Google and Yahoo Email Authentication Requirements: Step-by-Step Guide

As a small business owner, you know the importance of emails. They’re like our modern-day letters, carrying crucial messages, updates, and information from your business to your customers. But, just like a letter can get lost in the mail, emails can also fail to reach their intended recipients; this is where email deliverability becomes crucial. 

On October 3, 2023, Google and Yahoo announced that bulk senders must have DMARC in place beginning February 2024. These new rules are meant to ensure emails are delivered safely and securely using SPF, DKIM, and DMARC records.

These changes will help prevent spoofing, phishing, and spam by:

Not following these rules could lead to:

  • Your emails ending up in the spam folder or not being delivered at all.
  • Your business becoming an easy target for phishing attacks.
  • A potential loss of trust from your customers due to inconsistent communication.

This guide will help you understand these new rules, why they’re important, who needs to use them, and how to set them up. As a business owner, it’s crucial to stay ahead and ensure your communication remains smooth and effective. 

Who Needs To Add SPF, DKIM, & DMARC Records?

If you send emails, especially as a small business owner, you should consider adding SPF, DKIM, and DMARC records. SPF and DKIM are like the basic passport for your emails, ensuring they reach their destination. 

At least one of these is necessary. DMARC, while optional, adds an extra layer of security and is a good idea to consider. It’s all about making your emails secure, trustworthy, and deliverable.

Will I Be Affected By The New DMARC Regulations?

As a small business owner, you might be wondering if the new DMARC regulations will affect you. 

The short answer is: yes, especially if your business sends more than 5,000 emails per day to Google or Yahoo inboxes. This includes emails sent through third-party services like Constant Contact, ActiveCampaign, or Mailchimp.

“The Email sender guidelines are not applicable to messages sent to Google Workspace accounts. These sender requirements and Google’s enforcement of them are only relevant when sending emails to personal Gmail accounts.

However, when sending messages from Google Workspace accounts to personal Gmail accounts, all senders, including Google Workspace users, must adhere to the requirements outlined in Google’s Email sender guidelines.” – Google

Google and Yahoo are making what used to be best practices for secure email authentication into must-follow rules. 

Here’s what you need to know:

  • You need to have valid forward and reverse DNS records.
  • Your spam rate should be below 0.3% as reported in Postmaster Tools.
  • Your email message format must follow RFC 5322 Standards, which basically means your emails should be readable and understandable. Most email clients handle this automatically.
  • You can’t pretend to be Gmail in your FROM headers.
  • You need to follow email forwarding requirements.

If you’re sending fewer than 5,000 emails per day, you’ll need either SPF or DKIM email authentication. But if you’re sending more than 5,000, you’ll need both SPF and DKIM, plus DMARC authentication. You’ll also have stricter rules for your FROM headers and need to provide a one-click unsubscribe option for subscribed messages.

It might sound complicated, but you’re likely already following most or all of these rules, especially if you’re not sending bulk emails. 

The key points are:

  • Don’t send spam! Only send emails to people who have opted in, and don’t buy email lists.
  • Keep your spam complaint rate below 0.3%. Google even offers a free service to help you track this.
  • Make sure your emails are properly formatted. This is usually handled by your email client.
  • Don’t pretend to be gmail.com or yahoo.com. If you’re using a service that lets you send emails as these addresses, you might run into delivery issues.

These new DMARC regulations are all about making email communication more secure and trustworthy. 

Understanding Email Deliverability

Why Are SPF, DKIM, & DMARC Records Needed To Ensure Emails Are Delivered?

As a small business owner, ensuring your emails reach their destination is crucial. That’s where SPF, DKIM, and DMARC records come in. These are like the passport, seal, and policy for your emails, making sure they’re delivered safely and securely.

SPF (Sender Policy Framework)

SPF, or Sender Policy Framework, is like a passport for your emails. It’s a list of servers that are allowed to send emails from your domain. This helps confirm the sender of an email, preventing anyone from pretending to be you and reducing the chances of phishing attempts and spam.

DKIM (DomainKeys Identified Mail)

DKIM, or DomainKeys Identified Mail, is like a tamper-proof seal for your emails. It adds a digital signature to your outgoing emails, proving your identity and ensuring the email content hasn’t been changed. This helps build trust with the people receiving your emails.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is like a policy for your emails. It tells servers what to do if they get an unauthorized email from your domain. The options are to quarantine it, reject it, or do nothing.

SPF, DKIM, and DMARC records work together to make sure your emails are delivered successfully. They help establish a secure and trustworthy communication channel, protect your business’s reputation, and reduce the risk of your emails being marked as spam or phishing attempts. 

What Are The Key Components of DMARC?

Domain-based Authentication

DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is a key player in the email game. It’s like a security guard for your emails, making sure they’re authentic and handling them based on your set rules.

Policy Enforcement

Policy enforcement means DMARC uses SPF and DKIM to check if an email is genuinely from your domain. This is like checking the passport and seal we talked about earlier. It gives you, the domain owner, the power to set rules on how to handle emails that don’t pass these checks. You can choose to monitor them, mark them as spam, or not deliver them at all.

Reporting Mechanism

DMARC includes a reporting mechanism that lets email receivers send you feedback about these checks. This includes information about both legitimate and fraudulent emails, helping you keep an eye on and improve your email practices.

Phishing Protection

One of the biggest advantages of DMARC is its ability to protect against phishing attacks and email spoofing. It adds an extra layer of security, making sure only authorized senders can use your domain. This helps protect your business’s reputation.

DMARC is like a security guard, a rule-setter, and a feedback tool all in one. It’s widely used to enhance email security, prevent misuse of domains, and build trust in digital communication. By using DMARC, you’re taking a big step in the fight against email-based threats.

DMARC Email Deliverability Implementation Guide

The first step of ensuring your email deliverability is verifying what records are present. Use the Dmarcian DMARC Domain Checker to find out if an email domain is protected against phishing, spoofing or fraud.

I like this domain checker because it offers quick insights by inspecting DMARC, SPF and DKIM records all in one place and shows you if there are any actions you need to take.

Here’s a step-by-step guide for creating & installing each record type:

How to Create & Install SPF Record

Setting up SPF records involves identifying which mail servers are allowed to send emails from your domain. 

These could include web servers (for emails sent automatically from your website), your email service provider’s mail server, in-office mail servers (like Office 365 or Google Workspace), and any other third-party mail servers you use to send emails (like CRMs or marketing tools such as Mailchimp or ActiveCampaign).

If you don’t have an SPF record or there are errors, follow these steps:

Generate SPF Record

Use this SPF Record Generator from EasyDMARC.com to generate your SPF record.

Install SPF Record on the Domain

Navigate to your domain’s DNS management system and add a new TXT record using the SPF syntax you just generated. 

  1. Hostname/Location: Enter “ “; no name.
  2. Record type: “TXT”
  3. Value/Data: Enter the SPF record itself. SPF Syntax Record Example: v=spf1 include:_spf.example.com ~all
  4. Save your changes.

Remember: Each domain can only have one SPF record, limited to 255 characters. To authorize multiple email servers, simply add more includes to your existing record.

Validate SPF record

Tools like the SPF checker by EasyDMARC.com can be used to display what recipients view: a roster of servers authorized to send emails on your behalf.
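The kind of checks an SPF validator runs can be reproduced offline. The Python below is an added example, not code from this guide or from EasyDMARC; the function name, messages, and sample records are constructed for illustration. It covers the one-record rule and the 255-character figure mentioned above, and goes one step further by counting the terms that trigger DNS lookups, which RFC 7208 caps at 10.

```python
import re

# Terms that each trigger a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """Return a list of problems in a domain's TXT records (empty list = OK)."""
    spf = [r.strip() for r in txt_records
           if r.strip().lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    problems = []
    if len(spf) > 1:
        problems.append("multiple SPF records: receivers treat this as an error")
    record = spf[0]
    if len(record) > 255:
        problems.append("longer than 255 characters: exceeds one DNS TXT string")
    lookups, all_qualifier, has_redirect = 0, None, False
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1  # lookups nested inside each include count as well
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms: limit is 10")
    if all_qualifier == "+":
        problems.append("'+all' authorizes every server to send as this domain")
    elif all_qualifier is None and not has_redirect:
        problems.append("no 'all' term: unlisted servers are not marked as failing")
    return problems

# Constructed sample inputs (TXT values as a DNS lookup would return them).
GOOD = ["site-verification=abc123", "v=spf1 include:_spf.example.com ~all"]
DUPLICATE = ["v=spf1 include:_spf.example.com ~all", "v=spf1 mx -all"]
TOO_MANY = ["v=spf1 " + " ".join(f"mx:m{i}.example.com" for i in range(11)) + " -all"]
OPEN = ["v=spf1 include:_spf.example.com +all"]

if __name__ == "__main__":
    for label, records in [("good", GOOD), ("duplicate", DUPLICATE),
                           ("too many", TOO_MANY), ("open", OPEN)]:
        print(label, lint_spf(records))
```
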

How to Create & Install DKIM Records

Setting up DKIM records involves creating a pair of keys: a public one and a private one. The public key is added to your DNS as a TXT record, while the private key is kept on the mail server.

Generate DKIM Record – Google Workspace

  1. Sign in to your Google Admin console (at admin.google.com).
  2. Go to Apps > Google Workspace > Apps > Gmail > Authenticate email.
  3. Click Authenticate email.
  4. Select the domain and click Generate new record. A new DKIM TXT record will be generated.
  5. Add the new DKIM record to your DNS
  6. Come back to the Authenticate Email screen & select ‘start authentication’.

Generate DKIM Record – Third Party Email

If you’re using third-party services to send emails, they’ll usually give you the public key to add to your DNS, and they’ll handle the private key.

Generate a DKIM key pair using a DKIM key generator tool or consult your email service provider. 

If you’re dispatching emails directly from your domain, the generator tool will produce a valid DKIM record. If you’re using a third-party service, they usually have pre-generated DKIM records in your account settings. 

Install DKIM Record

Navigate to your domain’s DNS management system and add a new TXT record with the DKIM public key, usually named selector._domainkey, where “selector” is the selector name your email provider or key generator gives you.

  1. Hostname/Location: Enter your selector followed by “._domainkey”; the leading underscore character is required.
  2. Record type: “TXT”
  3. Value/Data: Enter the DKIM record itself. DKIM Syntax Record Example: v=DKIM1; k=rsa; p=<your-public-key>
  4. Save your changes.

Validate DKIM Record

Use this DKIM Record Lookup from EasyDMARC.com to validate your DKIM record.

How to Create & Install DMARC Records

DMARC records serve as the rulebook for your emails, instructing servers on handling emails that fail SPF and DKIM checks, while enabling reporting. 

Generate DMARC Record

Use a tool to generate your DMARC record. Make sure you choose a DMARC policy (none, quarantine, or reject) when doing this.

While there are 11 potential DMARC tags, only v (DMARC version, always “DMARC1”) and p (policy) are strictly required. The “rua” tag is also highly recommended for receiving reports.

Install DMARC Record

Navigate to your domain’s DNS management system and add a new TXT record with the DMARC syntax, incorporating the policy and reporting addresses.  In the DNS management console, you will be asked for the following:

  1. Hostname/Location: Enter “_dmarc”. The leading underscore character is required.
  2. Record type: Enter “TXT”, as DMARC records are published in the DNS as TXT records.
  3. Value/Data: Enter the DMARC record itself. DMARC Syntax Record Example: v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]
  4. Save your changes.

Validate DMARC Record

Use this DMARC Record Lookup tool from EasyDMARC.com to validate your DMARC record.

Note that it may take 24-48 hours before your new DMARC record is recognized across the internet.
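Before publishing, a DMARC record can be checked against the rules described above: v and p required, p one of three values, rua recommended. The Python below is an added example, not code from this guide or from any generator tool; the function names, findings text, and sample records are constructed, and the report address is a placeholder. It also checks tag order and the optional pct tag as defined in RFC 7489.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def check_dmarc(record):
    """Return a list of findings for one DMARC record (empty list = OK)."""
    pairs = parse_dmarc(record)
    tags = dict(pairs)
    findings = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("v=DMARC1 must be the first tag")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("p must be none, quarantine, or reject")
    elif len(pairs) < 2 or pairs[1][0] != "p":
        findings.append("p must directly follow v")
    elif policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports will not be sent")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                findings.append(f"rua entry is not a mailto: URI: {uri.strip()}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append("pct must be a whole number from 0 to 100")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    return findings

# Constructed sample records; the report address is a placeholder.
ENFORCING = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
MONITOR_ONLY = "v=DMARC1; p=none"
MISORDERED = "p=reject; v=DMARC1; rua=mailto:dmarc-reports@example.com"
TYPO = "v=DMARC1; p=quarentine; rua=dmarc-reports@example.com"

if __name__ == "__main__":
    for record in (ENFORCING, MONITOR_ONLY, MISORDERED, TYPO):
        print(record, "->", check_dmarc(record))
```
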

Postmaster Tools

After validating all of your records, sign in to your email and navigate to Postmaster Tools to validate your domain. 

Postmaster Tools tracks data on large volumes of emails sent from your sending domain. It’s helpful for understanding Gmail delivery errors, spam reports, feedback loop, and more.

“To use Postmaster Tools, you need to have a Google Account; use these instructions from Google to add your domain to Postmaster Tools:”

Add your domain to Postmaster Tools

  1. Sign in to Postmaster Tools.
  2. In the bottom right, click Add.
  3. Enter your authentication domain.
    • Tip: You can add either the DomainKeys Identified Mail (DKIM) domain or the Sender Policy Framework (SPF) domain.
  4. Click Next.
  5. Verify your domain:
    • To prove that you own this domain, click Verify.
    • To skip this step and continue without verification, click Not now. You will need to verify your domain at some point to view any data related to that domain. To go back and verify, point to the domain you want to verify. Then, click More and then Verify domain.

Testing Email Authentication

Now that you’ve used the tools above to verify your email deliverability, let’s do two final checks.

Tool Verification – Email Authentication Method

The first email authentication test is to use https://toolbox.googleapps.com/apps/checkmx/. I personally have seen bugs when using this, so I double verify with https://mxtoolbox.com/ by selecting Solve Email Deliverability Problems.


Manual Email Authentication Method

The second Email Authentication method is to manually check the original email for 3 passing markers.

  • Send an email to yourself from your domain email to a different email you use.
  • Once you receive that email, open it & select the three dots to the far right; you’ll see a menu like so:
  • Select < > Show Original
  • Ensure that all 3 of these bottom rows say ‘PASS’
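The three PASS rows in Show Original come from the Authentication-Results header that the receiving server adds. The Python below is an added example, not part of the original guide; it reads that header from a saved raw message and reports the SPF, DKIM, and DMARC verdicts. The function names and both sample messages are constructed, and it assumes Gmail's header is identified by mx.google.com. Headers carrying any other identifier are ignored, because the sender can write those into the message.

```python
import re
from email import message_from_string

def auth_results(raw_message, trusted_authserv="mx.google.com"):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the receiver's header."""
    msg = message_from_string(raw_message)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        # Unfold the header and drop parenthesised comments before parsing.
        value = re.sub(r"\([^()]*\)", "", " ".join(value.split()))
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower().split()[:1] != [trusted_authserv]:
            continue  # not added by our receiver, so it proves nothing
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            results.setdefault(method.lower(), result.lower())
    return results

def all_pass(raw_message):
    """True only when SPF, DKIM and DMARC all report 'pass'."""
    found = auth_results(raw_message)
    return all(found.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

# Constructed sample: a message that passes all three checks.
PASSING = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=selector1;
       spf=pass (google.com: domain of news@example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=news@example.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com
From: news@example.com
Subject: constructed sample

body
"""

# Constructed sample: the receiver's verdict is fail; a second header with an
# untrusted identifier claims pass and must not be believed.
FAILING = """\
Authentication-Results: mx.google.com;
       dkim=none; spf=softfail smtp.mailfrom=billing@example.com;
       dmarc=fail header.from=example.com
Authentication-Results: mail.sender.invalid; spf=pass; dkim=pass; dmarc=pass
From: billing@example.com
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for raw in (PASSING, FAILING):
        print(auth_results(raw), all_pass(raw))
```
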

Email Deliverability FAQs

What defines a bulk sender?

A bulk sender is an individual or entity that sends 5,000 or more emails to individual Gmail accounts within a 24-hour period. All messages sent from the same primary domain are counted towards this limit.

Is bulk sender status permanent? Can it be altered by changing my sending practices?

Once you are classified as a bulk sender, this status is permanent and cannot be changed by modifying your email sending practices.

How can bulk senders ensure they are adhering to the sender guidelines?

Bulk senders can ensure compliance by adhering to Google’s Email sender guidelines, which include requirements for email authentication, infrastructure configuration, and subscription management.

Do the sender guidelines apply to emails sent to Google Workspace accounts?

No, the Email sender guidelines do not apply to messages sent to Google Workspace accounts. These guidelines are only applicable when sending emails to personal Gmail accounts.

Do the sender guidelines apply to emails sent from Google Workspace accounts?

Yes, all senders, including those using Google Workspace, must comply with Google’s Email sender guidelines when sending messages to personal Gmail accounts.

What is the enforcement timeline for sender guidelines?

Enforcement for bulk senders not meeting Google’s Email sender guidelines will be gradual and progressive, starting from February 2024. By June 1, 2024, bulk senders must implement one-click unsubscribe in all commercial, promotional messages.

What are the consequences if senders fail to meet the requirements in the sender guidelines?

If senders fail to comply with Google’s Email sender guidelines, their messages may be rejected or delivered to recipients’ spam folders.

How is the spam rate calculated?

The spam rate is calculated daily. To ensure optimal message delivery, senders should maintain a spam rate below 0.1% and prevent it from reaching 0.3% or higher.

Are all messages required to have a one-click unsubscribe feature?

No, the one-click unsubscribe feature is only required for marketing and promotional messages. Transactional messages such as password reset messages, reservation confirmations, and form submission confirmations are exempt from this requirement.

What is the DMARC alignment requirement for bulk senders?

For messages sent directly to personal Gmail accounts, the organizational domain in the sender From: header must align with either the SPF organizational domain or the DKIM organizational domain.

How can I check if a message is authenticated?

You can check the authentication of a message by looking at the “Mailed by” and “Signed by” headers below the sender’s name in Gmail. If you see a question mark next to the sender’s name, the message is not authenticated.

Are subdomains subject to the requirements?

Yes, all subdomains of an organizational level domain for which a DMARC policy is published are subject to DMARC verification.

How can I find out my spam rate?

You can discover your spam rate using Google’s free Postmaster tools.

What will happen if I don’t meet the requirements?

Failure to meet the requirements may result in your mail being sent to the spam folder or rejected.

How will DMARC improve deliverability?

DMARC allows senders to specify how receivers can act on email which may not be sent from their domains. Depending on the policy published by the sender it may get rejected, or go to the spam folder or no action may be taken.

Are there requirements for non-bulk senders?

Yes, starting February 1, 2024, all senders who send email to Gmail accounts must meet certain requirements.

How can I fix messages that aren’t authenticated?

To fix unauthenticated messages, ensure that messages you sent are authenticated using DKIM (preferred) or SPF.

Why should I test my DMARC record?

Testing your DMARC record can help you verify if your record has been published correctly, prevent mistakes in the formatting of your record, provide more information about the possible extra parameters, and find out where your DMARC reports are being sent to.

How to create a DMARC record?

Use either of these free tools to generate a DMARC record: https://easydmarc.com/tools/dmarc-record-generator  https://dmarcian.com/dmarc-record-wizard/ 

Alt Email Marketing Provider Instructions

  • Flodesk
  • ActiveCampaign
  • ConvertKit
  • Mailchimp
