If you haven't already heard, new security mandates set by Google and Yahoo are going into effect in February 2024.
I know, I know. Email security is everyone’s favorite topic, right?
For better or for worse – it’s important to stay on top of these changes so you can stay on top of your customers’ inbox (and out of the spam folder).
In this blog post, you’ll learn what the new requirements are, what they mean for you, and what you need to do to continue landing in the inbox.
What Are The New Sender Requirements?
Starting February 1st, 2024, all domains must be authenticated and implement additional security measures so bad actors can’t spoof your email address and send under your name.
These have long been recommended by Gmail, but are now being required to provide a safer, less spammy inbox for consumers (which is a good thing).
These changes apply to anyone who sends more than 5,000 emails to Gmail or Yahoo users in a single day, but we recommend that everyone implement them to get ahead of the curve and prepare for inbox providers requiring everyone to meet them in the future.
You can find a full breakdown of the changes in Gmail’s Help Center, but I’ve distilled the most important changes for you here:
- All domains must have a DMARC policy in place.
- Because of this, all Drip customers need to set up a Custom Sending Domain.
- Your "From:" Email must match your domain, for example, hello@drip.com for the Drip.com domain.
- Marketing emails must include a one-click unsubscribe method (Drip handles this for you).
- Marketing emails must include an unsubscribe link in the message body (but this link doesn’t need to be one step). Drip automatically inserts this in our email builder.
- Your spam rate for Gmail or Yahoo addresses must be under 0.10% in a given window of time. (No word on the length of time yet, but we think you can safely assume within a given week. We’ll keep you posted).
If your blood pressure started to rise while reading through those changes, take a deep breath.
Here’s what you need to do next.
What Does This Mean for Me?
While Drip will handle some of the changes for you, there are some things you’ll need to do yourself to remain compliant.
Luckily, these are, overall, best practices you might already be doing.
Set Up a Custom Sending Domain (If You Haven’t Already)
First and foremost, these changes mean that if you don’t have a Custom Sending Domain (CSD) set up, you need to do that first.
If you’re not sure how to do this, we have an excellent guide on how to set up a Custom Sending Domain for your Drip account.
Get a DMARC Policy in Place
Once you get your CSD set up, you are required to have a DMARC policy in place. This is a good thing to double-check for those who already use Custom Sending Domains, too.
DMARC is an email security measure designed to prevent email fraud and phishing attacks. It adds an extra layer of protection to your emails and enhances your brand reputation. Read how to set up DMARC plus all of its components in our help article.
When it comes to how strict to set the policy, we recommend starting at the “p=none” policy level so you’ll get reports of any emails that fail authentication.
Google is only requiring that your policy is set to “p=none” right now, so as long as that record is in place, you’ll meet the minimum requirements.
If you want to use additional features like BIMI to have your brand logo appear in Gmail, you’ll need to bump up to “p=quarantine” for your policy.
For those just getting started, we heavily recommend tightening the policy slowly so that mail failing authentication doesn't end up in spam. It's better to slow-roll technical changes.
Make It Easy To Unsubscribe
Per Gmail’s new requirements, all senders must include a one-click unsubscribe method in the email header and an unsubscribe link in the message body.
This also means you can't make those links effectively invisible by changing the text color, or anything of that nature.
Drip automatically requires that every marketing email includes an unsubscribe link, but purposefully making them obscure to click on is called out in Google’s new documentation, so it’s worth mentioning.
Additionally, your marketing emails must include a one-click unsubscribe method (aka a List-Unsubscribe Header). As of February 2024, Drip automatically includes unsubscribe headers embedded into all emails.
The moral of the story is that if people want to stop getting your emails, let them unsubscribe.
After all, you don’t want to send to those who don’t want to hear from you.
Unsubscribes are way better than spam complaints. 😃
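For mail sent from tools other than Drip (a helpdesk or receipt system, say), the header requirements can be checked on a raw message. The following is an added example, not Drip's code: it looks for the RFC 8058 one-click header pair and also checks the From: domain requirement listed earlier. The messages, addresses and `example.com` domain are constructed, and the subdomain rule is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def audit_message(raw, sending_domain):
    """Return findings for one raw message; an empty list means none."""
    msg = message_from_string(raw)
    domain = sending_domain.lower()
    findings = []

    # From: must be on the authenticated sending domain. An exact match or a
    # subdomain is accepted here, a simplification of relaxed alignment.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain != domain and not from_domain.endswith("." + domain):
        findings.append(f"From domain {from_domain or '(none)'} is not under {domain}")

    # One-click unsubscribe (RFC 8058) needs an https URI in List-Unsubscribe...
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.strip().lower().startswith("https://") for u in uris):
        findings.append("List-Unsubscribe has no https URI")

    # ...and the companion header telling the mailbox provider to POST to it.
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    if post != "list-unsubscribe=one-click":
        findings.append("List-Unsubscribe-Post: List-Unsubscribe=One-Click is missing")
    return findings

# Constructed sample messages (not real traffic).
SAMPLE_OK = (
    "From: Shop <hello@example.com>\n"
    "Subject: Weekend sale\n"
    "List-Unsubscribe: <https://example.com/u/abc123>, <mailto:unsub@example.com>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "\nUnsubscribe: https://example.com/u/abc123\n"
)
SAMPLE_BAD = (
    "From: Shop <yourbusiness@gmail.com>\n"
    "Subject: Your receipt\n"
    "List-Unsubscribe: <mailto:unsub@example.com>\n"
    "\nThanks for your order.\n"
)

if __name__ == "__main__":
    for name, raw in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_message(raw, "example.com"))
```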
Keep Your Spam Rates Below 0.1%
With these changes, Google & Yahoo have provided a numerical threshold for spam complaints from their email addresses of 0.1%, or 1 out of every 1000 recipients. 0.3% is the absolute max, but Gmail warns reaching that threshold will have heavier consequences.
1/1000 is the industry standard, but Gmail doesn't tell you when someone reports you as spam. You can only see an average of spam complaints via Google Postmaster Tools – and we do recommend setting that up as well.
The guidelines around the length of time Gmail is looking at and how you'll be penalized if you go over the 0.1% threshold aren't extremely clear, but the goal is to keep your spam rates as low as possible.
The takeaway here is that if people stop shopping with you or stop engaging with your emails, you should remove them from your list.
This will change over time as privacy gets more and more advanced and open rates get less and less reliable, but other information like cart data is still very reliable. Gmail and Yahoo are pushing senders to lean into this (and take those contacts from 2 years ago off your list 😉).
Don’t Impersonate Gmail From: Headers
Lastly, Gmail is putting a DMARC policy in place for its domains, which means that anything sent under an @gmail.com email address from outside the Gmail ecosystem is likely going to run into problems.
Drip doesn’t allow you to use Gmail emails as your sender email, but if you have any other tools like your helpdesk, fulfillment, or receipts sending from yourbusiness@gmail.com, those will likely stop working come February if not sooner.
Update them to a business email ASAP, as those emails will be either rejected or filtered to spam by default.
Next Steps to Stay Compliant with Gmail and Yahoo Sender Changes
So to sum up, this is all you need to do:
- Set up Custom Sending Domain: Just like our emails to you come from @drip.com, you want your emails to come from your unique domain.
- Create a DMARC policy and set “p=none”: This is the base level that Gmail will require.
- Make sure you have a visible unsubscribe link in every email: If people want to go, let them. Having extra contacts who don’t want to hear from you doesn’t serve you. A great email service provider (like Drip) will do this automatically for you.
- Clean your email list and keep your spam rates below 0.1%: Segment off those contacts that don’t engage and remove them from your list. Make sure your spam rate is nice and low.
- Don’t use Gmail to mass send emails: If your store, help center, or any other part of your business is currently using Gmail, it’s time to stop and get those under your custom sending domain.
I know that this is a lot of information to take in. Deep breaths. We’ve got your back.
If you have additional questions, or if you need to know even more, get in contact with our Support team. They’re more than happy to provide you with additional information or connect you with the right team to dive in even further.