New Requirements for Bulk Senders


UPDATE: You need to authenticate with both DKIM and SPF.

Google are circulating a new set of requirements for bulk senders on their blog.

So are Yahoo. It’s almost like postmasters talk to each other or something.

If you dig through the links in the Gmail blog post you can find this summary of what they’ll be requiring from bulk senders by February:

  • Set up SPF or DKIM email authentication for your domain.
  • Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records.
  • Keep spam rates reported in Postmaster Tools below 0.3%.
  • Format messages according to the Internet Message Format standard (RFC 5322).
  • Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery.
  • If you regularly forward email, including using mailing lists or inbound gateways, add ARC headers to outgoing email. ARC headers indicate the message was forwarded and identify you as the forwarder. Mailing list senders should also add a List-id: header, which specifies the mailing list, to outgoing messages.

And for anyone sending more than about 5,000 emails a day, also:

  • Set up DMARC email authentication for your sending domain. Your DMARC enforcement policy can be set to none.
  • For direct mail, the domain in the sender’s From: header must be aligned with either the SPF domain or the DKIM domain. This is required to pass DMARC alignment.
  • For subscribed messages, enable one-click unsubscribe with a clearly visible unsubscribe link in the message body.

These all seem very reasonable. They’re things that have been best practice for a long time, that everyone should be doing (and that I’d have guessed large mailbox providers were soft-enforcing already).

I’ve been chatting with folks on Slack, and worked out some clarifications. Google will be publishing DMARC p=quarantine for at least gmail.com and googlemail.com. That means that anyone sending a small business or personal newsletter with their @gmail.com or @yahoo.com email address in the From: header needs to stop doing that pretty sharpish: mail sent through an ESP can’t carry SPF or DKIM authentication that aligns with gmail.com or yahoo.com, so it fails DMARC, and receivers that honour the published policy will quarantine it (or, in Yahoo’s case, reject it).

The one-click unsubscribe requirement means that all bulk mail should carry List-Unsubscribe: and List-Unsubscribe-Post: headers (RFC 8058) so that the mailbox provider can unsubscribe the recipient from within the mail client (ideally, anyway; you can probably get away with just List-Unsubscribe: with a mailto: URL). You should also have a visible unsubscribe link in the body of your message, and it should lead to a page that lets the recipient unsubscribe from all mail by clicking one big, obvious button. RFC 8058 also requires that the List-Unsubscribe: and List-Unsubscribe-Post: headers be covered by a valid DKIM signature, so that’s another reason not to rely solely on SPF for authentication.
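As an added example (not code from the original post), here is what the RFC 8058 headers look like on a bulk message, a check that a message meets the conditions above, and a minimal handler for the https endpoint that receives the one-click POST. The domain, token and DKIM-Signature values are constructed placeholders; a real deployment signs with a DKIM library, and the endpoint must complete the unsubscribe on the POST alone, with no confirmation page.

```python
"""Added example: RFC 8058 one-click unsubscribe headers and their checks.

Not code from the original post. Domains, tokens and the DKIM-Signature
header used with this code are constructed placeholders.
"""
from email.message import EmailMessage
from email.utils import formataddr
from urllib.parse import parse_qs

ONE_CLICK = "List-Unsubscribe=One-Click"
FORM = "application/x-www-form-urlencoded"


def build_bulk_message(list_domain: str, token: str) -> EmailMessage:
    """Constructed bulk message carrying the RFC 8058 headers and a visible link."""
    msg = EmailMessage()
    msg["From"] = formataddr(("Example News", f"news@{list_domain}"))
    msg["To"] = "subscriber@example.net"
    msg["Subject"] = "Weekly update"
    msg["List-Id"] = f"Example News <news.{list_domain}>"
    # RFC 8058 3.1: an https URI (the one-click target) plus an optional mailto: fallback.
    msg["List-Unsubscribe"] = (
        f"<https://{list_domain}/unsub?t={token}>, "
        f"<mailto:unsub@{list_domain}?subject=unsub-{token}>"
    )
    msg["List-Unsubscribe-Post"] = ONE_CLICK
    msg.set_content(f"Hello.\n\nUnsubscribe: https://{list_domain}/unsub?t={token}\n")
    return msg


def dkim_signed_headers(msg: EmailMessage) -> set:
    """Header names (lower-cased) listed in the DKIM-Signature h= tag, if any."""
    sig = str(msg.get("DKIM-Signature", ""))
    for tag in sig.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "h":
            return {h.strip().lower() for h in value.split(":") if h.strip()}
    return set()


def check_one_click(msg: EmailMessage) -> list:
    """Return the RFC 8058 problems found; an empty list means the message qualifies."""
    problems = []
    lu = str(msg.get("List-Unsubscribe", ""))
    uris = [u.strip().strip("<>") for u in lu.split(",") if u.strip()]
    if not any(u.lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no https URI")
    if str(msg.get("List-Unsubscribe-Post", "")) != ONE_CLICK:
        problems.append("List-Unsubscribe-Post must be exactly " + ONE_CLICK)
    # RFC 8058 3.1: both headers must be covered by a valid DKIM signature.
    # Signature verification itself is out of scope here; we only check coverage.
    if not {"list-unsubscribe", "list-unsubscribe-post"} <= dkim_signed_headers(msg):
        problems.append("DKIM signature does not cover the List-Unsubscribe headers")
    return problems


def handle_unsubscribe_post(method: str, content_type: str, body: str) -> int:
    """Minimal handler for the https endpoint: return an HTTP status for the request.

    Only the form-urlencoded body is handled; RFC 8058 also allows
    multipart/form-data, which is left out of this example.
    """
    if method != "POST":
        return 405  # one-click is always a POST; a GET is a link click or a scanner
    if not content_type.startswith(FORM):
        return 415
    fields = parse_qs(body, keep_blank_values=True)
    # RFC 8058 3.2: the body is exactly List-Unsubscribe=One-Click and nothing else;
    # the subscriber identity comes from the token in the URI, not from the body.
    if fields != {"List-Unsubscribe": ["One-Click"]}:
        return 400
    return 200  # unsubscribe the token's subscriber here and acknowledge


if __name__ == "__main__":
    m = build_bulk_message("example.com", "abc123")
    print(check_one_click(m))  # unsigned message: DKIM coverage problem reported
```

Running the checker on a message before it is signed reports only the DKIM coverage problem; once the signer's h= tag lists both List-Unsubscribe headers it reports nothing. Note that the endpoint treats a GET as a normal link click, so link-scanning security gateways that fetch URLs never unsubscribe anyone.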

And if you’re not using DMARC yet, it’s time to publish a record with p=none, and start making sure that your authentication is aligned.
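To make "aligned" concrete, here is an added example (not code from the original post) that parses a DMARC record and evaluates identifier alignment the way a receiver does, covering the direct-mail alignment requirement in the list above, the ESP case where the Return-Path and DKIM domains belong to the ESP, and the @gmail.com From: case. PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix List, the domain names are placeholders, and the SPF and DKIM verification results are taken as inputs rather than computed.

```python
"""Added example: DMARC identifier alignment (RFC 7489), not code from the post.

PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List; the SPF
and DKIM verification results are supplied as inputs rather than computed.
The sp= and pct= tags are ignored to keep the example short.
"""
from typing import Optional

PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def organizational_domain(domain: str) -> str:
    """RFC 7489 3.2: the longest public suffix plus one label (stand-in list)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags, applying the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed alignment unless the record says otherwise
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_pass_domain: Optional[str],
                   dkim_pass_domains: list) -> dict:
    """Evaluate DMARC for one message.

    from_domain: domain of the RFC5322.From header (the one DMARC protects).
    spf_pass_domain: the RFC5321.MailFrom domain if SPF passed, else None.
    dkim_pass_domains: d= of every DKIM signature that verified.
    """
    tags = parse_dmarc(record)
    spf_aligned = aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_aligned = any(aligned(from_domain, d, tags["adkim"]) for d in dkim_pass_domains)
    passed = spf_aligned or dkim_aligned
    return {
        "pass": passed,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # what a policy-honouring receiver does with the message
        "disposition": "none" if passed else tags["p"],
    }


if __name__ == "__main__":
    record = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    # ESP signs with its own domain and uses its own bounce domain: authenticated, not aligned.
    print(evaluate_dmarc(record, "example.com", "bounce.esp.example", ["esp.example"]))
    # Customer adds a DKIM signature with d=example.com: now aligned.
    print(evaluate_dmarc(record, "example.com", "bounce.esp.example", ["esp.example", "example.com"]))
```

The first call passes both SPF and DKIM yet fails DMARC, which is exactly the ESP situation the requirements target: authentication alone is not enough, one of the authenticated domains has to be the From: domain (or, under relaxed alignment, share its organizational domain). A From: of gmail.com through the same ESP fails the same way, and with p=quarantine the disposition becomes quarantine.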

These are all good practices, and the large consumer mailbox providers are giving you a nudge towards implementing them. Soon. Make it your New Years Resolution.

8 comments

  • So, basically, these rules are a good way to make sure emails are legit and follow the rules. It’s something all those who send lots of emails should start doing soon. This article is a helpful reminder for all of us to include these good email practices in our plans.

  • Hi Steve! I’ve appreciated your post. I have some doubts.
    I work at an ESP where our customers in some cases send with their own domains but without DKIM and SPF; then these emails are signed with the domain in the return path, which is managed by us.
    Is it strictly necessary for the domain in the From to be signed with DKIM? Or is our domain signed in the return path enough? It is worth mentioning that our domain has DKIM, SPF and DMARC.
    In the case that our customer domains must be DKIM signed, is it necessary to have DMARC configured on the customer domains?

  • Any comment as to why they state:

    “The SPF record for your domain should reference all email senders for your domain. If third-party senders aren’t included in your SPF record, messages from these senders are more likely to be marked as spam.”

    Isn’t this back to ESPs incorrectly recommending that we publish their SPF includes on our domains?

  • “That means that anyone sending a small business or personal newsletter with their @gmail.com or @yahoo.com email address in the From: header needs to stop doing that pretty sharpish.” Why would this affect newsletters people signed up for?

  • Yahoo publishes a DMARC policy of p=reject and has done since 2014. This statement means that if you send mail through an ESP and use a yahoo.com address in the 5322.from address and the recipient domain respects DMARC policy requests that they will reject your mail for being unauthorized. Yahoo does not want anyone using a yahoo.com address through any other infrastructure than their own.

    Gmail is moving to a p=quarantine DMARC policy. This means that if you send mail through an ESP and use a gmail.com address in the 5322.from address and the recipient domain respects DMARC policy requests they are likely to treat your mail as unauthorized and potential spam.

  • Yahoo and Google are asking for alignment between the authenticated domains and the domain in the 5322.from address. They’re also asking for a DMARC policy for all domains in the 5322.from address.

    You’ll need to make sure all your customers sending bulk mail have that alignment in place. There are a number of ESPs that use their own authentication for SPF and DKIM and they’re going to have to change that. Some are rewriting the domain for their customers, some are requiring DKIM alignment. But if your customers aren’t sending aligned mail in the next few months they’re going to have delivery problems.

By steve
