During 2024, Gmail and Yahoo began implementing stricter requirements for organizations and individuals that send email messages to personal email addresses hosted by these two services.

This includes all emails sent to addresses that end with @gmail.com, @googlemail.com, @yahoo.com, and others. For now, Google Workspace addresses are not part of this change.

In this article, we’ll take a close look at the new requirements and the best ways to ensure compliance.

Key points
  • For all senders, SPF or DKIM authentication must be configured.
  • For bulk senders (thousands of emails per day), SPF and DKIM must be configured. DMARC alignment is also required although the enforcement policy may be none.
  • To comply with these requirements, set up DMARC reporting to find all your sending sources. Usa reporting tool like DMARCwise to analyze your email setup.

Requirements for all senders

Starting February 2024, all senders must comply with the following rules:

  • SPF or DKIM authentication must be configured, at a minimum.
  • Spam complaints must be kept below 0.3%.
  • The sending IP should match the IP associated to the reverse domain (forward-confirmed reverse DNS).

Google and Yahoo don’t specify the level of SPF and DKIM compliance they require. We can assume that it’s not strictly required to achieve alignment, meaning that the SPF domain and the DKIM signature domain may not correspond to your domain name, and can be the ones provided by the email provider.

The recommendation is however to have both SPF and DKIM aligned with your organization’s domain.

To learn more about SPF, DKIM, and the details of how domain alignment works, we recommend reading:

In addition to the above, Google also requires that:

  • Email delivery to Google should happen over an encrypted TLS connection.
  • You won’t be able to send emails from @gmail.com addresses outside of Gmail anymore, as Gmail now enforces a DMARC policy of quarantine to prevent this.
  • Forwarding services should use ARC (Authenticated Receiver Chain), while mailing list software should add a List-Id header to email messages.

Requirements for bulk senders

Organizations that send many emails are subject to additional requirements.

In Google’s context, bulk senders are those who send more than 5,000 email per day to Gmail accounts.

Yahoo doesn’t specify a precise volume threshold and instead says that a bulk sender is “an email sender sending a significant volume of mail“.

In this context, “sender” actually means “sending domain”. Subdomains also count towards your primary domain limit. In Google’s case, if your domain exceeds the limit once, it will be permanently classified ads a bulk sender.

In addition to the requirements for all senders mentioned above, bulk senders must:

  • Implement both SPF and DKIM.
  • Set up DMARC authentication and alignment, and publish a record with a policy of at least p=none.
  • Enable one-click unsubscribes with the List-Unsubscribe header.

Both Google and Yahoo recommend that you setup DMARC reporting, a feature of DMARC that allows to collect delivery reports to ease troubleshooting of email authentication issues.

How to comply with the new requirements

Before doing anything, it’s a good idea to get a sense of your current email sending setup.

Depending on how complex your setup is, you may:

  • Use a mail checker tool that tells you if the email messages that you send comply with the above rules.
  • Use a DMARC reporting tool to obtain a list of all the sources that send email from your domain.

(I would tend to avoid tools that try to give you an answer by just giving them your domain name: the fact that you have some DNS records in place doesn’t say much about the actual compliance of the email messages.)

At DMARCwise we provide both tools: for example, you can start a free test below or on our homepage.

Once you have identified the sending sources, you should go through each of them and see if SPF and DKIM are not only configured, but also configured in a way that guarantees DMARC alignment (a requirement for bulk senders).

For example:

  • SPF, the mechanism for defining which servers are allowed to send from your domain, is often configured by default by your email service providers, but it’s a good idea to check if they also allow to enable SPF alignment with a custom Return-Path or custom MAIL FROM.
  • Similarly, in the case of DKIM, a cryptographic method to ensure that only those that own a secret key can send emails on behalf on your domain, it’s a good idea to check if your email provider has enabled email signing and find out how to enable custom DKIM signatures.

We have many other resources in our Documentation and Learn sections to help you reach DMARC compliance:

Both Google and Yahoo also published detailed pages with the guidelines and recommended steps:

You can also contact us, we’re happy to help!