Back to main menu

Deliverability

Understanding the Gmail and Yahoo sender requirements: Takeaways from our fireside chat with Gmail and Yahoo

What is the impact of Gmail and Yahoo’s new requirements on email deliverability? What actions do senders need to take? Why is this happening now? The industry has been buzzing around these requirements for months. We decided to sit down with reps from Google and Yahoo to get some clarity. So now we have a question for you, are you ready to yahoogle? Let’s go.

PUBLISHED ON

PUBLISHED ON

The inbox requirements for bulk senders announced by Google and Yahoo in October 2023 have shot through the community like panic up a spine. As with any big announcement it can be hard to wade through content and opinion to get to the truth. The truth is these requirements are more established and familiar than you may realize.

To break through confusion, Sinch Mailgun’s VP of Deliverability, Kate Nowrouzi sat down with Marcel Becker, Sr. Product Manager for Yahoo, and Anu Yamunan, Director of Product for Anti-Abuse & Safety at Google to dispel the rumors surround the requirements and answer questions about what will change for bulk senders, and why enforcement for these requirements is happening now.

What’s changing and why?

Google and Yahoo are both cracking down on enforcing requirements for bulk senders around authentication standards, spam rate thresholds, and one-click unsubscribe policies. We covered the requirements in depth when they were first announced in October 2023, and got some further insights from Yahoo featured in our Email’s Not Dead podcast. If we’ve learned anything from industry changes, it’s that sometimes there is never enough information straight from the source. That’s why we hosted a webinar and put both of these mailbox giants in the same room to set the record straight.

The requirements in a nutshell

Here’s a quick recap. Bulk senders will be held to three primary requirements designed to enforce a healthy and happy inbox experience. These requirements revolve primarily around preventing spammy behaviors by strengthening authentication, creating a uniform unsubscribe process, and managing overall spam rates.

  • Authentication: Bulk senders must implement SPF, DKIM, and DMARC authentication protocols.

  • One-click unsubscribe: One-click unsubscribe headers must be used in accordance with the RFC 8058 standard.

  • Spam rate 0.3%: Senders will need to maintain a spam complaint rate of 0.3% or below.

Your questions answered

Throughout the rest of this post, we’re going to feature some of the most asked questions around each of these requirements from our recent Fireside chat with Google and Yahoo which you can watch on-demande here. To kick it off, we’re going to dive into an easy, albeit existential question. Why now?

Why are these requirements being enforced now?

Like we said, these requirements may seem familiar and that’s because they’ve been around for a while. The goal is not to disrupt senders, it’s to make the inbox safer for users. Here’s what the experts had to say:

"These are new requirements for bulk senders based on policies and industry standards that have existed for 10+ years. They are designed to help improve the user experience when combating spam and fraud. This is an exciting opportunity for us as an industry to meaningfully upgrade the safety of the email ecosystem. We believe all users should be able to trust the messages that they are reading are from trusted sender."

Anu Yamunan, Director of Product for Anti-Abuse & Safety at Google

"All of these requirements have been well documented best practices for years. A lot of senders have already implemented them. Authenticating your email traffic should be something that you're already doing if you care about the health of your email traffic as well as your infrastructure. Putting easy unsubscribe options into the header and making sure people can unsubscribe from your emails instead of marking them as spam, that should be a no brainer, that technology has been around. And if you're sending emails people want your spam rates should be well below 0.1%."

Marcel Becker, Senior Director of Product at Yahoo

Aside from why now, the next big question is who will these requirements affect?

Who do these changes impact?

The ultimate goal is to create a better and more secure experience for users. If you take away only one thing from this post it should be this: Users are shared customers between mailbox providers, ESPs and senders. Enforcing these requirements is about building a better email ecosystem that will benefit us all.

The requirements are specific to bulk senders. Much of the confusion surrounding these requirements has revolved around what that means. What send volume makes you a bulk sender?

"There is a very strong reason why we (Yahoo) didn't give a number. What does this number (5,000) mean? If you send a lot of the same emails to a lot of different people, you're a bulk sender. It doesn't really matter if it's 3,000 or 2,000, or 10,000. There's no limit we can share, if you are a bulk sender, you know you are a bulk sender, and you need to follow these guidelines."

Marcel Becker, Senior Director of Product at Yahoo

Google has placed a 5,000 daily send nametag on bulk senders – purely for the sake of documenting a ballpark for reference – but senders shouldn’t think they can skirt around the requirements by sending 4,999 messages. There is no magic number or final straw that breaks the camel’s back. These requirements are more about sending habits than they are about exact math.

What does one-click unsubscribe mean?

Now that we’ve covered who will be impacted, let’s dive into the actual requirements, starting with one-click unsubscribe. One-click unsubscribe has confused a lot of senders who already include unsubscribe links in the body of their emails. But this requirement isn’t about that, it’s about including unsubscribe headers defined by RFC 8058.

RFC 8058 defines the "Unsubscribe" header field for email messages. This header field provides a standardized way for email clients to display an unsubscribe option to users, allowing them to easily opt-out of receiving future emails from the sender directly from the UI of their mailbox. In other words, the "Unsubscribe" header field defined in RFC 8058 offers a standardized mechanism for facilitating unsubscribes in email messages.

"For one-click unsubscribe the RFC you need to follow is RFC 8058. From a sender benefits perspective, letting people opt out of messages can improve your open rates, click through rates, and your sending efficiency."

Anu Yamunan, Director of Product for Anti-Abuse & Safety at Google

According to Anu Yamunan, if you aren't compliant with the one-click unsubscribe requirement yet, you have until June 2024 before Gmail starts rejecting the traffic.

"We're just making sure we can put an easy link in front of our users which allows them to unsubscribe. What you as a sender unsubscribe them from is completely up to you. Just like you control it now with an unsubscribe link in the body." | "If you don't put the unsubscribe header in there people will just mark you as spam and that's worse because it will have a negative impact on your sender reputation. We've seen that senders who put a one-click unsubscribe affordance in their headers get 20-40% less spam votes and that's a noble goal for you as a sender to create a better user experience."

Marcel Becker, Senior Director of Product at Yahoo

What­ you’­ll need­

How to get ther­e

What­ you’­ll need­

Sa­me for Gmai­l and Yaho­o: A sing­le-click path­way for user­s to easi­ly unsu­bscribe from­ your­ mess­ages from­ with­in the mail­box prov­ider’s UI usin­g list­-unsubscribe head­ers, and inte­rnal supp­ort to hono­r unsu­bscribe requ­ests and remo­ve addr­esses from­ rele­vant emai­l list­s with­in 2 days­.

Send­ers will­ need­ to put list­-unsubscribe post­ head­ers into­ the head­er of thei­r emai­l as spec­ified by RFC­ 8058­.

Why is a 0.3% spam rate threshold being enforced, and what happens if you go over the limit?

First off, a spam rate of 0.3% is generous. By many accounts, keeping your spam complaint rate below 0.1% – 1 email in 1,000 marked as spam– is the mark of a healthy sender.

One of the main goals of these requirements is to make the inbox less spammy. DMARC helps prevent bad actors from stealing and spoofing sender identities, the unsubscribe requirements gives users control to manage the messages they receive with the same ease as it takes to mark a message as spam (saving senders the pain of being spammed), and the low spam threshold is a way to identify and react to senders that empl0y spam tactics.

"Please keep your user in mind. If your users are reporting that a lot of messages coming from you are spam, it is going to impact your future deliverability."

Anu Yamunan, Director of Product for Anti-Abuse & Safety at Google

Remember when we said these requirements weren’t about exact math? Well, that applies to the spam rate requirement also. In our podcast Email’s Not Dead, we sat down with Marcel Becker and he broke down this spam rate requirement a bit more and left us with the mantra, more than a day, less than a year.

Senders who hit a higher spam rate on one campaign won’t automatically be punished for it. Mailbox providers are looking at your average spam complaint rate over an undisclosed period of time, somewhere between a day and a year. If your high spam rate becomes habitual it will impact you, but this requirement isn’t a one and done limit.

What­ you’­ll need­

How to get ther­e

What­ you’­ll need­

Sa­me for Gmai­l and Yaho­o: The spam­ comp­laint thre­shold is 0.3%­.

Clos­ely moni­tor your­ spam­ rate­, as well­ as othe­r enga­gement metr­ics, usin­g reso­urces like­ Goo­gle Post­masters Tool­s. Empl­oy deli­verability best­ prac­tices like­ lis­t mana­gement and sun­set poli­cies to opti­mize your­ emai­l list­s, ensu­ring you’­re only­ send­ing mess­ages to enga­ged reci­pients. Use del­iverability tool­s like­ Emai­l Veri­fication and Inbo­x Plac­ement Test­ing to stay­ on top of your­ over­all deli­verability and impr­ove your­ inbo­x plac­ement.

Why enforce a DMARC policy when requirements only dictate setting it to "none"

You’ve got to start somewhere. With DMARC the requirement is about enforcing adoption…finally. When DMARC first emerged as an authentication, mailbox providers crossed their fingers and prayed to the deliverability gods that senders would catch on, but that didn’t happen.

DMARC adoption has been slow and according to Sinch Mailgun’s 2023 State of Email Deliverability report, among those using DMARC for authentication, 40% don’t know what their policy is. According to dmarc.org, most active DMARC policies (68.2% as of 2022) are p=none. If your DMARC policy is "p=none" mailbox providers take that as an indication you are focusing on the "R" in DMARC which stands for reporting, but this isn’t the end goal.

"The end goal is ideally a policy of p=reject. That's what DMARC is for. Ensuring that your domain cannot be spoofed and protecting our mutual customers from abuse."

Marcel Becker, Senior Director of Product at Yahoo

If your DMARC policy is "p=none" it indicates you as a sender are focused on the "R" in DMARC which stands for reporting, so ensure you also have the rua tag (rua=mailto:) configured which defines where mail receivers should send the aggregated reports. Kate Nowrouzi, VP of Deliverability for Sinch Mailgun predicts that p=reject will become the requirement in 2024. Learn more in our post: Email predictions for 2024.

What­ you’­ll need­

How to get ther­e

What­ you’­ll need­

Gm­ail: Both­ SPF and DKIM­ are requ­ired by Gmai­l. Mess­ages that­ don’­t carr­y thes­e prot­ocols will­ be reje­cted from­ the inbo­x or mark­ed as spam­. DMAR­C is also­ requ­ired to prev­ent Gmai­l impe­rsonation in FROM­ head­ers.

If you’­re a Mail­gun user­, we’v­e alre­ady got you cove­red on SPF and DKIM­. But if you’­re not we’v­e outl­ined the proc­esses for obta­ining thes­e auth­entications in thes­e post­s: SPF­ basi­cs and Und­erstanding DKIM­. For­ DMAR­C you will­ need­ to set at mini­mum a p=no­ne poli­cy.

How to get ther­e

Ya­hoo: Will­ requ­ire stro­ng auth­entication and for user­s to “lev­erage indu­stry stan­dards such­ as SPF,­ DKIM­, and DMAR­C”.

Impl­ementing DMAR­C take­s a bit more­ time­, as DMAR­C allo­ws you to make­ choi­ces rega­rding your­ poli­cy base­d on your­ emai­l prog­ram. Get star­ted now by chec­king out our Imp­lementing DMAR­C arti­cle.

Keep calm and Yoogle on

These sender requirements aren’t the end of the world. Not even a little bit. Ultimately, mailbox providers like Gmail and Yahoo are hopeful that implementing these requirements will benefit senders as well as users. But it can be complicated to break these requirements down, understand them, and then bring your unique email program into compliance.

If you want to dive deeper, check out the full-length Fireside Chat with Gmail and Yahoo, and visit our Yoogle resources page for more insights and answers.

On-demand webinar

Are you prepared for Google and Yahoo's new sender requirements?

View our fireside chat with Marcel Becker, Senior Director of Product at Yahoo, Anu Yamunan, Director of Product for Anti-Abuse & Safety at Google, and Kate Nowrouzi, Vice President of Deliverability at Sinch Mailgun, as we explore the new requirements for bulk email senders.

Related readings

How email deliverability impacts your ROI

Email isn’t a new medium. In fact, it’s one of the original pillars of the internet. Though it may seem like “You’ve got mail” is a phrase that’s lost some of its excitement over the...

Read More

The DMARC perspective: Protecting your sending in the age of stricter enforcement

The world of email is undergoing a significant shift. With Google and Yahoo recently increasing enforcement on DMARC, many organizations are having to implement DMARC...

Read More

The dirty truth about email lists and how to scrub them with email list cleaning

Pardon our French, but nothing delivers a bigger sucker punch to your deliverability than a dirty email list. Email lists aren’t just for organizing and storing contacts, they are the...

Read More

Popular posts

Email inbox.

Email

5 min

Build Laravel 11 email authentication with Mailgun and Digital Ocean

Read More

Mailgun statistics.

Product

4 min

Sending email using the Mailgun PHP API

Read More

Statistics on deliverability.

Deliverability

5 min

Here’s everything you need to know about DNS blocklists

Read More

See what you can accomplish with the world's best email delivery platform. It's easy to get started.Let's get sending
CTA icon