Understanding Gmail and Yahoo DMARC Requirements

• January 2, 2024

Ecosystem News Email Security Insights Email Technology

On October 3, 2023, Google and Yahoo announced requirements that bulk senders must have DMARC in place beginning February 2024.

As part of our mission to make DMARC accessible to all, we’re here to help. This guide will provide you with guidance, regardless of the size or complexity of your email infrastructure.

Who is affected?

If you send 5,000 messages a day or more into either of the world’s largest mailbox providers, starting February 2024, your email domain must have a DMARC policy in your DNS. These messages must pass DMARC Alignment or they will not be delivered. This includes messages sent on behalf of your organization by third-party email service providers (ESPs) like Constant Contact and MailChimp that use your email domain.

Note: If you’re also hosting your domain on Google Workspace, your internal message volume will likely count towards this daily limit.

Why is this happening?

Google and Yahoo both recognize the importance of email and are taking steps towards making it more safe and secure. By focusing on email validation, they are helping prevent unwanted spam and potential bad actors from reaching their customers’ inboxes.

Sending from a domain that has DMARC in place has the additional benefit of improving inbox placement. A DMARC record helps ISPs identify you as a sender that is serious about following established email standards and reducing your spam liability.

How do I prepare for this change?

A good place to start is to determine the status of your email domains. Our domain checker will verify the status of your DMARC compliance, along with the open-source protocols it is built upon, SPF and DKIM. SPF is a list of servers and services that are authorized to send email via your domain, and DKIM is a tamper-proof seal that verifies that the content of your email hasn’t been altered.

DMARC tells the world how to handle unauthorized emails sent via your domain by generating reports as your email moves to its destination. These reports can be sent to dmarcian’s powerful DMARC Management platform that gives visibility and control over how your email domains are used. It provides actionable insights every step of the way toward DMARC compliance and beyond.

If you have an internal (or external) IT resource that is responsible for the management of your email and DNS, dmarcian is here to help every step of the way with robust tooling and a vast library of resources.

If you don’t have an IT resource on staff, we have a network of MSPs (managed service providers) and partners who utilize dmarcian’s best-of-class platform and technical insight to deploy DMARC effectively and accurately.

Get started with our 30-day trial

Technical Requirements

For anyone sending more than 5,000/day into either of the the world’s largest mailbox providers, here’s what you need to do:

You must have a DMARC policy in your DNS. Though a monitor-mode policy of p=none will suffice for Google and Yahoo, this is only the first stage of taking full advantage of the security control.

First, check if you have a DMARC record with our DMARC Inspector.
If you don’t have a DMARC record, use our DMARC Record Wizard to create one.
- Nearly every DMARC project starts with a monitor-only mode of p=none. Our Wizard’s default selection is this value.
- The DMARC record then must be published in your DNS.
Enabling DMARC monitoring is the first step to gain insights into whether you have any email sources that are out of compliance.
You are likely to need a visualization tool to help make sense of the data. You can start a 30-day trial with us to gain insight into your domains and be guided through the process.

Your messages must pass DMARC. Messages can pass DMARC alignment in one of two ways.

Your messages pass DKIM, using the same domain as your message From: header; this is the d= value within email headers.
Your messages pass SPF, using the same domain as your message From: header. This is the Return-Path value within email headers. This header value is sometimes referred to as the “bounce domain,” “envelope-from” or “MailFrom.”

Of these two options, DKIM tends to be an easier and more reliable method as it survives forwarding. Much like Google and Yahoo postmasters have promoted, dmarcian also recommends a DKIM-first approach. However, a valid SPF record must be present.

Sending IPs must have a PTR record. Also known as “forward and reverse DNS” or a “hostname.”

If you maintain any of your own mail servers, you should validate that each IP address has a corresponding PTR record in your DNS.
If you don’t maintain any of your own mail servers, this responsibility falls on the email vendors you leverage. Because DMARC is a means of observing who, what, and how your domain is being used to send email, basic DMARC monitoring (p=none) can help validate that your email vendors are in compliance.
It’s rare that legitimate mail servers don’t have a PTR record. The bad guys have learned to compromise other connected devices (smart devices, residential modems, etc.) to send mail. Absence of a PTR record is a clear signal to the receiver that this IP address is not properly configured to send email.

Don’t send spam:

Yahoo asks you to only send messages to recipients who have opted in. You honor the stated frequency established at the point of registration, and you don’t buy lists.
Gmail requires you to keep your Spam Complaint Rate below 0.3%. They even offer a free reputation service to help you keep track of your spam rates.

Properly Format Your Messages: Emails must meet the standards established by RFC 5322.

Don’t spoof gmail.com or yahoo.com: Google and Yahoo will begin to ramp their own DMARC policies. If you are using an email service that allows you to send “as your @gmail.com or @yahoo.com address,” you are likely to experience substantial delivery issues. Best bet is to open a support ticket with your provider to understand more appropriately what exactly is at stake for you.

Include one-click unsubscribe: You’ll need to institute a one-click unsubscribe by June 2024 in order for your emails to be delivered. Yahoo says the one-click unsubscribe should honor a user’s requests within two days. Google adds that a clearly visible unsubscribe link must be in the message body.

Sender Guideline Enforcement Dates

Yahoo reports that enforcement of sender guidelines will be gradually rolled out as they monitor compliance through the first half of the year:

Beginning in February 2024, Yahoo will be enforcing certain standards for all senders, including:
- Properly authenticating your mail
- Keeping complaint rates low
Beginning in February 2024, the requirements for bulk senders will be more strict, including:
- Enabling easy, one-click unsubscribe starting June 2024
- Authenticating with both SPF and DKIM
- Publishing a DMARC policy

Google’s “gradual and progressive” sender enforcement dates are as follows:

In February 2024, bulk senders who don’t meet sender requirements will start getting temporary errors (with error codes) on a small percentage of their non-compliant email traffic. These temporary errors are meant to help senders identify email traffic that doesn’t meet guidelines so that senders can resolve issues that result in non-compliance.
In April 2024, Google will start rejecting a percentage of non-compliant email traffic and gradually increase the rejection rate. For example, if 75% of a sender’s traffic meets our requirements, Google will start rejecting a percentage of the remaining 25% of traffic that isn’t compliant.
Enforcement for the following requirements will begin June 2024:
- DMARC record with a minimum policy of none (p=none).
- One-click unsubscribe in marketing messages
- Mitigations unavailable when user-reported spam rates exceed 0.3% or if the sender has not met the authentication or one-click unsubscribe requirements.

Get started with our 30-day trial

Gmail/Yahoo DMARC Requirement FAQs

Does spoofed email count toward the bulk sender limit of 5k?

Yes. “Spoofed emails will count toward the mail we look at for enforcement. If you have a spoofing problem, you should be implementing a DMARC enforcement policy (p=quarantine or p=reject) regardless.” —Yahoo

Are subdomains subject to the requirements?

Yes. All subdomains of an organizational level domain for which a DMARC policy is published is subject to DMARC verification. If the emails sent from the subdomains are not compliant, they will be impacted. Subdomains are in scope for DMARC deployment and should not be ignored.

How do I discover my Spam rate?

Google’s free, handy Postmaster tools can help you with that.

What will happen if I don’t meet the requirements?

“If you do not meet the requirements, your mail may be sent to the spam folder or rejected. If mail is rejected, we will return a specific error code with information about the rejection.” —Yahoo

How will DMARC improve deliverability?

DMARC allows senders to specify how receivers can act on email which may not be sent from their domains. Depending on the policy published by the sender it may get rejected, or go to the spam folder or no action may be taken. DMARC primarily protects you from third parties forging your domain. If that is a current problem for you, it will probably also improve deliverability.

Are there requirements for non-bulk senders?

The following is from Google:

Starting February 1, 2024, all senders who send email to Gmail accounts must meet the requirements in this section.

Set up SPF or DKIM email authentication for your domain.
Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records. Learn more
Use a TLS connection for transmitting email. For steps to set up TLS in Google Workspace, visit Require a secure connection for email.
Keep spam rates reported in Postmaster Tools below 0.10% and avoid ever reaching a spam rate of 0.30% or higher. Learn more about spam rates.
Format messages according to the Internet Message Format standard (RFC 5322).
Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery.
If you regularly forward email, including using mailing lists or inbound gateways, add ARC headers to outgoing email. ARC headers indicate the message was forwarded and identify you as the forwarder. Mailing list senders should also add a List-id: header, which specifies the mailing list, to outgoing messages.