What DMARC/DKIM/SPF updates are needed for new Gmail/Yahoo requirements?

Summary

To comply with updated Gmail and Yahoo requirements, bulk senders must implement email authentication using SPF, DKIM, and DMARC. DKIM domains should align with the visible 'from' address. While DMARC 'p=none' is a minimum, a stricter policy is preferable. Maintaining a low spam rate (below 0.1%) and providing easy unsubscribe options are also critical. For DKIM, a 2048-bit key size is recommended. SPF records must stay within DNS lookup limits. DMARC reporting, though complex and costly, aids in monitoring sending sources. If resources are limited, prioritize DKIM alignment, and ensure the primary mail stream is authenticated. DMARC monitoring is unnecessary if the policy will remain at 'p=none'. The goal is to prevent spoofing and enhance deliverability.

Key findings

  • Authentication Compliance: Gmail and Yahoo now require SPF, DKIM, and DMARC for bulk senders.
  • DKIM Alignment: DKIM domain should align with the visible 'from' address.
  • DMARC Minimum: DMARC 'p=none' is the minimum; stricter policies are better.
  • Spam Rate Threshold: Maintain a spam rate below 0.1%.
  • Unsubscribe Ease: Provide easy, one-click unsubscribe options.
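
What "align with the visible 'from' address" means in practice, as an added example that is not taken from any of the sources summarized on this page: a DMARC alignment check over four constructed sending setups. The domains are sample values, and PUBLIC_SUFFIXES is a small constructed stand-in for the Public Suffix List that real validators use to find the organizational domain.

```python
# Added example. PUBLIC_SUFFIXES is a constructed stand-in for the Public
# Suffix List; all domains below are constructed sample values.
PUBLIC_SUFFIXES = {"com", "example", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels

def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def dmarc_eval(from_domain, dkim, spf, adkim="r", aspf="r"):
    """dkim: list of (d= domain, signature passed); spf: (MAIL FROM domain, passed)."""
    dkim_ok = any(ok and aligned(from_domain, d, adkim) for d, ok in dkim)
    spf_ok = spf[1] and aligned(from_domain, spf[0], aspf)
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok}

FROM = "news.brand.example"
# 1. ESP default: SPF and DKIM both pass, but for the ESP's domain, not the brand's.
esp_default = dmarc_eval(FROM, [("esp.example", True)], ("bounce.esp.example", True))
# 2. Custom DKIM added on a sibling subdomain: relaxed alignment passes.
custom_dkim = dmarc_eval(FROM, [("esp.example", True), ("mail.brand.example", True)],
                         ("bounce.esp.example", True))
# 3. Same signature under adkim=s: d= must equal the From domain exactly.
strict_dkim = dmarc_eval(FROM, [("mail.brand.example", True)],
                         ("bounce.esp.example", True), adkim="s")
# 4. Aligned DKIM signature fails verification; aligned SPF still carries DMARC.
spf_only = dmarc_eval(FROM, [("brand.example", False)], ("bounces.brand.example", True))

if __name__ == "__main__":
    for name, r in [("esp_default", esp_default), ("custom_dkim", custom_dkim),
                    ("strict_dkim", strict_dkim), ("spf_only", spf_only)]:
        print(f"{name:12} {r}")
```

The first case is the one to look for in message headers: SPF and DKIM both report pass, yet DMARC fails because neither authenticated domain belongs to the From domain.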

Key considerations

  • DKIM Key Size: Use at least a 2048-bit DKIM key.
  • SPF Lookup Limits: Keep SPF records within DNS lookup limits.
  • DMARC Reporting Cost: DMARC reporting can be complex and expensive.
  • Engineering Prioritization: Prioritize DKIM alignment if resources are limited.
  • Gradual DMARC Enforcement: Start with p=none
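
An added example (not from the sources summarized here) for the SPF lookup limit: it counts the terms that trigger DNS queries across nested includes and compares the total with the limit of 10 from RFC 7208. ZONE is constructed sample data standing in for live TXT lookups, and the count is the worst case, since a real evaluation stops at the first matching mechanism.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records; all names are placeholders.
ZONE = {
    "brand.example": "v=spf1 mx include:_spf.esp.example "
                     "include:_spf.crm.example ip4:192.0.2.0/24 ~all",
    "_spf.esp.example": "v=spf1 include:a.esp.example include:b.esp.example "
                        "include:c.esp.example ~all",
    "a.esp.example": "v=spf1 ip4:198.51.100.0/24 a:out.esp.example ~all",
    "b.esp.example": "v=spf1 mx exists:%{i}.bl.esp.example ~all",
    "c.esp.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.crm.example": "v=spf1 a mx include:d.crm.example ~all",
    "d.crm.example": "v=spf1 ip6:2001:db8::/32 ~all",
    # Same policy with the ESP's address ranges listed directly (flattened).
    "fixed.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                     "ip4:203.0.113.0/24 include:_spf.crm.example ~all",
}

def count_lookups(domain, zone=ZONE, _path=()):
    """Worst-case number of DNS-querying SPF terms reachable from domain."""
    if domain in _path:  # include loop: the include was already counted once
        return 0
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        # optional qualifier, mechanism/modifier name, optional domain argument
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
        if not m or m.group(1) not in QUERYING:
            continue  # ip4, ip6 and all cost no lookup
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), zone, _path + (domain,))
    return total

def within_limit(domain, zone=ZONE):
    return count_lookups(domain, zone) <= LOOKUP_LIMIT

if __name__ == "__main__":
    for d in ("brand.example", "fixed.example"):
        print(d, count_lookups(d), "ok" if within_limit(d) else "over limit")
```

Flattened address lists go stale when the provider changes its ranges, so they need a process that re-checks them against the provider's published record.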

What email marketers say
11 marketer opinions

In response to new requirements from Gmail and Yahoo, bulk email senders need to ensure they have proper email authentication in place, including SPF, DKIM, and DMARC. For DKIM, the DKIM domain should match the domain in the visible 'from' address. At a minimum, DMARC should be set to 'p=none', but a stricter policy is recommended for better protection. Bulk senders also need to maintain a low spam rate (below 0.1%) and provide easy one-click unsubscribe options. Setting up custom authentication improves deliverability and protects brand reputation. Using a DKIM key size of at least 2048 bits is suggested. Keeping SPF records under the DNS lookup limit is crucial to avoid authentication failures. DMARC reporting assists in monitoring sending sources and identifying unauthorized senders.

Key opinions

  • Authentication Required: Gmail and Yahoo require bulk senders to authenticate emails using SPF, DKIM, and DMARC.
  • DKIM Alignment: The DKIM domain should match the domain in the visible 'from' address for proper authentication.
  • DMARC Policy: DMARC policy must be at least 'p=none', but a stricter policy is recommended.
  • Spam Rate: Bulk senders must maintain a spam rate below 0.1%.
  • Unsubscribe: Easy one-click unsubscribe options are required.

Key considerations

  • DKIM Key Size: Use a DKIM key size of at least 2048 bits for improved security.
  • SPF Record Limit: Keep SPF records under the DNS lookup limit to avoid authentication failures.
  • DMARC Reporting: Implement DMARC reporting to monitor sending sources and identify unauthorized senders.
  • Gradual DMARC Implementation: Start with a 'p=none' DMARC policy to monitor email streams before moving to stricter policies.
Marketer view

Email marketer from MailerLite shares that Google and Yahoo are enforcing stricter email authentication policies for bulk senders, including requiring SPF, DKIM, and DMARC setup. These changes aim to improve email security and reduce spam.

February 2024 - MailerLite
Marketer view

Email marketer from Sendinblue explains that to comply with Gmail and Yahoo's new requirements, businesses need to authenticate their emails using SPF, DKIM, and DMARC. They also need to ensure a low spam rate and provide easy unsubscribe options.

February 2023 - Sendinblue
Marketer view

Email marketer from ZeroBounce shares that bulk senders must authenticate their emails with SPF, DKIM, and DMARC. DMARC needs to be set to 'p=none' at a minimum, but a stricter policy is recommended for better protection. They also need to maintain a spam rate below 0.1% and implement one-click unsubscribe.

January 2024 - ZeroBounce
Marketer view

Email marketer from Litmus explains that by implementing SPF, DKIM and DMARC you are telling mailbox providers that you are who you say you are and are authorized to send email using your domain.

November 2021 - Litmus
Marketer view

Email marketer from EasyDMARC shares that implementing DMARC reporting helps monitor who is sending emails on behalf of the domain, so that any unauthorized senders are identified and remediated. Aggregated reports are very useful in identifying problems.

June 2023 - EasyDMARC
Marketer view

Email marketer from Email Geeks shares that if you have DKIM and it’s passing and the DKIM domain matches the domain in the visible from address, no changes are needed. If the DKIM domain doesn’t match (at least on the parent level), you need to get DKIM with your domain. For DMARC, you need to have at least a “none” policy.

February 2024 - Email Geeks
Marketer view

Email marketer from SparkPost highlights the importance of keeping SPF records under the DNS lookup limit (typically 10) to avoid authentication failures. Using include mechanisms efficiently is crucial.

November 2021 - SparkPost
Marketer view

Email marketer from Reddit explains that for DMARC, start with a 'p=none' policy to monitor your email streams. Once you're confident that all legitimate email is properly authenticated, you can move to 'p=quarantine' or 'p=reject'.

January 2024 - Reddit
Marketer view

Email marketer from Email Geeks shares that you also need SPF if you are a bulk sender (over 5K), but it only has to align if DKIM doesn’t, and recommends aligning DKIM (i.e., matching the domain to the visible from address).

September 2021 - Email Geeks
Marketer view

Email marketer from Mailchimp highlights that setting up custom authentication, including DKIM and SPF, improves deliverability and protects your brand's reputation.

August 2024 - Mailchimp
Marketer view

Email marketer from Email Marketing Forum suggests using a DKIM key size of at least 2048 bits for improved security and compliance with the latest standards.

May 2023 - Email Marketing Forum

What the experts say
5 expert opinions

New requirements from Gmail and Yahoo mandate that bulk senders implement email authentication (SPF, DKIM, DMARC) and maintain low spam rates to avoid message blockage or spam filtering. If focusing engineering efforts, prioritizing DKIM alignment over SPF may be strategic. For bulk mail, ensure the primary mail stream is authenticated and aligned. DMARC monitoring is not essential if the policy remains at 'p=none'. Setting up DMARC reporting is complex and expensive; it should be prioritized after other authentication measures.

Key opinions

  • Authentication Mandate: Gmail and Yahoo now require bulk senders to authenticate emails with SPF, DKIM, and DMARC.
  • DKIM Prioritization: If resources are limited, prioritize DKIM alignment.
  • Stream Authentication: For bulk mail, focus on authenticating and aligning the primary mail stream.
  • DMARC Monitoring (p=none): DMARC monitoring is not necessary if the DMARC policy remains at 'p=none'.
  • Blocking/Spam Placement: Senders not authenticating will have messages blocked or sent to spam.

Key considerations

  • DMARC Reporting Complexity: DMARC reporting is complex and expensive to implement properly.
  • DMARC Reporting Priority: Prioritize other authentication measures before implementing DMARC reporting.
  • Spam Rates: Maintaining low spam rates is also a key requirement
  • The bare minimum: Ensure the DMARC record is not just published at p=none - it needs to be correctly configured for the email stream
Expert view

Expert from Email Geeks explains that setting up DMARC reporting is a very expensive thing to do properly, so unless you actually care about DMARC it’s a _long_ way down the list of things to do. Expert from Email Geeks adds that it should be thought of as a step 2 or 3, not a step 1.

April 2023 - Email Geeks
Expert view

Expert from Word to the Wise explains that new requirements for bulk senders are being implemented by Google and Yahoo, requiring authentication (SPF, DKIM, DMARC) as well as low spam rates. Senders who don't authenticate will have messages blocked or sent to spam.

February 2024 - Word to the Wise
Expert view

Expert from Email Geeks explains that for bulk mail where there’s a single mail stream, about all you can do is make sure that one mail stream is authenticated and aligned when it’s sent; you can do that with much, much less effort than handling DMARC reports. Marketer from Email Geeks adds that as long as your solution to the “must publish DMARC for this stream” problem isn’t “publish p=none at the org domain and be done with it”.

February 2022 - Email Geeks
Expert view

Expert from Email Geeks explains that there is no need to do any monitoring for DMARC if you have no intention of moving to something other than p=none.

May 2021 - Email Geeks
Expert view

Expert from Email Geeks explains that if you can align both SPF and DKIM then do, but if you need to focus engineering in one place, pick DKIM.

January 2023 - Email Geeks

What the documentation says
4 technical articles

To comply with Gmail and Yahoo's new email requirements and ensure reliable delivery, domain owners must set up email authentication. This includes using SPF to specify authorized mail servers, DKIM to verify message integrity and domain origination, and DMARC to protect against email spoofing. DMARC builds upon SPF and DKIM, providing a framework for authentication, reporting, and conformance.

Key findings

  • Authentication Required: Email authentication is mandatory for reliable delivery to Gmail accounts.
  • SPF Purpose: SPF identifies authorized mail servers for a domain.
  • DKIM Purpose: DKIM verifies that email was sent by the stated domain and hasn't been altered in transit.
  • DMARC Purpose: DMARC protects against email spoofing and provides reporting on email authentication.

Key considerations

  • Comprehensive Setup: Implement SPF, DKIM, and DMARC for optimal email security and deliverability.
  • DMARC Reporting: Utilize DMARC reporting to monitor email activity and identify potential abuse.
  • Prevent Spoofing: The primary driver is to prevent spammers sending from your domain.
Technical article

Documentation from RFC Editor explains that DKIM defines a domain-level authentication framework for email. It provides a mechanism for verifying that email was sent by the stated domain and hasn't been altered in transit.

May 2023 - RFC Editor
Technical article

Documentation from Google Workspace Admin Help explains that to ensure your messages are delivered as expected to Gmail accounts, you must set up email authentication for your domain. Meeting Google’s sender requirements helps ensure reliable delivery to Gmail, prevents spoofing, and helps keep Gmail users safe. Senders must authenticate their email using SPF or DKIM. They also advise setting up DMARC authentication for your domain.

December 2022 - Google Workspace Admin Help
Technical article

Documentation from Microsoft explains that SPF is a DNS record that identifies which mail servers are permitted to send email on behalf of your domain. Configuring SPF prevents spammers from sending messages with forged From addresses at your domain.

February 2024 - Microsoft
Technical article

Documentation from DMARC.org explains that DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. DMARC builds upon the widely deployed SPF and DKIM protocols, adding a reporting function that allows domain owners to monitor who is sending email on behalf of their domain.

May 2021 - DMARC.org