Suped

What DMARC/DKIM/SPF updates are needed for new Gmail/Yahoo requirements?

Summary

To comply with updated Gmail and Yahoo requirements, bulk senders must implement email authentication using SPF, DKIM, and DMARC. DKIM domains should align with the visible 'from' address. While DMARC 'p=none' is a minimum, a stricter policy is preferable. Maintaining a low spam rate (below 0.1%) and providing easy unsubscribe options are also critical. For DKIM, a 2048-bit key size is recommended. SPF records must stay within DNS lookup limits. DMARC reporting, though complex and costly, aids in monitoring sending sources. If resources are limited, prioritize DKIM alignment, and ensure the primary mail stream is authenticated. DMARC monitoring is unnecessary if the policy is 'p=none'. The goal is to prevent spoofing and enhance deliverability.

Key findings

  • Authentication Compliance: Gmail and Yahoo now require SPF, DKIM, and DMARC for bulk senders.
  • DKIM Alignment: DKIM domain should align with the visible 'from' address.
  • DMARC Minimum: DMARC 'p=none' is the minimum; stricter policies are better.
  • Spam Rate Threshold: Maintain a spam rate below 0.1%.
  • Unsubscribe Ease: Provide easy, one-click unsubscribe options.

Key considerations

  • DKIM Key Size: Use at least a 2048-bit DKIM key.
  • SPF Lookup Limits: Keep SPF records within DNS lookup limits.
  • DMARC Reporting Cost: DMARC reporting can be complex and expensive.
  • Engineering Prioritization: Prioritize DKIM alignment if resources are limited.
  • Gradual DMARC Enforcement: Start with p=none

What email marketers say

11 marketer opinions

In response to new requirements from Gmail and Yahoo, bulk email senders need to ensure they have proper email authentication in place, including SPF, DKIM, and DMARC. For DKIM, the DKIM domain should match the domain in the visible 'from' address. At a minimum, DMARC should be set to 'p=none', but a stricter policy is recommended for better protection. Bulk senders also need to maintain a low spam rate (below 0.1%) and provide easy one-click unsubscribe options. Setting up custom authentication improves deliverability and protects brand reputation. Using a DKIM key size of at least 2048 bits is suggested. Keeping SPF records under the DNS lookup limit is crucial to avoid authentication failures. DMARC reporting assists in monitoring sending sources and identifying unauthorized senders.

Key opinions

  • Authentication Required: Gmail and Yahoo require bulk senders to authenticate emails using SPF, DKIM, and DMARC.
  • DKIM Alignment: The DKIM domain should match the domain in the visible 'from' address for proper authentication.
  • DMARC Policy: DMARC policy must be at least 'p=none', but a stricter policy is recommended.
  • Spam Rate: Bulk senders must maintain a spam rate below 0.1%.
  • Unsubscribe: Easy one-click unsubscribe options are required.

Key considerations

  • DKIM Key Size: Use a DKIM key size of at least 2048 bits for improved security.
  • SPF Record Limit: Keep SPF records under the DNS lookup limit to avoid authentication failures.
  • DMARC Reporting: Implement DMARC reporting to monitor sending sources and identify unauthorized senders.
  • Gradual DMARC Implementation: Start with a 'p=none' DMARC policy to monitor email streams before moving to stricter policies.
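
The SPF lookup limit mentioned above is 10 DNS-querying terms per evaluation (RFC 7208). The following is an added example, not code from the page or any vendor quoted on it: it counts those terms through nested includes, using a constructed in-memory zone of placeholder domains instead of live DNS.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: exceeding this yields a permerror

# Constructed TXT records standing in for DNS; every domain is a placeholder.
ZONE = {
    "example.com": "v=spf1 include:_spf.esp.example include:_spf.crm.example a mx ~all",
    "flat.example.com": "v=spf1 include:_spf.esp.example ip4:203.0.113.0/24 -all",
    "_spf.esp.example": "v=spf1 include:a.esp.example include:b.esp.example ip4:192.0.2.0/24 -all",
    "a.esp.example": "v=spf1 a mx ip4:198.51.100.0/24 -all",
    "b.esp.example": "v=spf1 exists:%{i}.bl.esp.example ptr -all",
    "_spf.crm.example": "v=spf1 include:c.crm.example mx -all",
    "c.crm.example": "v=spf1 a ip4:203.0.113.0/24 -all",
}

# Terms that trigger a DNS query; ip4, ip6 and all do not.
_QUERYING = re.compile(r"(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)")

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's SPF record.

    Real evaluators stop at the first matching mechanism, so this is an upper
    bound; the per-name sub-limits for mx and ptr are not modelled.
    """
    if domain in path:
        raise ValueError("SPF include loop at " + domain)
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()  # drop the qualifier
        match = _QUERYING.match(term)
        if not match:
            continue
        total += 1
        if match.group(1) in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[1]
            total += count_lookups(target, zone, path + (domain,))
    return total

def within_limit(domain, zone):
    """True when the record tree stays at or under the RFC 7208 limit."""
    return count_lookups(domain, zone) <= LOOKUP_LIMIT

if __name__ == "__main__":
    for name in ("example.com", "flat.example.com"):
        print(name, count_lookups(name, ZONE), within_limit(name, ZONE))
```
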

Marketer view

Email marketer from MailerLite shares that Google and Yahoo are enforcing stricter email authentication policies for bulk senders, including requiring SPF, DKIM, and DMARC setup. These changes aim to improve email security and reduce spam.

16 Jul 2021 - MailerLite

Marketer view

Email marketer from Sendinblue explains that to comply with Gmail and Yahoo's new requirements, businesses need to authenticate their emails using SPF, DKIM, and DMARC. They also need to ensure a low spam rate and provide easy unsubscribe options.

27 Dec 2023 - Sendinblue

What the experts say

5 expert opinions

New requirements from Gmail and Yahoo mandate that bulk senders implement email authentication (SPF, DKIM, DMARC) and maintain low spam rates to avoid message blockage or spam filtering. If focusing engineering efforts, prioritizing DKIM alignment over SPF may be strategic. For bulk mail, ensure the primary mail stream is authenticated and aligned. DMARC monitoring is not essential if the policy remains at 'p=none'. Setting up DMARC reporting is complex and expensive; it should be prioritized after other authentication measures.

Key opinions

  • Authentication Mandate: Gmail and Yahoo now require bulk senders to authenticate emails with SPF, DKIM, and DMARC.
  • DKIM Prioritization: If resources are limited, prioritize DKIM alignment.
  • Stream Authentication: For bulk mail, focus on authenticating and aligning the primary mail stream.
  • DMARC Monitoring (p=none): DMARC monitoring is not necessary if the DMARC policy remains at 'p=none'.
  • Blocking/Spam Placement: Senders not authenticating will have messages blocked or sent to spam.

Key considerations

  • DMARC Reporting Complexity: DMARC reporting is complex and expensive to implement properly.
  • DMARC Reporting Priority: Prioritize other authentication measures before implementing DMARC reporting.
  • Spam Rates: Maintaining low spam rates is also a key requirement.
  • The bare minimum: Ensure the DMARC record is not just published at p=none; it needs to be correctly configured for the email stream.
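
What "authenticated and aligned" means for a mail stream, as an added example (not code from the page or the experts quoted): a DMARC evaluation that checks whether the SPF or DKIM domain aligns with the visible From domain. The record, the domains and the small public-suffix set are constructed for illustration; a real evaluator uses the full Public Suffix List.

```python
# Constructed public-suffix subset (assumption; real code loads the full list).
PUBLIC_SUFFIXES = {"example", "com", "co.uk"}

# Constructed DMARC record for the placeholder domain brand.example.
RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@brand.example"

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dictionary, rejecting other versions."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def aligned(from_domain, auth_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """DMARC passes when SPF or DKIM both passes and aligns with the From domain."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return {"policy": tags.get("p"), "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    # Provider-default signing: SPF and DKIM pass, but for the provider's domains.
    print(dmarc_result(RECORD, "brand.example", True, "bounce.esp.example", True, "esp.example"))
    # Custom DKIM on a subdomain of the From domain: aligned under relaxed mode.
    print(dmarc_result(RECORD, "brand.example", True, "bounce.esp.example", True, "mail.brand.example"))
```

The first case shows why a published p=none record alone is not enough: both mechanisms pass, yet neither aligns with the From domain, so DMARC fails for that stream.
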

Expert view

Expert from Email Geeks explains that setting up DMARC reporting is a very expensive thing to do properly, so unless you actually care about DMARC it’s a _long_ way down the list of things to do. Expert from Email Geeks adds that it should be thought of as a step 2 or 3, not a step 1.

28 Apr 2024 - Email Geeks

Expert view

Expert from Word to the Wise explains that new requirements for bulk senders are being implemented by Google and Yahoo, requiring authentication (SPF, DKIM, DMARC) as well as low spam rates. Senders who don't authenticate will have messages blocked or sent to spam.

8 Jul 2021 - Word to the Wise

What the documentation says

4 technical articles

To comply with Gmail and Yahoo's new email requirements and ensure reliable delivery, domain owners must set up email authentication. This includes using SPF to specify authorized mail servers, DKIM to verify message integrity and domain origination, and DMARC to protect against email spoofing. DMARC builds upon SPF and DKIM, providing a framework for authentication, reporting, and conformance.

Key findings

  • Authentication Required: Email authentication is mandatory for reliable delivery to Gmail accounts.
  • SPF Purpose: SPF identifies authorized mail servers for a domain.
  • DKIM Purpose: DKIM verifies that email was sent by the stated domain and hasn't been altered in transit.
  • DMARC Purpose: DMARC protects against email spoofing and provides reporting on email authentication.

Key considerations

  • Comprehensive Setup: Implement SPF, DKIM, and DMARC for optimal email security and deliverability.
  • DMARC Reporting: Utilize DMARC reporting to monitor email activity and identify potential abuse.
  • Prevent Spoofing: The primary driver is to prevent spammers sending from your domain.

Technical article

Documentation from RFC Editor explains that DKIM defines a domain-level authentication framework for email. It provides a mechanism for verifying that email was sent by the stated domain and hasn't been altered in transit.

30 Aug 2023 - RFC Editor

Technical article

Documentation from Google Workspace Admin Help explains that to ensure your messages are delivered as expected to Gmail accounts, you must set up email authentication for your domain. Meeting Google’s sender requirements helps ensure reliable delivery to Gmail, prevents spoofing, and helps keep Gmail users safe. Senders must authenticate their email using SPF or DKIM. They also advise setting up DMARC authentication for your domain.

17 Mar 2025 - Google Workspace Admin Help
