the main requirements can be summarized as follows:
- Your spam complaint rate, as reported in Google Postmaster Tools, must stay below 0.3%; Google recommends keeping it below 0.1%.
- Authentication is now required: every sender must pass SPF or DKIM for the sending domain, and bulk email senders must pass both SPF and DKIM and publish a DMARC policy (p=none is enough to start) that the From: domain aligns with.
- Bulk email senders must offer one-click unsubscribe (the List-Unsubscribe and List-Unsubscribe-Post headers) and honour unsubscribe requests within two days.
Additional requirements for all email senders include:
- Ensuring that sending IPs have valid reverse DNS (PTR) records and that the hostname in the PTR record resolves forward to the same IP (forward-confirmed reverse DNS).
- Use a TLS connection for transmitting email.
- Format messages according to the Internet Message Format standard, RFC 5322.
There are additional requirements for bulk email senders.
You can read Neil Kumaran’s post here and check out Google’s email sender guidelines and Yahoo’s email sender best practices to learn how to successfully send emails to personal Gmail and Yahoo Mail accounts.
Understanding SPF, DKIM, and DMARC
Implementing SPF, DKIM, and DMARC protocols enhances email deliverability, safeguards sender reputation, and ensures that emails reach recipients’ inboxes securely.
If you are not familiar with SPF, DKIM, and DMARC, here’s an overview:
SPF
SPF (Sender Policy Framework) is a protocol that lets a receiving mail server check whether an email came from a server the domain owner has authorized.
The receiver looks up the SPF TXT record of the domain in the SMTP envelope sender (the MAIL FROM address, shown as Return-Path in delivered mail) and checks whether the IP address of the connecting mail server matches one of the mechanisms listed in that record. Note that SPF checks the envelope domain, not the From: address the recipient sees; tying the two together is DMARC’s job.
DNS records essentially act as a directory that maps domain names to their respective IP addresses and can include instructions, such as an SPF policy, on how mail for that domain should be handled.
By verifying the sending IP against the authorized list published for the domain, SPF helps to prevent envelope spoofing and enhances deliverability by reducing the likelihood of your emails being blocklisted or marked as spam.
Here are the steps involved in creating an SPF record for email authentication:
1. Gather Information: Collect the IP addresses or address ranges of all servers that send email on behalf of your domain. This includes your own mail servers, third-party email service providers (transactional mail, newsletters, helpdesk, CRM) and any web servers or applications that send mail directly.
2. Identify Sending Domains: Make a list of every domain and subdomain used as an envelope sender, and also of domains that never send mail. Publish v=spf1 -all on the non-sending ones so they cannot be used for spoofing.
3. Create SPF Record Syntax:
- Start with the version tag: v=spf1
- Add authorized IP addresses or ranges, e.g. ip4:192.0.2.0 or ip4:192.0.2.0/24 (use ip6: for IPv6 addresses)
- Include third-party senders: include:thirdparty.com
- End with the policy for everything not listed: -all (hard fail) or ~all (soft fail)
After following the above steps, your SPF record should look like the example shown below:
v=spf1 ip4:192.0.2.0 include:thirdparty.com -all
Note: a domain must publish exactly one SPF record, and evaluating it must require no more than ten DNS lookups in total. The include, a, mx, ptr, exists and redirect terms each count as one lookup, lookups made inside included records count too, and ip4/ip6 terms cost nothing. Exceeding the limit produces a permanent error and receivers treat the record as broken. Each TXT string is limited to 255 characters, so a longer record is split into several quoted strings within the one TXT record.
4. Publish SPF Record to DNS: Access your DNS management console provided by your domain registrar or hosting provider, add a new TXT record with your domain’s hostname and the SPF record syntax, and save the changes.
5. Test SPF Record: Use SPF check tools (e.g. EasyDMARC’s SPF Record Checker) to check if the SPF record is present or not and ensure that all legitimate sending IP addresses are listed and correctly formatted.
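To see what a receiving server actually does with the record above, here is a small SPF evaluator. It is an added example written for this guide, not code from the original article or from any SPF library, and it runs against a constructed in-memory zone (the ZONE dictionary) instead of live DNS. It implements the ip4, ip6, a, include and all mechanisms with their qualifiers, counts DNS-querying terms across nested includes so the ten-lookup limit is enforced globally, and shows that a server listed only in the domain’s A record is not authorized unless the record says so.

```python
"""Minimal SPF evaluator (RFC 7208 subset) over a constructed DNS zone.

Added example for this guide, not part of the article or any library. Swap the
ZONE lookups for real resolver queries (e.g. dnspython) to run it against live domains.
"""
import ipaddress

# Constructed zone standing in for live DNS: domain -> records.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:thirdparty.example -all"],
        "A": ["203.0.113.5"],   # the web server: NOT authorized, the record has no "a" term
    },
    "thirdparty.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 include:deep.example ~all"]},
    "deep.example": {"TXT": ["v=spf1 a -all"], "A": ["203.0.113.77"]},
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},  # exceeds the lookup limit
    "nosend.example": {"TXT": ["v=spf1 -all"]},                     # a domain that never sends mail
}
MAX_DNS_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """The domain's single SPF record, or None (zero or several records both mean 'none')."""
    recs = [t for t in ZONE.get(domain, {}).get("TXT", [])
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, counter=None):
    """check_host(): is `ip` allowed to send mail with MAIL FROM in `domain`?

    Returns pass|fail|softfail|neutral|none|permerror. `counter` accumulates the
    DNS-querying terms across includes so the limit of ten is global, not per record.
    """
    counter = {"lookups": 0} if counter is None else counter
    addr = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("include", "a", "mx", "ptr", "exists") or name.startswith("redirect="):
            counter["lookups"] += 1
            if counter["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"          # receivers ignore the whole record at this point
        if name in ("ip4", "ip6"):
            try:                            # a v4 address never matches a v6 network and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed address or prefix
        elif name == "a":
            matched = str(addr) in ZONE.get(arg or domain, {}).get("A", [])
        elif name == "include":
            sub = check_host(ip, arg, counter)
            if sub in ("none", "permerror"):
                return "permerror"          # an unusable included record is a hard error
            matched = sub == "pass"         # fail/softfail/neutral inside an include just don't match
        elif name == "all":
            matched = True
        else:
            return "permerror"              # mx/ptr/exists/redirect are not implemented in this demo
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # no term matched and there was no "all"
```

Run check_host("203.0.113.5", "example.com") and it returns "fail" even though that address is the domain’s A record, while the IPs inside the included providers pass and loop.example returns "permerror" after ten lookups; that is the behaviour a real receiver shows when an SPF record is over the limit.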
DKIM
DKIM (DomainKeys Identified Mail) is an email authentication method that adds a digital signature to outgoing emails.
This signature is validated by the recipient’s mail server using the public key published in the signing domain’s DNS, which confirms the email’s integrity and the domain that signed it. DKIM lets receivers detect tampering in transit and strengthens email deliverability by reducing the chance of emails being flagged as spam or phishing.
DKIM is like a digital signature for emails, a way for the sender (you) to prove they really sent the email and that it hasn’t been changed by anyone in between.
A DKIM Signature Header typically includes several elements represented by tag=value pairs.
Here’s an example that illustrates the essential components necessary for email authentication through DKIM:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=dkim1; h=From:To:Subject:Date; bh=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; b=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
Explanation of each element:
- v=1: Version of the DKIM specification being used.
- a=rsa-sha256: The signing algorithm (RSA over a SHA-256 hash; RFC 8301 deprecated rsa-sha1).
- c=relaxed/relaxed: Canonicalization methods for the header and the body, respectively; relaxed tolerates the whitespace changes mail relays commonly introduce.
- d=example.com: The domain that owns the DKIM key pair and takes responsibility for the message.
- s=dkim1: The DKIM selector; the public key for this signature is published at dkim1._domainkey.example.com.
- h=From:To:Subject:Date: The header fields covered by the signature (From must always be included).
- bh=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: The hash of the canonicalized body.
- b=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY: The digital signature itself, computed with the private key for the selector over the listed headers and the DKIM-Signature header.
Here are the steps involved in creating a DKIM record:
1. Generate DKIM Keys: Use the key generator in your email service provider’s admin console or a third-party tool (see list below), or generate an RSA key pair yourself. Use 2048-bit keys; Google requires at least 1024 bits and recommends 2048. The private key stays on the signing server and is never published.
2. Publish Public Key to DNS:
- Log in to your DNS management console provided by your domain registrar or hosting provider.
- Navigate to the DNS settings for your domain.
- Add a new TXT record with the DKIM selector as the subdomain name and the public key as the record value. The selector is usually provided by your email service provider and is specific to your DKIM configuration.
Example DKIM record:
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2h9gFo3... (long string)"
3. Verify DKIM Record: After adding the DKIM record, verify its correctness using DNS lookup tools and ensure that the TXT record contains the correct DKIM selector and public key.
4. Test DKIM: Send test emails from your domain and verify that they pass DKIM authentication checks using email authentication testing tools.
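The following added example shows the verifier side of DKIM with only the Python standard library; it is not code from the original article or from any DKIM library, and the message it signs is constructed. It parses the DKIM-Signature tags, recomputes the relaxed body hash (bh=) so a modified body is caught, derives the DNS name the public key is fetched from, and builds the exact byte string that the b= signature covers. The RSA operation itself is left to a library such as dkimpy or cryptography, so build_signed_message() puts a labelled placeholder in b=.

```python
"""DKIM verifier-side checks (RFC 6376) using only the standard library.

Added example for this guide; not the article's code or any library's. The RSA
signing/verification step over signed_data() is not implemented here.
"""
import base64
import hashlib
import re

CRLF = b"\r\n"


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs, strip trailing WSP, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(CRLF)]
    while lines and lines[-1] == b"":
        lines.pop()
    return CRLF.join(lines) + CRLF if lines else b""


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: only trailing empty lines are removed; the body always ends in CRLF."""
    return re.sub(rb"(\r\n)+\Z", b"", body) + CRLF


def canonicalize_header_relaxed(name: bytes, value: bytes) -> bytes:
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, trim around the colon."""
    value = re.sub(rb"[ \t]+", b" ", value.replace(CRLF, b"")).strip(b" ")
    return name.lower().strip() + b":" + value + CRLF


def split_message(raw: bytes):
    """Return ([(name, value), ...] in wire order, body); folded lines are kept in value."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = []
    for line in head.split(CRLF):
        if line[:1] in (b" ", b"\t") and headers:          # continuation of the previous field
            name, value = headers[-1]
            headers[-1] = (name, value + CRLF + line)
        else:
            name, _, value = line.partition(b":")
            headers.append((name, value))
    return headers, body


def parse_tags(value: bytes) -> dict:
    """tag=value list of a DKIM-Signature; folding whitespace inside values is removed."""
    tags = {}
    for part in value.decode("ascii").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    canon_body = canonicalize_body_relaxed(body) if canon == "relaxed" else canonicalize_body_simple(body)
    return base64.b64encode(hashlib.sha256(canon_body).digest()).decode()


def dkim_signature_value(raw: bytes) -> bytes:
    headers, _ = split_message(raw)
    return next(v for n, v in headers if n.lower() == b"dkim-signature")


def public_key_name(tags: dict) -> str:
    """Where the verifier fetches the public key: <selector>._domainkey.<d= domain> (TXT)."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_body_hash(raw: bytes) -> bool:
    """Verifier side: recompute bh= over the body as received and compare."""
    tags = parse_tags(dkim_signature_value(raw))
    if "l" in tags:                   # l= signs only part of the body; a known weakness, refuse it
        return False
    _, body = split_message(raw)
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, body_canon) == tags["bh"]


def signed_data(raw: bytes) -> bytes:
    """Exact bytes the b= RSA signature covers: the h= headers (last instance first, each
    used once), then the DKIM-Signature header itself with b= emptied and no trailing CRLF."""
    headers, _ = split_message(raw)
    sig = dkim_signature_value(raw)
    pool, out = list(headers), b""
    for wanted in parse_tags(sig)["h"].split(":"):
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].lower() == wanted.lower().encode():
                out += canonicalize_header_relaxed(*pool.pop(i))
                break
    sig_empty_b = re.sub(rb"(^|;)(\s*)b=[^;]*", rb"\1\2b=", sig)
    return out + canonicalize_header_relaxed(b"DKIM-Signature", sig_empty_b).rstrip(CRLF)


def build_signed_message(body: bytes, domain="example.com", selector="dkim1") -> bytes:
    """Signer side minus RSA: compute bh= and assemble the header. b= is a placeholder where
    a real signer puts base64(RSA-SHA256 over signed_data(message))."""
    headers = [(b"From", b" alice@" + domain.encode()), (b"To", b" bob@example.net"),
               (b"Subject", b" Hello"), (b"Date", b" Mon, 5 Feb 2024 10:00:00 +0000")]
    sig = (b" v=1; a=rsa-sha256; c=relaxed/relaxed; d=" + domain.encode() + b"; s=" + selector.encode()
           + b";" + CRLF + b" h=From:To:Subject:Date; bh=" + body_hash(body).encode() + b";" + CRLF
           + b" b=NOT_A_REAL_SIGNATURE")
    wire = b"DKIM-Signature:" + sig + CRLF + b"".join(n + b":" + v + CRLF for n, v in headers)
    return wire + CRLF + body
```

With the constructed message, check_body_hash() returns True, still returns True if a relay appends blank lines (relaxed canonicalization ignores them), and returns False the moment a byte of the body changes. public_key_name() gives dkim1._domainkey.example.com, which is the record a checker needs the selector for.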
Here are some tools you can use to generate DKIM keys:
DMARC
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that helps protect email domains from being used for phishing, spoofing, and other malicious activities, and builds on SPF and DKIM to provide additional email authentication and reporting capabilities.
DMARC helps to make sure that the emails you send are really from you. If someone tries to fake your email address, DMARC helps block those phony messages from reaching others, keeping your email reputation safe and sound.
DMARC:
- Improves email deliverability by allowing senders to monitor and enforce email authentication policies.
- Allows domain owners to specify a handling policy for emails that fail SPF and DKIM checks, enhancing transparency and security, and reducing spoofing and phishing attempts.
- Allows domain owners to receive alerts when unauthorized parties misuse the domain for email spoofing, protecting their brand’s reputation.
A message passes DMARC when at least one of SPF or DKIM passes and the domain that passed is aligned with the domain in the visible From: header: for SPF that is the MAIL FROM (Return-Path) domain, for DKIM the d= domain in the signature. By default alignment is relaxed, meaning the same organizational domain is enough (mail.example.com aligns with example.com); the adkim and aspf tags can switch either check to strict, exact-match alignment.
How to implement DMARC
1. Define DMARC Policy: Decide on the DMARC policy you want to enforce. DMARC offers 3 policy options:
- None: Monitoring mode only; mail that fails DMARC is delivered as usual, but you receive reports.
- Quarantine: Receivers should treat mail that fails DMARC as suspicious, typically by placing it in the spam/junk folder.
- Reject: Receivers should refuse mail that fails DMARC outright at SMTP time.
2. Generate DMARC Record: Create a DMARC TXT record with your chosen policy. Use the following syntax (the mailto: addresses are placeholders):
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com"
- Replace example.com with your domain.
- v=DMARC1: Indicates the DMARC version; it must be the first tag.
- p=none/quarantine/reject: Defines the policy for the domain.
- rua: Specifies the email address that receives aggregate (XML) reports, usually once a day from each reporting provider.
- ruf: Specifies the email address that receives failure (forensic) reports for individual messages. Many large providers, including Gmail, do not send them, so do not rely on ruf for visibility.
- Optional tags: sp= sets a separate policy for subdomains, adkim= and aspf= select strict (s) or relaxed (r) alignment, and pct= applies the policy to only a percentage of failing mail while you ramp up.
3. Publish DMARC Record to DNS: Log in to your DNS provider’s dashboard.
- Navigate to your domain’s DNS management section.
- Add a new TXT record with the host _dmarc and the value as the DMARC record you generated.
4. Verify DMARC Record: Use DNS lookup tools to ensure the DMARC record is correctly published and propagated.
5. Monitor Reports: Regularly check the aggregate and forensic reports sent to the email addresses specified in the DMARC record. These reports provide insights into email authentication failures and help fine-tune your DMARC policy.
Notes:
- Be careful when creating a DMARC record: if you publish p=quarantine or p=reject before every legitimate sending service passes SPF or DKIM with an aligned domain, that service’s mail will be quarantined or rejected. Start with p=none, use the aggregate reports to find every source that sends as your domain, fix their authentication, then move to quarantine (optionally with pct=) and finally to reject. We recommend following these guidelines from Google when starting out with DMARC.
- Make sure that SPF and DKIM have been authenticating your emails for at least 48 hours BEFORE enabling DMARC.
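The alignment rule described above and the policy lookup a receiver performs are small enough to show in full. The block below is an added example for this guide, not code from the article or from any DMARC library. It takes the SPF and DKIM outcomes as already-computed inputs, reads DMARC records from a constructed in-memory zone, and returns both the DMARC result and the disposition the record asks for, including the sp= subdomain policy. The organizational-domain helper keeps only the last two labels, which is a simplification; real evaluators use the Public Suffix List.

```python
"""DMARC policy discovery, identifier alignment and disposition (RFC 7489 subset).

Added example for this guide; not the article's code or a library's. ZONE stands in
for DNS, and org_domain() is a two-label simplification of the Public Suffix List.
"""

# Constructed DMARC records: example.com is at enforcement, example.org is monitoring.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-agg@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.org",
}


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (mail.example.com -> example.com)."""
    return ".".join(domain.lower().split(".")[-2:])


def find_policy(from_domain):
    """RFC 7489 6.6.3: try _dmarc.<from domain>, then _dmarc.<org domain>; in the latter
    case the sp= tag (if present) governs. Returns (tags or None, is_subdomain_lookup)."""
    rec = ZONE.get(f"_dmarc.{from_domain}")
    if rec:
        return parse_dmarc(rec), False
    org = org_domain(from_domain)
    rec = ZONE.get(f"_dmarc.{org}") if org != from_domain else None
    return (parse_dmarc(rec), True) if rec else (None, False)


def aligned(auth_domain, from_domain, mode):
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Returns (dmarc_result, disposition).

    spf_domain is the MAIL FROM (Return-Path) domain SPF was evaluated for;
    dkim_domain is the d= of a signature that verified. pct= is ignored here.
    """
    policy, is_subdomain = find_policy(from_domain)
    if policy is None:
        return "none", "none"              # no DMARC record: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    disposition = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return "fail", disposition
```

The second assertion in the test is the classic spoof: SPF passes for the attacker’s own Return-Path domain, the From: header says example.com, and DMARC fails because nothing aligns. The third shows adkim=s rejecting a signature from mail.example.com that relaxed alignment would have accepted, so tighten alignment only after checking which d= your providers sign with.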
Here are some free tools you can use to create, verify and validate DMARC records:
- DMARC Tools by dmarcian.
- DMARC Record Lookup and Checker by EasyDMARC
- DMARC Digests – If you set up a DMARC reporting address, using your personal or business address is not recommended, as your inbox will be flooded with machine-generated XML reports. Instead, consider signing up for a DMARC reporting tool so you can confirm that every tool you use to send email is properly authenticated. If the reporting address is in a different domain from the one you are protecting, that domain must publish a yourdomain._report._dmarc.reporting-domain TXT record authorizing the reports; the reporting services set this up for you.
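To show what those aggregate (rua) reports contain and why they are worth reading, here is an added example that flattens one into a per-source summary; it is not code from the article or from any reporting service, and the report XML is constructed in the RFC 7489 Appendix C schema. Real reports arrive as gzip or zip attachments, so gzip.decompress() or zipfile gets you to this XML. The second record is the case that matters: raw SPF passed for attacker.example, but policy_evaluated shows neither SPF nor DKIM aligned with the From: domain, so that source is either a forgotten legitimate service or someone spoofing you.

```python
"""Summarize a DMARC aggregate (rua) report. Added example, not the article's code."""
import xml.etree.ElementTree as ET

# Constructed report in the RFC 7489 aggregate schema (no gzip/zip wrapper).
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mail-receiver.example</org_name>
    <report_id>2024-02-05-0001</report_id>
    <date_range><begin>1707091200</begin><end>1707177600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>dkim1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.9</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _text(el, path, default=""):
    return (el.findtext(path) or default).strip()


def parse_aggregate_report(xml_text):
    """Flatten a rua report into {reporter, domain, policy, sources: [...]}."""
    root = ET.fromstring(xml_text)
    report = {
        "reporter": _text(root, "report_metadata/org_name"),
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "sources": [],
    }
    for rec in root.iter("record"):
        # policy_evaluated holds the ALIGNED results DMARC acted on; auth_results holds the
        # raw SPF/DKIM outcomes, which can be "pass" for a domain that is not yours.
        report["sources"].append({
            "ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "dkim_aligned": _text(rec, "row/policy_evaluated/dkim") == "pass",
            "spf_aligned": _text(rec, "row/policy_evaluated/spf") == "pass",
            "header_from": _text(rec, "identifiers/header_from"),
            "raw_spf_domain": _text(rec, "auth_results/spf/domain"),
            "raw_dkim_domain": _text(rec, "auth_results/dkim/domain"),
        })
    return report


def unauthenticated_sources(report):
    """(ip, message count, domain the raw check passed for) of every source that failed DMARC."""
    return [(s["ip"], s["count"], s["raw_spf_domain"] or s["raw_dkim_domain"] or "-")
            for s in report["sources"] if not (s["spf_aligned"] or s["dkim_aligned"])]


def pass_rate(report):
    """Percentage of reported messages that passed DMARC; watch this before moving past p=none."""
    total = sum(s["count"] for s in report["sources"])
    passed = sum(s["count"] for s in report["sources"] if s["spf_aligned"] or s["dkim_aligned"])
    return round(100 * passed / total, 1) if total else 0.0
```

For the sample, unauthenticated_sources() returns 203.0.113.9 with 35 messages that passed SPF only for attacker.example, and pass_rate() is 77.4%. Look up each such IP (the PTR check later in this guide helps) before deciding whether to add it to SPF/DKIM or to let p=quarantine start blocking it.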
Email Verification Examples
Now that we have defined what SPF, DKIM, and DMARC mean, let’s look at some actual examples of these protocols in action, so you can better understand why your emails may or may not be reaching their intended recipients.
Emails Not Reaching Recipients
First up, let’s look at an obvious spam email sent to a Gmail address. This will help us understand how Gmail and other email providers automatically filter out junk email.
Here’s an email sent to my personal Gmail address that never even made it to my inbox. Gmail filtered it and sent it directly to my SPAM folder.
Let’s ignore the fact that this is an obvious spam email and look at the email header to see why Gmail’s automated tools detected and flagged it as spam.
To do this, view the email in your Gmail account (don’t click on any links in the email, of course!), click on the vertical ellipsis icon, and select Show original from the menu options …
As you can see, this email did not meet Gmail’s DKIM policy requirements.
Compliant Emails
For comparison, here’s the header of an email sent to my business Gmail address by a compliant sender. As you can see, this company has met all of Gmail’s requirements for safe email delivery.
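Reading those headers by eye works for one message; for a mailbox full of them a parser helps. The block below is an added example for this guide, not code from the article, that parses the Authentication-Results header (RFC 8601) in the form Gmail writes it under Show original and lists what failed; both sample header values are constructed. It checks the authserv-id first, because anyone can put an Authentication-Results header into a message they send, and only the one stamped by your own receiving server means anything.

```python
"""Parse Authentication-Results (RFC 8601) as written by Gmail. Added example, not the article's code."""
import re

# Constructed samples in Gmail's "Show original" format (header value only).
PASSING = """mx.google.com;
       dkim=pass header.i=@example.com header.s=dkim1 header.b=AbCd1234;
       spf=pass (google.com: domain of bounce@example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@example.com;
       dmarc=pass (p=REJECT sp=QUARANTINE dis=NONE) header.from=example.com"""

FAILING = """mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@bulk.example header.s=s1 header.b=Zz99;
       spf=softfail (google.com: domain of transitioning deals@bulk.example does not designate 203.0.113.9 as permitted sender) smtp.mailfrom=deals@bulk.example;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=bulk.example"""


def strip_comments(text):
    """Remove (comments), innermost first, so a ';' inside a comment can't split a result."""
    while True:
        stripped = re.sub(r"\([^()]*\)", "", text)
        if stripped == text:
            return text
        text = stripped


def parse_auth_results(value):
    """-> {"authserv_id": str, "results": [{"method", "result", "props": {ptype.prop: value}}]}"""
    value = strip_comments(" ".join(value.split()))           # unfold, then drop comments
    parts = [p.strip() for p in value.split(";") if p.strip()]
    parsed = {"authserv_id": parts[0].split()[0], "results": []}
    for res in parts[1:]:
        tokens = res.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            k, _, v = tok.partition("=")
            props[k.lower()] = v
        parsed["results"].append({"method": method.lower(), "result": result.lower(), "props": props})
    return parsed


def findings(value, trusted_authserv_id="mx.google.com"):
    """Problems worth acting on; an empty list means SPF, DKIM and DMARC all passed."""
    parsed = parse_auth_results(value)
    if parsed["authserv_id"] != trusted_authserv_id:
        return [f"untrusted authserv-id {parsed['authserv_id']!r}: header may be forged"]
    by_method = {}
    for r in parsed["results"]:
        by_method.setdefault(r["method"], []).append(r)
    key_prop = {"spf": "smtp.mailfrom", "dkim": "header.i", "dmarc": "header.from"}
    problems = []
    for method in ("spf", "dkim", "dmarc"):
        results = by_method.get(method, [])
        if not results:
            problems.append(f"{method}: no result recorded")
        elif not any(r["result"] == "pass" for r in results):   # a message may carry several DKIM signatures
            r = results[0]
            problems.append(f"{method}={r['result']} for {r['props'].get(key_prop[method], '?')}")
    return problems
```

For the failing sample the output names all three problems (spf=softfail for the Return-Path address, dkim=neutral for the signing identity, dmarc=fail for the From: domain), which is exactly the list a sender has to clear before Gmail will treat its mail as compliant.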
Using Verification Tools
As mentioned earlier, there are a number of useful tools you can use to check or troubleshoot whether an email domain (your own, a client’s, or a third-party service’s) meets the authentication requirements in the email sender guidelines.
Check SPF, DKIM & DMARC
For the examples in this section, we’ll use the free tools from dmarcian.com.
Head on over to dmarcian’s free tools section, and click on their Domain Checker tool…
Enter the email domain name into the field (only the domain, no address@) and click Check Domain …
The tool performs checks similar to those done by mailbox providers like Google, Yahoo, and Microsoft and displays results that show if the email domain’s records meet SPF, DKIM, and DMARC requirements or not.
If an email domain fails to meet the checks, you will see a result similar to the one shown below.
Occasionally, you may get a message similar to the one shown below. It indicates that your domain passes the check and your emails will still be delivered, but the vendor suggests its own services for full compliance.
Here’s one more useful tip to keep in mind if you run a test on your email domains and get a DKIM check result as shown in the screenshot below…
In the above check, the tool couldn’t find a DKIM record for the email domain because it doesn’t know the selector. DKIM public keys are published under selector._domainkey.yourdomain, so a checker cannot enumerate them; the selector is only revealed in the s= tag of the DKIM-Signature header of a message the domain has actually signed.
To find a selector to complete this check, do the following:
- Fire up your email account and find an email sent by the domain you are checking. In this example, we’ll use Gmail.
- Click on the vertical ellipsis icon, and select Show original from the menu options
- Scroll down past the summary at the top until you reach the raw message headers.
- Look for the s= tag in the DKIM-Signature header. This is your selector (the d= tag next to it is the signing domain, which may differ from the From: domain).
Copy the selector portion and paste it into the DKIM checking tool, then click the Inspect DKIM button.
That lets the tool fetch the public key and complete the DKIM check; it doesn’t change anything about your mail.
Click the Details link to view more details about the results.
Check PTR
A DNS pointer record, abbreviated as PTR, serves to link an IP address with its corresponding domain name. Unlike the ‘A’ record, which maps domain names to IP addresses, the PTR record performs the reverse function by associating IP addresses with domain names.
To check that a sending IP has valid forward and reverse DNS records as required, first locate and copy the IP address of the server that delivered the message. It appears in the topmost Received: header, the one added by the recipient’s mail server …
Then paste it into a reverse DNS lookup tool, like MXToolbox.com, to check that a PTR record exists and that the hostname it returns resolves forward to the same IP …
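The lookup tool is doing a forward-confirmed reverse DNS check; as an added example for this guide (not the article’s code), here it is in a few lines, driven by constructed resolver answers so it runs offline. The two lookups are injectable, so pointing it at live DNS is a matter of passing socket-based functions as described in the docstring.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check. Added example, not the article's code."""
import ipaddress

# Constructed resolver answers standing in for live DNS.
PTR_RECORDS = {
    "192.0.2.10": "mail.example.com",
    "203.0.113.9": "host-203-0-113-9.isp.example",   # PTR exists but points at a host that maps elsewhere
}
FORWARD_RECORDS = {
    "mail.example.com": ["192.0.2.10"],
    "host-203-0-113-9.isp.example": ["203.0.113.50"],
}


def reverse_name(ip):
    """Owner name of the PTR record a resolver queries for ip (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip, ptr_lookup=PTR_RECORDS.get, forward_lookup=lambda h: FORWARD_RECORDS.get(h, [])):
    """PTR(ip) must name a host, and A/AAAA(host) must include ip. Returns (ok, hostname, reason).

    For live DNS pass ptr_lookup=lambda ip: socket.gethostbyaddr(ip)[0] (catch socket.herror)
    and forward_lookup=lambda h: [a[4][0] for a in socket.getaddrinfo(h, None)].
    """
    host = ptr_lookup(ip)
    if not host:
        return False, None, "no PTR record for " + reverse_name(ip)
    if ip not in forward_lookup(host):
        return False, host, "PTR hostname does not resolve back to " + ip
    return True, host, "forward-confirmed"
```

A PTR record on its own is not enough for Gmail’s requirement: 203.0.113.9 above has one, but because the hostname resolves to a different address the check fails, which is the same reason a lookup tool reports it as invalid.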
While the above checks will give you the right information, we also recommend testing your email for spamminess. This will help to ensure optimal deliverability for your emails.
We recommend using a service like Mail Tester (they also have an SPF & DKIM checking tool).
Hopefully, this guide has given you a basic grasp of what SPF, DKIM, and DMARC mean and how to use tools to check the validity of email domains and troubleshoot potential issues.
If you use (or plan to use) WPMU DEV’s Webmail or Email Hosting services, then check out our guide on how to optimize email deliverability using WPMU DEV’s email services.
Best Email Sending Practices
If you plan to do any kind of bulk mailing, here’s an overview of key email sending practices to follow to stay compliant with the new guidelines:
- Subscriptions: Only send emails to people who have opted in. Use Google’s free Postmaster Tools to monitor your domain’s spam rate, delivery errors and feedback loop data for Gmail, and keep the spam rate below 0.3% (ideally below 0.1%).
- Subscription Management: Enable one-click unsubscribe for efficient opt-outs. Allow recipients to review and unsubscribe from specific mailing lists.
- Message Formatting: Format emails according to RFC 5322 and HTML standards. Avoid hiding content and ensure clear sender information.
- Sending Guidelines: Authenticate emails with SPF and DKIM. Maintain consistent sending IPs and categorize messages. Use a TLS connection for transmitting email.
- Avoid Sending Practices: Do not mix content types, impersonate others, or purchase email lists.
- Increase Sending Volume Slowly: Gradually increase volume and monitor delivery metrics.
- Special Considerations: Ensure compliance with guidelines, especially for third-party providers.
- Affiliate Marketing & Phishing Exercises: Regularly monitor affiliates and avoid sending test phishing emails.
For more detailed email sender guidelines, see: Google Help: Email Sender Guidelines
Additional Points & Useful Information
Covering all there is to know about email deliverability is beyond the scope of this article. However, we thought we would include some additional helpful information here to save you hours of research.
Bulk Emailing
Here are some things to keep in mind in you plan to do any bulk emailing:
- Spoofed emails count toward the bulk sender limit of 5,000. According to Yahoo, “Spoofed emails will count toward the mail we look at for enforcement. If you have a spoofing problem, you should be implementing a DMARC enforcement policy (p=quarantine or p=reject) regardless.”
- Subdomains are also subject to the requirements. Non-compliant emails sent from the subdomain of an organizational level domain that is subject to DMARC verification will be impacted.
Misconceptions about SPF (Sender Policy Framework)
Understanding SPF’s role in email authentication is important, but the protocol also has limitations. Here are some popular misconceptions about SPF:
- SPF will fully protect my domain from spoofing: SPF only checks the envelope sender (MAIL FROM) domain, not the From: address the recipient sees. An attacker can send from their own domain with a valid SPF record and still put your address in the From: header, and SPF passes. Use DMARC, which requires the SPF or DKIM domain to align with the From: domain, to protect the visible address.
- Implementing SPF is sufficient to prevent all spoofing and phishing attempts: While SPF is a crucial measure, it is not a complete solution against spoofing and phishing. DKIM and DMARC are necessary for comprehensive protection.
- Including a company’s SPF record in your own record ensures proper authentication: Providers sometimes instruct customers to add include:provider.com without saying when it applies. It only helps if the provider actually uses your domain as the envelope sender; if they send with their own MAIL FROM domain, the include does nothing for you and DKIM alignment is what you need. Every include also authorizes all of that provider’s IPs, which are shared with their other customers, and consumes DNS lookups against the limit of ten.
Misconceptions about DKIM (DomainKeys Identified Mail)
As with SPF, it’s also important to understand the role DKIM plays in getting your emails sent out and delivered, but there are some misconceptions to be aware of:
- Encryption Misunderstanding: Contrary to popular belief, DKIM doesn’t encrypt emails. It verifies integrity and origin: the bh tag hashes the body and the b tag is a signature over the selected headers and that hash, so any modification in transit is detected. It does not prevent replay: a validly signed message can be captured and re-sent unchanged to new recipients, which is why the x= expiration tag and regular key rotation matter. A successful DKIM verification shows that the d= domain took responsibility for the message and that the signed parts are unmodified; it says nothing about whether the content is trustworthy.
- Forgery Fallacy: There’s a misconception that DKIM signatures can be forged since their details are publicly available in DNS records. DKIM uses public-key cryptography (not a certificate-based PKI): the public key is published in DNS, while the private key stays on the signing server. A signature cannot be forged without the private key, so protect it, use keys of at least 1024 bits (2048 recommended) and rotate selectors so a leaked or retired key can be removed from DNS.
- Spam Solution Illusion: While DKIM verifies sender authorization and message integrity, it doesn’t provide a definitive solution to spam. It reduces the likelihood of spammers using forged or stolen email addresses, but it doesn’t stop them from buying their own domains and setting up DKIM to sign their mail, which can lend spam a veneer of legitimacy. Where DKIM does help is phishing: with DMARC on top, receivers can reject fraudulent emails purporting to come from a legitimate company’s domain.
For the latest updates on Google’s guidelines for sending emails to personal Gmail accounts and bulk emailing requirements, check out Google’s Email Sender Guidelines FAQ
Have You Got The Message Yet?
As the increasingly complex and ongoing battle against email spam and phishing from sophisticated malicious actors continues to escalate, major providers like Google, Yahoo, Microsoft, and others have begun enforcing stringent email sending requirements for all users to ensure the safe delivery of emails to intended recipients.
Hopefully, this article has given you all the information you need to understand and comply with all guidelines and requirements for sending emails that will reach your recipients’ inboxes.
Refer to our guide on how to optimize email deliverability using WPMU DEV’s email services to learn how your business can easily comply with these new email sending rules.