Commentary

Getting Right With Gmail: What Google's New Rules Actually Require

As reported earlier this week, Google has announced new requirements for bulk email senders, potentially disrupting the email channel for some users. 

“This announcement is huge as it will impact nearly every Gmail mailbox holder,” Valimail writes in an advisory. “This policy is the first time any email inbox provider has placed requirements for widely adopted email sending and email authentication best practices.”

The rules, which are also being enforced by Yahoo, take effect in February 2024 for firms sending more than 5,000 messages to Gmail per day.

But what do they actually require? Valimail explains: 

First, senders must implement SPF and DKIM. These are “robust email authentication protocols that have been in existence for over a decade each,” Valimail writes. 

Why are they so important? “SPF and DKIM provide two different methods not only for authorizing the use of a domain name in an email message, but also for helping to ensure that a domain owner gets proper credit for their sending practices,” Valimail adds.

Also, brands must send their emails from a domain with a DMARC policy of at least p=none. Most email senders (including the U.S. government) use DMARC, a protocol that builds on SPF and DKIM. 

“A DMARC DNS record with a policy preference of p=none is the lowest bar for participating in DMARC, as it requests no special handling for messages that fail authentication, but at the same time, gives the domain owner full visibility into its mail streams,” Valimail observes.

Next is the imperative for each message to have a visible From domain that aligns with the SPF or DKIM domain, preferably the latter. 

“For those unfamiliar with the concept, the term ‘alignment’ here comes straight from the DMARC protocol, and per that protocol, two domains are in alignment if they’re identical or at least share an organizational domain (i.e., the domain that is registered when an organization wishes to establish a presence on the public Internet).” 
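The alignment test described above can be sketched as follows. This is an added example, not code from Valimail or Google. It assumes the Return-Path address stands for the SPF (MAIL FROM) domain, uses a tiny constructed suffix set in place of the full Public Suffix List, and runs on a constructed sample message.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption: real checkers load it all).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain = longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # suffix not in our sample list

def aligned(from_domain, auth_domain, strict=False):
    """Relaxed: same organizational domain. Strict: identical domains."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

def dkim_domains(msg):
    """Collect the d= tag of every DKIM-Signature header."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        for tag in value.split(";"):
            name, _, val = tag.partition("=")
            if name.strip() == "d":
                found.append(val.strip())
    return found

def check_alignment(raw):
    """Compare the From domain with SPF and DKIM domains (alignment only, not pass/fail)."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    spf_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    return {
        "from": from_dom,
        "spf_aligned": bool(spf_dom) and aligned(from_dom, spf_dom),
        "dkim_aligned": any(aligned(from_dom, d) for d in dkim_domains(msg)),
    }

# Constructed sample: mail sent through a third party whose bounce domain differs.
SAMPLE = (
    'Return-Path: <bounces@example.net>\n'
    'DKIM-Signature: v=1; a=rsa-sha256; d=news.example.com; s=sel1;\n'
    ' h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n'
    'From: "Example Shop" <offers@example.com>\n'
    'Subject: constructed sample\n\nbody\n'
)
print(check_alignment(SAMPLE))
```

In the sample, the DKIM domain shares an organizational domain with the From address while the bounce domain does not, which is the common case for mail sent through a third-party platform and one reason DKIM alignment is the preferred route.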

Another rule is that brands have valid forward and reverse DNS. Google demands that legitimate emailers connect from IP addresses that have existing PTR records (the record used to map IP addresses to host names). “Google is going one step further here and requiring not only that the connecting IP address have a PTR record, but also that the PTR record resolves to a hostname that then resolves back to that same IP address,” Valimail reports.  

Google also insists on a one-click unsubscribe. When a sender inserts specially crafted headers in a message, “it signals to the mail client that the recipient can unsubscribe from that sender’s messages with just one click if the mail client supports the functionality,” Valimail explains.  

Finally, there’s the low spam rate requirement. This rule “doesn’t come with any numbers publicly attached to it, but their intention seems pretty clear; domain owners must send wanted mail to people who demonstrate that it’s wanted (through engaging with those messages) or else the domain owners will lose the privilege of sending mail to Gmail.” 

Overall, there's no reason to be alarmed.

“These requirements are a pretty low bar for most email senders, but they’re things that bad actors usually fail to implement,” Valimail concludes. “With this requirement, Gmail users can be a bit more confident that the messages they’re receiving are at least getting past basic email.
