Back to main menu

Deliverability

Understanding new sender requirements: A fireside chat with Yahoo & Google

Yahoo and Google have finally pulled the trigger on enforcing authentication best practices. We sat down with Yahoo’s Senior Director of Product, Marcel Becker, and Google’s Director of Product Anti-Abuse and Safety, Anu Yamunan, to find out with this means for email senders.

Hermes sitting in front of a fireplace

PUBLISHED ON

PUBLISHED ON

Now that we’ve officially rolled into 2024, it means Google and Yahoo’s email authentication changes are coming into effect. But what does this really look like for email senders? How is it going to impact you directly? And what will need to be implemented to stay on the right side of Johnny law?

Well, there’s no better people to ask than those behind the changes, right? Which is why we invited Yahoo’s Senior Director of Product, Marcel Becker, Google’s Director of Product Anti-Abuse and Safety, Anu Yamunan, and Sinch Mailgun’s Vice President of Deliverability, Kate Nowrouzi, to go through all your questions – and more – in our recent webinar. Here’s what they had to say.

What's changing and why?

Google and Yahoo are stepping up their game to keep our inboxes safe and junk free. They’re rolling out a new set of requirements for brands sending bulk email (5000+ emails a day) to reduce the risk of spam, phishing, and other malicious activities, improving the delivery of legitimate emails to subscribers' inboxes.

So, why now? Why the sudden need for action?

Well, it’s probably worth mentioning that these new requirements are simply best practices that have existed for well over 10+ years now. There’s nothing particularly new or revolutionary about what Yahoo and Google have announced. In fact, many email senders already meet these authentication standards. The difference is they will now be enforced.

Here’s what Anu had to say about the “why” behind the changes:

“It’s an opportunity for the industry to finally come together and meaningfully upgrade the safety of the email ecosystem. We believe that all recipients should be able to trust the messages they are reading from verified senders, as well as have more control over this relationship.”

Anu Yamunan, Director of Product Anti-Abuse and Safety at Google

Marcel also weighed in:

“We are looking at this from the UX perspective, we don't want to punish senders, but simply provide the best experience possible for users. Email volume is increasing year on year, and consequently, so is the threat.”

Marcel Becker, Senior Director of Product at Yahoo

What new requirements should I be aware of?

OK, so we know there are incoming changes, but what do they look like in practice? What do they entail at a more technical level? Essentially, there are three key requirements you will need to prioritize:

  1. Badge Check

    Email authentication: Senders will be required to verify their identities with the standard protocols SPF, DKIM, and DMARC.

  2. Badge Check

    Add a one-click unsubscribe header: Senders will need to implement a valid List-Unsubscribe header within emails if they haven’t already, to allow recipients to easily opt out.

  3. Badge Check

    Only send emails users want: Gmail and Yahoo are getting serious about spam monitoring and senders will need to ensure they’re keeping below a set spam rate threshold.

These mandates will only affect bulk senders. While Yahoo has steered away from giving a definite number (which we’ll get to later) Google has set a figure of 5000 or more messages to Gmail addresses in one day.

Let’s look at each of the three requirements in greater detail:

Email authentication

The first thing you will need to do Is set up the three standard protocols used to verify the legitimacy of your domain. This is good practice for a few reasons:

  1. Badge Check

    It ensures your email has not been tampered with (spoofing) and that it originates from the claimed source.

  2. Badge Check

    Helps prevent recipients from email fraud, phishing, and other malicious attacks.

  3. Badge Check

    Reduces the likelihood of messaging from your organization being marked as spam.

Now, those protocols in question are SPF, DKIM, and DMARC. If you’ve not come across them before we’ll quickly run through each one below:

SPF (Sender Policy Framework) allows senders to specify the servers and domains permitted to send email from their organization. When servers receive a message from your brand, they compare it to the list of allowed servers. This lets them verify the message actually came from you.

DKIM (DomainKeys Identified Mail) adds an encrypted digital signature to every message sent from your brand. Receiving servers use a public key to read the signature and verify that it came from you. This also prevents content being changed when the message is sent between servers.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) essentially tells receiving servers what to do with messages from your brand when they fail either SPF or DKIM. Now, there are three options or “instructs” for servers:

  • Badge Check

    p=none: Log the entry but take no action.

  • Badge Check

    p=quarantine: Filter into spam.

  • Badge Check

    p=reject: Bounce the email message.

Both Yahoo and Gmail will require bulk senders to implement DMARC with a minimum policy of p=none which instructs receiving mail servers to log but not to take any action.

What­ you’­ll need­

How to get ther­e

What­ you’­ll need­

Gm­ail: Both­ SPF and DKIM­ are requ­ired by Gmai­l. Mess­ages that­ don’­t carr­y thes­e prot­ocols will­ be reje­cted from­ the inbo­x or mark­ed as spam­. DMAR­C is also­ requ­ired to prev­ent Gmai­l impe­rsonation in FROM­ head­ers.

If you’­re a Mail­jet user­, just­ foll­ow our deta­iled gui­de to get your­ doma­ins auth­enticated with­ SPF and DKIM­. If you’­re not,­ we’v­e outl­ined the proc­esses for obta­ining thes­e auth­entications in thes­e post­s: How­ to hand­le SP­F­ and DKI­M setu­p. For DMAR­C you will­ need­ to set up at mini­mum a p=no­ne poli­cy.

How to get ther­e

Ya­hoo: Will­ requ­ire stro­ng auth­entication and for user­s to “lev­erage indu­stry stan­dards such­ as SPF,­ DKIM­, and DMAR­C”.

Impl­ementing DMAR­C take­s a bit more­ time­, as DMAR­C allo­ws you to make­ choi­ces rega­rding your­ poli­cy base­d on your­ emai­l prog­ram. Get star­ted now by chec­king out our arti­cle Wha­t is DMAR­C and how it work­s.

One-click unsubscribe

Giving your readers the option to unsubscribe from your email is, despite sounding very counterintuitive, beneficial at many levels. It can boost both open and click-through rates, while reducing the chance of your content being marked as spam.

This is why both Google and Yahoo have decided to mandate that senders include a one-click unsubscribe link. It’s important to note that this is not the same as adding an unsubscribe link to the foot of your emails. What is required is that you add a list-unsubscribe post headers into the header of your email as specified by RFC 8058.

When done correctly it should appear as follows:

Example of list-unsubscribe in an email header

This loops back to what Marcel mentioned earlier, about providing the best possible email experience for both senders and recipients. It’s much easier for readers to unsubscribe from an email if it appears in the header above the body content, rather than scrolling down to the bottom of the page.

What­ you’­ll need­

How to get ther­e

What­ you’­ll need­

Sa­me for Gmai­l and Yaho­o: A sing­­le-click path­­way for user­­s to easi­­ly unsu­­bscribe from­­ your­­ mess­­ages from­­ with­­in the mail­­box prov­­ider’s UI usin­­g list­­-unsubscribe head­­ers, and inte­­rnal supp­­ort to hono­­r unsu­­bscribe requ­­ests and remo­­ve addr­­esses from­­ rele­­vant emai­­l list­­s with­­in 2 days­­.

Send­­ers will­­ need­­ to put list­­-unsubscribe post­­ head­­ers into­­ the head­­er of thei­­r emai­­l as spec­­ified by RFC­­ 8058­­.

Reduce spam complaints

Now, reducing your spam complaint rate is a good idea for a number of reasons. It improves your sender reputation, fosters trust with your subscribers and positively impacts your email deliverability. Google and Yahoo both agree, setting a spam complaint threshold at 0.3%.

This shouldn’t be an issue for most email senders, with many brands coming in well under 0.1%. However, you’ll still want to monitor your spam complaint rate, which you can do so by signing up with Google Postmasters Tools. Mailjet customers are already forwarded Yahoo’s Feedback Loops which monitor spam complaints.

What­ you’­ll need­

How to get ther­e

What­ you’­ll need­

Sa­me for Gmai­l and Yaho­o: The spam­­ comp­­laint thre­­shold is 0.3%­­.

Clos­ely moni­tor your­ spam­ rate­, as well­ as othe­r enga­gement metr­ics, usin­g reso­urces like­ Goo­gle Post­masters Tool­s. Empl­oy deli­verability best­ prac­tices like­ lis­t mana­gement and sun­set poli­cies to opti­mize your­ emai­l list­s, ensu­ring you’­re only­ send­ing mess­ages to enga­ged reci­pients. Use deli­verability tool­s like­ Bul­k Veri­fications and or Sin­ch’s Inbo­xReady’s Inbo­x Plac­ement Test­ing to stay­ on top of your­ over­all deli­verability and impr­ove your­ inbo­x plac­ement.

Who does this impact?

While officially the rollouts will affect bulk senders – defined by Google as those sending over 5000 messages a day to Gmail accounts – the truth is it’s not as exact as that. What we mean is if you send 4999 messages you're not suddenly exempt from these requirements.

"If you're a bulk sender, sending mass marketing email, whether that's 2000, 3000, 5000 or 10,000 a day, you need to follow these guidelines. They are designed to help our mutual customers have the best inbox experience possible"

Marcel Becker, Senior Director of Product at Yahoo

Anu confirmed this to be the case with Google, too. The 5000-email figure is more of a guidepost than a strict number to be adhered to. Realistically, every sender should ensure their authentication systems are set correctly.

At the end of the day, these changes benefit everyone in the email ecosystem. They make senders more resilient against impersonation or spoofing attacks, while easier unsubscribe options will also reduce your spam score and consequently, maintain a relative level of interest from your email list.

Transactional emails are excluded from the unsubscribe requirement. An example of a transactional email would be a password reset, reservation confirmation, etc.

You can watch the full webinar recording below:

How Sinch Mailjet can help

Email deliverability excellence is always at the core of our product offering for all our email solutions. We’re constantly striving to set up our users for deliverability success and making sure you get the help you need to achieve it.

For example, a List-Unsubscribe header is added to all emails sent from Mailjet, meaning customers already comply with this requirement by default. We also have detailed documentation to set up the SPF and DKIM email authentication protocols required by Gmail and Yahoo.

And if you’re looking for even more tailored support, check out our Deliverability Services! We have a dedicated team of experts ready to help your company navigate these evolving industry standards and implement the tailored strategy that best fits your email needs.

Get world class email deliverability support

Maximize the success of your email campaigns and reduce the amount of content landing in your recipient’s spam folder with our Deliverability Services offering, where a dedicated account manager will be on hand to help you every step of the way.

Popular posts

Hermes rides a firework next to a Goddess in front of a night sky with more fireworks

Email best practices

6 min

Top email marketing trends for 2022

Read More

Hermes on a moped delivering mail to a mailbox

Email best practices

8 min

Reducing email’s carbon footprint

Read More

Mother's day gift for Hera

Marketing

14 min

Marketing calendar 2024: Dates you shouldn’t miss this year

Read More

It's never been easier to build connected experiences. Start sending with Mailjet today.Get started on your path
CTA icon