Gmail and Yahoo have decided to take the security of email communication one step forward. As one of the most widely used mailbox providers, both will tighten their rules for delivering bulk email messages from 1 February 2024. The goal is to reduce the volume of fraudulent messages such as phishing and spam in general.

It's almost remarkable that both companies were able to agree on the basic principles that both will require. For the most part, these are rules that other mailbox providers, for example, have required before, but on several points this is a major breakthrough in the field of email security. What exactly is this about and what impact will it have on email marketing? Below you will find the most important changes that should be of interest to you. For a full list of changes, see the original sources below the article.

Domain Authentication

In addition to the previously checked authentication using SPF and DKIM records, a DMARC record will also be required.

Details about the DMARC record can be found in this article. In a nutshell, this is a sender domain protection mechanism that instructs mailbox provider servers how to handle inboxes that are not fully authenticated with SPF and DKIM records.

In practice, you can set your own policy on your domain about what the recipient's server should do with such untrusted emails - this is called a DMARC policy

• none - do nothing
• quarantine - put in the spam folder
• reject - do not deliver

However, Google and Yahoo are aware that most senders are not fully prepared to switch to a stricter policy straight away, as this would put at risk, for example, their corporate communications or transactional emails, which are often poorly secured. Therefore, for the time being, they will make do with the "none" policy, which, although it will have no impact at all on the handling of unsigned emails by other mailbox providers, will serve its purpose - the DMARC record will become public knowledge. So we can expect Gmail and others to start requiring stricter policies in the coming months. For now, however, it is important to have a DMARC record at all.

Easy unsubscribe

• The user must have a simple one-click option to unsubscribe from the newsletter. This puts an end to the complicated processes of replying to emails or calling the customer service line.
• One-click unsubscribe will be required, which is secured by a special header, and e.g. Gmail and other email clients can display an "Unsubscribe" button directly in the user interface.

• The body of the email must also prominently display an unsubscribe link, which may lead to a special unsubscribe page.

Low complaint rate

Gmail will require that the spam rate (the percentage of recipients who mark your messages as spam) is below 0.1%. Exceeding the 0.3% threshold will have a rapid impact on a sender's spam score.

The status of this metric can be monitored using Google Postmaster Tools.

Several things are essential to keeping this metric under control:

• Send newsletters to users who are actually interested. The use of double opt-in subscriptions should already be standard.
• Create informative, valuable and personalized messages, using customer segmentation.
• Give users an easy way to unsubscribe.
• Eliminate recipients who don't open your emails for a long time.
• Have an integrated feedback loop to automatically unsubscribe customers who mark your emails as spam.

Additional general requirements

• PTR record at the sending IP address
• TLS connection for sending email
• Correct HTML message format in accordance with RFC 5322
• The domain in the "from" header must match the domain signed by the SPF or DKIM record (for successful processing of the DMARC record).
• Google recommends setting the ARC protocol for domains that forward emails.

If any of the rules above are not met by the sender, there is a risk that the sent messages will automatically end up in the SPAM folder or will not be delivered at all. We therefore recommend that you check as soon as possible that your current email solution meets these requirements. While some of the requirements will only apply to senders with more than 5,000 recipients per day (DMARC record, one-click unsubscribe), the other points apply to all senders. Yahoo has not yet specified what it means by "bulk sender". It is therefore definitely better to be prepared for this situation in advance.

Samba users needn't worry - all the new requirements are already in place or will be soon. Email security is the cornerstone of good deliverability, without which your email marketing simply won't work. If you have any questions, don't hesitate to contact us - we'll be happy to make sure your emailing is not only secure, but more importantly, profitable.

Source:

• https://blog.google/products/gmail/gmail-security-authentication-spam-protection/
• https://blog.postmaster.yahooinc.com/post/730172167494483968/more-secure-less-spam