Categories
Local Marketing Activation

Email Marketing in 2024: Navigating Gmail and Yahoo’s New Sending Guidelines

Gmail and Yahoo will enforce new sending guidelines starting February 1, 2024, which require subscriber protections for inboxes. Those impacted include bulk email senders who send more than 5,000 emails per day to Gmail and Yahoo subscribers.

Email has always been a prime target for attackers, and unfortunately, simply encrypting message transfers between email servers is no longer enough to protect us from spammers, phishers, and other malicious actors. These attackers often use sophisticated techniques to forge emails and make them appear as if they are from legitimate senders.

The key to reducing unwanted and malicious emails is to use techniques to authenticate the sender of an email and verify that the email itself has not been tampered with in transit. This can be done using a variety of protocols, such as SPF, DKIM, and DMARC.

Did you know? According to Gmail, “Messages without at least one of these authentication methods are rejected with a 5.7.26 error or are marked as spam.” Gmail also states that if requirements are not met by February 1, 2024, your email might be marked as spam or not delivered.

The new standards aim to protect subscribers from malicious messages and reduce spam by authenticating senders and preventing impersonation.

This will impact senders with volumes of 5,000 emails a day to Gmail and is powered by “Gmail’s AI powered defenses” to stop more than 99.9% of phishing, malware, and spam. Yahoo will also implement the same requirements. Marketers must authenticate their email – The email must pass DKIM authentication and pass SPF authentication. Senders are advised to start this process now if they have not already done so.

Requirements for sending 5,000 or more messages per day.
  • Set up SPF authentication for your domain, or DKIM authentication for your domain.
  • Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records. Learn more
  • Keep spam rates reported in Postmaster Tools below 0.3%. (Gmail) Learn more 
  • Format messages according to the Internet Message Format standard (RFC 5322).
  • Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery. 
  • If you regularly forward email, including using mailing lists or inbound gateways, add ARC headers to outgoing email. ARC headers indicate the message was forwarded and identify you as the forwarder. Mailing list senders should also add a List-id: header, which specifies the mailing list, to outgoing messages.
Both GMAIL and Yahoo require:
  • One-Click/Tap unsubscribe: Both will require bulk senders give subscribers the ability to unsubscribe from an email in just one click – no login required or having to jump through hoops.
  • Send emails that users want to engage with – Yahoo and Google require senders to send emails that users want to engage with. To do this, senders should monitor engagement and stop mailing to users who do not engage. Google requires a low spam rate: Keep spam rates reported in Postmaster Tools below 0.3%.
  • Gmail is also requiring sender to process unsubscription requests within two days.
  • Be CAN-SPAM compliant.

Although not a requirement it is advised to make sure your 2024 emails are ADA compliant.

  • Become ADA compliant.
How SPF, DKIM, and DMARC Work Together to Protect Email Users

Email authentication is the process of verifying an email came from who it claims to be from. SPF, DKIM, and DMARC are three email authentication protocols that work together to protect users from spam, spoofing, and phishing attacks.

SPF (Sender Policy Framework) is a DNS-based protocol that allows domain owners to specify which email servers are authorized to send email on their behalf. This helps to prevent spammers from sending emails that appear to be from legitimate domains.

DKIM (DomainKeys Identified Mail) is a cryptographic protocol that allows domain owners to digitally sign their emails. This allows receiving email servers to verify that the email came from the domain it claims to be from and that it has not been tampered with in transit.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy-based protocol that allows domain owners to specify how receiving email servers should handle emails that fail SPF and/or DKIM authentication. This helps to protect domain owners from email spoofing and phishing attacks.

SPF, DKIM, and DMARC work together in the following way:
  1. When an email server receives an email, it checks the SPF record for the sending domain to see if the sending server is authorized. If the sending server is not authorized, the email is more likely to be marked as spam.
  2. If the sending server is authorized, the receiving email server checks the DKIM signature of the email. If the signature is valid, the receiving email server can be confident that the email came from the domain it claims to be from and that it has not been tampered with in transit.
  3. If the DKIM signature is not valid, or if the email fails SPF authentication, the receiving email server checks the DMARC record for the sending domain to see what to do with the email. The DMARC record can specify that the email should be quarantined, rejected, or delivered.

By using SPF, DKIM, and DMARC together, domain owners can help to protect their users from spam, spoofing, and phishing attacks.

Here are some additional benefits of using SPF, DKIM, and DMARC:
  • Improved email deliverability: Email providers are more likely to deliver emails from domains that use SPF, DKIM, and DMARC authentication.
  • Increased protection from phishing attacks: SPF, DKIM, and DMARC make it more difficult for spammers to send emails that appear to be from legitimate domains.
  • Improved insights into email traffic: DMARC reports can provide valuable insights into your email traffic, including how much spam and phishing is being sent from your domain. If the receiving email server cannot find a DMARC record for the sending domain, it will typically use its own policies to decide how to handle the email. DMARC reports can be used to identify unauthorized servers that are sending emails on your behalf, as well as to identify spammers and phishers who are targeting your users.

SPF, DKIM, and DMARC are essential tools for protecting email users from spam, spoofing, and phishing attacks. Domain owners are encouraged to implement all three protocols to protect their users and improve their email deliverability.

Let’s dive in to get a better understanding:

Email Authentication: Google and Yahoo will require bulk senders to authenticate their email using security protocols: SPF or DKIM and DMARC. According to Gmail, this will “Ultimately, … close loopholes exploited by attackers that threaten everyone who uses email.” Subscribers should have trust in the identity of their senders. *Check with your email service provider and make sure they have authenticated your domain’s email with DKIM and SPF.

Expanded Explanation:
SPF

Sender Policy Framework (SPF) is a security protocol that helps to prevent email spoofing, a type of email attack in which the sender’s email address is forged or stolen. SPF allows domain owners to specify which email servers are authorized to send email on their behalf. This helps to protect email users from phishing attacks, in which spammers send emails that appear to be from a legitimate source to trick people into revealing sensitive information.

When a receiving email server receives an email, it checks the SPF record for the sending domain to see if the sending server is authorized. If the sending server is not authorized, the email is more likely to be marked as spam.

How to set up SPF

To set up SPF, you will need to add a DNS TXT record to your domain. The specific steps will vary depending on your domain registrar, but you can usually find instructions on their website.

Once you have added the DNS TXT record, you will need to test your configuration to make sure it is working properly. There are several online tools you can use to test your SPF record, such as SPF Record Checker and MXToolbox.

Benefits of using SPF

There are a few benefits to using SPF, including:

  • Improved email deliverability: Email providers are more likely to deliver emails from domains that use SPF authentication.
  • Reduced spam: SPF can help to reduce the amount of spam that your recipients receive.
  • Increased protection from phishing attacks: SPF can make it more difficult for spammers to send emails that appear to be from your domain.

Here is a simplified analogy:

Imagine that you have a mailbox at the post office. You can give the key to your mailbox to anyone you want, and they will be able to put mail in your box. However, if you don’t give the key to someone, they won’t be able to put mail in your box.

SPF works in a similar way. When you publish an SPF record for your domain, you are essentially giving the key to your mailbox to a list of authorized IP addresses. Any email server that wants to send email on your behalf will need to have the key. If they don’t have the key, the email server will be able to tell that the email is a forgery and will reject it.

DKIM

DomainKeys Identified Mail (DKIM) is a security protocol that helps to prevent email spoofing, a type of email attack in which the sender’s email address is forged or stolen. DKIM works by allowing domain owners to digitally sign their emails. When a receiving email server receives an email, it can verify the DKIM signature to see if it is valid. If it is, the email server can be confident the email came from the domain it claims to be from and it has not been tampered with in transit. Verifying the DKIM signature of an email helps to protect email users from phishing attacks and other malicious emails.

Here is a simplified explanation of how DKIM works:

  1. The sending email server creates a digital signature of the email using a private key that is known only to the sending domain.
  2. The sending email server adds the digital signature to the email header.
  3. The receiving email server retrieves the sending domain’s public key from a DNS TXT record.
  4. The receiving email server uses the public key to verify the digital signature of the email.
  5. If the digital signature is valid, the receiving email server can be confident the email came from the sending domain and has not been tampered with in transit.

Here is a simplified analogy:

Imagine that you are sending a letter to a friend. You want to make sure that your friend knows that the letter is really from you, so you sign the letter at the bottom. When your friend receives the letter, they can see your signature and know it is really from you. DKIM works in a similar way. When you send an email using DKIM, you are essentially signing the email with a digital signature. When the email server receives the email, it can verify the digital signature to make sure that it is valid. If it is, the email server can be confident the email came from you and has not been tampered with in transit.

DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM to provide even greater protection against email spoofing and phishing attacks. DMARC allows domain owners to specify how receiving email servers should handle emails that fail SPF and/or DKIM authentication. This helps to protect domain owners from email spoofing and phishing attacks.

DMARC policies are published in the Domain Name System (DNS) as TXT records. Publishing DMARC policies in the DNS allows all email servers to see the domain owner’s preferred handling of emails that fail SPF and/or DKIM authentication. DMARC policies can specify the following:

  • What to do with emails that fail SPF and/or DKIM authentication (quarantine, reject, or do nothing)
  • Whether to send reports to the domain owner about emails that fail SPF and/or DKIM authentication

DMARC reports can be used by domain owners to identify and address the following issues:

  • Email spoofing attacks
  • Phishing attacks
  • Outbound email servers that are misconfigured or compromised

There are several benefits to using DMARC, including:

  • Improved email deliverability: Email providers are more likely to deliver emails from domains that use DMARC authentication.
  • Reduced spam: DMARC can help to reduce the amount of spam your recipients receive.
  • Increased protection from phishing attacks: DMARC can make it more difficult for spammers to send emails that appear to be from your domain.
  • Improved insight into email traffic: DMARC reports can provide valuable insights into your email traffic, including how much spam and phishing is being sent from your domain.

Here is a simplified analogy:

Imagine that you have a mailbox at the post office. You can specify what the post office should do with mail that is not addressed to you. For example, you can tell them to return the mail to sender, throw it away, or put it in a special folder.

Domain owners can use DMARC to specify what email servers should do with emails that fail to authenticate using SPF or DKIM. For example, they can tell the email servers to reject the emails, quarantine them, or deliver them.

DMARC Policy Options

Domain owners can use DMARC policy options to specify how receiving email servers should handle emails that fail SPF and/or DKIM authentication. The DMARC protocol allows domain owners to specify how receiving email servers should handle emails that fail SPF and/or DKIM authentication. DMARC offers three policy options:

  • None: This option means that no action should be taken on emails that fail SPF and/or DKIM authentication. Emails that fail authentication may still be delivered, but they may be marked as suspicious. The None policy is typically used when first implementing DMARC, as it allows domain owners to collect data on how often the policy is invoked.
  • Quarantine: This option means that emails that fail SPF and/or DKIM authentication should be quarantined. Quarantined emails are not delivered to recipients immediately, but they can be retrieved by recipients at a later time. The Quarantine policy is a good option for domain owners who want to protect their recipients from malicious emails, while still giving recipients the option to receive emails that may be legitimate.
  • Reject: This option means that emails that fail SPF and/or DKIM authentication should be rejected. Rejected emails are not delivered to recipients at all. The Reject policy is the most restrictive option, but it is also the most effective way to protect recipients from malicious emails.

Domain owners should choose a DMARC policy based on their specific needs and risk tolerance. For example, domain owners who are concerned about protecting their recipients from phishing attacks may choose the Reject policy. Domain owners who are concerned about reducing the number of false positives may choose the None or Quarantine policy.

Resources

Gmail:
New Gmail protections for a safer, less spammy inbox: https://blog.google/products/gmail/gmail-security-authentication-spam-protection/
https://blog.google/products/gmail/gmail-security-authentication-spam-protection/
https://support.google.com/a/answer/10583557?hl=en&sjid=11701372456395968691-NA#zippy=%2Cvideo-why-email-authentication%2Cvideo-set-up-email-authentication
https://support.google.com/mail/answer/81126?hl=en#requirements-5k&zippy=%2Crequirements-for-sending-or-more-messages-per-day

Yahoo:
Enforcing email standards for a better experience: https://blog.postmaster.yahooinc.com/post/730172167494483968/more-secure-less-spam
Best Practices for Yahoo: https://senders.yahooinc.com/best-practices/

Outlook.com:
Best Practices: https://sendersupport.olc.protection.outlook.com/pm/policies.aspx


Authentication

Domain-based Message Authentication, Reporting & Conformance: https://dmarc.org/

DomainKeys Identified Mail: http://www.dkim.org/

Sender Policy Framework:  http://www.open-spf.org/

CAN-SPAM Act: A Compliance Guide for Business: https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business

MX TOOLBOX: https://mxtoolbox.com/dmarc.aspx

By Cindy Collum

An accomplished professional, Cindy serves as the Director of Email Development at Ansira, bringing her expertise and leadership to enhance the company's email marketing strategies. She leads email development, training, consulting efforts, onboarding clients, and consults with other Ansira teams. Cindy is a General Patton in sticking with process for quality and Agile development.