New Requirements for Bulk Senders

UPDATE: You need to authenticate with both DKIM and SPF.

Google are circulating a new set of requirements for bulk senders on their blog.

So are Yahoo. It’s almost like postmasters talk to each other or something.

If you dig through the links in the Gmail blog post you can find this summary of what they’ll be requiring from bulk senders by February:

  • Set up SPF or DKIM email authentication for your domain.
  • Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records. Learn more
  • Keep spam rates reported in Postmaster Tools below 0.3%. Learn more
  • Format messages according to the Internet Message Format standard (RFC 5322).
  • Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery.
  • If you regularly forward email, including using mailing lists or inbound gateways, add ARC headers to outgoing email. ARC headers indicate the message was forwarded and identify you as the forwarder. Mailing list senders should also add a List-id: header, which specifies the mailing list, to outgoing messages.

And for anyone sending more than about 5,000 emails a day, also:

  • Set up DMARC email authentication for your sending domain. Your DMARC enforcement policy can be set to none. Learn more
  • For direct mail, the domain in the sender’s From: header must be aligned with either the SPF domain or the DKIM domain. This is required to pass DMARC alignment.
  • For subscribed messages, enable one-click unsubscribe with a clearly visible unsubscribe link in the message body. Learn more

These all seem very reasonable. They’re things that have been best practice for a long time, that everyone should be doing (and that I’d have guessed large mailbox providers were soft-enforcing already).

I’ve been chatting with folks on slack, and worked out some clarifications. Google will be publishing DMARC p=quarantine for at least gmail.com and googlemail.com. That means that anyone sending a small business or personal newsletter with their @gmail.com or @yahoo.com email address in the From: header needs to stop doing that pretty sharpish.

The one-click unsubscribe requirements mean that all bulk mail should be using List-Unsubscribe: and List-Unsubscribe-Post: headers to handle in-MUA unsubscription (ideally, anyway, but you can probably get away with just List-Unsubscribe: with a mailto: URL). You should also have a visible unsubscribe link in the body of your message (and that should link to a page that makes it easy for a recipient to unsubscribe from all mail by clicking a big, obvious button). Having a valid List-Unsubscribe-Post requires that your mail be DKIM signed, so that’s another reason not to rely solely on SPF for authentication.

And if you’re not using DMARC yet, it’s time to publish a record with p=none, and start making sure that your authentication is aligned.

These are all good practices, and the large consumer mailbox providers are giving you a nudge towards implementing them. Soon. Make it your New Years Resolution.

Related Posts

Mail Client Improvements

There’s been extensive and ongoing development of email through the years, but much of it has been behind the scenes. We were focused on the technology and safety and robustness of the channel. We’re not done yet, but things are much better than they were.
The good part of that is there is some space to make improvements to the inbox as well. Over the last few months there have been a number of announcements from different mail client providers about how they’re updating their mail client.

Read More

Affiliate marketing overview

Most retailers have realized that sending unsolicited email is bad for their overall deliverability. Still, the idea they can send mail to people who never heard of them is seductive.
Enter affiliate email. That magical place where companies hire an agency, or a contractor, or some other third party to send email advertising their new product. Their mail and company reputation is protected because they aren’t sending the messages. Even better, affiliates assure their customers that the mail is opt-in. I’m sure some of them even believe it.
The reality is a little different from what affiliates and their customers want to believe.

Read More

Gmail showing authentication results to endusers

A bit of older news, but worth a blog post. Early in August, Gmail announced changes to the inbox on both the web interface and the android client. They will be pushing authentication results into the interface, so end users can see which emails are authenticated.

These are not deliverability changes, the presence or absence of authentication will not affect inbox delivery. And the gmail Gmail support pages clarify that lack of authentication is not a sign that mail is spam.
This isn’t a huge change for most ESPs and most senders. In fact, Gmail has reported more than 95% of their mail is authenticated with either SPF or DKIM. Now, Gmail does a “best guess” SPF – if it looks like an IP should be authorized to send mail for a domain (like the sending IP is the same as the MX) then it’s considered authenticated.
It’s good to see authentication information being passed to the end user.

Read More