Understanding the Gmail and Yahoo DMARC Requirements


On October 3, 2023, Google and Yahoo announced requirements that bulk senders must have DMARC in place by February 2024. 

As part of our mission to make DMARC accessible for all, we’re here to help. This guide applies regardless of the size or complexity of your email infrastructure.

Who is affected?

If you send 5,000 messages a day or more into either of the world’s largest mailbox providers, starting February 1, 2024, your email domain must have a DMARC policy in your DNS. These messages must pass DMARC Alignment or they will not be delivered. This includes messages sent on behalf of your organization by third-party email service providers (ESPs) like Constant Contact and MailChimp that use your email domain.

Note: If you’re also hosting your domain on Google Workspace, your internal message volume will likely count towards this daily limit.

Why is this happening?

Google and Yahoo both recognize the importance of email and are taking steps towards making it safer and more secure. By focusing on email validation, they are helping prevent unwanted spam and potential bad actors from reaching their customers’ inboxes.

Sending from a domain that has DMARC in place has the additional benefit of improving inbox placement. A DMARC record helps ISPs identify you as a sender that is serious about following established email standards and reducing your spam liability. 

How do I prepare for this change?

A good place to start is to determine the status of your email domains. Our free domain checker will verify the status of your DMARC compliance, along with the open-source protocols it is built upon, SPF and DKIM. SPF is a list of servers and services that are authorized to send email via your domain, and DKIM is a tamper-proof seal that verifies that the content of your email hasn’t been altered. 

DMARC tells the world how to handle unauthorized emails sent via your domain by generating reports as your email moves to its destination. These reports can be sent to dmarcian’s powerful DMARC Management platform that gives visibility and control over how your email domains are used. It provides actionable insights every step of the way toward DMARC compliance and beyond.

If you have an internal (or external) IT resource that is responsible for the management of your email and DNS, dmarcian is here to help every step of the way with robust tooling and a vast library of resources. 

If you don’t have an IT resource on staff, we have a network of MSPs (managed service providers) and partners who utilize dmarcian’s best-of-class platform and technical insight to deploy DMARC effectively and accurately. 

Technical Requirements

For anyone sending more than 5,000 messages a day into either of the world’s largest mailbox providers, here’s what you need to do:

You must have a DMARC policy in your DNS. Though a monitor-mode policy of p=none will suffice for Google and Yahoo, this is only the first stage of taking full advantage of the security control.

  • First, check if you have a DMARC record with our DMARC Inspector.
  • If you don’t have a DMARC record, use our DMARC Record Wizard to create one.
    • Nearly every DMARC project starts with a monitor-only mode of p=none. Our Wizard’s default selection is this value. 
  • Enabling DMARC monitoring is the first step to gain insights into whether you have any email sources that are out of compliance. 
  • You are likely to need a visualization tool to help make sense of the data. You can start a free trial with us to gain insight into your domains and be guided through the process.

Your messages must pass DMARC. Messages can pass DMARC alignment in one of two ways.

  • Your messages pass DKIM, using the same domain as your message From: header; this is the d= value within email headers.
  • Your messages pass SPF, using the same domain as your message From: header. This is the Return-Path value within email headers. This header value is sometimes referred to as the “bounce domain,” “envelope-from” or “MailFrom.”
  • Of these two options, DKIM tends to be an easier and more reliable method as it survives forwarding. Much like Google and Yahoo postmasters have promoted, dmarcian also recommends a DKIM-first approach. However, a valid SPF record must be present.
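
The two alignment paths above, worked through on a received message, as an added example (not code from this page). It reads the Authentication-Results header a receiving server stamps on the message and compares the authenticated DKIM and SPF domains with the From: domain; the relaxed and strict modes come from the DMARC specification, and the messages, host names and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example: decide DMARC alignment from the headers of a received message.
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplification (assumption): the last two labels. Production evaluators
    # derive the organizational domain from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict needs an exact match; relaxed compares organizational domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_alignment(raw_message, strict=False):
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Only trust Authentication-Results stamped by your own receiving server.
    results = "; ".join(msg.get_all("Authentication-Results", []))
    results = " ".join(results.split())  # unfold continuation lines
    dkim = re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results, re.I)
    spf = re.findall(
        r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([\w.-]+)", results, re.I)
    dkim_ok = any(aligned(d, from_domain, strict) for d in dkim)
    spf_ok = any(aligned(d, from_domain, strict) for d in spf)
    return {"from": from_domain, "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok, "dmarc_pass": dkim_ok or spf_ok}

def sample(dkim_d):
    # Constructed message: an ESP sends as example.com with its own bounce domain.
    return (
        "Authentication-Results: mx.receiver.example;\n"
        f" dkim=pass header.d={dkim_d} header.s=s1;\n"
        " spf=pass smtp.mailfrom=bounces@bounce.esp-mail.example\n"
        "Return-Path: <bounces@bounce.esp-mail.example>\n"
        "From: Example Shop <news@example.com>\n"
        "Subject: Spring sale\n\nHello\n"
    )

ESP_DEFAULT = sample("esp-mail.example")  # ESP signs with its own domain
ESP_CUSTOM = sample("mail.example.com")   # ESP signs with the sender's subdomain

if __name__ == "__main__":
    for label, raw in (("default", ESP_DEFAULT), ("custom DKIM", ESP_CUSTOM)):
        print(label, dmarc_alignment(raw))
```

In the first message both SPF and DKIM pass, yet neither is aligned with example.com, so DMARC fails; signing with the sender's own domain is what makes the second message pass.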

Sending IPs must have a PTR record, also known as “forward and reverse DNS” or a “hostname.”

  • If you maintain any of your own mail servers, you should validate that each IP address has a corresponding PTR record in your DNS.
  • If you don’t maintain any of your own mail servers, this responsibility falls on the email vendors you leverage. Because DMARC is a means of observing who, what, and how your domain is being used to send email, basic DMARC monitoring (p=none) can help validate that your email vendors are in compliance.
  • It’s rare that legitimate mail servers don’t have a PTR record. The bad guys have learned to compromise other connected devices (smart devices, residential modems, etc.) to send mail. Absence of a PTR record is a clear signal to the receiver that this IP address is not properly configured to send email.
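
One way to audit your own sending IPs for the “forward and reverse DNS” pairing, as an added example (not code from this page): each IP needs a PTR name, and that name must resolve back to the same IP. The zone data is constructed from documentation address ranges so the check runs offline; check_ptr falls back to the system resolver when no lookup functions are passed.

```python
# Added example: forward-confirmed reverse DNS check for sending IPs.
import ipaddress
import socket

def system_reverse(ip):
    """PTR names for ip from the system resolver; [] when there is no PTR."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_forward(hostname):
    """A/AAAA addresses for hostname from the system resolver; [] on failure."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except OSError:
        return []
    return [info[4][0].split("%")[0] for info in infos]  # drop IPv6 zone ids

def check_ptr(ip, reverse=system_reverse, forward=system_forward):
    """Return (ok, detail): ok only if a PTR name resolves back to the same IP."""
    target = ipaddress.ip_address(ip)
    names = reverse(ip)
    if not names:
        return False, "no PTR record"
    for name in names:
        if any(ipaddress.ip_address(a) == target for a in forward(name)):
            return True, f"{ip} -> {name} -> {ip}"
    return False, f"PTR {names[0]} does not resolve back to {ip}"

# Constructed zone data so the example runs offline (documentation ranges).
PTR = {"192.0.2.10": ["mta1.example.com"], "192.0.2.11": ["mta2.example.com"]}
ADDR = {"mta1.example.com": ["192.0.2.10"], "mta2.example.com": ["192.0.2.99"]}

def audit(ips):
    """Check each IP against the constructed zone data above."""
    return {ip: check_ptr(ip, lambda i: PTR.get(i, []), lambda h: ADDR.get(h, []))
            for ip in ips}

if __name__ == "__main__":
    report = audit(["192.0.2.10", "192.0.2.11", "192.0.2.12"])
    for ip, (ok, detail) in report.items():
        print("PASS" if ok else "FAIL", ip, detail)
```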

Don’t send spam.

  • Yahoo asks you to send messages only to recipients who have opted in, to honor the frequency established at the point of registration, and not to buy lists.
  • Gmail requires you to keep your Spam Complaint Rate below 0.3%. They even offer a free reputation service to help you keep track of your spam rates.

Properly Format Your Messages: Emails must meet the standards established by RFC 5322.

Don’t spoof or Google and Yahoo will begin to ramp their own DMARC policies. If you are using an email service that allows you to send “as your or address,” you are likely to experience substantial delivery issues. Your best bet is to open a support ticket with your provider to understand exactly what is at stake for you.

Include one-click unsubscribe: You’ll need to institute a one-click unsubscribe in order for your emails to be delivered. Yahoo says the one-click unsubscribe should honor a user’s requests within two days. Google adds that a clearly visible unsubscribe link must be in the message body.

Want to continue the conversation? Head over to the dmarcian Forum.