What DMARC/DKIM/SPF updates are needed for new Gmail/Yahoo requirements?

Key findings

• Mandatory authentication: Bulk senders (those sending 5,000 or more messages a day to Gmail accounts) are now required to authenticate outgoing email using SPF, DKIM, and DMARC.
• DMARC policy requirement: A valid DMARC policy must be published for the sending domain, even if it's set to p=none.
• Alignment is key: Emails must pass SPF and/or DKIM checks and align with the domain in the visible From: header.
• Spam rate threshold: Bulk senders must keep their spam complaint rate below 0.1%, with a hard limit of 0.3%. High spam rates can lead to messages being rejected.

Key considerations

• Prioritize DKIM alignment: While both SPF and DKIM alignment are beneficial, if resources are limited, prioritize ensuring DKIM alignment by matching the DKIM domain to the visible From: address.
• Monitoring is still valuable: Even with a DMARC policy of p=none, monitoring DMARC reports can help identify authentication shortcomings before they impact deliverability. Google specifically states that unauthenticated messages might be rejected or marked as spam (see Google's sender guidelines).
• Understand ESP control: If using an Email Service Provider (ESP), clarify how they handle DMARC, DKIM, and SPF, and if they ensure alignment for your sending domain. Google and Yahoo's new policies can affect senders using shared domains.

Key opinions

• Starting point matters: The necessary updates to SPF, DKIM, and DMARC largely depend on the sender's current authentication setup.
• DMARC p=none is a good start: If there's no intention to move beyond a p=none DMARC policy, extensive monitoring of DMARC reports might not be considered an immediate necessity.
• DKIM alignment first: Marketers are advised to prioritize ensuring their DKIM is passing and the DKIM domain matches the visible From: address, as this is a key component for compliance.
• ESP reliance: Many believe that if an Email Service Provider (ESP) has control over the sending infrastructure, they will handle necessary adjustments to comply with the new requirements.
• Small business challenges: Small businesses often lack the dedicated IT teams or capacity to continuously monitor DMARC reports, making fundamental SPF, DKIM, and DMARC alignment and passing checks their primary focus initially.

Key considerations

• Aligning both SPF and DKIM: While DKIM alignment is highlighted, aligning both SPF and DKIM provides the strongest authentication posture.
• DNS records: Ensuring that sending domains or IPs have valid forward and reverse DNS records is another critical step for compliance, as mentioned by Twilio (Twilio's blog on sender requirements).
• Unsubscribe options: All emails should include easy unsubscribe options, with requests processed promptly, as this impacts sender reputation and deliverability.
• Gradual DMARC progression: For those with more resources, the progression from p=none to stricter DMARC policies (like quarantine or reject) should be a phased approach, undertaken after careful monitoring and analysis of DMARC reports.
• Domain reputation: Beyond technical setup, maintaining a good domain reputation is crucial. This involves minimizing spam complaints and ensuring emails are valued by recipients. Improving domain reputation using Google Postmaster Tools is an important step.

Key opinions

• DMARC reports are valuable: Even with a p=none DMARC policy, monitoring reports can help identify authentication issues, as Gmail has a de facto 'DMARC must pass' requirement.
• Cost of proper DMARC: Setting up and handling DMARC reports properly is an expensive endeavor, and may not be a top priority unless there's a specific need to enforce DMARC policies beyond p=none.
• Phased implementation: Full DMARC implementation, including report monitoring and moving to stricter policies, is considered a step 2 or 3 in the process, not an initial requirement.
• Beyond basic compliance: While publishing a p=none DMARC policy meets the basic requirement, it's not a complete solution for robust email authentication and deliverability.

Key considerations

• Understanding the 'DMARC must pass' implication: Even if the DMARC policy is set to p=none, unauthenticated messages may still be rejected or spammed by Google and Yahoo.
• Strategic DMARC transition: For organizations aiming for stricter DMARC policies (p=quarantine or p=reject), careful analysis of DMARC reports is essential to avoid legitimate emails being blocked. Suped offers guidance on safely transitioning your DMARC policy to quarantine or reject.
• Address underlying authentication issues: Focus on ensuring that all legitimate mail streams are properly authenticated and aligned first, as highlighted in this Word to the Wise article. This is more impactful than simply having a DMARC record.
• Managing DMARC for different users: The implementation details often vary significantly depending on the sender's user base and email sending infrastructure.
• Continuous improvement: The new requirements signify an ongoing need for senders to monitor their email programs, adapt to changes, and continuously improve their email authentication and compliance practices. Regular review of your DMARC record and policy examples is recommended.

Key findings

• Bulk sender definition: Senders sending 5,000 or more messages a day to Gmail accounts fall under the bulk sender requirements.
• Mandatory authentication protocols: SPF, DKIM, and DMARC authentication are required for outgoing email. Messages not authenticated may be rejected or marked as spam.
• Low spam complaint rate: Bulk senders must maintain a spam complaint rate below 0.1% and never exceed 0.3%.
• One-click unsubscribe: Marketing and subscribed messages must include a one-click unsubscribe option in the header, and unsubscribe requests must be processed within two days.
• Valid DNS records: Sending domains or IPs need valid forward and reverse DNS records.

Key considerations

• Interpreting 'might be marked as spam or rejected': This phrasing from documentation implies a strong de facto requirement for authentication, even if a DMARC policy is p=none. Authentication failures can lead to rejection with a 5.7.26 error.
• DMARC alignment vs. authentication: Documentation specifies that emails must pass SPF and DKIM checks and that at least one of these must align with the From: domain. A simple guide to DMARC, SPF, and DKIM can help clarify these concepts.
• Monitoring DMARC reports for insights: While not explicitly stated as a 'requirement' for p=none, documentation from Google (Gmail Help: Email sender guidelines) implies that monitoring can help ensure messages are authenticated and not sent to spam, thus preventing deliverability issues.
• Comprehensive approach: Compliance extends beyond just technical setup to include user experience (unsubscribe) and sender reputation (spam rates).