Starting in February 2024, Google and Yahoo will require bulk email senders to authenticate emails with both SPF and DKIM and have one of these authentication methods configured in an aligned manner for the email to pass DMARC.
As part of these new authentication requirements, it will also be mandatory to have a DMARC record with a DMARC policy of p=none (or stronger) in place for the RFC5322.From domain.


In this article, we will explain and exemplify what the new Google and Yahoo requirements mean specifically for Email Authentication.









Email Authentication Requirements for Bulk Senders


Google classifies any email sender as a bulk sender if they send close to 5,000 messages or more to personal Gmail accounts in a 24-hour period. Senders who meet these criteria at least once are permanently considered bulk senders. Yahoo, on the other hand, did not specify a volume threshold; it will classify as a bulk sender any domain sending a significant volume of emails to personal Yahoo accounts.


Figure out how to meet the requirements, create a plan to do so, and then execute on the plan, because even if you’re not strictly required to meet them today, we believe that in the future all senders will be required to meet these authentication requirements.


For an email to be compliant with DMARC, it needs to be authenticated and aligned with either SPF or DKIM. This will not change for regular senders, but bulk senders will now have an additional requirement: to authenticate emails with both SPF and DKIM and to have alignment configured for at least one of them.



Email Authentication Compliance for Bulk and Regular Senders
Sender Type | SPF Authenticated | DKIM Authenticated | SPF Aligned | DKIM Aligned | Compliant?
Bulk and Regular
Bulk and Regular
Bulk and Regular
Regular
Regular




Authentication and Alignment


For an email to be authenticated with SPF, the sending IP needs to be listed in the SPF record of the domain in the RFC5321.MailFrom address. 

  • SPF relaxed alignment is achieved when the RFC5321.MailFrom domain and the RFC5322.From domain have the same organizational domain.
  • SPF strict alignment is achieved when the two domains are identical.
  • Relaxed alignment is the default requirement for DMARC.


An email is authenticated with DKIM when the sender adds a digital signature to the outgoing message, to assure the receiver that the content of the message was not modified in transit. DKIM alignment happens when the domain associated with the digital signature matches the domain in the user-visible From address (also known as RFC5322.From).


To learn about the different types of alignment, please refer to this article. 




Verify compliance


A very effective way to check if an email is compliant with the new sender requirements is to look at the header of the message. The email header contains a section called Authentication-Results showing the results of the SPF, DKIM, and DMARC checks, as well as the SPF and DKIM alignment.


Components of the Authentication-Results section: 

  • spf= The result of the SPF check. A "pass" indicates that the sending IP is listed in the SPF record of the domain in the RFC5321.MailFrom address.
  • smtp.mailfrom= Domain from the RFC5321.MailFrom address.
  • dkim= The result of the DKIM check.
  • header.d= DKIM signing domain.
  • header.from= Domain from the user-visible From address (also known as RFC5322.From).
  • dmarc= The result of the DMARC check.



In the example below, we can see that the email sent on behalf of example.com passed both SPF and DKIM authentication, but only SPF was aligned (smtp.mailfrom=header.from). Even though DKIM was not aligned with the Header From domain (header.d≠header.from), this email is still considered compliant for both Bulk and Regular senders, since it was authenticated with SPF and DKIM and one of these (SPF) was aligned.


Authentication-Results    spf=pass (sender IP is 104.195.127.15) smtp.mailfrom=example.com; dkim=pass header.d=bigcommerce.net; dmarc=pass action=none header.from=example.com ;compauth=pass reason=100
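The check described above can be automated. The following Python sketch is an added example, not code from Google, Yahoo or this article's author: it parses an Authentication-Results value and applies the bulk and regular sender rules from this article. The function names are hypothetical, and the organizational-domain logic is a labelled simplification.

```python
import re

# The header value from the example above, reproduced as test input.
SAMPLE = ("spf=pass (sender IP is 104.195.127.15) smtp.mailfrom=example.com; "
          "dkim=pass header.d=bigcommerce.net; dmarc=pass action=none "
          "header.from=example.com ;compauth=pass reason=100")

def domain_of(value):
    # smtp.mailfrom may carry a full address; keep only the domain part.
    return value.rsplit("@", 1)[-1].lower().rstrip(".")

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A production check
    # must use the Public Suffix List (this is wrong for e.g. example.co.uk).
    return ".".join(domain.split(".")[-2:])

def parse(value):
    """Split a header value into (method, result, properties) clauses."""
    value = re.sub(r"\([^)]*\)", " ", value)  # drop comments: (sender IP is ...)
    clauses = []
    for part in value.split(";"):
        pairs = [(k.lower(), v.lower()) for k, v in re.findall(r"([\w.-]+)=(\S+)", part)]
        if pairs and pairs[0][0] in ("spf", "dkim", "dmarc"):
            clauses.append((pairs[0][0], pairs[0][1], dict(pairs[1:])))
    return clauses

def evaluate(value, strict=False):
    """Apply the article's rules; strict=True requires identical domains."""
    clauses = parse(value)
    froms = [p["header.from"] for _, _, p in clauses if "header.from" in p]
    if not froms:
        raise ValueError("no header.from in Authentication-Results")
    header_from = domain_of(froms[0])

    def aligned(method, prop):
        # True if any passing clause of this method names an aligned domain;
        # a message can carry several DKIM signatures, so every clause is checked.
        for m, result, props in clauses:
            if m == method and result == "pass" and prop in props:
                d = domain_of(props[prop])
                if d == header_from or (not strict and org_domain(d) == org_domain(header_from)):
                    return True
        return False

    r = {"spf": any(m == "spf" and res == "pass" for m, res, _ in clauses),
         "dkim": any(m == "dkim" and res == "pass" for m, res, _ in clauses),
         "spf_aligned": aligned("spf", "smtp.mailfrom"),
         "dkim_aligned": aligned("dkim", "header.d")}
    r["regular"] = r["spf_aligned"] or r["dkim_aligned"]
    r["bulk"] = r["spf"] and r["dkim"] and r["regular"]
    return r
```

Evaluate only the Authentication-Results header added by your own receiving mail server; copies of this header inserted earlier in the delivery path are not trustworthy.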




Considerations


Although Google mentioned that only domains sending close to 5,000 emails/day to Gmail recipients will be considered bulk senders, this should not be used as a guideline when prioritizing setting up email authentication for your senders. This is mostly because Yahoo did not mention a threshold, so if you send fewer than 5,000 emails/day to Gmail recipients, Yahoo might still classify you as a bulk sender based on other factors.


If a sending service supports SPF authentication and alignment but does not currently DKIM sign outbound emails, you should reach out to the vendor and ask them to set up DKIM authentication for your domain. If that is not supported by their service, they should at least DKIM sign emails using a DKIM key published on their domain.


If a sender has DKIM authentication and alignment properly set up but SPF authentication is failing, the sender should make sure that they have published an SPF record on the domain in the RFC5321.MailFrom address and that the sending IPs are included in that SPF record.


The email authentication guidelines for bulk senders are only a few of the new requirements coming from Google and Yahoo. For a complete list of requirements see the articles linked below: 


  • Click here for the complete list of Google Email compliance guidelines.
  • Click here for the complete list of Yahoo Email compliance guidelines.