All you need to know about the new deliverability rules for Gmail and Yahoo! in 2024

For several weeks now, the small world of email marketing has been buzzing around the Gmail and Yahoo! announce new deliverability rules for 2024. So it's time for a full update on the subject.

These new rules, like all email deliverabilityare first and foremost designed for protect users. Protect them from spam and unsolicited messages, but above all to guarantee their safety.

These two major objectives involve the need to prove your identity through various more or less technical processes and ensure that the recipients of your emails really want to receive them (and can therefore also object to receiving them).

Let's make no mistake. Together, Gmail and Yahoo! have simply dictated the new minimum foundation for email deliverability best practices.. In B2C databases, Gmail is often the most represented destination. By teaming up to announce very similar rules, the two players can be sure that all senders will align themselves with them. There's a reason why so much digital ink has been spilled.

Follow our next live broadcast: Yahoo and Google deliverability rules change... what's next?

Thursday, March 21, 2024 at 11 a.m.!

At the start of 2024, Google and Yahoo! shook up the email marketing world with a series of new deliverability rules. After a few weeks, what is the real impact of these rules? And above all, while some were completely unprepared, what can we expect in the future? Should we expect even more drastic rules in 2025? How can we prepare for future waves?

We'll be discussing all this with Yanna-Torry Aspraki (EmailConsul and EspecialMail) and Yves-Marie Le Pors-Chauvel (Postmastery).

Add the link to your calendar

In fact, there is no registration required for Badsender lives! You just have to go to our Youtube channel on D-Day.

However, to make sure you don't miss the live event, don't hesitate to use the links below to add the event to your agenda: Apple  Google  Office 365  Outlook  Outlook.com  Yahoo  

Pace of rollout of new Gmail and Yahoo! rules in 2024

Regarding the deployment date of these new rules, if they will begin to be implemented in February 2024 for Gmail and Yahoo! some will be progressive.

Google has announced that non-compliant senders will start to see the receipt of certain emails delayed from February 2024. Rejections will begin in April.

Regarding the introduction of List-Unsubscribe "one-click" (see below), the obligation will be active from June 2024 for both Google and Yahoo!

So you're not going to hit a brick wall on February 1.But if you're not very good at deliverability best practices, the hurdles will gradually build up by 2024.

Who is affected by these updates?

Any sender targeting Yahoo! and Gmail addresses. For Google this means two : gmail.com and googlemail.com. Google specifies that these rules do not apply to e-mails sent to business mailboxes from Google Workplace.

On the Yahoo! side, this concerns a large number of domain names (yahoo.com, yahoo.com, ymail.com, aol.com, aol.fr...). You can find an "almost" exhaustive open source list of Yahoo! deliverability destinations at our EmailDestinations project on GitHub.

Mass shippers are subject to some additional requirements which we'll explain below. Google points out thatfrom 5000 emails per day, you are considered a mass sender. There is no encrypted limit for Yahoo! which defines a mass sender as one who sends a "significant" quantity of emails.

If you're reading this, you're probably a mass-mailer. So try to comply with all the email best practices listed below. It can't hurt.

Should we expect Armageddon?

No. Just confirmation of good deliverability practices which have been repeated for many years. By the way, on the technical side, it's likely that if you go through a professional platform you're already obliged to authenticate your emails correctly, and that one-click List-Unsubscribe has been available for a long time.

The scary thing is now the rules are officialThey're written in hard copy in the documentation, and the consequences are known. So.., if you're a spammer (or one who doesn't know it), your life's about to get a whole lot tougher.. For the rest of you, keep working on the best practices on the market to keep improving.

If, on the other hand, you have good deliverability practices, you should be able to get by with a few minor adaptations.

On the other hand, compliance with these rules will in no way guarantee delivery of your emails in the main box. It's still a minimum to respect.

Finally, it's important to note that allowing your email recipients to feel safe and confident in their inboxes is also a great way to improve the overall email user experience. The less spam and illegitimate emails there are, the higher the visibility of your messages. Think about it!

Respect the basics of email deliverability

In its documentation and FAQ, Yahoo! takes the liberty of recall some basic elements that you are supposed to respect if you respect the law:

• Make sure yousend emails only to recipients who have requested them.
• Respect the delivery frequency promised at the time of registration (don't move your subscribers from your newsletter to your daily newsletter without asking).
• The optin must be explicit (no pre-checked boxes).
• Don't buy a contact list (and stop using previously acquired lists).
• **Remove inactives** from your contact lists.

All this should have been taken for granted a long time ago, but unfortunately we have to admit that this is not the case in our daily lives. If you don't respect even these elements, respecting the new Gmail and Yahoo! rules won't be enough..

Deliverability indicators

Maintain an email complaint rate below 0.3%

For both Gmail and Yahoo!, the threshold rate is clear: you must not never exceed the 0.3% limit for spam complaints. At Google, negative impacts begin if you exceed 0.1% spam complaints. The 0.3% is a threshold above which your e-mails will land in the spam box or be rejected, and will not be eligible for intervention by Google via their contact form of "Mitigation".

For Gmail, the reference rate is the one in the "Spam rate" tab. on Google Postmaster Tools. At Yahoo! you can track your complaint rate via the Yahoo! feedback loop or via the Deliverability and Performance Feed.

Yahoo! specifies that the complaint rate is calculated by dividing the number of complaints by the number of successful emails.

Who's concerned? The whole world

What does this mean in concrete terms?

First step, if you haven't already done so, configure Google Postmaster Tools for all your domains and sub-domains. This will enable you to track your Gmail spam complaint rate. On the Yahoo! side, you will need to have configured the "Complaint Feedback Loop" to find out your complaint rate.

Here, we're not dealing with a technical criterion, but with a question of performance. To achieve control your complaint rateit is recommended to work on acquisition sources addresses, on email inactives and on segmentation. In general, all the good marketing practices that are good for your engagement rates will also be good for reducing your spam complaint rate.

It is also We recommend that you separate your different types of email into different sub-domains (and different IPs).. This makes it possible to have different complaint rates for different types of messages, and to avoid having all your emails blocked at once.

Authentication required for everyone

We won't go into too much detail here, as we have several very complete articles dedicated to theemail authentication to which you can refer.

Just remember :

• SPF (Sender Policy Framework) allows you to define which IP addresses are authorized to send emails for a domain name.
• DKIM (DomainKeys Identified Mail) allows you to add a cryptographic signature to emails to ensure that their content is not altered during transport.
• DMARC (Domain-based Message Authentication, Reporting and Conformance) allows you to define a reject or quarantine policy if the message is not SPF or DKIM compliant. It also allows you to receive compliance reports.

These three techniques (along with the 4th, BIMI, which is not affected by the new Gmail and Yahoo! rules) allow you toauthenticate that the email sender is legitimate.

DKIM "or" SPF configuration

For all email senders to Yahoo! and Gmail, setting up either DKIM or SPF becomes mandatory.

Who's concerned? The whole world

What does this mean in concrete terms?

It is necessary to configure one or other of these techniques for all your emailsSPF is the simplest of the two to deploy. The simpler of the two to deploy is normally SPF.

DKIM "and" SPF configuration

SPF and DKIM have been recommended for many years. Bulk mailers will now have to configure both or their emails will be rejected.

In its documentation, Google recommends using the same domain for email authentication as for hosting your public website. This further strengthens the legitimacy of your domain and therefore of your mailings.

Who's concerned? Mass shippers

What does this mean in concrete terms?

If you're using a pro email solution, then you should find all the information you need in its documentation. Every modern mailing platform must implement SPF and DKIM.

If, on the other hand, you've built an in-house mailing solution, especially for DKIM, you're going to have your work cut out for you.

DMARC configuration

The use of DMARC becomes mandatory. But for the time being allowed to use a neutral policy. It is nevertheless recommended touse DMARC reports to bring all your traffic into compliance email. This will ensure that all your emails are authenticated with SPF and DKIM.

Who's concerned? Mass shippers

What does this mean in concrete terms?

The most basic action is simply to have a DMARC record on your DNS server. It's simple, and doesn't cost more than a 10-minute intervention.

Ideally, DMARC reports should be monitored. to ensure that all your traffic is properly authenticated.

Shipping strategy and technical configuration

Sending domain alignment

Once again, to legitimize your identity as a sender, Yahoo! and Google ask you to align your domains. This means that domain names to send your email must be the same as those used in your SPF and DKIM authentications.

There has to be a correct alignment with one of the two authentication techniques, either SPF or DKIM (but both at the same time is even better).

When it comes to alignment, there are two different levels. Strict or relaxed alignment. Strict alignment means that the domain is exactly the same, whereas on "relaxed" alignment, a sub-domain is allowed. The DKIM and SPF alignment policy is defined in your DMARC registration. A "relaxed" alignment is allowed by Gmail and Yahoo!.

Who's concerned? Mass shippers

What does this mean in concrete terms?

This is one of the most technical points in this article. To check your alignment level, you'll need to read the technical header of your email and check 3 things:

• From:" address This is the email address displayed to the recipient.
• Sender address "Envelope This is the Return-Path email address declared in the SMTP dialog, and to which bounces will be sent.
• The domain declared in the DKIM signature(s)

SPF alignment means that the domain of the "Envelope" address is the same as the domain of the "From:" address. In relaxed mode, sub-domains are allowed. In strict mode, it must be exactly the same domain.

DKIM alignment means that the domain of the DKIM signature is the same as the domain of the "From:" address. In relaxed mode, sub-domains are allowed. In strict mode, it must be exactly the same domain.

To validate DMARC, at least one of the two alignments must be respected.

More details in Google's documentation on the subject : https://support.google.com/a/answer/10032169?sjid=6612418846590111173-NA#alignment

Valid "reverse DNS" and "forward DNS" records

Once again, it's a bit technical! In short, these two techniques enable you to check that your sending domain is linked to your IP address via a type "A" DNS record (forward DNS). And in the other direction, your IP address is linked to your sending domain name via a "PTR" (reverse DNS) DNS record.

Two-way validation provides additional proof of the legitimacy of your emails and the absence of identity theft.

Who's concerned? The whole world

What does this mean in concrete terms?

Test your IP and domain configuration. I recommend that you do it via MultiRBL. By entering your IP address, the tool will automatically check that the domain in the PTR record refers to the original IP address.

Yahoo! specifies that the domain name present in the PTR record of your IP address must refer to your "From:" domain in some way.

Format your messages correctly

Your messages must comply with the Internet Message Format Standard described below. in RFC 5322. We won't go into it for too long in this article. It's all very technical. This standard describes how an email should be formatted. It must be respected. End of story 😉

Who's concerned? The whole world

What does this mean in concrete terms?

Probably nothing if you use an email tool market. It's up to them to make the changes, but chances are they're already compliant. If, on the other hand, you're using an "in-house" e-mail solution, you'd do well to check your compliance.

Introducing List-Unsubscribe "One-Click

As a reminder, List-Unsubscribe is the technical mechanism that enables webmail and messaging interfaces to display a unsubscribe button outside email content.

It becomes mandatory for Yahoo! and Gmail to put a List-Unsubscribe in your email headers. This List-Unsubscribe must be in "Post" mode. This means that the person who clicks on this List-Unsubscribe will no longer have to exit the webmail or email client interface to perform the unsubscribe action. The information will be automatically sent to the email routing platform.

What's more, this List-Unsubscribe will only be active if the email is signed by DKIM and DKIM signs the List-Unsubscribe and List-Unsubscribe-Post elements of your email.

If the "one-click unsubscribe" option becomes compulsory, this is only for promotional and commercial emails. Transactional emails should not be equipped with it.

The deadline is June 2024 for Yahoo! and Google. Unsubscription must be effective within two days of the user's action.

Who's concerned? Mass shippers

What does this mean in concrete terms?

Again, if you're working with a professional email solution, the implementation should be done directly by them. Nevertheless, if in doubt, you can check your email headers and see if you can find a "List-Unsubscribe-Post: List-Unsubscribe=One-Click "and the "List-Unsubscribe:" header contains a URL.

If you're using an in-house system and you're not using the unsubscribe mechanics natively integrated into your email campaign management solution. Then you've probably got your work cut out for you.

Using an encrypted connection with TLS on the Gmail side

TLS is used to encrypt the connection between two servers (in this case, SMTP for sending e-mail). While TLS was already widely recommended is now mandatory in order to send emails to Google.

Who's concerned? The whole world

What does this mean in concrete terms?

Once again, this is a highly technical notion, which takes place entirely on the sending server side. In principle, there's nothing to worry about if you're using a commercial solution. In Gmail, you can easily check whether an e-mail has been sent via a TLS-secured connection.

Other changes

Mass mailings from one address gmail.com

Google will publish a DMARC record with a "quarantine" policy. Yahoo! has long since switched to a "reject" policy.

This means that if you send emails with an address like mycompany@gmail.com from a third-party mailing platform (i.e. not from Gmail), your emails will be rejected or spammed.

Who's concerned? Not so many readers of this page (I hope)

What does this mean in concrete terms?

You'll need to use a domain name specific to your company and configure it on your mailing solution. If you don't have a domain name (and therefore no website), it's time to acquire one.

Simple and immediate unsubscribing

It must be easy for your recipients to unsubscribe of all the e-mails sent by your company, and all at once (even if you have several types of e-mail). This means that the unsubscribe link in your email must be visibleclearly identifiable and lead directly to a preference or unsubscribe page.

This means you don't have to put unsubscribing behind a login screen, or wait a month for the action to take effect. What's more, unsubscription must be effective within two days depending on the user's action.

Who's concerned? Mass shippers

What does this mean in concrete terms?

Set up a clearly visible unsubscribe button in your emails, allowing you to unsubscribe from all your emails at once. In an ideal world, this link would redirect to a email preference center.

Do you still have questions?

Will non-compliance trigger specific bounces?

Non-compliance may first send your e-mails to the spam box. If your emails are rejected, error codes will be sent with a specific message depending on the reason for rejection. This has been the case since September for thetotal lack of authentication in emails sent to Google.

In some cases, failure to comply with the rules (at least at Google) means that your mitigation requests via their contact form will be rejected by default.

Will a deleted/deactivated account send a specific bounce (soft, hard)? If so, on all shipments?

If we're referring to the fact that Gmail has been deactivating inactive email accounts since early December 2023 (the famous Gmail purge). So yes, deactivated addresses return bounces of the unknown user type.

Is List-unsubscribe required for all email types?

No. One-click List-Unsubscribe is only required for promotional and marketing e-mails. Basically, for emails where it's legitimate for a recipient to want to unsubscribe. List-unsubscribe is therefore not required for transactional emails.

Live: Deliverability: what to make of the recent announcements from Gmail and Yahoo!

This is the kind of (complex) subject that it's essential to cover orally.
In this live report, we go over every point of the latest announcements. We'll explain the impact on the delivery of your emails, and what you need to do to ensure they're received correctly.

Questions and answers during Live

Q: Do certifications such as Validity or CSA have an added value on this subject-> avoiding blacklisting in the event of a complaint rate exceptionally above the acceptable threshold?

R : Badsender For Gmail, no. For Yahoo, if you're above the Validity threshold you'll lose certification, so it's all the same.

Q: Do you have any service providers to recommend for reinterpreting the DMARC reports generated? Thank you! 🙂

R : Badsender Dmarcian, DmarcAdvisor, EasyDmarc, Merox, Dmarc.fr, ...

Q: Can't we use a preference center anymore? Or have a direct link and a link to preferences?

R : Jontathan Loriaux Yahoo, in its documentation, explicitly cites the advantages of the preference center.

Q: How do I monitor with GPT? Do you have an article on the subject?

R : Badsender Yes it's this way : https://www.badsender.com/2018/12/18/…

Q: Hello, can we still have a landing page on our site on which we ask questions about why we unsubscribe?

R : Jontathan Loriaux List-Unsubscribe must be clearly distinguished from the unsubscribe link in the e-mail. In List-Unsubscribe, you won't be able to declare a landing page; unsubscribing will be a one-click, immediate process. On the other hand, in the unsubscribe link in the e-mail, the landing page can still be used, but unsubscribing must be the primary objective of this page.

Q: If there's a "preference center", unsubscribing via list-unsubscribe won't prevent you from receiving "other mails/optins". There's a risk that Gmail will think you're still sending mail.

R : Jean-Philippe Machanovitch ' The average threshold would then be to deoptinize on all optins
R : Alexandre Zibrick From what I've heard from people at Google, the pref center is still ok for them. They just don't want a recipient who has unsubscribed to continue receiving mail.

Q: Will theunsubscribe list be mandatory for all mailings?

R : Jontathan Loriaux No, it's only for commercial and marketing mailings. Triggers (confirmation, lost password, etc.) are excluded unless they are of a commercial nature.

Q: Are the big emailers (mailchimp, brevo, others) already aligned with these requirements? Or... more or less?

R : Jontathan Loriaux It varies a lot. We can distinguish between self-service platforms and those requiring Onboarding. The latter will be much better equipped, particularly in terms of domain name alignment, reverseDNS, etc., even if it's not perfect everywhere. On other self-service platforms, such as Mailchimp, there are bound to be quite a few changes, particularly as regards SPF alignment, as many of them use the platform's technical domains.

R : Alexandre Zibrick I mean, we're mostly aligned with these new demands, and work with our customers on the rest. At the end of the day, it's not all about the router.

Q: If I have several opt-in types (because I have several message types) and the user unsubscribes from just one opt-in, how will Gmail interpret this?

R : Jontathan Loriaux He'll misinterpret it... because he won't understand the difference between your different types of optins unless you take him to a Preference Center.

R : Alexandre Zibrick I don't think we should imagine for a second that Google, Yahoo and others aren't capable of detecting the various actions of your users. Their means are sufficient.

Q: How do they differentiate between commercial emails and password emails, confirmations, etc.?

R : Jontathan Loriaux To be able to differentiate between them, you need to help them. On the one hand, the content (both the content of the e-mail and the subject line) of your e-mail helps Gmail and Yahoo to categorize the type of message, but it's also a question of the delivery address. If you get Gmail and Yahoo used to sending your purchase confirmations and lost passwords from one delivery address and your newsletters from another, this will help them to categorize and know what filtering behavior they need to have for the different message typologies.

Q: Is there a daily or campaign complaint rate?

R : Badsender I'll say per day, I haven't seen a notification that says this is done to the campaign because not all mass mailers have set up their feedback loop (for Gmail).

Q: Haven't there been a few BIMI breaches with certified spammers?

R : Badsender : Yes, a few months ago at Gmail because of Microsoft :p

Q: Is it possible to consult this complaint rate?

R : Badsender ' Google provides 2 types of complaints in its Google Postmaster Tools: complaints per day (Spam Rate) and complaints per campaign (Feedback Loop - if the latter is properly configured via a Feedkback-id).

Q: Microsoft is very (more) restrictive, isn't it?

R : Jontathan Loriaux I don't know if you could say they're more restrictive... I'd say they're less legible in the way they work. As a result, it's perhaps more abrupt the way filtering and blocking are carried out. What Gmail & Yahoo are doing is pretty strong, and lays a real foundation. It's a shame that Microsoft isn't participating in this movement in the same way... In short, it's more complicated to manage at Microsoft.

Q: Will this reinforcement of best practices for 2024 be homogeneous worldwide, or will there be differences by geographical zone (e.g. EU vs. US vs. South America)?

R : Jontathan Loriaux Yahoo is a separate entity from Yahoo, so the rules don't apply. Otherwise, I don't think there will be any difference in treatment between countries for Gmail or Yahoo.

Q: Where I can't get clear information about the spam rate: is it a rate that must not be exceeded for all sub-domains? For example, if a sub-domain exceeds these rates, does it penalize all sub-domains with the same "master" domain, or just the sub-domain concerned?

R : Jontathan Loriaux I think it's interesting to keep things in perspective. If you exceed the complaint rate of 0.3% on the main domain, you're potentially going to have an impact on all the sub-domains, and then you also have to monitor each independent sub-domain, but I don't think - but this will have to be checked - that if a single sub-domain causes a problem that there will be a contagion on the other sub-domains and on the main domain. In any case, we're going to learn a lot from February 2024 onwards, and after that about what's going to happen to the campaigns.

Q: What do you think is the motivation behind these new requirements? It seems to me that the underlying aim is to reduce the volume of mail stored.

R : Jontathan Loriaux What you need to bear in mind is that the big e-mail operators have 2 major challenges: 1) Making the user experience of their solution a pleasant one - this is a number one criterion, as it will enable them to get users and therefore keep afloat, generate advertising revenue and clearly filter out spam and graymail. 2) The cybersecurity aspect: all these rules will make it easier for them to reject more criminal-type messages (phishing, extortion, scams, etc.), as there is a legal risk vis-à-vis them if they were to do a poor job of protecting themselves.

Q: Do you have any feedback on the benefits of using private IP addresses for deliverability?

R : Jontathan Loriaux We're talking here about dedicated IP(s). There are many brands for whom dedicated IPs are not relevant, because their volumes are too small or their mailings too irregular. In this case, it's better to continue with shared IPs. After certain thresholds, it's difficult to give figures without knowing the advertiser's context. On the technical side, a dedicated IP address will make it easier to comply with reverseDNS or DMARC alignment with the MailFrom / return-path domain signed with SPF, since this IP will only be used by a single advertiser.

Q: What should a marketer listening to this live stream do to avoid being impacted by Gmail and Yahoo requirements?

R : Jontathan Loriaux ' Call a meeting with your alter ego in the IT department to review the various points mentioned in our article and classify them into 3 categories: this is ok, that's not ok, that we don't understand. And anything you don't understand, you'll need to ask your campaign management tool's support, or call in external consultants (like us) to draw up a checklist and make recommendations for implementation and deployment (send us an e-mail at yesreply@badsender.com).

Q: And maybe define what a complaint is?

R : Sébastien Fischer Yes, an action on the SPAM button on the mailbox with a feedback loop behind it.

Q: Would the BIMI standard have an impact on this? Is it mandatory? Is there any point in doing so?

R : Sébastien Fischer No impact on this subject. No Bimi is not mandatory at the moment, but I strongly recommend it for several reasons: adding an additional security protocol to the DNS, legitimizing the brand by displaying the logo and checkmarks (at Google and potentially at Yahoo if it decides to bring it back into service) to recipients.

Q: Is DMARC becoming mandatory?

R : Sébastien Fischer For mass mailings, yes, but it's better to implement it everywhere. It would be a shame to give the spammer a free ride by not securing your domain name and/or monitoring its activity (via DMARC reports).

Related resources

Google publications

• The announcement on the Gmail blog: https://blog.google/products/gmail/gmail-security-authentication-spam-protection/
• Official Gmail documentation : https://support.google.com/mail/answer/81126
• Gmail FAQ: https://support.google.com/a/answer/14229414

Publications from Yahoo!

• The announcement on Yahoo!'s Postmaster blog : https://blog.postmaster.yahooinc.com/post/730172167494483968/more-secure-less-spam
• An update of the initial announcement by Yahoo! https://blog.postmaster.yahooinc.com/post/737268108173230080/an-update-on-enforcing-email-standards
• Official Yahoo! documentation : https://senders.yahooinc.com/best-practices/
• Yahoo! FAQ: https://senders.yahooinc.com/faqs/

Additional resources

• On the Wordtothewise blog: https://wordtothewise.com/2023/10/new-requirements-for-bulk-senders/
• The announcement of the new rules on Al Iverson's blog: https://www.spamresource.com/2023/10/gmail-and-yahoo-new-deliverability.html
• Additional information on the dates from Al Iverson: https://www.spamresource.com/2023/12/yahoo-mail-and-gmail-compliance.html