
Don’t Let Your Email Be Blocked: Understanding the New Requirements


Email remains a crucial tool for communication, but as technology evolves, so do the standards surrounding it. In February 2024, two major email providers, Google (including Gmail) and Yahoo, implemented new requirements for bulk senders, meaning entities that send a high volume of emails daily. With these changes, the providers aim to improve email security and user experience and to reduce spam. The changes ultimately affect both senders and recipients.

Who Is Affected?

The new requirements primarily target bulk senders, defined by Google as those sending more than 5,000 emails a day to Gmail addresses. This includes businesses and organizations sending newsletters, marketing materials, transactional emails, and other forms of mass communication. Individual users sending a small number of emails daily are not directly impacted.

This affects all mail senders, regardless of origin or destination. Although these requirements are being publicized by Yahoo and Google, an increasing number of ISPs and mail filters are also starting to impose stronger authentication requirements on inbound mail. Although they are not publicly advertising it, Hotmail/Outlook.com and Office365 domains scan inbound mail for authentication compliance as well. Many other enterprise filters do too.

Why Are These Changes Happening?

These new requirements address several challenges in the email landscape:

  • Increased email fraud: Phishing scams and email spoofing are common tactics employed by cybercriminals. Enhanced authentication helps combat these attempts by verifying email legitimacy and protecting user identities. Authentication techniques and protocols are used to verify the legitimacy of an email message and ensure that it hasn’t been forged or altered. This is important for preventing spam, phishing, and other malicious activities.
    Google says, “Many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst. To help fix that, we’ve focused on a crucial aspect of email security: the validation that a sender is who they claim to be.”
  • Rising spam rates: Unsolicited and unwanted emails (spam) contribute to cluttered inboxes and a negative user experience. Lowering spam rates improves the overall email environment for users and reduces the abuse of email channels for marketing purposes.
    Google notes that authentication is already showing results. “Last year we started requiring that emails sent to a Gmail address must have some form of authentication. And we’ve seen the number of unauthenticated messages Gmail users receive plummet by 75%, which has helped declutter inboxes while blocking billions of malicious messages with higher precision.”
  • Improved user control: Simplifying the unsubscribe process empowers users to manage their email subscriptions effectively and avoid unwanted communication.

What Are the New Requirements?

The new guidelines focus on three key areas:

  1. Enhanced email authentication:
  • What: Senders must implement Sender Policy Framework (SPF); DomainKeys Identified Mail (DKIM); and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
  • Why: These security protocols verify the sender’s identity, preventing email spoofing (sending emails disguised as someone else) and protecting users from phishing attacks.
  • How: Setting up these protocols requires technical expertise and may involve collaborating with your email service provider (ESP). Resources and guides are available from email providers and security vendors.
  2. Reduced spam rates:
  • What: Bulk senders must maintain a reported spam rate below 0.3% in Google’s Postmaster Tools.
  • Why: This measure seeks to combat spam and improve user experience by ensuring emails are truly relevant and desired by recipients.
  • How: Senders can monitor their spam rates in Postmaster Tools and implement best practices to reduce spam complaints. This includes obtaining explicit consent before adding individuals to email lists, sending relevant and valuable content, and providing clear unsubscribe options.
  3. Simplified unsubscription:
  • What: Emails must include a single-click unsubscribe option, easily accessible to recipients.
  • Why: This simplifies the process for users to opt out of unwanted emails, encouraging responsible email list management and reducing frustration.
  • How: Most email marketing platforms and ESPs offer built-in unsubscribe functions, ensuring compliance with this requirement. Additionally, senders must promptly process unsubscribe requests, typically within two business days—versus the 10 days required by the CAN-SPAM Act. If you use a bulk mail service, they may provide automation tools to make this happen. If you are not using a service, make sure you process unsubscribe requests before you send out your next mailing.

What Does This Mean for You?

If you are an individual user: These changes primarily impact bulk senders. However, users can expect to see improved email security and a reduction in spam. Additionally, you can take advantage of the simplified unsubscribe process to easily manage your email subscriptions and receive only the emails you want.

If you are a bulk sender: Some ESPs say that properly authenticated mail tends to get better open/click rates. However, it’s likely that Google and Yahoo will bounce some mail while sending other mail to the spam/junk folder. How that affects senders could change over time as they adjust their filtering. For now, it’s important to familiarize yourself with the new requirements and ensure your email practices comply with them.

  • Partner with your ESP or a qualified IT professional to implement the necessary authentication protocols.
  • Monitor your spam rates and implement strategies to keep them below the stipulated threshold.
  • Finally, ensure your emails include a clear and functional unsubscribe option and promptly process unsubscribe requests.

Email Marketing Laws

Along with these rules, businesses that use email marketing also need to comply with email marketing laws, including the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM). Email marketing laws like this one require that senders of commercial email display accurate email header and subject lines, identify messages as advertisements, include valid physical postal addresses, and provide recipients with the ability to opt out of the receipt of future commercial email communications.

While there is no private right of action under CAN-SPAM, some states, like Utah and California, allow consumers to bring email marketing claims under their deceptive marketing law statutes.

Failure To Comply

Google says messages from senders who don’t meet their requirements might be rejected or delivered to recipients’ spam folders. They do send a rejection code to senders, and a reason for the rejection.

Temporary failure messages include error codes like these that indicate which sender requirement is causing the failure:

| Error code | Description |
|---|---|
| 4.7.27 | SPF isn’t set up for your sending domains or IP addresses. All senders must use either SPF or DKIM authentication for outgoing messages. Bulk senders must use both SPF and DKIM authentication for outgoing messages. |
| 4.7.30 | DKIM isn’t set up for your sending domains or IP addresses. All senders must use either SPF or DKIM authentication for outgoing messages. Bulk senders must use both SPF and DKIM authentication for outgoing messages. |
| 4.7.23 | Your domain or IP address doesn’t have valid forward and reverse DNS records. This is a requirement for all senders. |
| 4.7.29 | Messages aren’t sent over a secure TLS connection. This is a requirement for all senders. |
| 4.7.32 | The domain in the From: header of your messages isn’t aligned with either the SPF domain or the DKIM domain. This is a requirement for bulk senders. |
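
The SPF/DKIM requirement and the alignment rule behind error 4.7.32 can be checked before a campaign goes out by sending a test message to a mailbox you control and reading the Authentication-Results header the receiver adds. The following is an added example, not code from Google, Yahoo or Sagacent: the message is constructed, all domains are placeholders, relaxed alignment (the DMARC default) is assumed, and the mapping of results to the codes in the table is an approximation for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real traffic). SPF passes for the vendor's bounce
# domain, DKIM is signed with the sender's own domain.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce.mailer-vendor.example;
 dkim=pass header.d=news.example.com
From: Example Shop <offers@example.com>
Subject: Spring sale

Hello
"""

def org_domain(domain):
    # Simplification: last two labels. Production code should consult the
    # Public Suffix List (this is wrong for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Return {'spf': (result, domain), 'dkim': (result, domain)}."""
    out = {}
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        res = re.search(rf"\b{method}=(\w+)", value)
        dom = re.search(rf"\b{re.escape(prop)}=(\S+?)(?:;|\s|$)", value)
        out[method] = (res.group(1).lower() if res else "none",
                       dom.group(1).split("@")[-1] if dom else "")
    return out

def preflight(raw):
    """Return the table's error codes this message would likely trigger."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    codes = []
    if auth["spf"][0] != "pass":
        codes.append("4.7.27")
    if auth["dkim"][0] != "pass":
        codes.append("4.7.30")
    # Aligned if a *passing* SPF or DKIM domain shares the From: org domain.
    aligned = any(res == "pass" and org_domain(dom) == org_domain(from_dom)
                  for res, dom in auth.values())
    if not aligned:
        codes.append("4.7.32")
    return codes

if __name__ == "__main__":
    print(preflight(SAMPLE) or "no authentication problems found")
```

The sample passes only because DKIM is signed with the sender's own domain; if the ESP signs with its own domain as well, both checks pass individually yet the message is still unaligned.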

Crucially, if you breach the rules, you risk getting your entire organization suspended from sending emails. However, Google does promise a mitigation process if that happens.

These changes may require adjustments to your email marketing practices, but ultimately contribute to a safer and more user-friendly email environment for all. By embracing these requirements and prioritizing responsible email sending, you can ensure your messages reach the intended recipients and avoid potential deliverability issues.

Additional Considerations:

  • These are the current requirements from Google and Yahoo. While other email providers might adopt similar policies in the future, it’s crucial to stay updated on the evolving landscape.
  • Continuous monitoring and adaptation are essential. As technology advances, email sending standards might further evolve, requiring ongoing awareness and compliance efforts from bulk senders.

By understanding and adhering to these new email requirements, bulk senders can contribute to a more secure, user-centric, and trustworthy email environment for everyone.

Sagacent Technologies Can Help

Sagacent is available to work with your marketing department to help you understand these requirements and become fully compliant. Contact us today to find out how.