Navigating 2024 email requirements
Starting in February 2024, Gmail and Yahoo Mail set the stage for a significant shift in email communication standards by enforcing new requirements for bulk email senders. This move by two of the Internet's email giants will likely encourage other providers to follow their lead. Gmail and Yahoo are pushing bulk senders to authenticate their emails and include links that make it easy for recipients to unsubscribe from emails with a single click. This post reviews these new requirements, provides a refresher on email authentication, and even shares a few tools to help ensure your emails are compliant.
Bulk sender changes
Gmail and Yahoo treat any sender that delivers roughly 5,000 or more messages a day to their users as a bulk sender, and the count is per primary domain: mail sent from any subdomain, like ads.example.com or notifications.example.com, is added to the total for the root domain (example.com). This per-domain rule is significant for me since our organization uses one main domain to host several cloud applications, with each application assigned its own subdomains. Although the services I am responsible for send fewer than 5,000 transactional (non-marketing) emails daily, the requirement still applies to us because our services fall under the umbrella of the primary domain.
If you're a bulk sender, Gmail and Yahoo are now requiring you to adhere to a few new requirements:
- Authenticate email: SPF, DKIM, and DMARC are existing standards that bulk senders must now all have in place. Gmail requires both SPF and DKIM for the sending domain, a DMARC record (a policy of p=none is enough to satisfy the rule), and a From: header domain that aligns with the SPF or DKIM domain. Together they let receivers confirm that a message really came from your domain and was not altered in transit, which is also what keeps spoofed mail out of inboxes. Adopting these standards has been best practice for years, but many senders still have not, so Gmail, Yahoo, and others are now forcing the issue by making them a condition of delivery for bulk senders.
- Include easy unsubscribe links: Marketing and subscribed messages must support one-click unsubscribe, which in practice means the RFC 8058 headers (a List-Unsubscribe header carrying an https URL and a List-Unsubscribe-Post: List-Unsubscribe=One-Click header) in addition to a clearly visible unsubscribe link in the message body, and unsubscribe requests must be honored within two days. Mail that does not provide this is liable to be rejected or sent to spam.
- Stop sending unwanted emails: Gmail and Yahoo monitor the rate at which recipients mark mail from a domain as spam. Gmail asks senders to keep the spam rate shown in Postmaster Tools below 0.10% and never let it reach 0.30%; above that, mail from the domain is throttled or blocked. Gmail suggests sending transactional and marketing email from different subdomains so that users who report marketing mail as spam do not also drag down the reputation of the more important transactional mail. Using separate subdomains for different kinds of email is a sound strategy as these guidelines become more stringent.
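As an added example (not code from the original post), the following Python builds a marketing message carrying the RFC 8058 one-click headers that the unsubscribe requirement calls for, and checks any message for them, including the legacy mailto-only form that does not qualify. The domain, addresses and URLs are placeholders, and the https endpoint is hypothetical: a real one has to accept a POST whose body is List-Unsubscribe=One-Click and unsubscribe the recipient with no further interaction.

```python
"""Added example, not code from the original post: RFC 8058 one-click unsubscribe headers
and a checker for them.  Addresses and URLs below are placeholders."""
import re
from email.message import EmailMessage

# Hypothetical endpoints. The https one must accept a POST with body
# "List-Unsubscribe=One-Click" and unsubscribe the recipient without any further interaction.
UNSUB_URL = "https://marketing.example.com/unsubscribe?token=3f9c1a"
UNSUB_MAILTO = "mailto:unsubscribe@marketing.example.com?subject=unsubscribe"


def build_marketing_message(to_addr, one_click=True):
    """Build a marketing email. one_click=False produces the legacy form (mailto only, no
    List-Unsubscribe-Post header), which does NOT satisfy the Gmail/Yahoo requirement."""
    msg = EmailMessage()
    # Marketing mail goes out from its own subdomain so complaints do not hurt transactional mail.
    msg["From"] = "Example News <news@marketing.example.com>"
    msg["To"] = to_addr
    msg["Subject"] = "Spring product update"
    if one_click:
        msg["List-Unsubscribe"] = f"<{UNSUB_MAILTO}>, <{UNSUB_URL}>"
        msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    else:
        msg["List-Unsubscribe"] = f"<{UNSUB_MAILTO}>"
    msg.set_content(f"Hello,\n\nHere is what is new this month.\n\nUnsubscribe: {UNSUB_URL}\n")
    return msg


_ANGLE_URI = re.compile(r"<([^>]+)>")   # RFC 2369: each URI is enclosed in angle brackets


def check_one_click_unsubscribe(msg):
    """Return the list of problems; an empty list means the message meets RFC 8058."""
    problems = []
    list_unsub = msg.get("List-Unsubscribe")
    if list_unsub is None:
        problems.append("missing List-Unsubscribe header")
    else:
        uris = _ANGLE_URI.findall(str(list_unsub))
        if not uris:
            problems.append("List-Unsubscribe URIs must be enclosed in angle brackets")
        elif not any(u.lower().startswith("https://") for u in uris):
            problems.append("List-Unsubscribe needs an https:// URI; mailto: alone is not one-click")
    post = msg.get("List-Unsubscribe-Post")
    if post is None:
        problems.append("missing List-Unsubscribe-Post header")
    elif str(post).strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post must be exactly 'List-Unsubscribe=One-Click'")
    body = msg.get_body(preferencelist=("plain",))
    if body is None or "unsubscribe" not in body.get_content().lower():
        problems.append("no visible unsubscribe link in the message body")
    return problems


if __name__ == "__main__":
    print(check_one_click_unsubscribe(build_marketing_message("someone@example.net")))  # []
    print(check_one_click_unsubscribe(build_marketing_message("someone@example.net", one_click=False)))
```

The checker is deliberately strict about https: RFC 8058 defines one-click only for an HTTPS URI, so a mailto-only List-Unsubscribe header, common in older mailing setups, is flagged even though it is still a valid (and useful) RFC 2369 header.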
Email authentication standards
There's tons of detailed information on email authentication standards on the Internet, and I'll provide a short overview here. For those new to this topic, I recommend reviewing Cloudflare's email guide as an excellent primer on these standards. Gmail and other email service providers also provide extensive documentation on this topic.
Sender Policy Framework (SPF)
Introduced in the early 2000s and later standardized in RFC 4408 and RFC 7208, SPF was among the first widely adopted email authentication standards. It lets a domain list, in a DNS TXT record, the servers authorized to send mail on its behalf. An SPF record can pull in another domain's SPF record (e.g., include:amazonses.com), list IPv4/IPv6 addresses or ranges, and reference the domain's own A or MX records. Two caveats matter in practice. First, SPF checks the envelope sender (the SMTP MAIL FROM / Return-Path domain), not the From: header the recipient sees, so on its own it stops neither From: spoofing nor tampering with the message body. Second, a receiver gives up with a permanent error after 10 DNS-querying terms (include, a, mx, ptr, exists, redirect), counted across nested includes, so keep the record short.
If example.com had the SPF record
example.com TXT v=spf1 include:amazonses.com ip4:192.168.0.0/16 -all
then the authorized mail servers for example.com would be every server listed in Amazon SES's own SPF record plus any host with an address between 192.168.0.0 and 192.168.255.255 (a private range, used here only for illustration), and the trailing -all tells receivers to treat mail from any other host as a hard fail.
DomainKeys Identified Mail (DKIM)
DKIM, combined with SPF, significantly improves email authenticity. It uses public-key cryptography to sign outgoing mail: the sender publishes its public key in a DNS TXT record and signs each message with the matching private key, placing the signature in a DKIM-Signature header. The signature covers a hash of the body and a chosen set of headers (From: is always among them), so a recipient that verifies it knows those parts were not altered in transit. The DKIM-Signature header also names the signing domain (d=) and a selector (s=), which together tell the receiver where to fetch the key.
DKIM TXT records live at
[selector]._domainkey.[domain]
where [selector] is the value the sending server or email provider puts in the s= tag of the DKIM-Signature header. A receiving server combines the selector and the d= domain to look up the public key and check that the message was signed with the corresponding private key. The selector can be any value as long as it matches the mail service's configuration, and because a domain can publish several selectors at once, it is also how keys get rotated. In practice, an email provider usually hands you ready-made "Easy DKIM" DNS records. If example.com used selector as its selector,
selector._domainkey.example.com TXT v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDPuiIgLA5PZ/c14WOBw0vwX+xZqbkhHJYrCTO9ANwzY4R+4IepCjKr5ZTY7zhGVTy9aWRS2jRcmebtRTMHN9gLRgb2qjD7Dmwi6RsxE4JN5phl/tm8ltLMb2dd9Bna/cHbhqbD4kSToZXMvBMU8BrwudYBxKJPs4FWY+/H0M1fQIDAQAB
could be a valid DKIM record. The p= tag is the public key corresponding to the private key the sender signs with, and t=s tells verifiers not to accept signatures whose signing identity (i=) is a subdomain of d=. The key in this example is 1024-bit RSA, the minimum Gmail accepts; 2048-bit keys are the usual recommendation today.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
DMARC ties SPF and DKIM to the From: header the recipient actually sees and tells receivers what to do with mail that fails. A message passes DMARC if at least one of the two checks passes for a domain that aligns with the From: domain: for SPF that is the MAIL FROM domain, for DKIM the d= domain, and in the default relaxed mode a subdomain of the same organizational domain counts as aligned. Mail that fails is delivered, quarantined (usually into the spam folder), or rejected according to the p= policy in the record. Gmail's bulk-sender rules only require a DMARC record with at least p=none, but stepping up to quarantine and then reject is what actually stops others from spoofing your domain. The rua= tag names an address to which receivers send aggregate reports of what passed and failed; several services, like Easy DMARC, will collect and analyze these reports for you.
An example of a valid, simple DMARC record instructing mail servers to reject all mail that fails DMARC could be
_dmarc.example.com TXT v=DMARC1; p=reject
Start at p=none and read the reports before moving to reject, or you will block legitimate mail from any service you forgot to authenticate.
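To make the three records concrete, here is an added stdlib-only Python checker (not code from the original post) that serves the SPF, DKIM and DMARC sections above: it parses the three example records quoted in this post, counts SPF's DNS-querying terms against the 10-lookup budget, reads the RSA key size out of the DKIM p= tag, validates the DMARC policy, and evaluates DMARC alignment the way a receiver does. The organizational-domain helper is a deliberate simplification (it assumes the last two labels; real verifiers consult the Public Suffix List) and the alignment scenarios at the bottom are constructed samples.

```python
"""Added example, not code from the original post: stdlib-only checks for the SPF, DKIM and
DMARC records shown above, plus a DMARC alignment evaluation.  The three records are the
ones quoted in the post; the alignment scenarios are constructed samples."""
import base64

SPF_RECORD = "v=spf1 include:amazonses.com ip4:192.168.0.0/16 -all"
DKIM_RECORD = ("v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDPuiIgLA5PZ/c14WOBw0vwX+xZqbkhHJYrCTO9ANwzY4R"
               "+4IepCjKr5ZTY7zhGVTy9aWRS2jRcmebtRTMHN9gLRgb2qjD7Dmwi6RsxE4JN5phl/tm8ltLMb2dd9Bna/cHbhqbD4kSToZXMvBMU8BrwudYBxKJPs4FWY+/H0M1fQIDAQAB")
DMARC_RECORD = "v=DMARC1; p=reject"

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query (RFC 7208 4.6.4)


def check_spf(record):
    """Syntax-level SPF check: version, the 'all' qualifier and the 10-lookup budget.
    Only terms in this record are counted; include targets are not fetched."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0, "all": None, "problems": ["record must start with v=spf1"]}
    lookups, all_qualifier, problems = 0, None, []
    for term in terms[1:]:
        qualifier = "+"                     # RFC 7208 default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    if all_qualifier is None:
        problems.append("no 'all' term, so unlisted hosts get a neutral result")
    elif all_qualifier == "+":
        problems.append("'+all' authorizes every host on the Internet")
    return {"valid": not problems, "lookups": lookups, "all": all_qualifier, "problems": problems}


def parse_tags(record):
    """Split the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_tag):
    """Key size of the base64 SubjectPublicKeyInfo in a DKIM p= tag (RSA keys only)."""
    _, spki, _ = _der_tlv(base64.b64decode(p_tag), 0)   # SubjectPublicKeyInfo SEQUENCE
    _, _, after_alg = _der_tlv(spki, 0)                 # skip AlgorithmIdentifier
    tag, bits, _ = _der_tlv(spki, after_alg)            # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, rsa_pub, _ = _der_tlv(bits[1:], 0)               # drop unused-bits octet, read SEQUENCE
    _, modulus, _ = _der_tlv(rsa_pub, 0)                # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim(record, min_bits=1024):
    """Gmail requires DKIM keys of at least 1024 bits; 2048 is the common recommendation."""
    tags, problems, bits = parse_tags(record), [], 0
    if tags.get("v", "DKIM1") != "DKIM1":               # v= is optional and defaults to DKIM1
        problems.append("unknown version tag")
    if not tags.get("p"):
        problems.append("empty p= means the key has been revoked")
    elif tags.get("k", "rsa") == "rsa":
        bits = rsa_modulus_bits(tags["p"])
        if bits < min_bits:
            problems.append(f"{bits}-bit RSA key is below the {min_bits}-bit minimum")
    return {"valid": not problems, "bits": bits, "problems": problems}


def check_dmarc(record):
    tags, problems = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    warnings = [] if "rua" in tags else ["no rua= address, so you will receive no aggregate reports"]
    return {"valid": not problems, "policy": tags.get("p"), "problems": problems, "warnings": warnings}


def org_domain(domain):
    """Assumption: organizational domain = last two labels. Real verifiers use the
    Public Suffix List (example.co.uk needs three labels)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_result(from_domain, spf_pass_domain, dkim_pass_domain, policy):
    """DMARC passes if SPF or DKIM passed for a domain aligned (relaxed mode) with the
    visible From: domain; otherwise the receiver applies the published p= policy."""
    def aligned(domain):
        return bool(domain) and org_domain(domain) == org_domain(from_domain)
    if aligned(spf_pass_domain) or aligned(dkim_pass_domain):
        return "pass"
    return policy


if __name__ == "__main__":
    print(check_spf(SPF_RECORD))
    print(check_dkim(DKIM_RECORD))
    print(check_dmarc(DMARC_RECORD))
    # Constructed scenario: SES with its default amazonses.com MAIL FROM, so SPF passes for an
    # unaligned domain and the DKIM signature with d=example.com is what makes DMARC pass.
    print(dmarc_result("example.com", "amazonses.com", "example.com", "reject"))
    # Constructed spoof: From example.com with no aligned pass, so the receiver rejects.
    print(dmarc_result("example.com", "attacker.example", None, "reject"))
```

The lookup counter only sees the terms in the record you hand it; a full check resolves each include and adds its lookups, which is exactly how records built from several providers' includes quietly overflow the budget.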
Email providers to the rescue
Fortunately, many commercial email services, such as Amazon's Simple Email Service (SES), SendGrid, and Mailgun, exist. Since these providers only make money when your mail actually gets delivered, they have every incentive to make adhering to these standards as easy as possible, and they ship tooling for it.
I have experience with AWS SES for transactional emails, an example of an email service provider that makes adhering to these new rules as easy as possible. SES provides the three DNS CNAME records to add to a hosted DNS zone for "Easy DKIM" support on a given email domain (verified identity). Additionally, SES has a Subscription Management feature that allows email recipients to unsubscribe easily without you needing to handle unsubscribe requests yourself. The only DNS records I've had to manually create while using SES are the SPF and DMARC records. One caveat worth knowing: by default SES uses an amazonses.com address as the envelope sender (Return-Path), so SPF passes for Amazon's domain rather than yours and your DMARC pass comes from DKIM alignment; if you also want SPF alignment, configure a custom MAIL FROM domain on the identity and publish the SPF record SES gives you for it. While several excellent email services exist, sending compliant email with SES is easy and worth considering if you're already in the AWS ecosystem.
Email validation tools
With these changes to email, now is an excellent time to verify how compliant your emails are. I've found two websites to be helpful when I needed to assess this.
First, I highly recommend Mail Tester. Mail Tester offers a free service that lets you send an email to a temporary address for testing and returns a score indicating how well your email conformed to various standards. The UI provides an overall score and highlights areas where your emails could improve. If you test an email through this service and don't receive a score of at least 8/10, some email providers may well block or spam-folder mail sent from your service.
Second, I recommend Easy DMARC. Easy DMARC provides free tools to verify that your domain's SPF, DKIM, and DMARC records are present and valid. If you need some records or they're invalid, Easy DMARC also has tools to assist you with generating correct DNS records.
Summary
In summary, the upcoming changes by Gmail and Yahoo Mail mark a significant milestone in email communication, emphasizing the importance of authentication and having user consent for email senders. By enforcing stricter requirements for email authentication through SPF, DKIM, and DMARC and requiring user-friendly unsubscribe links, these platforms are helping to make email even better.
Sending email is complicated, and we can reasonably expect it to get even more complex in the future. If you're still running and maintaining your own email server or service, consider using a SaaS email service that specializes in this evolving domain.