Valimail + Simon Data Webinar: Email Requirement Q&A

On January 11, 2024, Valimail hosted a webinar and Q&A session for anyone and everyone interested in learning more about the new sending requirements from Google and Yahoo.

During the webinar, experts from both Valimail and Simon Data provided background on the new requirements, what types of senders will be impacted, the types of email that could be sent to spam or blocked, and the timeline for when these requirements will be rolled out.

Below, we’ll dive into the different areas of discussion, and we’ll provide answers to the questions we didn’t get to.

What Are the New Email Sender Requirements?

On October 3, 2023, Google announced that they (along with Yahoo) would be rolling out new requirements for “bulk email senders” in 2024. In short, email senders will need to have the following requirements in place in order to get email delivered:

  • Implement both SPF + DKIM
  • Send from a domain with a DMARC policy of at least p=none 
  • Send with an aligned From domain
  • Valid forward and reverse DNS
  • One-click unsubscribe
  • Low spam rate

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a widely-accepted email authentication policy and reporting protocol. It builds on earlier email authentication protocols Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

Neither SPF nor DKIM authenticates the sender against the “From:” field that users see. A DMARC record ensures “alignment” between the visible From: address and the DKIM signing domain or the SPF-verified sender, meaning that they’re identical or at least part of the same DNS namespace.

Who Will Be Impacted?

Two of the biggest questions circulating online right now about these new email sender requirements are:

  • Who will be impacted?
  • What does “bulk email sender” actually mean?

When Google and Yahoo originally announced these new email sender requirements, the guidance stated that domains that send more than 5,000 messages per day to Gmail or Yahoo inboxes would need to comply with these requirements. 

The definitions around this have changed and become more clear since that original announcement. From Google, the new definitions are:

“A bulk sender is any email sender that sends close to 5,000 or more messages to personal Gmail accounts within a 24-hour period. Messages sent from the same primary domain count toward the 5,000 limit.

Sending domains: When we calculate the 5,000-message limit, we count all messages sent from the same primary domain. For example, every day you send 2,500 messages from solarmora.com and 2,500 messages from promotions.solarmora.com to personal Gmail accounts. You’re considered a bulk sender because all 5,000 messages were sent from the same primary domain: solarmora.com. Learn about domain name basics.

Senders who meet the above criteria at least once are permanently considered bulk senders.”

Email sender guidelines FAQ

This is incredibly important because Google has now let organizations know that if they have ever sent more than 5,000 messages in a day, they’ll likely be categorized as a bulk sender, and they’ll need to follow these requirements. 

We also know that these definitions are not necessarily concrete. If you send 4,990 messages, you’ll still likely get identified as a bulk sender. The best course of action for any and all email senders is to follow these requirements whether you believe you fall into the bulk email sender category or not.

What Types of Email Will Be Impacted?

Like the bulk email sender definition, the types of emails originally thought to be impacted by these new requirements were primarily marketing messages that are sent to large contact lists. 

Unfortunately, each organization has a unique email infrastructure, so it’s difficult to determine if your business-critical emails will be impacted or not. Based on the updated guidelines from Google, the type of email doesn’t really matter when it comes to these requirements. This means that if you’re categorized as a bulk sender, all of your emails could be impacted, including:

  • Password resets
  • Account confirmations
  • Shipping notifications
  • Newsletters
  • Event invitations

One thing that we know for sure is that transactional messages like password resets and order confirmations will not be required to have a one-click unsubscribe in place. 

The best thing you can do is make sure you follow the new sending requirements, regardless of the type of email message or domain you’re sending from.

What Requirements Can You Address With Simon Data?

Whether you’re using Simon Data or another reputable email service provider (ESP), you should be able to address a handful of the requirements, including: 

  • Dedicated, aligned SPF and DKIM 
  • Valid forward and reverse DNS is in place
  • One-click unsubscribe
  • Low spam rate

What Requirements Can You Address with Valimail?

Two of the most critical requirements being put into place by Google and Yahoo are centered around DMARC specifically:

  • Aligned DMARC Pass – One of the crucial aspects of Gmail’s requirements is that you must pass DMARC in addition to a p=none policy. Many senders might have a DMARC policy, but if they do not pass, it’s futile.
  • Policy of p=none – Valimail is the best DMARC software available to not only implement a policy of p=none, but also to enforce DMARC with policies of p=quarantine or p=reject.

Valimail has been a market leader in DMARC-as-a-service since 2017, and we are uniquely positioned to assist organizations of all sizes in determining if they are compliant with the new sender requirements and assist you in making any necessary changes to prevent your emails from being blocked. 

Since these requirements were announced, Valimail has been hard at work developing an “easy button” for email senders of all types. Valimail Align provides you with the ability to determine which requirements you’re meeting and what you need to update prior to the requirements going into place. 

Q&A

As part of our live session, we requested attendees submit questions they have about the upcoming requirements, and we received quite a few! 

Why are Google and Yahoo making this change now?

This isn’t anything new. DMARC, as well as the other requirements, are well-known best practices for senders to improve/maintain deliverability, but it does impose some serious repercussions for senders that do not have these things in place. 

Can you set up DMARC as a non-technical person, or should I work with IT to do this?

It depends on how comfortable you are with making Domain Name System (DNS) changes. You might be able to set this up for just your ESP/Simon Data, but you should also work with IT to ensure that you’ve done everything correctly.

What do these changes signal for the future? Will there be more requirements?

In all likelihood, yes! Google and Yahoo have both indicated that they will require DMARC enforcement (meaning p=reject or p=quarantine) in the future. The best thing that you can do as an email sender and organization is get started with DMARC today and implement a p=none DMARC policy.

Why would I choose to work with a DMARC vendor?

Working with a DMARC vendor like Valimail ensures that you have visibility into all of the emails being sent from your domain and gives you the best chance at not only meeting these requirements but also protecting your brand, employees, and customers from phishing attempts and other fraudulent email. 

Are there specific dates associated with when these requirements will go into effect?

Yes, Google has updated its timeline and rollout:

  • February 2024: Regardless of volume, all senders must comply with the general email-sending practices outlined in the guidelines.
  • February 2024: Bulk email senders must start implementing enhanced requirements, including email authentication.
  • April 2024: Messages that are not compliant will start getting rejected.
  • June 2024: Senders must implement one-click unsubscribe in all commercial and promotional messages.

It’s 5,000 messages per sending domain in a day, not per sending address, correct?

This is correct. The volume of email sent is associated with the domain (or sub-domain) sending the email. We recommend that any domain associated with a high number of emails follow the new requirements. 

Do you need DMARC to align with both SPF and DKIM to be compliant with these changes? Or only one, since DMARC only needs one of them to pass?

Currently, the guidelines from Google state that you need both SPF and DKIM implemented, but only one of them needs to be aligned. This goes beyond the current DMARC requirements, which require either SPF or DKIM to be implemented and aligned. 
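The difference between a plain DMARC pass and the "both implemented, one aligned" rule in this answer, worked through in an added example (not code from Valimail or Google). It reads the From: domain and the receiver's Authentication-Results header and applies relaxed or strict alignment. Assumptions: the function names, the tiny PUBLIC_SUFFIXES stand-in for the Public Suffix List, the esp.example and receiver.example hosts, and treating "implemented" as "a pass result is present".

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List; production code needs the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}
RESULT_RE = re.compile(
    r"\b(spf|dkim)=(\w+)[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)", re.I)

def org_domain(domain):
    """Organizational domain = longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is not in the stand-in set

def evaluate(raw_message, strict=False):
    """Check one message against DMARC alignment and the 'both implemented' rule."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    def aligned(dom):  # strict = identical domains, relaxed = same organizational domain
        return dom == from_dom if strict else org_domain(dom) == org_domain(from_dom)
    found = {"spf": [], "dkim": []}
    for method, result, ident in RESULT_RE.findall(msg["Authentication-Results"] or ""):
        dom = ident.rpartition("@")[2].lower()  # smtp.mailfrom may be an address or a domain
        found[method.lower()].append((result.lower() == "pass", dom))
    out = {}
    for method, results in found.items():
        out[method + "_pass"] = any(ok for ok, _ in results)
        out[method + "_aligned"] = any(ok and aligned(d) for ok, d in results)
    out["dmarc_pass"] = out["spf_aligned"] or out["dkim_aligned"]
    # Assumption: "implemented" is modelled as "a pass result is present" for each method.
    out["meets_bulk_rule"] = out["spf_pass"] and out["dkim_pass"] and out["dmarc_pass"]
    return out

# Constructed samples: headers as a receiving server might record them.
ESP_SEND = """From: Solarmora <news@solarmora.com>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounces.esp.example;
 dkim=pass header.d=promotions.solarmora.com
"""
SPF_ONLY = """From: Solarmora <news@solarmora.com>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=solarmora.com
"""
```

ESP_SEND passes through its DKIM subdomain under relaxed alignment but fails when `strict=True`; SPF_ONLY passes DMARC yet misses the bulk-sender rule because no DKIM result is present.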

Are we talking about transactional emails, marketing emails, or both?

The new requirements can impact both transactional and marketing emails. One caveat to note here, though: transactional messages will be required to have a one-click unsubscribe. 

We have DKIM and SPF set up already. We use Microsoft Office 365 as our email server and Klaviyo for our email marketing. Are we required to do anything extra? If yes, at Microsoft, Klaviyo, or both?

In order to ensure none of your email is blocked you will need to follow all the requirements at both Klaviyo and Microsoft. In addition to this, you should ensure that any other sending service you use (Salesforce, ADP, Workday, Splunk, etc.) is also compliant. 

Can you get off the Gmail bulk sender list? How?

Google has hinted that organizations can get themselves re-categorized if they truly are not bulk email senders, but the process for this has not been disclosed. The bottom line is that these requirements are signaling an evolution in how email will be delivered moving forward, and you are better off ensuring you’re compliant now, no matter how many emails you send. 

We haven’t talked about BIMI, but would BIMI improve marketability, and how hard is it to get BIMI implemented?

BIMI’s prerequisite is that you are enforcing a DMARC policy. BIMI implementation has been shown to improve open rates, and DMARC does help with deliverability, so leveraging both would be beneficial.

If I’ve already implemented DMARC, exactly what is the new requirement in February?

First of all, congrats! Unfortunately, passing DMARC is just one of the requirements. To ensure that your messages continue to get delivered correctly, you’ll still want to double-check the following:

  • Implement both SPF + DKIM – We’ve seen many senders that have DMARC implemented with just SPF or DKIM aligned, but Google has indicated they will require both to be implemented and that one must align. 
  • Send with an aligned From domain
  • Valid forward and reverse DNS
  • One-click unsubscribe
  • Low spam rate

What if we send marketing emails using a subdomain (for example: e.domain.com) including our from address?

Those marketing emails should be set up to leverage SPF and DKIM for either the subdomain or top-level domain. You’ll need your email to be aligned for DMARC, whether you use a subdomain or org domain.

Do you think that more email providers will follow suit with these standards (M365, etc.)?

Based on conversations we’ve had with other inbox providers, we expect more inbox providers to implement similar requirements. Since Google and Yahoo are two of the largest inbox providers, email senders are better off following and complying with the new email sender requirements. There is likely no situation in which you would segment out certain inboxes and only send to addresses where these requirements are not in place. Your best bet is to make sure you’re in compliance to get your email delivered. You can evaluate your domain by signing up for Valimail Align.

We basically use 2 domains – one is for “bulk marketing” and automated email sends, and the other is mainly used for our Customer Services staff (which gets nowhere near 5k/month). Is there any downside to authenticating this second, low-volume domain? These are being sent from individual Customer Services emails, i.e., john@customerservices.com.

We recommend setting up a DMARC record on all of your domains. The current requirement is just for reporting, so there won’t be any impact, and it will give you insight into your additional domains.

One-click unsubscribe seems to be built into the inbox providers now (Google has now added a button beside each marketing email) – Is there anything else we need to do in regard to your one-click unsubscribe recommendation?

The button you see next to marketing emails in Gmail is actually Google recognizing that you have one-click unsubscribe in place, and they’ve added that button to make it easy for you. Most ESPs add the link into the headers for you or are working to make sure this functionality is in place by the June deadline. You should be able to reach out to your specific ESP to learn more. 
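To confirm what your ESP actually puts in the headers, here is an added example (not code from Valimail, Google or any ESP) that checks a raw message for the one-click unsubscribe headers defined in RFC 8058: an https:// target in List-Unsubscribe, the List-Unsubscribe-Post value, and DKIM coverage of both headers. The function name and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

ONE_CLICK = "list-unsubscribe=one-click"

def one_click_problems(raw_message):
    """Return the reasons a message is not one-click ready (empty list = ready)."""
    msg = message_from_string(raw_message)
    problems = []
    targets = re.findall(r"<([^>]*)>", msg.get("List-Unsubscribe", ""))
    if not any(t.strip().lower().startswith("https://") for t in targets):
        problems.append("List-Unsubscribe has no https:// URI")
    post = "".join(msg.get("List-Unsubscribe-Post", "").split()).lower()
    if post != ONE_CLICK:
        problems.append("List-Unsubscribe-Post is not List-Unsubscribe=One-Click")
    # Collect every header name listed in the h= tag of any DKIM signature.
    signed = set()
    for sig in msg.get_all("DKIM-Signature", []):
        h_tag = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig)
        if h_tag:
            signed.update(name.strip().lower() for name in h_tag.group(1).split(":"))
    for header in ("list-unsubscribe", "list-unsubscribe-post"):
        if header not in signed:
            problems.append(header + " is not covered by a DKIM signature")
    return problems

# Constructed sample messages; signature values are placeholders, not real signatures.
READY = """From: Solarmora <news@promotions.solarmora.com>
List-Unsubscribe: <mailto:unsub@promotions.solarmora.com>,
 <https://promotions.solarmora.com/u/CONSTRUCTED-TOKEN>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=promotions.solarmora.com; s=s1;
 h=from:subject:list-unsubscribe:list-unsubscribe-post; bh=PLACEHOLDER; b=PLACEHOLDER
"""
MAILTO_ONLY = """From: Solarmora <news@promotions.solarmora.com>
List-Unsubscribe: <mailto:unsub@promotions.solarmora.com>
DKIM-Signature: v=1; a=rsa-sha256; d=promotions.solarmora.com; s=s1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
"""
```

The check only inspects the h= tag; it does not verify the DKIM signature itself.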

Is the only requirement for DMARC p=none? Do DKIM and SPF have to be strict or relaxed … or does it matter?

Yes, with a DMARC record in place, your policy only needs to be p=none with a correct RUA reporting address. The SPF and DKIM part depends on the authentication and service(s) being used.
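An added example (not Valimail's code) that reads a DMARC TXT record the way this answer describes it: the policy tag, a usable rua= address, and the strict or relaxed alignment modes (adkim/aspf, relaxed by default). It also reports whether the record is already at enforcement (p=quarantine or p=reject). The function names and sample records are constructed for illustration.

```python
POLICIES = ("none", "quarantine", "reject")

def parse_tags(record):
    """Split a DMARC TXT record into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def assess(record):
    """Return policy, alignment modes, report addresses and any problems found."""
    pairs = parse_tags(record)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        problems.append("p= must be none, quarantine or reject")
    rua = []
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        address = uri.split("!", 1)[0]  # drop an optional size limit such as !10m
        if address.lower().startswith("mailto:") and "@" in address:
            rua.append(address[len("mailto:"):])
        else:
            problems.append("bad rua URI: " + uri)
    if not rua:
        problems.append("no usable rua= address, so no aggregate reports arrive")
    return {
        "policy": policy,
        "enforced": policy in ("quarantine", "reject"),
        "adkim": tags.get("adkim", "r").lower(),  # r = relaxed (default), s = strict
        "aspf": tags.get("aspf", "r").lower(),
        "rua": rua,
        "meets_minimum": not problems,
        "problems": problems,
    }

# Constructed sample records (not taken from any real domain's DNS).
MINIMUM = "v=DMARC1; p=none; rua=mailto:dmarc-reports@solarmora.com"
ENFORCED = "v=DMARC1; p=reject; adkim=s; rua=mailto:agg@solarmora.com,mailto:agg@reports.example!10m"
MISORDERED = "p=none; v=DMARC1; rua=mailto:dmarc-reports@solarmora.com"
NO_REPORTS = "v=DMARC1; p=none"
```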

Unsure of where your domain’s SPF and DMARC currently stand?