Home
Mailgun Blog
Deliverability category
Get the Key Takeaways from Our Fireside Chat with Gmail and Yahoo
Deliverability
Understanding the Gmail and Yahoo sender requirements: Takeaways from our fireside chat with Gmail and Yahoo
What is the impact of Gmail and Yahoo’s new requirements on email deliverability? What actions do senders need to take? Why is this happening now? The industry has been buzzing around these requirements for months. We decided to sit down with reps from Google and Yahoo to get some clarity. So now we have a question for you, are you ready to yahoogle? Let’s go.
PUBLISHED ON
The inbox requirements for bulk senders announced by Google and Yahoo in October 2023 have shot through the community like panic up a spine. As with any big announcement it can be hard to wade through content and opinion to get to the truth. The truth is these requirements are more established and familiar than you may realize.
To break through confusion, Sinch Mailgun’s VP of Deliverability, Kate Nowrouzi sat down with Marcel Becker, Sr. Product Manager for Yahoo, and Anu Yamunan, Director of Product for Anti-Abuse & Safety at Google to dispel the rumors surround the requirements and answer questions about what will change for bulk senders, and why enforcement for these requirements is happening now.
Table of contents
Why are these requirements being enforced now?
Who do these changes impact?
What does one-click unsubscribe mean?
Why is a 0.3% spam rate threshold being enforced, and what happens if you go over the limit?
Why enforce a DMARC policy when requirements only dictate setting it to "none"
Table of contents
What’s changing and why?
Google and Yahoo are both cracking down on enforcing requirements for bulk senders around authentication standards, spam rate thresholds, and one-click unsubscribe policies. We covered the requirements in depth when they were first announced in October 2023, and got some further insights from Yahoo featured in our Email’s Not Dead podcast. If we’ve learned anything from industry changes, it’s that sometimes there is never enough information straight from the source. That’s why we hosted a webinar and put both of these mailbox giants in the same room to set the record straight.
The requirements in a nutshell
Here’s a quick recap. Bulk senders will be held to three primary requirements designed to enforce a healthy and happy inbox experience. These requirements revolve primarily around preventing spammy behaviors by strengthening authentication, creating a uniform unsubscribe process, and managing overall spam rates.
Authentication: Bulk senders must implement SPF, DKIM, and DMARC authentication protocols.
One-click unsubscribe: One-click unsubscribe headers must be used in accordance with the RFC 8058 standard.
Spam rate 0.3%: Senders will need to maintain a spam complaint rate of 0.3% or below.
Your questions answered
Throughout the rest of this post, we’re going to feature some of the most asked questions around each of these requirements from our recent Fireside chat with Google and Yahoo which you can watch on-demande here. To kick it off, we’re going to dive into an easy, albeit existential question. Why now?
Why are these requirements being enforced now?
Like we said, these requirements may seem familiar and that’s because they’ve been around for a while. The goal is not to disrupt senders, it’s to make the inbox safer for users. Here’s what the experts had to say:
"These are new requirements for bulk senders based on policies and industry standards that have existed for 10+ years. They are designed to help improve the user experience when combating spam and fraud. This is an exciting opportunity for us as an industry to meaningfully upgrade the safety of the email ecosystem. We believe all users should be able to trust the messages that they are reading are from trusted sender."
Anu Yamunan, Director of Product for Anti-Abuse & Safety at Google
"All of these requirements have been well documented best practices for years. A lot of senders have already implemented them. Authenticating your email traffic should be something that you're already doing if you care about the health of your email traffic as well as your infrastructure. Putting easy unsubscribe options into the header and making sure people can unsubscribe from your emails instead of marking them as spam, that should be a no brainer, that technology has been around. And if you're sending emails people want your spam rates should be well below 0.1%."
Marcel Becker, Senior Director of Product at Yahoo
Aside from why now, the next big question is who will these requirements affect?
Who do these changes impact?
The ultimate goal is to create a better and more secure experience for users. If you take away only one thing from this post it should be this: Users are shared customers between mailbox providers, ESPs and senders. Enforcing these requirements is about building a better email ecosystem that will benefit us all.
The requirements are specific to bulk senders. Much of the confusion surrounding these requirements has revolved around what that means. What send volume makes you a bulk sender?
"There is a very strong reason why we (Yahoo) didn't give a number. What does this number (5,000) mean? If you send a lot of the same emails to a lot of different people, you're a bulk sender. It doesn't really matter if it's 3,000 or 2,000, or 10,000. There's no limit we can share, if you are a bulk sender, you know you are a bulk sender, and you need to follow these guidelines."
Marcel Becker, Senior Director of Product at Yahoo
Google has placed a 5,000 daily send nametag on bulk senders – purely for the sake of documenting a ballpark for reference – but senders shouldn’t think they can skirt around the requirements by sending 4,999 messages. There is no magic number or final straw that breaks the camel’s back. These requirements are more about sending habits than they are about exact math.
What does one-click unsubscribe mean?
Now that we’ve covered who will be impacted, let’s dive into the actual requirements, starting with one-click unsubscribe. One-click unsubscribe has confused a lot of senders who already include unsubscribe links in the body of their emails. But this requirement isn’t about that, it’s about including unsubscribe headers defined by RFC 8058.
RFC 8058 defines the "Unsubscribe" header field for email messages. This header field provides a standardized way for email clients to display an unsubscribe option to users, allowing them to easily opt-out of receiving future emails from the sender directly from the UI of their mailbox. In other words, the "Unsubscribe" header field defined in RFC 8058 offers a standardized mechanism for facilitating unsubscribes in email messages.
"For one-click unsubscribe the RFC you need to follow is RFC 8058. From a sender benefits perspective, letting people opt out of messages can improve your open rates, click through rates, and your sending efficiency."
Anu Yamunan, Director of Product for Anti-Abuse & Safety at Google
According to Anu Yamunan, if you aren't compliant with the one-click unsubscribe requirement yet, you have until June 2024 before Gmail starts rejecting the traffic.
"We're just making sure we can put an easy link in front of our users which allows them to unsubscribe. What you as a sender unsubscribe them from is completely up to you. Just like you control it now with an unsubscribe link in the body." | "If you don't put the unsubscribe header in there people will just mark you as spam and that's worse because it will have a negative impact on your sender reputation. We've seen that senders who put a one-click unsubscribe affordance in their headers get 20-40% less spam votes and that's a noble goal for you as a sender to create a better user experience."
Marcel Becker, Senior Director of Product at Yahoo
What you’ll need | How to get there |
---|---|
What you’ll need | |
Same for Gmail and Yahoo: A single-click pathway for users to easily unsubscribe from your messages from within the mailbox provider’s UI using list-unsubscribe headers, and internal support to honor unsubscribe requests and remove addresses from relevant email lists within 2 days. | Senders will need to put list-unsubscribe post headers into the header of their email as specified by RFC 8058. |
Why is a 0.3% spam rate threshold being enforced, and what happens if you go over the limit?
First off, a spam rate of 0.3% is generous. By many accounts, keeping your spam complaint rate below 0.1% – 1 email in 1,000 marked as spam– is the mark of a healthy sender.
One of the main goals of these requirements is to make the inbox less spammy. DMARC helps prevent bad actors from stealing and spoofing sender identities, the unsubscribe requirements gives users control to manage the messages they receive with the same ease as it takes to mark a message as spam (saving senders the pain of being spammed), and the low spam threshold is a way to identify and react to senders that empl0y spam tactics.
"Please keep your user in mind. If your users are reporting that a lot of messages coming from you are spam, it is going to impact your future deliverability."
Anu Yamunan, Director of Product for Anti-Abuse & Safety at Google
Remember when we said these requirements weren’t about exact math? Well, that applies to the spam rate requirement also. In our podcast Email’s Not Dead, we sat down with Marcel Becker and he broke down this spam rate requirement a bit more and left us with the mantra, more than a day, less than a year.
Senders who hit a higher spam rate on one campaign won’t automatically be punished for it. Mailbox providers are looking at your average spam complaint rate over an undisclosed period of time, somewhere between a day and a year. If your high spam rate becomes habitual it will impact you, but this requirement isn’t a one and done limit.
What you’ll need | How to get there |
---|---|
What you’ll need | |
Same for Gmail and Yahoo: The spam complaint threshold is 0.3%. | Closely monitor your spam rate, as well as other engagement metrics, using resources like Google Postmasters Tools. Employ deliverability best practices like list management and sunset policies to optimize your email lists, ensuring you’re only sending messages to engaged recipients. Use deliverability tools like Email Verification and Inbox Placement Testing to stay on top of your overall deliverability and improve your inbox placement. |
Why enforce a DMARC policy when requirements only dictate setting it to "none"
You’ve got to start somewhere. With DMARC the requirement is about enforcing adoption…finally. When DMARC first emerged as an authentication, mailbox providers crossed their fingers and prayed to the deliverability gods that senders would catch on, but that didn’t happen.
DMARC adoption has been slow and according to Sinch Mailgun’s 2023 State of Email Deliverability report, among those using DMARC for authentication, 40% don’t know what their policy is. According to dmarc.org, most active DMARC policies (68.2% as of 2022) are p=none. If your DMARC policy is "p=none" mailbox providers take that as an indication you are focusing on the "R" in DMARC which stands for reporting, but this isn’t the end goal.
"The end goal is ideally a policy of p=reject. That's what DMARC is for. Ensuring that your domain cannot be spoofed and protecting our mutual customers from abuse."
Marcel Becker, Senior Director of Product at Yahoo
If your DMARC policy is "p=none" it indicates you as a sender are focused on the "R" in DMARC which stands for reporting, so ensure you also have the rua tag (rua=mailto:) configured which defines where mail receivers should send the aggregated reports. Kate Nowrouzi, VP of Deliverability for Sinch Mailgun predicts that p=reject will become the requirement in 2024. Learn more in our post: Email predictions for 2024.
What you’ll need | How to get there |
---|---|
What you’ll need | |
Gmail: Both SPF and DKIM are required by Gmail. Messages that don’t carry these protocols will be rejected from the inbox or marked as spam. DMARC is also required to prevent Gmail impersonation in FROM headers. | If you’re a Mailgun user, we’ve already got you covered on SPF and DKIM. But if you’re not we’ve outlined the processes for obtaining these authentications in these posts: SPF basics and Understanding DKIM. For DMARC you will need to set at minimum a p=none policy. |
How to get there | |
Yahoo: Will require strong authentication and for users to “leverage industry standards such as SPF, DKIM, and DMARC”. | Implementing DMARC takes a bit more time, as DMARC allows you to make choices regarding your policy based on your email program. Get started now by checking out our Implementing DMARC article. |
Keep calm and Yoogle on
These sender requirements aren’t the end of the world. Not even a little bit. Ultimately, mailbox providers like Gmail and Yahoo are hopeful that implementing these requirements will benefit senders as well as users. But it can be complicated to break these requirements down, understand them, and then bring your unique email program into compliance.
If you want to dive deeper, check out the full-length Fireside Chat with Gmail and Yahoo, and visit our Yoogle resources page for more insights and answers.
On-demand webinar
Are you prepared for Google and Yahoo's new sender requirements?
View our fireside chat with Marcel Becker, Senior Director of Product at Yahoo, Anu Yamunan, Director of Product for Anti-Abuse & Safety at Google, and Kate Nowrouzi, Vice President of Deliverability at Sinch Mailgun, as we explore the new requirements for bulk email senders.