Here is everything you need to know (I think? I hope?) about how to comply with the new sender requirements announced by Google and Yahoo, applying to Gmail and Yahoo mail, coming into force in early 2024.
You can read more about it all here (and over at Yahoo or Google), but it boils down to a handful of things that were previously best practice recommendations for deliverability excellence, which are now requirements that these two mailbox providers are saying that senders must implement. Those that don’t implement these requirements risk being blocked and unable to send mail to Yahoo Mail and Gmail subscribers.
Here are the ten steps you need to take, that if you follow these all the way through, you’ll be fully compliant with the new requirements.
- Stop sending newsletter/marketing/bulk mail as Gmail or Yahoo. For your 1:1 email messaging where you respond to emails from your customers or potential customers, you can continue to use Yahoo or Gmail (If I wanted to, I could continue to send mail as spamresource@gmail.com, from Gmail, when replying to people who contact me) – but for newsletters or marketing messages, you’ll need to use your own domain name. It's time to modify any email sending from an CRM (customer relationship management) platform, ESP (email service provider) or newsletter tool so that you no longer use a Gmail or Yahoo address as your from address. And don’t use any domain name in your from address unless you own that domain name. It really should be a domain name that you own, with very few exceptions. Meaning, I need to send my email newsletters as newlsetter@spamresource.com, not spamresource@gmail.com.
- Don’t have a domain name for your own sends from a newsletter platform or ESP? Go buy a domain. One buys a domain name from domain registrars, such as Godaddy, Hover.com or Namecheap. Which one is best is not for me to say – they essentially all work fine. Prices can vary a bit. Godaddy tends to have good packages to help small businesses implement business email and/or a website, and they have a fun little AI tool that will suggest domain names based on you providing a description of your business or target audience.
- Implement DKIM for your corporate mail and ESP/CRM/email newsletter platform. DKIM is a method of email authentication that helps make it easier for mailbox providers like Gmail and Yahoo to know that mail you send is legitimately authorized by you. Making it easier to identify your good mail makes it easier for them to identify (and block) bad mail and protect from threats from bad guys. Corporate mail systems and ESP/newsletter tools all have instructions on how to implement DKIM. Follow those instructions for any and all platforms you use. Meaning, if you send business email (one-to-one) from Microsoft O365, and you use Constant Contact to send newsletters, set up DKIM for both. Here's some helpful DKIM configuration links:
- How to implement DKIM for Mailchimp (ESP/newsletter mail)
- How to implement DKIM for Klaviyo (ESP/newsletter mail)
- How to implement DKIM for AWeber (ESP/newsletter mail)
- How to implement DKIM for Constant Contact (ESP/newsletter mail)
- How to implement DKIM for iContact (ESP/newsletter mail)
- How to implement DKIM for Microsoft O365 (business mail)
- How to implement DKIM for Google Workspace (business mail)
- Implement SPF for your corporate mail (Google Workspace or O365). If your domain is not new, and you previously purchased an email service or help with setup (Godaddy, O365, Google Workspace), SPF may already be configured for your domain (check here). Don’t worry about SPF for your ESP or newsletter mail, unless your email sending platform explicitly says otherwise. Even then, you might want to ask their support team for guidance.
- How to implement SPF for Microsoft O365 (business mail)
- How to implement SPF for Google Workspace (business mail)
- Implement DMARC for your domain. DMARC is a setting for your domain name that tells mailbox providers what to do with mail that fails authentication checks. You’re implementing it here because Gmail and Yahoo are now requiring it. You don’t necessarily have to become a DMARC master – here’s a link to my “DMARC, the quick and dirty way” guide here on Spam Resource. Read it, choose a path, and paste in the proper DNS record text as recommended for that path. It is up to you to decide whether or not you want to fully link up to a DMARC tool or service. My recommendation is do it if you can; it's a good way to protect your domain against spoofing. But, implementation may incur a cost or require a bit of technical expertise.
- Sign up Google Postmaster Tools. It’s domain based, so you’ll link it to your new domain. If you send “enough” mail, it’ll give you feedback that helps you understand whether or not Gmail thinks you’re a good (non-spammy) sender. It doesn’t always magically instruct you on how to fix problems, but it is a useful “red/yellow/green” to at least confirm when things are going right.
- Send wanted mail. The goal is to keep spam complaint rates very low. Google’s asking you to keep spam complaint rates under .1% and warning that regularly exceeding .3% could lead to your email being rejected.
- Don’t buy lists or get email addresses from third parties. Purchased lists or third party lists will have higher complaint rates, which put you at risk of running afoul of the new “keep spam complaints low” requirements mentioned above. Beyond that, engagement – the amount of interactions your email will receive from subscribers – will be below average. Gmail and Yahoo (and others) will notice this. This will make it more likely for your mail to go to the spam folder, not the inbox. And avoid cold leads.
- Make it easy to unsubscribe. Obvious, clear link, nothing silly like using a white-on-white unsubscribe link. If you’ve read the requirements, they talk about "RFC 8058" and "one click unsubscribe" or "list unsubscribe" handling. Ignore it. You don’t implement this – your email sending platform does. It is configured in hidden email headers by your ESP/newsletter sending platform. This has nothing to do with the body of your email messages -- not those links, and not the usual profile or subscription center that you might be linking to in those messages.
- Test periodically to make sure that everything is set up correctly. DMARCian’s DMARC Inspector and Steve Atkins’ Aboutmy.Email are very helpful tools. Confirm that you have a DMARC record. Confirm that you have DKIM authentication in place and working properly. Make sure the DKIM domain matches your from domain. This is called DKIM “alignment” and Gmail highlights both the from domain and DKIM domain when viewing the original message source inside of Gmail, allowing you to compare. (Learn more about Aboutmy.Email here.)
Please note that compliance does not guarantee that your mail will go to the inbox. A primary goal here across these requirements is to make it easy for Gmail and Yahoo Mail to denote that your mail is from you, not just mail from some random blob of customers for some email service provider. That means that people who implement these guidelines and who have good, non-spammy practices (sending wanted mail, etc.) will likely be just fine and see inbox placement success. Those that play games with permission or otherwise miss the mark when it comes to full compliance are more likely to have a rough go of things.
Yahoo Mail/Gmail 2024 Compliance Frequently Asked Questions
What is the actual timeline for enforcement? Both Yahoo and Gmail are saying that compliance with the “one click” unsubscribe functionality will begin in June. So if you’re waiting for your email platform to implement that functionality, there’s a few more months to go before it becomes a problem. As far as the general sender requirements, Yahoo and Google are both saying that compliance is required starting in February. Gmail is indicating that compliance will start small, and grow over time. In February, they’ll begin to temporarily delay some small percentage of non-compliant mail, to help senders identify problems. In April, they’ll start to reject some percentage of non-compliant mail, and they’ll increase that compliance over time. I’m not exactly sure what Yahoo will do, but I think the goal here should be to comply ASAP.
I only send 100 emails a day, do I have to comply? Google has said that their compliance requirements are targeted at those who send 5,000 or more email messages per day to Gmail subscribers. If you send far below that, you might be okay without complying. However, I wouldn’t risk it – assuming your email list is growing, you will hit that threshold eventually, and these are still best practices that help improve your chances of getting email delivered to the inbox. Also, the “lock down” of using Gmail or Yahoo in your from domain will likely apply to everyone, big or small.
What’s a domain name? Welcome to my blog at www.spamresource.com, where you're reading this guide. In my blog's web address, “spamresource.com” is the domain name. I send email newsletters using a from address of newsletter@spamresource.com, with my custom domain name of “spamresource.com.”
What’s a domain registrar? It’s a place you buy domain names (like “spamresource.com”) from. Domain registrars include Godaddy, Hover.com, Namecheap and many others.
What is DNS? Domain Name Service. It’s basically the phone book of the internet. Your domain registrar helps you attach DNS records to your domain name, that tell people and platforms how they can connect to your website, verify that mail is from you, and do various other technical things. (Want to learn more? I love this "zine" guide.)
What about TLS? Google did mention TLS as a sender requirement, yes? TLS refers to “Transport Layer Security” which helps ensure that emails are transmitted over the internet – handed off between mail servers – using encrypted connections between those servers. This is stuff that your email platform handles. You don’t have to put any special code in your email message to ensure TLS compliance. Gmail has effectively required TLS for years.
What about subdomains? If I wanted to send mail as newsletter@email.spamresource.com, that would be me setting up a subdomain called “email.” It is indeed possible to configure DKIM and DMARC for subdomains (though it isn’t strictly necessary for DMARC – you can set that at the top level (main level) of your domain and that covers subdomains). All doable, but outside of scope for this FAQ. Click here to learn more about subdomains in email.
What about other ISPs/MBPs like Outlook? Even though we specifically mention Yahoo Mail and Gmail, it’s really no longer safe to use any “freemail” or ISP/MBP (internet service provider/mailbox provider) domain in your from address, when sending bulk or newsletter mail. No sending as outlook.com, bigpond.com, icloud.com, or any other domain that you don’t own.
Can I have multiple DMARC or SPF records? No. Sometimes people get confused when it comes to configuring DMARC or SPF and accidentally implement it twice, usually based on conflicting guidance. Read here for more guidance on why double DMARC records don’t work. Same goes with SPF – you should only see one SPF record, when performing an SPF record for your domain name.
What about multiple DKIM records? You can configure DKIM for multiple providers (sending platforms), so yes, you can and should implement the multiple DKIM records necessary to support those providers. Some providers (ESP/newsletter platforms) will even ask you to implement two or three DKIM DNS records, for reasons of flexibility and security. Do as they recommend. For some of my domains, I have DKIM DNS records in place for Constant Contact, AWeber, Mailchimp AND Google Workspace (Gmail). This does not pose any issues other than showing me a long list of DNS records when I look up my domain settings.
Does DKIM email authentication really matter? Yes, even before all of the scrambling to help senders toward compliance with this as a requirement, it was already a best practice. I have long said that configuring DKIM authentication is that "one weird trick" most likely to help a newsletter or marketing sender (large or small) improve their chances of getting mail delivered to the inbox. There are caveats and complications, but I still stand by that statement.
I need more setup help for a specific email platform! Look here for a directory of email service provider platforms and Yahoo/Google compliance guidance and setup instructions for each.
What did I miss? Leave questions in comments below and I’ll update this as I’m able. Thanks for reading, and good luck. Everybody stay calm, implement the proper bits, and we'll all get through this together!
Helpful directions! Thanks from a novice.
ReplyDeleteSo, with reference to SPF, I get this message:
This seems to be a healthy SPF record.
×This SPF record has 4/10 terms that cause DNS queries
Is “terms that cause DNS queries” a bad thing? If so what does one do about it?
Do you know how the 5000/d is measured. Is it by IP, From, MAIL-FROM domain?
ReplyDeleteFollow-up question regarding one-click unsubscribes. You say not to worry about RFC 8058 but the bulk mail service we use does not appear to offer this option, and I'm convinced it's impacted our deliverability (~70% of our emails go to Google/Yahoo accounts). Is there anything we can do manually? Or do we need to find a different mail service?
ReplyDelete