Google and Yahoo are turning what was once considered best practices for email authentication into mandatory requirements—and senders who don’t comply with the new requirements will start to see issues getting their emails delivered in 2024. If you want to make sure your emails keep making it to the inbox, follow these 5 steps.
Since October 2023, the email industry has been buzzing about the joint announcements from Google and Yahoo. These two receivers have agreed it's time to start enforcing new rules to help protect recipients from unwanted emails.
Why Google and Yahoo are changing the rules for email senders
Properly authenticating your emails has always been a best practice, but not all senders are using the tools available to protect their emails. And that’s a major problem: If senders don’t properly authenticate their emails, they’re making it incredibly easy for bad actors to impersonate their domains and send phishing emails—and that will damage your sending reputation.
Gmail and Yahoo are on a mission to protect their users from spam and unwanted emails, but if senders fail to properly secure their systems and leave the door for exploitation wide open, that job is a whole lot harder. That’s why Gmail and Yahoo decided that proper email authentication and following deliverability best practices are no longer a nice-to-have. If you want to ensure your emails continue to make it to the inbox, you’ll have to comply with key best practices for email authentication and spam prevention. According to the inbox providers, that means:
Authenticating your emails using DKIM, SPF, and DMARC.
We'll show you how to do that.
Reducing spam and maintaining a spam complaint rate under 0.3%.
Here's how you can keep an eye on that.
Allowing people to unsubscribe by clicking just one link, and honoring unsubscribes within two days.
Postmark handles unsubscribes for Broadcast messages for you so you don't have to worry about that.
RFC 5322 compliance, PTR records, rDNS
Postmark has you covered here.
Making sure your sending server IP addresses have valid reverse DNS records.
Postmark has you covered here.
Using a TLS connection for transmitting email.
Out of the box, Postmark supports opportunistic TLS for all outbound email, ensuring messages are encrypted in transit.
Our take: These changes matter for every email sender
Gmail and Yahoo’s new requirements primarily target large bulk senders, and if you’re diving into their requirements in detail, you’ll see that some of them will only apply to high-volume senders who send more than 5,000 emails a day. If you’re a smaller sender or only send transactional email, you’re less likely to be impacted by the changes—but that doesn’t mean you can ignore them.
What’s required for large senders today will likely become a requirement for all senders in the future. Plus, operating in the “barely compliant” zone, hoping the authorities don’t look at you too closely because you’re a small fish is rarely a good strategy. We believe this isn’t just true when you do your taxes, but for sending email, too.
So whether you send one email or a few million, protecting your domains, avoiding spam, and following deliverability best practices is the key to keeping your subscribers safe and your email program healthy.
Get ready for the Gmail and Yahoo changes in 5 steps
If you’re a Postmark customer, here are the top 5 steps we recommend you take now to make sure your emails keep making it to Google and Yahoo inboxes in 2024:
1. Understand what domains you use for email sending today (and whether they’re already authenticated)
Before you can start sending email with Postmark, we ensure you own the mailboxes you want to send from. You can either validate a single email address (i.e. we just send you a confirmation link via email that you need to click on), or you can validate an entire domain by making some tweaks to your DNS records.
The first option is simpler, but as Gmail and Yahoo tighten their requirements, we encourage you to fully authenticate your sending domains.
Head over to the Sender Signatures tab in your Postmark account to see what email addresses and domains are set up in your Postmark account—and to see the status of each domain.
If you’ve only verified individual email addresses, you’ll see that you still need to take action to properly authenticate your domain:
Click on the DNS settings for a more detailed overview of your domain’s status. If you see a row of green check marks here, your domain is properly authenticated (and you can jump ahead to task #4). If your domain details look like this though, you’ll want to take action to properly authenticate your sending domain:
2. Authenticate your mail with custom DKIM
DKIM (DomainKeys Identified Mail) is an email authentication method that confirms your legitimacy and trustworthiness as a sender and verifies that the messages were not altered in transit. Going forward, Yahoo! and Gmail will require all email to be DKIM signed, so if you haven’t already, now is the time to implement your custom DKIM signature.
This custom DKIM setup will require you (or whoever manages your domain) to add a TXT record to your domain’s DNS. We show you what values you should include when you visit your domain’s DNS setting in Postmark:
For step-by-step instructions on how to validate your domain using DKIM, check out our support article here.
3. Authenticate your mail with custom SPF
The Return-Path (also known as the "envelope-from") is the address where bounces and other email feedback are sent, and it's also the domain used for SPF authentication. It is specified by the Return-Path header in an email, and by default, the Return-Path for emails sent through Postmark is:
Replacing Postmark’s default Return-Path domain with your own sending domain means your messages are now SPF authenticated with your sending domain. This helps build your domain's reputation while also providing SPF domain alignment for your domain's DMARC policy.
You can set up a custom Return-Path by adding a CNAME record to your DNS that points to pm.mtasv.net. This is so that Postmark is still able to collect bounces and other feedback sent to that address.
4. Set up DMARC
DMARC is an email security standard that allows domain owners to monitor who’s sending email using their domain and instructs email receivers (like Gmail) to approve, quarantine, or reject emails that aren’t sent from an authenticated source.
Gmail and Yahoo will start requiring DMARC for all bulk senders who send more than 5,000 messages a day, but even if you aren’t sending at that volume, we encourage you to set up DMARC anyway. Here’s a step-by-step walkthrough of how you can set up DMARC for your domain. Gmail and Yahoo don't require strict DMARC policies, so you can get started with a “p=none” policy. With that policy in place, you can start monitoring who’s sending email using your domain without receivers taking any action just yet.
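The alignment logic behind steps 3 and 4, as an added example (not Postmark's code): a simplified DMARC evaluator showing why a custom Return-Path and custom DKIM matter once a policy is published. The domains, the `pm-bounces` label, the sample records, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
def parse_dmarc(record):
    """Return the record's tags as a dict, or None if it is not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # evaluators use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(record, from_domain, return_path_domain, spf_pass, dkim_domain, dkim_pass):
    """DMARC passes when SPF or DKIM both passes and aligns with the From: domain."""
    tags = parse_dmarc(record)
    if tags is None:
        return {"spf_aligned": False, "dkim_aligned": False,
                "dmarc": "no-policy", "disposition": "none"}
    spf_ok = spf_pass and aligned(from_domain, return_path_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        # On failure the receiver is asked to apply the published p= policy.
        "disposition": "none" if passed else tags.get("p", "none"),
    }


# Constructed sample data: example.com is the sender, esp.example stands in
# for a mail provider's own domain. Neither value comes from the article.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s"

if __name__ == "__main__":
    # Provider domains in Return-Path and DKIM d=: both checks pass, neither aligns.
    print(evaluate(MONITOR, "example.com", "bounces.esp.example", True, "esp.example", True))
    # Custom Return-Path and custom DKIM on the sender's own domain: aligned.
    print(evaluate(MONITOR, "example.com", "pm-bounces.example.com", True, "example.com", True))
    # Strict alignment: the bounce subdomain no longer counts, DKIM carries DMARC.
    print(evaluate(STRICT, "example.com", "pm-bounces.example.com", True, "example.com", True))
```

Under `p=none` the first case still reports a DMARC failure in aggregate reports while the receiver takes no action, which is what makes the monitoring phase useful before tightening the policy.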
DMARC monitoring for humans
If you’re looking for a simple DMARC monitoring tool, try Postmark’s DMARC Digests
If you visit your domain details in Postmark at this point, you should be able to see what we call the magic trifecta of email authentication 🔐🔐🔐.
5. Register your domain for Google Postmaster Tools and keep your spam complaint rates under 0.3%
Gmail will require senders to keep the spam complaint rate below 0.3%. If a larger share of your recipients mark your emails as spam, your sender reputation will decrease—and you’ll have a harder time reaching the inbox.
If you’re a Postmark customer, you can see spam reports from most inbox providers in your Postmark account, but Gmail is a bit of a special case. Since Gmail doesn’t provide a feedback loop—that’s the process for sharing spam report data with email providers—you can’t see spam reports from Gmail users in your Postmark account.
To keep an eye on your spam report data from Gmail users, you’ll have to register your domain with a dedicated service, Google’s Postmaster Tools. Registering your domain is free, only takes a minute, and once you’re set up and Google has collected some email data, you can see aggregated spam report information in your Postmaster account.
If you see your user-reported spam rate grow beyond 0.1%, that shows that there’s room for improvement. If you see your spam rate approach 0.3%, that’s a sign you should urgently take action.
Follow these best practices to reduce your spam rate
If you have any additional questions about these changes, check out our FAQ below—and if you don’t find the answer to your question there, please reach out! We’re here to help.
Q. What happens if I send mail that doesn't meet these requirements?
A. “If senders don’t meet these requirements, messages might be rejected or delivered to recipients’ spam folders,” say the folks at Gmail.
Q. When will these changes take place?
A. Changes are set to roll out gradually from February 2024, allowing for optimization and adjustments based on industry feedback.
Q. Yahoo and Gmail mention additional requirements in their documents that you don’t mention in the blog post above. Why do you not include them in your tips for senders?
A. If you’re sending email with Postmark, we automatically take care of some of the crucial requirements that the inbox providers will be enforcing. For example, we automatically include a list-unsubscribe header to all Broadcast emails you might send with Postmark and handle FCrDNS (Forward-Confirmed Reverse DNS) for all our sending IPs.
Q. How will this affect transactional senders?
A. While the changes primarily target bulk mail, transactional senders—and especially those that are sending over 5,000 messages a day—should comply with requirements for enhanced deliverability and engagement. Distinguishing transactional and bulk mail is crucial, and Postmark makes that easy through Message Streams.
Q. What is the bulk threshold for anti-spam policy?
A. Google will be requiring specific rules for users who send over 5,000 messages a day. However, users who send fewer than 5,000 messages will still need to authenticate their messages with SPF and DKIM.
Yahoo doesn't yet specify any particular volume for these categories of senders, nor do they specify a spam complaint rate threshold.
Q. Could these requirements and our understanding of them change?
A. Absolutely - in fact, let's expect them to!