
Gmail and Yahoo: New deliverability requirements coming in 2024

On Tuesday, October 3, Google and Yahoo announced updated sender requirements for those who wish to send mail to Gmail or Yahoo Mail successfully and in volume. Marcel Becker from Yahoo and Neil Kumaran from Google explain in detail what senders will have to do if they don't want to find their mail blocked at either mailbox provider. They warn that failure to comply will result in rejected mail in early 2024.

Any changes here really are evolutionary more than revolutionary. These have been solid "best practice" recommendations for a good long while; so I think of this as both "documenting what everybody knows" and laying the groundwork for reasoned, documented policy-based blocking of non-conforming mail.  

Those requirements boil down to this:

  1. Authenticate email. We were moving to a point where you basically already had to authenticate your email messages if you wanted inbox placement success; now it's fair to say that it is indeed required if you want to get your mail delivered. This shouldn't be too hard for most; marketers using just about any platform should be able to implement DKIM using their own domain name. As I said, it was already a best practice.
  2. Make it VERY easy to unsubscribe. Send platforms, implement list-unsubscribe. If you haven't implemented list-unsubscribe-post (as defined in RFC 8058) yet, it's time to get that done, too. It's not clear to me if post support is mandated here, but it seems at least implied and you might want to stay ahead of the curve. Make sure messages have a clear and easy unsub link in the body, as well.
  3. Ensure that you're sending wanted mail. This effectively means: keep spam complaint rates down. Google, in particular, is warning you that high spam complaint rates will now result in blocking at Gmail. Yahoo Mail was already known to block some mail based on an elevated complaint rate; this could be an adjustment of that policy or just that they're elucidating this policy so that it is more broadly understood.

You can find more analysis on this over here courtesy of Steve Atkins of Word to the Wise.

And be sure to read it all for yourself, straight from the mailbox providers themselves:

If you're an email marketer, don't fret. Follow the implementation requirements as defined by your email send platform; pay careful attention to the authentication best practice recommendations. Make sure your mail fully authenticates with DKIM (and SPF if your platform supports it, but really, I suspect the big deal focus here is more on DKIM). Don't do silly things like buying lists or sending mail to people who have unsubscribed; these can make spam complaint rates explode. Always include an unsubscribe link as appropriate, and if you have to enable a setting to turn on list-unsubscribe or list-unsubscribe-post support, do it (don't be afraid to ask the send platform's support for help on that one). And be sure to sign up for Google Postmaster Tools to be able to observe those spam complaint rates firsthand.
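To confirm that a platform's list-unsubscribe setting actually took effect, send yourself a test message and check its raw headers against RFC 8058. The following is an added example, not code from this post or from either mailbox provider: it checks for an https List-Unsubscribe URI, the One-Click List-Unsubscribe-Post value, and a DKIM signature whose `h=` tag lists both headers, without verifying the signature cryptographically. The function names and the sample message (`brand.example`, selector `s1`) are constructed for illustration.

```python
import re
from email import message_from_string

def dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = re.sub(r"\s+", "", val)
    return tags

def one_click_problems(raw_message):
    """Return the RFC 8058 header problems found in one outbound message."""
    msg = message_from_string(raw_message)
    problems = []
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.strip().lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no https URI")
    post = msg.get("List-Unsubscribe-Post", "")
    if post.strip().lower() != "list-unsubscribe=one-click":
        problems.append("List-Unsubscribe-Post is missing or not One-Click")
    # RFC 8058 requires a DKIM signature whose h= tag lists both headers.
    needed = {"list-unsubscribe", "list-unsubscribe-post"}
    signed_sets = [set(dkim_tags(v).get("h", "").lower().split(":"))
                   for v in msg.get_all("DKIM-Signature", [])]
    if not any(needed <= signed for signed in signed_sets):
        problems.append("no DKIM signature covers the unsubscribe headers")
    return problems

# Constructed sample message; brand.example, the selector and the elided
# bh=/b= values are placeholders, not real data.
GOOD = (
    "From: News <news@brand.example>\n"
    "Subject: October update\n"
    "List-Unsubscribe: <mailto:unsub@brand.example>,"
    " <https://brand.example/u?id=abc123>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=brand.example; s=s1;\n"
    " h=from:subject:list-unsubscribe:list-unsubscribe-post; bh=...; b=...\n"
    "\nHello\n"
)
# Variants: headers present but unsigned, and a mailto-only message.
UNSIGNED = GOOD.replace(":list-unsubscribe:list-unsubscribe-post", "")
MAILTO_ONLY = GOOD.replace(", <https://brand.example/u?id=abc123>", "").replace(
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n", "")

if __name__ == "__main__":
    for name in ("GOOD", "UNSIGNED", "MAILTO_ONLY"):
        print(name, one_click_problems(globals()[name]))
```
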

If you run an email sending platform, ESP or CRM or similar, then it's time to make sure you're allowing all clients to implement authentication properly and make sure you've got appropriate list-unsubscribe header support. I'd probably also make sure you're looking at how to properly police clients from a policy enforcement perspective; let your users emit too much unwanted mail and blocks could spill over, affecting more than just clients who have "earned" those blocks. Nobody is explicitly warning of that here, but I've watched both IP reputation and domain reputation go sideways because of issues like this in the past, and I'd be surprised if this type of thing didn't get more scrutiny in the future.


Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.

  1. Al, do you think more providers will start offering a Custom Return Path to all accounts like SendGrid and MailGun with these new changes?

    1. I was just doing some testing to remind myself exactly what passes DMARC and what doesn't, and I think that while some ESPs might add custom return-path domain functionality (I think it's a good idea for more than one reason), I think you would still pass DMARC with DKIM d=your domain + a return-path of the ESP domain. ESP domain passes SPF, but the DMARC check only cares about "does DKIM or SPF match your from domain" and if the DKIM matches the from domain, you're covered, even if SPF doesn't match. I think that's basically how Mailchimp, for example, does things. Will folks move away from this? I'm not sure. They might not. But I still wish they would -- I want to see shared domains minimized as much as possible. They hurt ESP customers as much as they help.

  2. What do you think about limit of numbers of emails sent by server doesn't up more than 13000 per drop?

    1. Can't decipher the question buried in here, sorry!
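
The DMARC reasoning in the reply about custom return paths above, worked through as an added example (not code from the post or from any commenter): DMARC passes when either a verified DKIM `d=` domain or an SPF-passing return-path domain aligns with the From domain. The function names and sample domains are constructed, and `org_domain` is a deliberate simplification (last two labels) where a real evaluator consults the Public Suffix List.

```python
def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption for this sketch; real evaluators use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier, from_domain, mode="r"):
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def dmarc_evaluate(from_domain, spf_pass, return_path_domain, dkim_results,
                   aspf="r", adkim="r"):
    """dkim_results is a list of (d= domain, signature verified) pairs."""
    spf_ok = spf_pass and aligned(return_path_domain, from_domain, aspf)
    dkim_ok = any(ok and aligned(d, from_domain, adkim)
                  for d, ok in dkim_results)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed scenarios; brand.example and esp.example are placeholders.
# Each tuple: From domain, SPF passed, return-path domain, DKIM results.
SCENARIOS = {
    # Own-domain DKIM with the ESP's return-path: the case in the reply.
    "own DKIM, ESP return-path":
        ("brand.example", True, "bounce.esp.example", [("brand.example", True)]),
    # Shared ESP domain for both SPF and DKIM: nothing aligns with From.
    "shared ESP domain only":
        ("brand.example", True, "bounce.esp.example", [("esp.example", True)]),
    # Custom return-path on the brand's domain, ESP-signed DKIM.
    "custom return-path, ESP DKIM":
        ("brand.example", True, "bounces.brand.example", [("esp.example", True)]),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(name, dmarc_evaluate(*args))
```
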
