How will Google and Yahoo's new email authentication policies affect senders using shared domains and ESP authentication?

Summary

Google and Yahoo's new email authentication policies require senders to authenticate their email using SPF, DKIM, and DMARC to combat spam, fraud, and abuse. Senders should own a domain for DKIM signing and use their organizational domain in the From header, aligning SPF and DKIM. ESPs are adapting their platforms, but preventing the use of freemail addresses remains a challenge. High-volume senders should avoid shared, unaligned DKIM, and those on shared IPs may face deliverability issues if others don't follow best practices. Increased scrutiny will occur for senders using shared domains or ESP authentication, and senders with poor reputations will be negatively impacted. Understanding and implementing DMARC is crucial, and those on shared hosting must ensure ESP compliance. Smaller businesses should correctly set up DKIM and DMARC and monitor deliverability. Mailbox providers prioritize customer satisfaction but will show less sympathy for those neglecting authentication. ESPs will require bulk mailers to authenticate using DMARC. Microsoft is also implementing similar requirements and providing a sender support portal. Senders not following the rules can expect blocking and spam placement, while low-volume senders with no complaints might initially be unaffected. Forward and reverse DNS records are essential, and ESPs handling client authentication will need configuration changes.

Key findings

  • Authentication Required: Google, Yahoo, and Microsoft require email authentication (SPF, DKIM, DMARC).
  • Domain Ownership: Owning a domain and using it for DKIM signing is highly recommended.
  • SPF/DKIM Alignment: Alignment of SPF and DKIM records with the organizational domain is essential.
  • Freemail Restriction: Preventing the use of freemail addresses in the From header is a key challenge.
  • Shared DKIM Issues: Shared, unaligned DKIM is not preferred, especially for high-volume senders.
  • Reputation Matters: Senders with poor reputations will experience negative deliverability impacts.
  • DMARC Crucial: Understanding and implementing DMARC is critical for all senders.
  • ESP Compliance: Senders on shared hosting must ensure their ESP complies with new standards.
  • Volume Sensitivity: Deliverability issues are more likely for higher volume senders (over 5000 messages).
  • Industry Shift: The email industry is moving towards stricter authentication requirements.
  • Importance of DNS: Valid DNS Records are required.

Key considerations

  • Domain Authentication: Implement SPF, DKIM, and DMARC for your sending domains.
  • ESP Evaluation: Evaluate and ensure your ESP complies with new authentication standards.
  • Sender Reputation: Monitor and maintain a good sender reputation through responsible sending practices.
  • Shared IP Awareness: If on shared IPs, understand the impact of other senders' authentication practices.
  • DMARC Policy: Implement and actively manage your DMARC policy.
  • Monitor Deliverability: Regularly monitor email deliverability to identify and address any issues promptly.
  • Proactive Adaptation: Be proactive in adapting to new email authentication requirements to avoid deliverability problems.
  • Review and Update Authentication Settings: Verify and Update Authentication Settings.

What email marketers say
10Marketer opinions

Google and Yahoo's new email authentication policies will significantly impact senders using shared domains and ESP authentication. High-volume senders must avoid shared, unaligned DKIM, and ESPs will adapt to guide users in setting up proper authentication. Senders on shared IPs might face deliverability issues if others don't follow best practices. Increased scrutiny will occur for senders using shared domains or ESP authentication, emphasizing the importance of aligning SPF and DKIM. Senders with poor reputations will experience negative impacts, highlighting the need for good sending practices. Understanding and implementing DMARC is crucial, and those on shared hosting must ensure ESP compliance. Smaller businesses should set up DKIM and DMARC correctly and monitor deliverability, while ESPs handling client authentication need to change configurations, prompting senders to check DMARC, SPF, and DKIM.

Key opinions

  • DKIM Alignment: High-volume senders should avoid shared, unaligned DKIM.
  • ESP Adaptation: ESPs will adapt their platforms to guide users in proper authentication setup.
  • Shared IP Risks: Senders on shared IPs may face deliverability issues if others don't follow best practices.
  • Increased Scrutiny: Senders using shared domains or ESP authentication will face increased scrutiny.
  • Reputation Impact: Senders with poor reputations will experience negative impacts.
  • DMARC Importance: Understanding and implementing DMARC is crucial for all senders.
  • ESP Compliance: Those on shared hosting must ensure their ESP is compliant with the new standards.
  • Smaller Business Action: Smaller businesses need to ensure DKIM and DMARC are correctly set up and monitored.
  • ESP Configuration Changes: ESPs handling client authentication will need to change their configurations.

Key considerations

  • Dedicated DKIM Setup: Explore setting up dedicated DKIM if using platforms like Klaviyo.
  • Proactive Authentication: Take responsibility for proper email authentication and educate yourself on best practices.
  • SPF/DKIM Alignment: Ensure SPF and DKIM records are aligned to match the sending domain.
  • Reputation Management: Prioritize good sending practices to maintain a positive sender reputation.
  • DMARC Implementation: Start with a 'p=none' policy to monitor email flows before implementing stricter DMARC policies.
  • ESP Evaluation: Evaluate your ESP's compliance with the new standards and switch providers if necessary.
  • Deliverability Monitoring: Monitor email deliverability regularly to catch any issues early.
  • DMARC,SPF and DKIM Checks: Carefully check your DMARC, SPF and DKIM records.
Marketer view

Email marketer from SparkPost Blog indicates senders using shared domains or ESP authentication might face increased scrutiny. Aligning SPF and DKIM records to match the sending domain becomes critical for maintaining deliverability.

January 2024 - SparkPost Blog
Marketer view

Email marketer from SMTP2Go Blog discusses that senders on shared IP addresses might experience deliverability issues if other users on the same IP are not following authentication best practices. Proper authentication is crucial to avoid being flagged as spam.

May 2024 - SMTP2Go Blog
Marketer view

Email marketer from Mailjet Blog suggests ESPs will be adapting their platforms to guide users in proper email authentication setup. Users might see more prompts and alerts regarding SPF, DKIM, and DMARC configurations.

September 2021 - Mailjet Blog
Marketer view

Email marketer from Reddit r/emailmarketing suggests that those on shared hosting must ensure their ESP is compliant. If the ESP doesn't adhere to the new standards, finding a new provider is crucial.

April 2024 - Reddit r/emailmarketing
Marketer view

Email marketer from Litmus Blog shares that understanding and implementing DMARC is more important than ever, with a recommendation to start with a 'p=none' policy to monitor email flows before moving to stricter policies.

October 2021 - Litmus Blog
Marketer view

Email marketer from Sendinblue Blog explains that senders with poor sender reputations will likely see a negative impact. Good sending practices, including authentication and engagement, are essential for positive deliverability outcomes.

September 2021 - Sendinblue Blog
Marketer view

Marketer from Email Geeks clarifies that for high-volume senders (>5k), shared, unaligned DKIM is not preferred. Platforms like Klaviyo allow brands to set up dedicated DKIM.

November 2021 - Email Geeks
Marketer view

Email marketer from Email Deliverability Forum recommends that smaller businesses using shared domains should ensure their DKIM and DMARC records are correctly set up. Proper monitoring of email deliverability is also key to catching any issues early.

January 2022 - Email Deliverability Forum
Marketer view

Email marketer from EmailVendorSelection says that ESPs that handle email authentication on behalf of their clients, or that have 'from' addresses will have to change their configuration. Senders will also need to check DMARC, SPF and DKIM.

March 2022 - EmailVendorSelection
Marketer view

Expert from Email Geeks expects more enforcement moving forward. (some) ESPs will do their part, but Senders must be more responsible and educate themselves on best practices, authentication and so on.

April 2022 - Email Geeks

What the experts say
13Expert opinions

The new email authentication policies from Google and Yahoo emphasize the importance of domain ownership and proper authentication. Senders should own a domain for DKIM signing, use their organizational domain in the From header, and align SPF and DKIM. ESPs are adapting to these changes, but a key challenge is preventing users from using freemail addresses. Large mailbox providers will not abruptly penalize senders but will show less sympathy for those neglecting authentication. Mail without SPF and DKIM will be rejected, and alignment is crucial for volumes over 5000. While ESP authentication is allowed, relying on it long-term can harm deliverability, especially for high-volume senders. The industry is moving towards stricter authentication, and non-compliance will result in blocking and spam placement. Smaller senders with low volumes and no complaints may be fine, but issues can arise with increased volume, new mailstreams, or IP changes. ESPs will require bulk mailers to authenticate using DMARC, ensuring proper configuration for shared or dedicated domains.

Key opinions

  • Domain Ownership: Owning a domain for DKIM signing is crucial.
  • SPF/DKIM Alignment: Aligned SPF and DKIM with organizational domain are essential.
  • Freemail Restriction: Using @gmail.com addresses in the From header will be problematic.
  • Authentication Enforcement: Mail without SPF and DKIM will be rejected, especially for high volumes.
  • ESP Authentication Limitations: Relying solely on ESP authentication can harm long-term deliverability.
  • Industry Shift: The email industry is moving towards stricter authentication standards.
  • Low Volume Exception: Low-volume senders with no complaints may initially be unaffected.
  • DMARC Requirement: ESPs will require bulk mailers to authenticate using DMARC.
  • DMARC Configuration: Dedicated domains must be properly configured for DMARC or sender needs to use an ESP Domain.

Key considerations

  • Domain Selection: Choose your main organizational domain or a subdomain for the From header.
  • ESP Infrastructure: Ensure your ESP is aware of the changes and implementing necessary infrastructure.
  • Volume Awareness: Understand volume thresholds, as alignment requirements differ for low vs. high-volume senders.
  • Proactive Authentication: Implement basic authentication measures like SPF and DKIM to avoid deliverability issues.
  • Monitor Performance: Monitor your sending reputation and engagement metrics to identify and address issues promptly.
  • DMARC Configuration: Configure DMARC appropriately on either a dedicated or shared ESP domain.
  • Domain Ownership: If using ESP consider moving to authenticating from your own domain.
Expert view

Expert from Email Geeks advises using your main organizational domain or a subdomain in your From header. Aligned SPF or DKIM, ideally both, are crucial. Aligned SPF means your return path is a subdomain of your organizational domain, while aligned DKIM means using your organizational domain in the d= of one of the DKIM signatures.

July 2024 - Email Geeks
Expert view

Expert from Email Geeks confirms that it will still be allowed for mailers to sign up on an ESP, verify their domain and send using the ESPs authenticated domain without needing to place any records in their DNS.

August 2022 - Email Geeks
Expert view

Expert from Email Geeks shares that the industry is moving, slowly but implacably. Those who disagree will be ground underfoot.

April 2021 - Email Geeks
Expert view

Expert from Email Geeks explains that if senders want to use their own domain in the From: while relying on ESP domain authentication they shouldn’t plan long term on having their mail delivered to the inbox.

May 2024 - Email Geeks
Expert view

Expert from Email Geeks indicates a key challenge will be preventing users from using @gmail.com addresses in the From header.

April 2023 - Email Geeks
Expert view

Expert from Word to the Wise explains that it will become easier for major mailbox providers to identify and block malicious and unwanted email, improving inbox experiences for consumers. Senders that don’t follow the rules will likely face increased blocking and spam placement.

November 2023 - Word to the Wise
Expert view

Expert from Email Geeks says that if they're sending more than 5000 messages with ESP authentication it will have delivery issues, but if they're sending a couple hundred, they should be fine.

June 2024 - Email Geeks
Expert view

Expert from Email Geeks states that mail with zero authentication (no SPF, no DKIM) will be rejected. For volumes >~5000, alignment between SPF or DKIM domains is needed, prohibiting freemail domains.

October 2021 - Email Geeks
Expert view

Expert from Email Geeks shares that ESPs dealing with smaller customers are aware of required changes and are implementing infrastructure to handle them.

March 2023 - Email Geeks
Expert view

Expert from Email Geeks explains that you should own a domain and use it to DKIM sign your messages. You can use multiple DKIM signatures, but one should be with your domain.

June 2024 - Email Geeks
Expert view

Expert from Spam Resource explains that The 2024 email authentication requirements will have ESPs require any bulk mailer to authenticate using DMARC. If using a shared domain, this means the sender must use the ESP's domain. If using a dedicated domain, then DMARC must be properly configured on the domain.

September 2024 - Spam Resource
Expert view

Expert from Email Geeks shares that if you’re only sending a few hundred emails a week, and you get no complaints from any of your recipients you’ll likely be fine indefinitely if you don’t change anything. You start getting complaints? You start up a new mailstream? You move IPs? Eh, maybe less so.

April 2021 - Email Geeks
Expert view

Expert from Email Geeks explains that large mailbox providers prioritize customer satisfaction and won't abruptly penalize senders. However, sympathy for those neglecting basic authentication will decrease.

March 2023 - Email Geeks

What the documentation says
5Technical articles

Google, Yahoo, and Microsoft are implementing stricter email authentication policies to combat spam, fraud, and abuse. These policies require senders to authenticate their email using SPF, DKIM, and DMARC. Senders also need to maintain a low spam complaint rate and provide easy unsubscribe options. DKIM verifies the source and integrity of email messages, while DMARC allows domain owners to specify how receiving servers should handle messages that fail authentication. Microsoft is also updating its sender guidelines and providing a sender support portal to check sender reputation.

Key findings

  • Authentication Required: Google, Yahoo, and Microsoft all require email authentication.
  • SPF/DKIM Essential: SPF and DKIM are fundamental authentication methods.
  • DMARC Recommended: DMARC is a crucial policy framework to manage unauthenticated mail.
  • Low Complaint Rates: Maintaining low spam complaint rates is critical.
  • Easy Unsubscribe: Providing easy unsubscribe options is necessary.
  • DKIM Function: DKIM verifies source and integrity of messages.
  • DMARC Function: DMARC allows domain owners to specify handling of failed authentication.
  • Valid DNS Records: Domains and IPs need valid forward and reverse DNS records (PTR records)

Key considerations

  • Implement SPF: Set up SPF records for your sending domains.
  • Implement DKIM: Enable DKIM signing for your email messages.
  • Implement DMARC: Configure DMARC policy to protect your domain.
  • Monitor Reputation: Regularly check your sender reputation with Microsoft and other providers.
  • Reduce Spam Complaints: Optimize your sending practices to minimize spam complaints.
  • Simplify Unsubscribing: Ensure a clear and easy unsubscribe process for recipients.
  • Validate DNS: Confirm valid forward and reverse DNS records (PTR records)
Technical article

Documentation from Google Workspace Updates states that to help prevent spam, fraud, and abuse, Google requires senders to authenticate their email. They must set up SPF or DKIM email authentication for their domain and ensure that sending domains or IPs have valid forward and reverse DNS records (PTR records).

July 2022 - Google Workspace Updates
Technical article

Documentation from RFC 4871 defines DKIM as providing a method for verifying the source and integrity of email messages. This standard ensures that the email hasn't been altered during transit and comes from a legitimate sender.

October 2022 - RFC 4871
Technical article

Documentation from Microsoft responds that they're implementing similar requirements and are updating their sender guidelines to require proper authentication. Senders can check their reputation with Microsoft through the Sender Support portal.

June 2023 - Microsoft
Technical article

Documentation from DMARC.org shares that Implementing DMARC allows domain owners to tell receiving mail servers what to do with messages that fail authentication checks, preventing spoofing and phishing attacks.

March 2023 - DMARC.org
Technical article

Documentation from Yahoo Mail Blog says that senders should authenticate their email using SPF, DKIM, and DMARC, maintain a low spam complaint rate (below 0.1%), and make it easy for recipients to unsubscribe from their emails.

April 2023 - Yahoo Mail Blog