Google and Yahoo Timeline to Meet New DMARC Requirements for 2024 are rolled out beginning February 2024 through June 2024. If you are sending over 5000 emails per day and need your emails to show up in the recipient’s inbox, you are subject to these changes.
Who is affected?
If you send 5,000 messages a day or more into either of the world’s largest mailbox providers, beginning February 2024, your email domain must have a DMARC policy in your DNS. These messages must pass DMARC Alignment, or they will not be delivered. This includes messages sent on behalf of your organization by third-party email service providers (ESPs) like Constant Contact and MailChimp that use your email domain.
Note: If you’re also hosting your domain on Google Workspace, your internal message volume will likely count towards this daily limit.
Why is this happening?
Google and Yahoo both recognize the importance of email and are taking steps towards making it more safe and secure. By focusing on email validation, they are helping prevent unwanted spam and potential bad actors from reaching their customers’ inboxes.
Sending from a domain that has DMARC in place has the additional benefit of improving inbox placement. A DMARC record helps ISPs identify you as a sender that is serious about following established email standards and reducing your spam liability.
How do I prepare for this change?
Call us at 310-421-4090. Our techs can check your email to ensure your email domain is setup and configured correctly. We are experts at email deliverability, DMARC, DKIM, and SPF. We can provide you reporting on how well your email deliverability is performing.
New Google and Yahoo email requirements
If you have a Gmail or Yahoo account, you’re likely familiar with the challenge of managing an inundated inbox filled with unwanted emails, including fraudulent attempts. If you’ve ever wondered why these companies can’t enhance their efforts to filter out deceitful messages and simplify the process of reducing unsolicited emails, rest assured, you’re not alone.
Here’s the positive development: Google, Yahoo, and Apple are taking steps to address this issue, promising a positive change for their email users. However, here’s the downside: If your company hasn’t fully integrated email authentication measures, there’s some urgent work ahead and limited time to accomplish it.
Beginning February 2024, Gmail will mandate the implementation of email authentication for messages sent to Gmail accounts. For bulk senders dispatching over 5,000 emails daily to Gmail accounts, additional email authentication requirements must be met. Additionally, you’ll need to:
- Have a Domain-based Message Authentication, Reporting & Conformance (DMARC) policy in place
- Ensure Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) alignment
- Make it easy for recipients to unsubscribe (one-click unsubscribe)
You can access Google’s detailed Email Sender Guidelines here.
Yahoo has rolled out similar requirements. It will also require strong email authentication to be in place beginning February 2024 to stop the flow of malicious messages and reduce the amount of low-value emails cluttering users’ inboxes.
Ten days after Google and Yahoo made their announcements in October 2023, Apple released a best practice guide for iCloud mail. It highlighted many of the same email authentication requirements. While Apple did not set a hard date for publishing a DMARC policy, it recommends that bulk senders follow these best practices to prevent their emails from being considered junk mail and automatically blocked.
Are you prepared to meet these requirements? Here’s what you should know.
The new requirements are broken down into two categories. All senders will need to follow the first set. Depending on how much email you send per day, there are also additional rules.
Applicable to all senders:
- Email authentication. This is a critical measure to help prevent threat actors from sending emails under the pretense of being from your organization. This tactic is referred to as domain spoofing and, if left unprotected, allows cybercriminals to weaponize sending domains for malicious cyberattacks.
- SPF is an email authentication protocol designed to prevent email spoofing, a common technique used in phishing attacks and email spam. As an integral part of email cybersecurity, SPF enables the receiving mail server to check whether incoming email comes from an IP address authorized by that domain’s administrator.
- DKIM is a protocol that allows an organization to take responsibility for transmitting a message by signing it in a way that mailbox providers can verify. DKIM record verification is made possible through cryptographic authentication.
- Low spam rates. If recipients report your messages as SPAM at a rate that exceeds the new 0.3% requirement (ideally targeting 0.1% spam rates, or 1 in 1,000 messages delivered marked as spam), your messages could be blocked or sent directly to a Spam folder.
Requirements for bulk senders:
- SPF and DKIM must be in place. Companies that send to Gmail or Yahoo must have SPF and DKIM authentication methods implemented.
- Companies must have a DMARC policy in place.DMARC is an email authentication standard that provides domain-level protection of the email channel.
- DMARC authentication detects and prevents email spoofing techniques used in phishing, business email compromise (BEC) and other email-based attacks.
- DMARC builds on the existing standards of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It is the first and only widely deployed technology that can make the header “from” domain trustworthy. The domain owner can publish a DMARC record in the Domain Name System (DNS) and create a policy to tell receivers what to do with emails that fail authentication.
- Messages must pass DMARC alignment. This means that the sending Envelope From domain is the same as the Header From domain, or that the DKIM domain is the same as the Header From domain.
- Messages must include one-click unsubscribe. For subscribed messages, messages must contain List-Unsubscribe message headers and a clearly visible unsubscribe link in the message body that can be initiated with a single click (one-click unsubscribe). Unsubscribe actions must be taken for a requesting user within two days.
Google, Yahoo and Apple sender requirements
Requirement | Apple | Yahoo | |
DMARC pass required (SPF or DKIM email authentication passes) | Yes (<5,000 Msgs/day) | Yes | Yes |
DMARC pass required (SPF and DKIM email authentication passes) | Yes (5,000+ Msgs/day) | – | Yes |
Ensure valid forward and reverse DNS PTR records | Yes | Yes | Yes |
Spam rates reported in Postmaster Tools <0.3% (ideally, < 0.1%) | Yes | – | Yes |
Message format adheres to email standards (RFC 5321 and 5322) | Yes | Yes | Yes |
No provider domain Impersonation in FROM headers | Yes | Yes | Yes |
TLS required for inbound email | Yes | – | – |
Forwarded email requires ARC headers | Yes (5,000+ Msgs/day) | – | – |
DMARC email authentication for your sending domains | Yes (p=none DMARC) | Yes | Yes (p=none DMARC) |
From: header must be aligned with either the SPF domain or the DKIM domain | Yes | Yes | Yes |
One-Click Unsubscribe for subscribed commercial/promotional messages (RFC 8058) | Yes (June 1, 2024) | Yes | Yes (February 2024) |
Segregate email class types by | Yes (by domain) | Yes (by IP or domain) | Yes (by IP or domain) |
Ensure SMTP tempfailure and rejection errors are adhered to | Yes | Yes | Yes |
Important dates
As these requirements roll out, keep in mind these dates
January 2024
Apple is requiring DMARC policy.
February 2024
Google and Yahoo’s initial deadline to meet new requirements.
Google provided further clarification about the February deadline after its initial announcement. It stated that bulk senders who don’t meet sender requirements will start getting SMTP protocol-level temporary errors (with error codes) on a small percentage of their non-compliant email traffic. These temporary errors are meant to help senders identify email traffic that doesn’t meet the new guidelines and start addressing their non-compliance.
April 2024
Google will start rejecting percentages of non-compliant emails and will gradually increase the rejection rate. For example, if 70% of a sender’s traffic meets their requirements, they will start rejecting a percentage of the remaining 30% of non-compliant traffic.
June 1, 2024
Googles revised deadline for bulk senders to implement One-Click Unsubscribe in all commercial, promotional messages.
If you miss the deadline, what happens next?
If your company relies on email to communicate with your customers and you do not implement email authentication, these changes are going to significantly impact the deliverability of your messages sent to customers with Gmail, Yahoo and Apple iCloud accounts. If you send bulk emails to Gmail and Yahoo accounts and fail to have SPF and DKIM, or if you do not have a DMARC policy, these non-deliveries will have an even greater impact on your business.
Learn more about Google and Yahoo Timeline to Meet New DMARC Requirements
Contact us at 310-421-4090 or click here and learn more about these new requirements