
The New Requirements for Email Delivery at Gmail

Read below to prepare for Google’s new Gmail requirements

The information in this post reflects new guidance and clarifications from Google. The content below has been updated as of March 2024.

Google’s announcement on October 3, 2023, is a massive change for email senders who send to Gmail inboxes. 

In order to make Gmail inboxes trusted and safe spaces for recipients, Google will be enforcing a handful of new requirements for these types of senders. Beginning in February, email senders will need to have the following requirements in place in order to get email delivered: 

  • Authenticate all messages with DMARC (technically, authenticate all messages with SPF or DKIM aligned with the From domain)
  • Send from a domain with a DMARC policy of at least p=none
  • Have valid forward and reverse DNS that match each other
  • Use the one-click unsubscribe header and an unsubscribe link in the footer
  • Maintain a low spam rate of < 0.1%
  • Encrypt your email (technically, require TLS)

For many email senders, these new requirements won’t impact their email programs, but for others, these changes will mean they’ll need to re-examine their current email authentication and sending practices. 

Below, we’ll dive into the details of each new requirement, what this means for senders and recipients, the reasoning behind the policy change, and what we think it means for the future of email.

What senders will be impacted?

When this news was announced, the guidance was simply that email senders who send marketing emails to 5,000 or more inboxes per day would be impacted. As we approach the deadline, however, more clarification has been provided, and these requirements are going to affect many more email senders and types of email than originally thought.

Originally, it seemed as if only current bulk senders would be affected by this. Now, any sender who has sent 5,000 messages in a day at least once in the past is classified as a bulk sender. So even if you aren’t sending 5,000 messages a day currently but did at some point, you’ll need to meet these new requirements because you’re permanently classified as a bulk sender. This update will affect many more senders than we originally thought. 

If you’re wrongly classified as a bulk sender, Google has hinted that there could be a process for getting off that list. However, these requirements are a signal for the future, and these best practices will be required for all senders at some point. It’s best to start the process now, regardless of whether you’re a bulk sender or not. 

Additionally, Google has provided guidance for all senders, regardless of sending volume. Starting in February, all senders will need to comply with the general email-sending practices outlined in Google’s guidelines.

Yahoo, Microsoft, and other inbox providers

While Google is paving the way for these new requirements, Yahoo is also backing these changes. Together, Gmail and Yahoo make up the majority of consumer inboxes. 

However, we’ve talked with other email inbox providers that will likely follow suit. Whether they do or not, it’s still important to meet these requirements because the majority of your email list will be using a Gmail or Yahoo inbox. These technical requirements are challenging to meet, but segmenting your email list according to the requirements will be even more challenging.  

What is the latest timeline?  

In December 2023, Google released an updated timeline and requirements for the enforcement of the email sender requirements. Thankfully, senders now have a little bit more time to prepare, meet these requirements, and ensure their email doesn’t get blocked.  

Currently, the new timeline is: 

  • February 2024: All senders, regardless of volume, must comply with the general email-sending practices outlined in the guidelines.
  • February 2024: Bulk email senders must start implementing enhanced requirements, including email authentication (messages must pass DMARC to be delivered and come from a domain with at least p=none). A percentage of messages that do not meet these requirements will start getting temporary errors.
  • April 2024: Google will begin rejecting non-compliant traffic. Rejection will be gradual and will impact non-compliant traffic only. Google strongly recommends senders use the temporary failure enforcement period to make any changes required to become compliant.
  • June 2024: The following requirements will begin to go into effect:
    • DMARC record with a minimum policy of none (p=none).
    • One-click unsubscribe in marketing messages
    • Mitigations unavailable when user-reported spam rates exceed 0.3% or if the sender has not met the authentication or one-click unsubscribe requirements.

Bulk senders now have more time to implement technical changes before they start to experience disruptions to their email sending. It allows for a smoother transition.

To aid in this transition, Gmail will send temporary error codes to senders whose domains aren’t authenticating correctly. Senders started receiving these codes in February, and while their mail is temporarily rejected, these codes are meant to show senders what they need to fix before April, when mail may start to be rejected or otherwise affected.

Google is clearly listening to sender feedback yet is still committed to enforcing these new requirements. If senders were waiting for Google to cancel these guidelines before implementing changes, they should stop waiting: these requirements aren’t going anywhere. In fact, Google may implement stricter requirements in the future. Senders need to act as soon as possible to ensure they’re compliant according to the latest timeline. 

What types of email does this impact?

Imagine your users get locked out of their accounts and can’t get their password reset email. Imagine they don’t receive their purchase confirmation and can’t track purchases. Imagine they aren’t getting any of the newsletters that they signed up for.

This could be a real possibility if you don’t meet these new requirements. 

These requirements will affect all types of emails, including marketing and transactional messages: 

  • Newsletters
  • Password resets 
  • Shipping notices
  • Account activity alerts
  • Product announcements
  • Content releases
  • Account confirmations
  • Purchase receipts 
  • Sales announcements
  • Event invitations

We do know that transactional messages, such as password resets and receipts, won’t be required to have one-click unsubscribe; all the other requirements will still apply. 

At the end of the day, all types of email will be impacted by this requirement, which is why it’s even more imperative that senders get compliant. 

SPF, DKIM, DMARC, and alignment – What does this all mean?

Two of the most important and confusing elements of these new requirements are:

  • The domain in the sender’s From: header must be aligned with either the SPF domain or the DKIM domain.
  • Set up DMARC email authentication for your sending domain. Your DMARC enforcement policy can be set to p=none.

Under Google’s requirements, you need to have both SPF and DKIM implemented, but only one of them needs to be aligned with the From domain. This goes beyond what DMARC itself requires: DMARC is satisfied when either SPF or DKIM passes and is aligned, so a domain could pass DMARC with only one of the two implemented. Now, both must be implemented, but only one needs to align. 

An easy way to meet these requirements

While you can work with your email service provider (ESP) to get compliant with some of these guidelines, Valimail has an “easy button” for some of the more technical requirements. 

Valimail Align can help you meet Google and Yahoo compliance by achieving an aligned DMARC pass and setting up a policy of p=none. Valimail Align gives you insights into which requirements you’re meeting and which ones you still need to meet. 


Valimail Align offers:

  • Guided workflows that accelerate compliance
  • One-click resolution of alignment issues
  • Lightning-fast authentication ensures precise email defense

Dig into these requirements

These are a lot of requirements to keep track of, and with so many moving parts, it’s easy to lose track of where you left off. Use our interactive checklist to help you ensure your email doesn’t get blocked for being non-compliant. 

Implement SPF and DKIM 

Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are mature, robust email authentication protocols that have been in existence for over a decade each. SPF and DKIM provide two different methods not only for authorizing the use of a domain name in an email message, but also for helping to ensure that a domain owner gets proper credit for their sending practices.

Send from a domain with a DMARC policy of at least p=none

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a protocol that builds on SPF and DKIM to:

  • Authorize the use of a domain in the visible From header
  • Give the domain owner insight into the authentication practices of mail streams using that domain
  • Provide the domain owner a mechanism to request handling of messages that fail authentication checks (referred to as a policy preference)

A DMARC DNS record with a policy preference of p=none is the lowest bar for participating in DMARC, as it requests no special handling for messages that fail authentication, but at the same time, gives the domain owner full visibility into its mail streams. The data collected at this step allows the domain owner to make any adjustments to authentication practices necessary before moving on to stronger policy preferences.

Send with an aligned From domain 

With this requirement, Google is asking for each message to have a visible From domain that aligns with either the SPF or DKIM domain, with a preference for alignment with the DKIM domain.

For those unfamiliar with the concept, the term “alignment” here comes straight from the DMARC protocol, and per that protocol, two domains are in alignment if they’re identical or at least share an organizational domain (i.e., the domain that is registered when an organization wishes to establish a presence on the public Internet). 

For example, “valimail.com” is our organizational domain, and the domains “sales.valimail.com” and “auth.valimail.com” are in alignment with each other because they share the same organizational domain. 
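To make the alignment rules concrete, here is an added example (not code from the post or from Valimail) that evaluates a message the way a DMARC-checking receiver would: it looks up and parses the sender’s DMARC record, reads the adkim/aspf alignment modes, and then checks whether the SPF domain or the DKIM signing domain aligns with the visible From domain. The DNS table and the public-suffix list are constructed stand-ins so the code runs offline; a real implementation would query DNS and use the full public suffix list.

```python
"""Added example: DMARC record parsing plus identifier alignment.
All DNS data below is constructed; it is not real zone data."""

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>.
DMARC_TXT = {
    "_dmarc.valimail.com": "v=DMARC1; p=none; rua=mailto:dmarc-rua@valimail.com; adkim=r; aspf=r",
    "_dmarc.example.net": "v=DMARC1; p=reject; adkim=s",
}

# Tiny public-suffix stand-in. The real check needs the full list from
# publicsuffix.org; co.uk is included to show why "last two labels" is wrong.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain):
    """Organizational domain = public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)  # no known suffix: treat the name itself as organizational


def parse_dmarc(txt):
    """Parse tag=value pairs. Returns None unless the record starts with
    v=DMARC1 and carries a usable p= policy; alignment modes default to relaxed."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if not parts or not parts[0].lower().replace(" ", "").startswith("v=dmarc1"):
        return None
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def lookup_dmarc(from_domain):
    """Try the exact From domain first, then fall back to its organizational domain."""
    for d in (from_domain, organizational_domain(from_domain)):
        txt = DMARC_TXT.get("_dmarc." + d.lower().rstrip("."))
        if txt:
            rec = parse_dmarc(txt)
            if rec:
                return rec
    return None


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Describe the DMARC outcome for one message. spf_domain is the MAIL FROM
    domain, dkim_domain the d= value of the signature."""
    rec = lookup_dmarc(from_domain)
    if rec is None:
        return {"dmarc": "none", "policy": None, "spf_aligned": False, "dkim_aligned": False}
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, rec["adkim"])
    return {
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
        "policy": rec["p"],
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
    }


if __name__ == "__main__":
    # From sales.valimail.com, SPF passes for a sibling subdomain, DKIM is an
    # ESP's own domain: relaxed SPF alignment alone is enough to pass.
    print(evaluate("sales.valimail.com", "pass", "bounce.auth.valimail.com",
                   "pass", "esp-example.com"))
```

The second constructed record (adkim=s) shows the edge case the post hints at: with strict DKIM alignment, a signature from mail.example.net does not align with a From of example.net even though both share an organizational domain.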

To align your domain, check out Valimail Align. It ensures that you’re compliant with the changing email sender requirements and that your email still gets sent to major inboxes like Gmail and Yahoo. With Align, you’ll be confident in your compliance across all your sending services by using our automation suite to seamlessly align SPF and DKIM.

Valid forward and reverse DNS

Among other records in the DNS, there are two types that are specifically keyed around IP addresses. The DNS “A” record is used to map hostnames to IP addresses (sometimes called “forward DNS”), and the DNS “PTR” record is used to map IP addresses to hostnames (sometimes called “reverse DNS”). 

It has long been a best practice for inbound mail servers to require that sending servers connect from IP addresses that have existing PTR records, but Google is going one step further here and requiring not only that the connecting IP address have a PTR record, but also that the PTR record resolves to a hostname that then resolves back to that same IP address.

The reason for this requirement is that anyone with control over DNS can publish PTR records resolving to any name they choose, so it’s very easy to attempt to spoof ownership. 

As an example, if there were an IP address 12.34.56.78 whose PTR resolved to mailServer.knownbrand.com, Google would require that the A record for mailServer.knownbrand.com also resolve to the IP address 12.34.56.78, a technique sometimes called forward-confirmed reverse DNS or just “FCrDNS.”
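The check described above, as an added example (not code from the post): resolve the PTR for the connecting IP, then resolve each returned hostname forward and accept only if one of them comes back to the same IP. The lookups go through constructed in-memory tables so the example runs offline; a real version would wrap socket.gethostbyaddr and socket.getaddrinfo. The IP 12.34.56.78 and mailServer.knownbrand.com are the post’s own example; the other addresses and names are made up to show the failure modes.

```python
"""Added example: forward-confirmed reverse DNS (FCrDNS) check.
Zone data is constructed, not real."""
import ipaddress

# Constructed PTR data: IP -> hostnames returned by a reverse lookup.
PTR = {
    "12.34.56.78": ["mailServer.knownbrand.com"],
    "198.51.100.9": ["mail.spoofed-brand.example"],   # PTR claims a name it does not own
    "198.51.100.10": [],                              # no PTR at all
    "198.51.100.11": ["smtp1.example.org", "smtp2.example.org"],  # several PTRs
}

# Constructed A data: hostname -> addresses returned by a forward lookup.
A = {
    "mailserver.knownbrand.com": ["12.34.56.78"],
    "mail.spoofed-brand.example": ["203.0.113.5"],    # forward lookup points elsewhere
    "smtp2.example.org": ["198.51.100.11"],           # smtp1 has no A record
}


def reverse_lookup(ip):
    """Stand-in for socket.gethostbyaddr(ip); returns a list of names."""
    return PTR.get(ip, [])


def forward_lookup(host):
    """Stand-in for resolving A/AAAA records; DNS names compare case-insensitively."""
    return A.get(host.lower().rstrip("."), [])


def fcrdns(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Return (ok, detail). ok is True only when at least one PTR name
    resolves forward to the original IP address."""
    ip = str(ipaddress.ip_address(ip))  # normalise and reject garbage input
    names = reverse(ip)
    if not names:
        return False, "no PTR record"
    for name in names:
        if ip in forward(name):
            return True, name.lower().rstrip(".")
    return False, "PTR name(s) do not resolve back to " + ip


if __name__ == "__main__":
    for addr in PTR:
        print(addr, fcrdns(addr))
```

Passing `reverse` and `forward` as parameters is what makes the logic testable without network access; in production you would inject the real resolvers and treat a lookup timeout as a failure rather than a pass.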

Marketers who aren’t familiar with this technical process will need to start a conversation with their IT team to get these changes implemented. If you aren’t sure of how to start the conversation, check out our template email to help you start that dialogue. 

One-click unsubscribe

As defined in RFC 8058, when a sender inserts specially crafted headers in a message, it signals to the mail client that the recipient can unsubscribe from that sender’s messages with just one click if the mail client supports the functionality. Gmail supports this functionality, which can be seen in any number of messages you might see in the Promotions tab or elsewhere from B2C emails: 

[Image: a Lattice notification in Gmail showing the one-click “Unsubscribe” button next to the sender’s address]

The image above is a notification from Lattice. The “Unsubscribe” link next to the sender’s email address in this example is the One-Click Unsubscribe that Google requires here.
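What those “specially crafted headers” look like in practice, as an added example (not from the post or from Lattice): RFC 8058 requires a List-Unsubscribe header carrying at least one HTTPS URI and a List-Unsubscribe-Post header whose value is exactly `List-Unsubscribe=One-Click`; the mail client then sends a POST with that same string as the body. The sender domain, URL and token below are constructed placeholders.

```python
"""Added example: building and checking RFC 8058 one-click unsubscribe headers.
Addresses, URLs and the TOKEN value are constructed placeholders."""
import re
from email.message import EmailMessage

ONE_CLICK_BODY = "List-Unsubscribe=One-Click"  # exact value fixed by RFC 8058


def add_one_click_headers(msg, https_url, mailto=None):
    """Add List-Unsubscribe (HTTPS URI, optionally plus a mailto) and
    List-Unsubscribe-Post. The URL should carry an opaque per-recipient
    token so the client's POST needs no other data."""
    if not https_url.lower().startswith("https://"):
        raise ValueError("RFC 8058 requires an HTTPS URI in List-Unsubscribe")
    uris = ["<%s>" % https_url]
    if mailto:
        uris.append("<mailto:%s>" % mailto)
    msg["List-Unsubscribe"] = ", ".join(uris)
    msg["List-Unsubscribe-Post"] = ONE_CLICK_BODY
    return msg


def one_click_status(msg):
    """Classify a message the way a client deciding whether to offer the
    one-click button might: 'one-click', 'link-only', or 'missing'."""
    lu = msg.get("List-Unsubscribe")
    if not lu:
        return "missing"
    uris = re.findall(r"<([^>]+)>", str(lu))
    has_https = any(u.lower().startswith("https://") for u in uris)
    post = (msg.get("List-Unsubscribe-Post") or "").strip()
    if has_https and post == ONE_CLICK_BODY:
        return "one-click"
    return "link-only"  # an unsubscribe link exists but not the one-click mechanism


def build_sample(with_post=True):
    """Constructed newsletter with the headers and a footer link in place."""
    msg = EmailMessage()
    msg["From"] = "news@example-sender.test"
    msg["To"] = "reader@gmail.com"
    msg["Subject"] = "Weekly digest"
    msg.set_content("...\n\nUnsubscribe: https://example-sender.test/unsub?t=TOKEN\n")
    add_one_click_headers(msg, "https://example-sender.test/one-click?t=TOKEN",
                          mailto="unsub@example-sender.test")
    if not with_post:
        del msg["List-Unsubscribe-Post"]  # simulate a sender that only set List-Unsubscribe
    return msg


if __name__ == "__main__":
    print(build_sample().as_string())
    print(one_click_status(build_sample()), one_click_status(build_sample(with_post=False)))
```

The endpoint behind the HTTPS URI has to process the POST (body `List-Unsubscribe=One-Click`, content type `application/x-www-form-urlencoded`) without any confirmation page or login, which is why the token in the URL must be enough on its own to identify the subscription.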

Low spam rate 

When Gmail users report unwanted messages as spam, Gmail’s filters use those reports and other heuristics to identify mail that is likely to be unwanted. This “low spam rate” requirement means senders must keep their reported spam rate in Postmaster Tools below 0.1%, and you should avoid ever reaching a spam rate of 0.3% or higher.

Their intention seems pretty clear; domain owners must send wanted mail to people who demonstrate that it’s wanted (through engaging with those messages), or else the domain owners will lose the privilege of sending mail to Gmail.

What this means for senders and recipients

It’s important to note here that this policy change from Google is meant to benefit the end recipient. Google wants to ensure that Gmail users can trust the mail they receive, and by making SPF, DKIM, and DMARC requirements, they’re taking an excellent first step. 

These requirements are a pretty low bar for most email senders, but they’re things that bad actors usually fail to implement. With this requirement, Gmail users can be a bit more confident that the messages they’re receiving are at least getting past basic email authentication.

“While it’s easy to think this policy change will only impact marketing and other commercial emails, the fact is there are many other types of email that organizations send. These changes impact all email coming from a domain, and while that might include mail being sent through Mailchimp or SendGrid, there are many other emails flowing through the organization’s ecosystem.”

Seth Blank, CTO of Valimail

Without ensuring all email coming from your domain is following these requirements, your HR team might not be able to get payroll emails delivered, or the sales team sending outreach messages to prospects might get email blocked. 

For senders of legitimate email, these requirements shouldn’t be revolutionary, but organizations should at least double-check that they have their bases covered. If you’re curious about the email coming from your domain, sign up for Monitor for free today to get visibility into your SPF, DKIM, and DMARC records.  

Why make this policy change?

The benefit of requiring authentication is increased trust and safety throughout the entire ecosystem, at every mailbox provider that validates email authentication (hint: it’s all of them). For businesses sending email, this means protecting their employees, their customers, their executives, and their brand.

At Valimail, we believe that authentication is foundational, and doing it the right way is critical. Email is rife with abuse, and we must do better as an ecosystem to protect everyone. You should be able to trust your email: the email in your inbox should be from who it says it’s from, not a malicious actor pretending to be someone else. When a sender properly authenticates their email, it ensures that no one else can send fake email using their authenticated domains.


“Google’s policy is a great first start; requiring aligned SPF or DKIM with a DMARC policy of at least p=none is a phenomenal low bar, and more is needed. Until all senders utilize the strongest authentication — DMARC at enforcement — their domains are spoofable, and bad actors can continue to defraud users at an accelerating rate.

DMARC at enforcement is not well deployed enough in the market for this to be a realistic requirement today. We hope Google can get aggressive at raising the bar, so strong authentication becomes the norm for everyone in the near future. This is where the real protection for everyone kicks in.

This policy update from Google is a huge step towards a safer world in email for everyone.”

Seth Blank, CTO of Valimail

At its core, this announcement is Google’s way of telling legitimate senders that if they don’t follow these well-established best practices, their email is not going to be delivered.

“Many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst. To help fix that, we’ve focused on a crucial aspect of email security: the validation that a sender is who they claim to be.”

Google’s Announcement

This announcement is huge as it will impact nearly every Gmail mailbox holder. This policy is the first time any email inbox provider has placed requirements for widely adopted email sending and email authentication best practices.

What does this update mean for the future?

This policy update is a great first step in the right direction, and it’s just the beginning. Google is likely going to evolve from here, and at some point in the future, we expect Google to require DMARC enforcement in order for email to get delivered correctly. 

Over the past few years, we’ve seen an incredible increase in businesses and other organizations adopting DMARC. Unfortunately, the vast majority of those senders aren’t enforcing DMARC with policies of p=quarantine or p=reject. We believe this means the ecosystem isn’t quite ready for Gmail, or any other inbox provider, to implement a strict DMARC requirement. 


But the writing is on the wall.

This update from Google is a sign that SPF, DKIM, DMARC, and all the other sending best practices are making the shift from recommendations to requirements. Once Gmail requires any sort of DMARC record, it’s likely only a matter of time before their recommendation that senders set their policy to p=quarantine or p=reject becomes another requirement. 

If you’re reading this, it means you’re already ahead of the curve when it comes to running a successful email ecosystem. No matter what tool you use, it’s important that you take the steps to ensure your email gets delivered as intended. 

To make sure you’re meeting all of Google’s new requirements (and any future guideline updates), and to start protecting your domain and your brand: