As marketers, we spend a lot of time thinking about the purpose of an email campaign, how it looks and what content to include. We don’t necessarily think much about how it is getting into our customers’ inboxes.

So we asked Daniel Thorpe, Spotler Group’s Head of Deliverability, to explain properly what the Gmail & Yahoo updates of February 2024 mean, who can implement the requirements, and the steps they need to take.

Note: this article also covers the changes by Microsoft, who announced similar requirements starting May 2025.

Watch the recorded session here.

Requirements Recap

Google: Google Workspace Admin Help

Yahoo: Yahoo Sender Hub

Outlook: Microsoft Tech Community

Spotler already take care of most of the items in this list for our customers; you’ll just need to focus on the ones in italics.

If you’re using a different ESP, you’ll need to check how much rests with you to carry out.

All senders

  • Set up SPF or DKIM email authentication for your domain.
  • Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records.
  • Use a TLS connection for transmitting email.
  • Keep spam rates reported in Postmaster Tools below 0.10% and avoid ever reaching a spam rate of 0.30% or higher.
  • Format messages according to the Internet Message Format standard (RFC 5322).
  • Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC “quarantine” enforcement policy, and impersonating Gmail From: headers might impact your email delivery.
  • If you regularly forward email, including using mailing lists or inbound gateways, add ARC headers to outgoing email. ARC headers indicate the message was forwarded and identify you as the forwarder. Mailing list senders should also add a List-id: header, which specifies the mailing list, to outgoing messages.

If you send more than 5000 emails per day:

  • Set up DMARC email authentication for your sending domain. Your DMARC enforcement policy can be set to “none”.
  • For direct mail, the domain in the sender’s From: header must be aligned with either the SPF domain or the DKIM domain. This is required to pass DMARC alignment.
  • Marketing messages and subscribed messages must support one-click unsubscribe, and include a clearly visible unsubscribe link in the message body.

“Better to have it and not need, than need it and not have it”

As these steps are being taken to crack down on spammy behaviour and illegitimate senders, it seems reasonable to think that they will be added to in the coming years or even months. So we believe that if you are currently sending any bulk mail, setting up DMARC now is still a smart move. Spotler clients have been encouraged to set up DMARC authentication for several years, regardless of how much sending they are doing. This not only leaves them free to concentrate on producing the highest-quality emails rather than fiddle about with technical compliance, it also sends a clear message to their audience that they take privacy and security seriously, and that they are proactive in following industry best practices.

What do these updates need you to do?

One-click unsubscribe

This is not a function of your email design. It refers to a process between Gmail/Yahoo and your ESP. The jargon you need to know is “List-Unsubscribe” or “List-Unsubscribe-Post” header. The Mailbox Provider will use these headers to provide an unsubscribe link in the UI, to encourage users to unsubscribe safely if they don’t want to engage with the email directly.

It also encourages the recipient not to complain by reporting the email as spam. Most Unsubscribe links that are included in email designs are two-click: clicking the link takes you to a preference centre where you click a button to Unsubscribe. But unfortunately, if recipients don’t want to receive the email, they are very unlikely to use that unsubscribe. Instead, they are more likely to report the email as spam.

With Google and Yahoo focusing a lot on complaints and spam rates, an unsubscribe is a better outcome. This helps avoid the spam rate 0.1% and 0.3% thresholds.

This particular requirement has actually been delayed until June 2024, as it requires development work from ESPs, which takes a while to test and deploy.

Google Postmasters

Google Postmaster Tools

This is a set of tools that show you various metrics for your delivery to Google. The 2 best graphs to pay attention to are “User-Reported Spam”, where you’ll see how close you are to the target of <0.3%, and “Domain reputation”. Domain reputation is mostly for B2C senders at this point, as it measures how you perform when sending to @gmail, and @googlemail, but not GSuite (Google’s business accounts). However, there is a belief among deliverability experts that this will be expanded, so it’s worth familiarizing yourself with the tool now and benchmarking your current performance.

Access to this data depends on you sending enough volume to register, and on you having a good enough reputation. Google do not show any data for very bad senders, because the information can be used by them and Google don’t want to give information to spammers.

DMARC

Important note: This article is meant to explain what DMARC is; it is not a guide to how one should implement it. DMARC has more considerations than this article explains, and every domain will be different in its setup and rollout of DMARC.

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It lives on the visible From address that you use to send your emails.

These mailbox provider requirements currently all talk about high-volume senders, or sending over 5000 a day.  But that could change any day to just be all domains.  Therefore, you should be setting up DMARC for every domain your business uses, regardless of what the domain is used for. 

Note that to pass DMARC authentication, your domain needs to also pass either SPF or DKIM authentication.  For many years now, Spotler has not allowed customers to use domains that don’t already pass SPF, DKIM and DMARC.  But depending on the domain you use and its policy setting, all this DMARC talk is still important for you.

There are several different tools you can use to check whether you have a DMARC record set up; two popular ones are:

Whether you have a DMARC record, and whether it is doing what it needs to do, are not exactly the same question.

If you don’t already have a DMARC record, here’s what you need to know.

DMARC has 3 policy levels, which you should move through one at a time:

  1. p=none (minimum requirement)
  2. p=quarantine
  3. p=reject (best)

The point of DMARC is to protect your sending domain from being abused or spoofed by malicious actors.  These policy values are instructions to the mailbox providers, for how to handle emails from your domain that fail authentication. 

The minimum requirement that mailbox providers ask for is a “none” policy but the intention of DMARC is for you to progress your policy up to “reject”.

“p=none” means your instruction to the mailbox provider is to do nothing if they receive unauthenticated email from your domain. You technically pass DMARC. But if some malicious actor is using your domain, you aren’t telling the mailbox provider to do anything about it. The emails sent by malicious actors will be delivered, and your reputation can be severely impacted by them.

“p=quarantine” is the mid-point for rolling out DMARC on your domain. Your instruction to the mailbox provider is to quarantine all email sent from your domain that fails authentication. Malicious actors are now immediately unable to use your domain with the success they have with a “none” policy. But quarantined emails could still be accessed by the recipients and your reputation can still be impacted.

“p=reject” means you are confident all email sent using your domain passes authentication.  Your instruction to the mailbox provider is to reject all email sent from your domain that fails authentication.  This is the strongest policy setting, and you should be aiming to get your domain to this level.

You cannot just immediately start with a “reject” policy, however. DMARC affects your whole domain. You must check that every use of your domain passes authentication. If you know your domain is only used at a single place, say an ESP, then you could go straight to the “reject” policy. But if the domain you are managing is used elsewhere, say for your day-to-day business emails, then you need to make sure they pass authentication too. Otherwise, if you were to start higher than the “none” policy, you could impact your email sending from those other sources.

Another important note: DMARC is set up on the root of the domain, and its policy applies to all subdomains. So, if DMARC is set up for example.com, it’s also set up for esp.example.com and support.example.com, but not for example-esp.com or example.co.uk.

So if the domain you use for an ESP is a subdomain of a domain that is used elsewhere, you are setting up DMARC for the domain in its entirety, not just for the subdomain.
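The lookup behind this, as an added example (not code from the article): a receiver checks the From: domain for a DMARC record and falls back to the root (organizational) domain. It goes slightly beyond the text by also handling a subdomain that publishes its own record and the `sp=` subdomain tag; the TXT data and the two-entry suffix list are constructed assumptions.

```python
# Constructed TXT records standing in for live DNS lookups.
TXT = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.support.example.com": "v=DMARC1; p=none",
}
# Assumption: a two-entry stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "co.uk"}

def org_domain(domain):
    """Return the registrable (organizational) domain, e.g. example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain

def parse(record):
    """Split 'tag=value; tag=value' into a dict; None if not a DMARC record."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else None

def effective_policy(from_domain, txt=TXT):
    """Return (policy, domain whose record supplied it) for a From: domain."""
    d = from_domain.lower().rstrip(".")
    own = parse(txt.get(f"_dmarc.{d}", ""))
    if own:                               # a record on the exact domain wins
        return own.get("p"), d
    org = org_domain(d)
    tags = parse(txt.get(f"_dmarc.{org}", "")) if org != d else None
    if tags:                              # subdomain inherits; sp= overrides p=
        return tags.get("sp", tags.get("p")), org
    return None, None

if __name__ == "__main__":
    for name in ("esp.example.com", "support.example.com",
                 "example-esp.com", "example.co.uk"):
        print(name, effective_policy(name))
```

In this sample data, support.example.com publishes its own weaker record, so it does not inherit the root domain's policy; that is worth checking for when auditing a domain.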

This is why the DMARC setup in your DNS allows for reporting addresses (rua and ruf), which tell mailbox providers where to send reports about your DMARC authentication.

The idea with DMARC is that you should use the reporting feedback and start with a “none” policy.  You check the reports and make sure every email you send for your domain passes authentication, fixing any that fail.  When you are confident that all your genuine mail passes, you move to the “quarantine” policy and monitor again. When you are confident everything still passes ok, you move to the “reject” policy.  But if you are already 100% confident, you could start with “reject” straight away.
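One way to work through the aggregate (rua) reports at each stage, as an added example rather than Spotler's own tooling: it splits failing sources into your own senders, which must be fixed before raising the policy, and unknown ones. The report, the IP addresses and the `KNOWN_SENDERS` inventory are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate (rua) report, trimmed to the fields used below.
REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>12</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical inventory of the IPs that legitimately send for the domain.
KNOWN_SENDERS = {"192.0.2.10": "ESP", "198.51.100.7": "office mail server"}

def dmarc_failures(xml_text):
    """Count messages per source IP that failed both aligned DKIM and SPF."""
    failed = Counter()
    for row in ET.fromstring(xml_text).iter("row"):
        ev = row.find("policy_evaluated")
        # DMARC passes if either aligned check passes.
        if "pass" not in (ev.findtext("dkim"), ev.findtext("spf")):
            failed[row.findtext("source_ip")] += int(row.findtext("count"))
    return failed

def review(xml_text, known=KNOWN_SENDERS):
    """Split failures into own senders to fix and unknown sources."""
    policy = ET.fromstring(xml_text).findtext("policy_published/p")
    failed = dmarc_failures(xml_text)
    to_fix = {ip: n for ip, n in failed.items() if ip in known}
    unknown = {ip: n for ip, n in failed.items() if ip not in known}
    return {"policy": policy, "fix_before_raising": to_fix,
            "unknown_sources": unknown, "ready_to_raise": not to_fix}

if __name__ == "__main__":
    print(review(REPORT))
```

Unknown failing sources still need a human look: they are either a sender missing from your inventory or the spoofed mail a stricter policy is meant to act on.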

An example DMARC record for each stage of a staged rollout with reporting would look something like:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com

Microsoft Email Hygiene Recommendations

Microsoft also recommend the following for email hygiene…

  • Compliant P2 (Primary) Sender Addresses: Ensure the “From” or “Reply‐To” address is valid, reflects the true sending domain, and can receive replies. 
  • Functional Unsubscribe Links: Provide an easy, clearly visible way for recipients to opt out of further messages, particularly for marketing or bulk mail. 
  • List Hygiene & Bounce Management: Remove invalid addresses regularly to reduce spam complaints, bounces, and wasted messages. 
  • Transparent Mailing Practices: Use accurate subject lines, avoid deceptive headers, and ensure your recipients have consented to receive your messages. 

These are not currently technical requirements, but they are worth reviewing.  The last three are self-explanatory but we have had some questions about the first, so let’s go into that.

This recommendation states that the “From” or “Reply-To” address should be valid: not an address that doesn’t exist, where sending an email to it would bounce. Ideally, the replies go into something that humans can access. Sending from “noreply@” type addresses is not technically denied by this recommendation, but the tone here is you shouldn’t use them.

Our Recommended Next Steps

Ensure Opt-Ins – Ensure you are emailing people who want to hear from you

Test Subscribed Contacts – Periodically send messages to ensure subscribed contacts are engaging

Avoid Spam Content – Links and attachments should be visible and easy to understand. Don’t encourage contacts to click on links they don’t understand

Unsubscribe Contacts – Consider manually unsubscribing contacts who aren’t interacting

Readability – Keep spam score down with clear and engaging subject lines, and avoid misleading text

“noreply” – Stop sending from “noreply@” type addresses and make the recipients feel they can reply and reach a human if they want to.

Need more help?

If you’re a Spotler customer, as much of this work as possible has been done for you already, as we challenge ourselves to stay ahead of industry best practices as much as possible. Your account manager is the best person to contact if you want further information and support to roll out these changes.

Not using Spotler yet? Let’s talk about how we can help you send better, more secure emails.