Recently, Google and Yahoo announced new sender guidelines coming in 2024. We’re here to break it down, and help you get ready for those changes! Don’t worry – you still have time! Since these changes go into effect in Q1 of 2024, you have time to get through your holiday rush!
What are the new sender guidelines?
The new sender guidelines require:
- Email authentication using DKIM, SPF, and DMARC
- Avoid impersonating Gmail From: headers. Don’t use a shared/public email domain for bulk sending.
- Provide easier unsubscribe options for recipients (one-click) and process those suppressions within 2 days (no more delayed unsubscribe processes)
- Maintain spam complaint rates under 0.3%
While both Google and Yahoo are adding requirements, Google is slightly more strict, so we’re focusing primarily on their guidelines. If you meet theirs, then you’re all set for Yahoo’s requirements.
While all of this sounds scary, these new guidelines are a good thing for you and your customers. It will make it easier for your recipients to identify you as a legitimate sender and for them to actually see your messages.
Let’s Dive In – How to meet new sender guidelines.
These sender guidelines apply to all senders, but especially bulk senders. Google classifies a bulk sender as someone who sends 5k or more emails to Google accounts per day. While that may seem like a lot of promotional emails, the total includes transactional emails and is counted across all your recipients. For example, even if you only send one campaign a month, if your list has over 5,000 profiles with @gmail.com email addresses, you’ll be classified as a bulk sender under these new guidelines in one send.
These new requirements have been best practices in the industry for years, so we recommend planning for these new guidelines, even if you don’t think you meet the current threshold.
If that threshold ever changes, you’ll already be prepared! Plus, you are likely already doing some of the things Google and Yahoo will require.
Steps to meet the new sender guidelines
There are 3 main requirements that you will need to satisfy to meet the new guidelines. Let’s discuss each one individually.
1. Set up DKIM, SPF, and DMARC authentication for your sending domain.
Good news – you can set this up for your sending domain via your DNS provider yourself. But what does that mean?
Email authentication is a set of technical standards that help verify an email sender’s identity. There are three common types of authentication – SPF, DKIM, and DMARC. Mail servers use one of these 3 types to verify that incoming messages are from a legitimate sender and to prevent phishing scams, spoofing attempts, and other spam. Google will require DMARC specifically. You can think of DMARC verification as a combination of SPF and DKIM authentication. Essentially, a message must meet both SPF and DKIM protocols to be delivered.
Make a list of every service or website that sends email on your behalf.
For most of our clients that list will include their email host (such as Google Workspace), their website host (such as a self-hosted WordPress site or Shopify), email marketing services (such as Klaviyo or Mailchimp), and customer support services (such as Help Scout, Freshdesk, or Zendesk). But that example isn’t all inclusive. Do you have a rewards app such as Smile that emails customers about their point status? What about an affiliate system that notifies affiliates or customers on successful referrals? Do you use a reviews management service such as Judge.me or Trustpilot that emails customers requesting reviews? All of these systems must be accounted for when activating DMARC because they must all pass SPF or DKIM checks to be delivered successfully.
Review each of those services to ensure that it has appropriate SPF and/or DKIM authentication set in your DNS provider
Each service provider will have instructions for how to configure SPF records for their services if required. Not all services will require SPF records. For example, our transactional sending provider Postmark only requires DKIM authentication and a set return path to pass both SPF and DKIM alignment.
Set a _dmarc.domain.com TXT record in your DNS
Before setting up a final DMARC policy that will effectively reject emails that don’t pass your SPF and DKIM alignment, it’s best to monitor the DMARC reporting to ensure you accounted for all the email sources when making your list earlier. Fortunately, this reporting is built into the DMARC system and there are free tools available to get a weekly report on your DMARC results. We have used Postmark’s free tool to both generate DMARC records and monitor the results for over 3 years now. You can sign up at dmarc.postmarkapp.com. Cloudflare now also offers a new DMARC management service that’s in beta at this time: https://developers.cloudflare.com/dmarc-management/
A typical example of a DMARC record looks like this:
_dmarc.domain.com TXT v=DMARC1; p=none; pct=100; rua=mailto:[email protected]; sp=none; aspf=r;
In this case, the sp and p tags are set to none indicating that the DMARC policies are in test mode so to speak and will not prevent delivery of any messages. That policy is set to apply to 100% of messages (pct=100). The rua contains the email address where reports will be sent and the aspf=r tag indicates a relaxed SPF alignment which would allow any subdomain of the primary domain to pass if the primary domain aligns with SPF records.
Here is an example report from the Postmark DMARC monitoring service
Note that since only one _dmarc record can be present per domain, only one monitoring service can be used at any given time.
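To make the audit in step 1 concrete, here is an added example (not code from Postmark, Cloudflare, or this site) that parses a DMARC record like the one above and reports, per sending service, whether its SPF and DKIM domains align with the From domain. The domains, service names, and the org_domain parameter are constructed assumptions; real receivers derive the organizational domain from the Public Suffix List.

```python
# Added example: parse a DMARC TXT value and audit sending services for alignment.
# All domains and service names below are constructed sample data.

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; v=DMARC1 must be the first tag."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags

def review_policy(tags):
    """Return findings about how much protection the published policy gives."""
    findings = []
    if tags.get("p") is None:
        findings.append("missing required p= tag")
    elif tags["p"] == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct below 100: policy applies to only part of the mail")
    return findings

def is_aligned(from_domain, auth_domain, mode, org_domain):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:
        return False  # mechanism not configured for this service
    f, a, org = (d.lower().rstrip(".") for d in (from_domain, auth_domain, org_domain))
    if mode == "s":
        return f == a
    return all(d == org or d.endswith("." + org) for d in (f, a))

def audit_services(from_domain, org_domain, tags, services):
    """services maps name -> (Return-Path domain, DKIM d= domain); None if unset."""
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    return {name: {"spf": is_aligned(from_domain, spf, aspf, org_domain),
                   "dkim": is_aligned(from_domain, dkim, adkim, org_domain)}
            for name, (spf, dkim) in services.items()}

RECORD = "v=DMARC1; p=none; pct=100; rua=mailto:dmarc-reports@example.com; sp=none; aspf=r;"
SERVICES = {"workspace": ("example.com", "example.com"),
            "marketing": ("bounces.esp.example.net", "mail.example.com"),
            "reviews-app": ("vendor.example.org", None)}
```

A service that shows False for both spf and dkim is one to fix in DNS before the policy is moved off p=none.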
2. Ensure that your “From” header matches your domain.
In order to meet Google’s requirements, you will need your own sending domain – shared domains will no longer be allowed. Additionally, your “From” header (what your recipient sees in their inbox) must align with your sending domain in order to meet DMARC requirements.
So what does this mean? Plainly speaking, this means that you shouldn’t use shared domains for bulk email. Some common shared domains are: gmail.com, yahoo.com, hotmail.com, live.com, aol.com, comcast.net; or any email provider where you don’t control the domain (last part of the email) such as ISPs or free email services. We have always recommended avoiding these email addresses for professional and business purposes. They are commonly used for spam (the root cause of these changes) and just don’t convey the trust users expect to differentiate your email in their inbox.
Klaviyo has a great explanation for a dedicated sending domain. This dedicated sending domain “allows you to send emails that appear to be coming from your brand and allows you to have better overall control of your sender reputation.” Any business can have a dedicated sending domain. Remember, you must own the domain that you use to send email, and have access to your DNS host to create necessary records. Again, each DNS host will have slightly different steps to create this dedicated sending domain.
WordPress sites utilize PHPMailer to send email from the hosting server. This usually is not a reliable sending method and should be replaced with a sending service that can be authenticated to meet these new guidelines. Sites can utilize a plugin to bypass PHPMailer and use your custom sending domain. There are several options available in the WP.org repository by searching SMTP. However, this is not the solution I would recommend for most sites. If you are running a business or ecommerce from your site, you should utilize a transactional email sending service. For this, at Sprucely Designed, we utilize Postmark. Other services in this space are Sendgrid, SparkPost, Mailgun, or Amazon SES. These services each have their own options for integration into your site using plugins. Check your provider for instructions.
Sites with a Proactive Maintenance Plan with Sprucely Designed are already in compliance here as we set up transactional email sending as part of our onboarding process.
Sites hosted with Sprucely Designed but not managed by us will need to take action to add a third-party SMTP service that can be authenticated to meet these new requirements.
Shopify merchants can set a custom sending domain from your Shopify admin. Go to Settings > Notifications, then in the Sender email section, enter your email address. After clicking save, you’ll receive an email to verify that you own and entered the address correctly. After verifying, return to Settings > Notifications and in the Sender email section, click authenticate your domain. Follow the instructions to add the DNS CNAME records to link your custom domain to Shopify’s SPF and DKIM records. Review detailed instructions here.
If Shopify merchants take no action, Shopify will override your sending email to [email protected] which will help ensure that the emails are delivered. However, those emails won’t be branded to your store and business. We highly recommend taking action to add your custom domain to help your customers identify your emails and build brand trust.
If you use an email marketing platform such as Klaviyo or Mailchimp, you will then need to configure your account to send from that dedicated sending domain. You can find instructions for Klaviyo here, and Mailchimp here. Klaviyo has also created a Klaviyo Academy (free) course on how to accomplish steps 1 and 2.
3. Make unsubscribing clearer and easier.
It’s likely that most of you already have this step covered! Let’s look at the two things you need to meet this requirement.
A. You must include a method to unsubscribe in just 1 step in your emails.
B. You must include an unsubscribe link in the message body.
There are several ways this can be accomplished, but the easier and clearer you make the unsubscribe option, the fewer recipients will mark your messages as spam. While many senders include an unsubscribe link at the bottom of their emails, adding an unsubscribe option to your header, or at the top of your email, is a great idea. Remember, that option must be a 1 step unsubscribe. This means that once the recipient clicks that option, they are unsubscribed with no further action. If you utilize Klaviyo, they will be implementing an automatic unsubscribe header that will meet this requirement with no action required.
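For senders who build their own messages, the header-based option is the pair of List-Unsubscribe and List-Unsubscribe-Post headers defined in RFC 8058. The following added example (not code from Klaviyo or any platform named here) builds a message carrying both and checks an outgoing message against requirements A and B; the addresses, URL, and token are constructed, and the body-link check is a simple heuristic.

```python
# Added example: one-click unsubscribe headers (RFC 8058) plus a pre-send check.
# Addresses, URL and token are constructed sample values.
import re
from email.message import EmailMessage

ONE_CLICK = "List-Unsubscribe=One-Click"

def build_campaign(sender, recipient, unsubscribe_url, body):
    """Build a message with the one-click headers and the given text body."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Monthly newsletter"
    # The mailbox provider POSTs to this HTTPS URL when the user clicks unsubscribe.
    msg["List-Unsubscribe"] = f"<{unsubscribe_url}>"
    msg["List-Unsubscribe-Post"] = ONE_CLICK
    msg.set_content(body)
    return msg

def unsubscribe_problems(msg):
    """Return a list of reasons the message fails requirement A or B."""
    problems = []
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.lower().startswith("https://") for u in uris):
        problems.append("A: List-Unsubscribe has no https:// URI")
    if msg.get("List-Unsubscribe-Post", "").strip() != ONE_CLICK:
        problems.append("A: List-Unsubscribe-Post is missing or wrong")
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    # Heuristic: look for a URL containing the word "unsubscribe" in the body.
    if not re.search(r"https?://\S*unsubscribe", text, re.IGNORECASE):
        problems.append("B: no unsubscribe link found in the message body")
    return problems

UNSUB_URL = "https://example.com/unsubscribe?u=abc123"  # per-recipient token
GOOD = build_campaign(
    "news@example.com", "customer@example.net", UNSUB_URL,
    f"Thanks for reading!\n\nTo stop receiving these emails: {UNSUB_URL}\n",
)
```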
4. Keep your spam rates low.
Like requirement 3, most of you already take steps to ensure your spam reports stay low. With these new requirements, Google will require a spam complaint rate of 0.3% or lower. You can utilize Google Postmaster Tools to help you monitor delivery rates, spam reports, and more.
If you are already compliant with the CAN-SPAM Act, then you are likely meeting this requirement already. As a refresher, to maintain compliance (and keep those spam complaints low) you should:
- Include a physical address for your business – no PO boxes here
- Ensure there is an unsubscribe link in every message
- Only send marketing messages to those who have opted in for promotional messages
What else do I need to know about the new 2024 sender guidelines?
Mark your calendars – Google will begin enforcement of these new authentication guidelines on February 1, 2024. One-click unsubscribe requirements for senders who already have an unsubscribe link in their emails will be enforced starting June 1st, 2024.
Yahoo has not released an official date beyond Q1 as of this post. We recommend following their Sender Hub to stay up to date with deadlines.
We understand that these new guidelines could feel overwhelming and confusing. We would love to help you take steps to meet the new guidelines and beyond. We are Klaviyo partners, well versed in Mailchimp, and manage DNS via Cloudflare for all our clients.
Reach out to us here to schedule an introductory call to let us know how we can help you!