New Requirements for Bulk Senders

UPDATE: You need to authenticate with both DKIM and SPF.

Google are circulating a new set of requirements for bulk senders on their blog.

So are Yahoo. It’s almost like postmasters talk to each other or something.

If you dig through the links in the Gmail blog post you can find this summary of what they’ll be requiring from bulk senders by February:

  • Set up SPF or DKIM email authentication for your domain.
  • Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records. Learn more
  • Keep spam rates reported in Postmaster Tools below 0.3%. Learn more
  • Format messages according to the Internet Message Format standard (RFC 5322).
  • Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery.
  • If you regularly forward email, including using mailing lists or inbound gateways, add ARC headers to outgoing email. ARC headers indicate the message was forwarded and identify you as the forwarder. Mailing list senders should also add a List-id: header, which specifies the mailing list, to outgoing messages.

And for anyone sending more than about 5,000 emails a day, also:

  • Set up DMARC email authentication for your sending domain. Your DMARC enforcement policy can be set to none. Learn more
  • For direct mail, the domain in the sender’s From: header must be aligned with either the SPF domain or the DKIM domain. This is required to pass DMARC alignment.
  • For subscribed messages, enable one-click unsubscribe with a clearly visible unsubscribe link in the message body. Learn more

These all seem very reasonable. They’re things that have been best practice for a long time, that everyone should be doing (and that I’d have guessed large mailbox providers were soft-enforcing already).

I’ve been chatting with folks on slack, and worked out some clarifications. Google will be publishing DMARC p=quarantine for at least gmail.com and googlemail.com. That means that anyone sending a small business or personal newsletter with their @gmail.com or @yahoo.com email address in the From: header needs to stop doing that pretty sharpish.

The one-click unsubscribe requirements mean that all bulk mail should be using List-Unsubscribe: and List-Unsubscribe-Post: headers to handle in-MUA unsubscription (ideally, anyway, but you can probably get away with just List-Unsubscribe: with a mailto: URL). You should also have a visible unsubscribe link in the body of your message (and that should link to a page that makes it easy for a recipient to unsubscribe from all mail by clicking a big, obvious button). Having a valid List-Unsubscribe-Post requires that your mail be DKIM signed, so that’s another reason not to rely solely on SPF for authentication.

And if you’re not using DMARC yet, it’s time to publish a record with p=none, and start making sure that your authentication is aligned.

These are all good practices, and the large consumer mailbox providers are giving you a nudge towards implementing them. Soon. Make it your New Years Resolution.

Related Posts

Gmail / Apps authentication issues

I’ve seen several reports of unexpected rejections for unauthenticated email to Google over IPv6 today. Unauthenticated mail over IPv6 is a bad idea, but Google usually spam folders it rather than rejecting it.
The Gmail status dashboard is reporting an issue “Some messages sent to consumer Gmail accounts are being rejected due to authentication enforcement” so something isn’t working as intended.

Read More

Gmail showing authentication results to endusers

A bit of older news, but worth a blog post. Early in August, Gmail announced changes to the inbox on both the web interface and the android client. They will be pushing authentication results into the interface, so end users can see which emails are authenticated.

These are not deliverability changes, the presence or absence of authentication will not affect inbox delivery. And the gmail Gmail support pages clarify that lack of authentication is not a sign that mail is spam.
This isn’t a huge change for most ESPs and most senders. In fact, Gmail has reported more than 95% of their mail is authenticated with either SPF or DKIM. Now, Gmail does a “best guess” SPF – if it looks like an IP should be authorized to send mail for a domain (like the sending IP is the same as the MX) then it’s considered authenticated.
It’s good to see authentication information being passed to the end user.

Read More

Fun with spam filters

I recently had a challenging travel experience in the Netherlands, trying to get from Schipol airport to a conference I was speaking at. As part of my attempt to get out of the airport, I installed UBER on my phone. There were some challenges with getting UBER to authorise my phone number, so I tried linking it to my Gmail account.

Read More