Understanding new sender requirements: A fireside chat with Yahoo & Google
Yahoo and Google have finally pulled the trigger on enforcing authentication best practices. We sat down with Yahoo’s Senior Director of Product, Marcel Becker, and Google’s Director of Product Anti-Abuse and Safety, Anu Yamunan, to find out what this means for email senders.
Now that we’ve officially rolled into 2024, it means Google and Yahoo’s email authentication changes are coming into effect. But what does this really look like for email senders? How is it going to impact you directly? And what will need to be implemented to stay on the right side of Johnny law?
Well, there are no better people to ask than those behind the changes, right? Which is why we invited Yahoo’s Senior Director of Product, Marcel Becker, Google’s Director of Product Anti-Abuse and Safety, Anu Yamunan, and Sinch Mailgun’s Vice President of Deliverability, Kate Nowrouzi, to go through all your questions – and more – in our recent webinar. Here’s what they had to say.
What's changing and why?
Google and Yahoo are stepping up their game to keep our inboxes safe and junk free. They’re rolling out a new set of requirements for brands sending bulk email (5000+ emails a day) to reduce the risk of spam, phishing, and other malicious activities, improving the delivery of legitimate emails to subscribers' inboxes.
So, why now? Why the sudden need for action?
Well, it’s probably worth mentioning that these new requirements are simply best practices that have existed for well over 10 years now. There’s nothing particularly new or revolutionary about what Yahoo and Google have announced. In fact, many email senders already meet these authentication standards. The difference is they will now be enforced.
Here’s what Anu had to say about the “why” behind the changes:
“It’s an opportunity for the industry to finally come together and meaningfully upgrade the safety of the email ecosystem. We believe that all recipients should be able to trust the messages they are reading from verified senders, as well as have more control over this relationship.”
Anu Yamunan, Director of Product Anti-Abuse and Safety at Google
Marcel also weighed in:
“We are looking at this from the UX perspective, we don't want to punish senders, but simply provide the best experience possible for users. Email volume is increasing year on year, and consequently, so is the threat.”
Marcel Becker, Senior Director of Product at Yahoo
What new requirements should I be aware of?
OK, so we know there are incoming changes, but what do they look like in practice? What do they entail at a more technical level? Essentially, there are three key requirements you will need to prioritize:
Email authentication: Senders will be required to verify their identities with the standard protocols SPF, DKIM, and DMARC.
Add a one-click unsubscribe header: Senders will need to implement a valid List-Unsubscribe header within emails if they haven’t already, to allow recipients to easily opt out.
Only send emails users want: Gmail and Yahoo are getting serious about spam monitoring and senders will need to ensure they’re keeping below a set spam rate threshold.
These mandates will only affect bulk senders. While Yahoo has steered away from giving a definite number (which we’ll get to later), Google has set a figure of 5000 or more messages to Gmail addresses in one day.
Let’s look at each of the three requirements in greater detail:
Email authentication
The first thing you will need to do is set up the three standard protocols used to verify the legitimacy of your domain. This is good practice for a few reasons:
It ensures your email has not been tampered with (spoofing) and that it originates from the claimed source.
It helps protect recipients from email fraud, phishing, and other malicious attacks.
It reduces the likelihood of messaging from your organization being marked as spam.
Now, those protocols in question are SPF, DKIM, and DMARC. If you’ve not come across them before we’ll quickly run through each one below:
SPF (Sender Policy Framework) allows senders to specify the servers and domains permitted to send email from their organization. When servers receive a message from your brand, they compare it to the list of allowed servers. This lets them verify the message actually came from you.
DKIM (DomainKeys Identified Mail) adds an encrypted digital signature to every message sent from your brand. Receiving servers use a public key to read the signature and verify that it came from you. This also prevents content being changed when the message is sent between servers.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) essentially tells receiving servers what to do with messages from your brand when they fail either SPF or DKIM. Now, there are three options or “instructs” for servers:
p=none: Log the entry but take no action.
p=quarantine: Filter into spam.
p=reject: Bounce the email message.
Both Yahoo and Gmail will require bulk senders to implement DMARC with a minimum policy of p=none which instructs receiving mail servers to log but not to take any action.
What you’ll need | How to get there |
---|---|
Gmail: Both SPF and DKIM are required by Gmail. Messages that don’t carry these protocols will be rejected from the inbox or marked as spam. DMARC is also required to prevent Gmail impersonation in FROM headers. | If you’re a Mailjet user, just follow our detailed guide to get your domains authenticated with SPF and DKIM. If you’re not, we’ve outlined the processes for obtaining these authentications in these posts: How to handle SPF and DKIM setup. For DMARC you will need to set up at minimum a p=none policy. |
Yahoo: Will require strong authentication and for users to “leverage industry standards such as SPF, DKIM, and DMARC”. | Implementing DMARC takes a bit more time, as DMARC allows you to make choices regarding your policy based on your email program. Get started now by checking out our article What is DMARC and how it works. |
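A way to check a domain's DMARC record against the p=none minimum described above, as an added example that is not Mailjet's, Google's or Yahoo's code. It works offline on the TXT strings you would find at `_dmarc.<domain>`; the domains and records in `SAMPLES` are constructed, and the function names are this example's own.

```python
# Added example: offline check of DMARC TXT strings (all sample records are constructed).
VALID_POLICIES = ("none", "quarantine", "reject")  # weakest to strictest


def parse_dmarc(txt):
    """Return the tag dict for one TXT string, or None if it is not a DMARC record."""
    tags = []
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            return None  # a tag without "=" is malformed
        tags.append((name.strip().lower(), value.strip()))
    # RFC 7489: the v tag must be first and its value exactly "DMARC1".
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)


def check_domain(txt_records):
    """Judge every TXT string published at _dmarc.<domain>; return (ok, message)."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return False, "no DMARC record published"
    if len(records) > 1:
        # RFC 7489: with more than one record, receivers apply no DMARC policy.
        return False, "multiple DMARC records published"
    policy = records[0].get("p", "").lower()
    if policy not in VALID_POLICIES:
        # Treated as a failure here; publish an explicit, valid p= tag.
        return False, "missing or invalid p= tag"
    note = "" if "rua" in records[0] else "; no rua= so no aggregate reports arrive"
    return True, f"p={policy} meets the p=none minimum{note}"


SAMPLES = {  # constructed TXT answers, keyed by hypothetical domain
    "ok.example": ["v=DMARC1; p=none; rua=mailto:dmarc@ok.example"],
    "strict.example": ["v=DMARC1; p=reject;"],
    "spf-only.example": ["v=spf1 include:_spf.example.net ~all"],
    "dup.example": ["v=DMARC1; p=none", "v=DMARC1; p=quarantine"],
    "typo.example": ["v=DMARC1; p=monitor"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, check_domain(txt))
```

The duplicate-record and misspelled-policy cases are the ones that tend to slip through, because a record is visibly published yet receivers apply no policy from it.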
One-click unsubscribe
Giving your readers the option to unsubscribe from your email is, despite sounding very counterintuitive, beneficial at many levels. It can boost both open and click-through rates, while reducing the chance of your content being marked as spam.
This is why both Google and Yahoo have decided to mandate that senders include a one-click unsubscribe link. It’s important to note that this is not the same as adding an unsubscribe link to the foot of your emails. What is required is that you add the list-unsubscribe post headers to the header of your email, as specified by RFC 8058.
When done correctly it should appear as follows:
This loops back to what Marcel mentioned earlier, about providing the best possible email experience for both senders and recipients. It’s much easier for readers to unsubscribe from an email if it appears in the header above the body content, rather than scrolling down to the bottom of the page.
What you’ll need | How to get there |
---|---|
Same for Gmail and Yahoo: A single-click pathway for users to easily unsubscribe from your messages from within the mailbox provider’s UI using list-unsubscribe headers, and internal support to honor unsubscribe requests and remove addresses from relevant email lists within 2 days. | Senders will need to put list-unsubscribe post headers into the header of their email as specified by RFC 8058. |
Reduce spam complaints
Now, reducing your spam complaint rate is a good idea for a number of reasons. It improves your sender reputation, fosters trust with your subscribers and positively impacts your email deliverability. Google and Yahoo both agree, setting a spam complaint threshold at 0.3%.
This shouldn’t be an issue for most email senders, with many brands coming in well under 0.1%. However, you’ll still want to monitor your spam complaint rate, which you can do by signing up for Google Postmaster Tools. Mailjet customers are already forwarded Yahoo’s Feedback Loops which monitor spam complaints.
What you’ll need | How to get there |
---|---|
Same for Gmail and Yahoo: The spam complaint threshold is 0.3%. | Closely monitor your spam rate, as well as other engagement metrics, using resources like Google Postmaster Tools. Employ deliverability best practices like list management and sunset policies to optimize your email lists, ensuring you’re only sending messages to engaged recipients. Use deliverability tools like Bulk Verifications and/or Sinch’s InboxReady’s Inbox Placement Testing to stay on top of your overall deliverability and improve your inbox placement. |
Who does this impact?
While officially the rollouts will affect bulk senders – defined by Google as those sending over 5000 messages a day to Gmail accounts – the truth is it’s not as exact as that. What we mean is if you send 4999 messages you're not suddenly exempt from these requirements.
"If you're a bulk sender, sending mass marketing email, whether that's 2000, 3000, 5000 or 10,000 a day, you need to follow these guidelines. They are designed to help our mutual customers have the best inbox experience possible"
Marcel Becker, Senior Director of Product at Yahoo
Anu confirmed this to be the case with Google, too. The 5000-email figure is more of a guidepost than a strict number to be adhered to. Realistically, every sender should ensure their authentication systems are set correctly.
At the end of the day, these changes benefit everyone in the email ecosystem. They make senders more resilient against impersonation or spoofing attacks, while easier unsubscribe options will also reduce your spam score and consequently, maintain a relative level of interest from your email list.
Transactional emails are excluded from the unsubscribe requirement. An example of a transactional email would be a password reset, reservation confirmation, etc.
You can watch the full webinar recording below:
How Sinch Mailjet can help
Email deliverability excellence is always at the core of our product offering for all our email solutions. We’re constantly striving to set up our users for deliverability success and making sure you get the help you need to achieve it.
For example, a List-Unsubscribe header is added to all emails sent from Mailjet, meaning customers already comply with this requirement by default. We also have detailed documentation to set up the SPF and DKIM email authentication protocols required by Gmail and Yahoo.
And if you’re looking for even more tailored support, check out our Deliverability Services! We have a dedicated team of experts ready to help your company navigate these evolving industry standards and implement the tailored strategy that best fits your email needs.