Email Authentication, Gmail

How to Prepare for Gmail and Yahoo! Sender Requirements Before February 2024?

EmailLabs Team, 13 November 2023


Gmail has announced significant changes in the requirements for email senders to maintain a good reputation and proper classification of messages in user inboxes starting from February 1, 2024. Similar changes will be implemented by Yahoo! Mail in Q1 2024

Major global providers are gearing up to send a clear signal – it’s time to implement requirements previously considered best practices to enhance email users’ security and significantly reduce the amount of SPAM reaching our inboxes every day.

This is not surprising, especially considering the prior promotion of the BIMI standard, which we have been assisting our clients in implementing for over 2 years. Particularly, Gmail has emphasized the importance of fully securing the sender’s brand and its marking in the inbox. It’s worth noting that brands with implemented BIMI display their logo in the inbox, along with a clear indication that the sender is verified.

We believe that there will be a tightening of requirements within the DMARC authentication, moving from “p=none” policy to a more restrictive one. It’s advisable to familiarize yourself with these changes now to avoid being surprised by an increased number of bounced messages or messages classified as SPAM, she adds. The DMARC change will be a significant challenge for many senders. Some express concerns that organizing processes within their email systems will take at least a few weeks.

Katarzyna Garbaciak, COO EmailLabs


Domain-Based Message Authentication Reporting and Conformance combines two existing email authentication mechanisms, SPF and DKIM, and adds a layer of policy.

New Requirements for Gmail and Yahoo! Mail – Who Will Be Affected?

Gmail and Yahoo! Mail have announced that the changes concern what they refer to as ‘bulk senders.’ Only Gmail has clarified what this term exactly means. Specifically, a bulk sender is someone who sends over 5000 messages per day to their clients or subscribers.

Consideration is given to emails sent from a specific domain. However, upon closer examination of Google’s documentation, it is evident that the changes will have a broader impact. If you send messages to anyone using Yahoo! Mail or Gmail (as well as Workspace, formerly G Suite), you must adhere to the new requirements.

Consequences of Non-Compliance with Gmail and Yahoo! Mail Requirements

The sender’s failure to comply will have significant consequences, primarily impacting their sending reputation, which can be monitored, for instance, through the Google Postmaster Tool. Understanding the concept of sender reputation is crucial; this tool serves as a reliable benchmark for evaluating the sender’s quality and email delivery practices. It effectively illustrates the response to communications and engagement levels and indicates the spam complaint rate.

In practical terms, a sender’s lack of preparedness may result in penalties such as message rejection, redirection to the recipient’s spam folder, or, in more severe cases, the non-delivery of their emails altogether. It underscores the importance of sender readiness and emphasizes the need for compliance to maintain a positive sending reputation.

5 Ways to Check Sending Reputation

When Will The Changes For Senders Take Effect?

Requirements for sender authentication (SPF, DKIM, and DMARC), domain alignment, and spam complaint level requirements will come into effect in February. On the other hand, the one-click unsubscribe requirement will be effective from June 1, 2024. Google strongly emphasizes implementing these requirements earlier and not waiting until the final date. Quoting Google documentation:

“If you send more than 5,000 emails per day before February 1, 2024, follow the guidelines in this article as soon as possible. Meeting the sender’s requirements before the deadline may improve your email delivery.”

Yahoo! Mail provides a less precise timeframe, stating it will be within the first quarter of the new year.

What Exactly Will Change For Senders?

Google and Yahoo have been making significant efforts to enhance email security and reduce spam for years. The introduced changes aim to provide even better protection for email recipients and tighten the implementation of anti-spam filters. The modifications include:

First of all: Authenticate Your Domain!

The most crucial and challenging change involves email authentication. Mandatory SPF and DKIM authentication are being introduced for all senders.

Bulk senders will be required to implement DMARC authentication, at least with a “p=none” policy. This will now be a mandatory requirement, as opposed to a previously recommended practice.

Messages sent by bulk senders must undergo domain alignment in the DMARC record. This means that the Envelope From (Return-Path) domain must be the same as the Header From (From address) domain or that the DKIM domain is the same as the Header From domain. We recommend that highlighted elements be consistent.


Domain alignment is a mechanism that ensures that the authenticated email domain is consistent with the domain found in the ‘From’ header address, representing the sender’s identity.

How to Configure DMARC?

Setting up DMARC involves three essential steps besides the purely technical aspects of adding a DMARC record.

  1. Evaluate the infrastructure responsible for sending email messages.
    This includes mail servers and external services sending emails on behalf of the sender, such as server infrastructure providers like EmailLabs or marketing automation platforms.
  2. Creating a Custom DMARC Policy for Each Protected Domain.
    DMARC adds rules to the organization’s DNS record, instructing receiving servers on handling email messages sent from a specific domain. The DMARC policy itself can be set to “reject,” “quarantine,” or “none”:

    • Reject: The message will be rejected if it fails authentication tests and is not authorized by the sender.
    • Quarantine: Messages will be directed to the SPAM folder until they pass authentication checks and are authorized by the sender.
    • None: The receiving server takes no action on messages that fail authentication checks.

      Depending on the DMARC policy, the email message may be delivered, placed in the spam folder, or rejected outright.


  3. Publishing the DMARC Record in the DNS of Your Domain:
    To achieve this, access the DNS settings in the Admin Console and insert a TXT record resembling the following:
    v=DMARC1; p=quarantine; rua="[email protected]"; ruf="mailto:[email protected]"

In this record, the “v” tag signifies the DMARC version in use (typically “DMARC1”), the “p” tag indicates the DMARC policy and the “rua” and “ruf” tags specify the email addresses designated to receive reports related to DMARC activities – “rua” for aggregate reports and “ruf” for failure/forensic reports. If you employ the rua/ruf tag, it’s essential to use the “mailto:” prefix.

Read detailed instructions on how to set up DMARC correctly.

Simple Opt-In Process When users subscribe to your emails, make the process simple and transparent. Clearly state what they are signing up for and ensure they have full control over their subscription preferences.
Allow one-click Unsubscribes Provide a clear and accessible unsubscribe option in every email you send. Make it as straightforward as possible for users to opt out of your emails. Failing to do so can lead to user frustration and spam complaints.
Respect User Choices Honor unsubscribe requests promptly. Continuing to send emails to recipients who have unsubscribed is not only against best practices but can also result in email deliverability issues.

Secondly: The Spam Complaint Rate (marking emails as SPAM) Must Be Very Low.

Google specifies that it should not exceed 0.3% according to the data displayed in Google Postmaster (Spam Rate tab). Yahoo! Mail does not provide exact numbers. This req

uirement will apply to all senders.

The spam rate is the percentage of email messages marked as spam by users compared to the total emails delivered to the inbox for active users. If many emails are directly delivered to spam folders, the spam rate may be low, even if users continue to mark your emails in their inbox as spam.

We recommend that you read Emaillabs’ Anti-spam Policy. The level of spam complaints specified therein must not exceed 0.1%, so our approach to this metric is very strict.

Thirdly: Compliance with RFC 5322 Principles

All messages, regardless of the sender’s size, must adhere to the RFC 5322 standard. This is nothing more than the widely recognized internet standard that defines the format of emails, including headers, content, and attachments. Following these changes, emails that do not meet these requirements may face rejection.

Fourthly: Avoid Sending from Free Mailboxes

Google is changing its DMARC policy to “p=quarantine,” meaning that sending from addresses such as @gmail or @googlemail will no longer be allowed.

Fifthly: Enable One-Click Unsubscribes

Bulk senders should enable a swift and easy opt-out from marketing communication by implementing a one-click unsubscribe option (excluding transactional emails): the one-click unsubscribe feature.

The BIMI Standard and VMC Certificate

The tightening of sender classification criteria and fundamentals is a natural consequence of the increasing volume of emails and spam. The number of threats related to brand impersonation in email communication is also on the rise.

Google and Yahoo! Mail have been encouraging senders to adopt the BIMI standard for the past three years. Google rewards senders who implement the VMC certificate with an additional blue checkmark that appears alongside the logo and sender’s address, confirming that the message is from a sender who is also the domain owner.

Sender Verification In Google – Blue Verified Checkmarks Will Appear In Gmail

However, to enjoy the BIMI standard and display a logo in the Yahoo! Mail inbox, which is somewhat more lenient and does not require VMC, it is mandatory to implement DMARC with a restrictive policy. The new rules don’t go that far; requiring DMARC with a “p=none” policy is sufficient. However, it is expected that in the next step, email giants may tighten these rules further.

End of Spray and Pray

Gmail and Yahoo have long rewarded senders with high open rates (OR) and click-through rates (CTR), whose messages are widely shared. Now, however, it has become clear that a certain era is coming to an end – the era of sending messages to unverified recipient lists, inactive subscribers, and those not engaging in our communication. A tough time is approaching for senders who don’t know their customers, don’t segment them based on needs and preferences, and don’t create personalized communication.

Until now, there was no point in hiding the unsubscribe option for fear of an increased spam complaint rate. Now the bar has been raised. Gmail already represents 40-50% of the database for most clients. Senders can’t afford to create uninteresting, unattractive messages; not only will it be very easy to unsubscribe from such communication, but a spam complaint rate above 0.3% will result in unwanted emails being directed to spam or not delivered.

How to Prepare for Google and Yahoo Changes?

Google and Yahoo have announced the changes in recent weeks. We realize that the period is intense and demanding for many of you. Nevertheless, it is a good idea to start adjusting to the new requirements as soon as possible. If you are an EmailLabs customer, you can already prepare for the upcoming changes. Here’s a quick guide on where to start.

Are you an EmailLabs User? We have a Ready Checklist for you!

    1. Check if you have your own sending domain.
      It will no longer be possible to send from free domains. If you need support buying and configuring a domain in DNS, please write to us. Check out a support package tailored to your needs.
    2. Check if you have an SPF record with an EmailLabs entry in your domain.
      In EmailLabs, SPF is enabled by default, but for the mechanism to work properly, you must also add a corresponding entry in the TXT record in DNS.
    3. Check if you have the new sender authorization enabled in the Emaillabs panel.
      In the Administrator > Sender Authorization tab, you will generate an individual DKIM key with your sending domain. f you are currently using a standard DKIM key in the EmailLabs domain, such a setting will not suffice. If you have only authorized an email address, such a setting will also not suffice. If you have not yet performed domain authorization, be sure to read the instructions.
    4. Check if you already have a DMARC policy set up.
      If you have not yet added it to the DNS of your From domain, we encourage you to do so. All you need to do is set the DMARC policy to neutral: “p=none”. For security reasons, we recommend setting the DMARC policy on the subdomain, not the main domain.
    5. ATTENTION! After authorizing the sending domain, write to us at [email protected] so that we can switch to the new authorization method.

Free Sending Domain Setup Configurator

ATTENTION: We have released a free sender domain authentication configurator. To prepare for the upcoming changes from Google and Yahoo, please log in to your panel and complete the authorization today. Ensure that the configuration includes all domains from which you send messages. You can find the configurator in the EmailLabs dashboard under the Administrator tab > Sender Authorization.

Here, you will generate all the entries, including DMARC, which must then be added to your domain’s DNS settings. Similar steps need to be taken for each new domain from which you will be sending emails. You may need the support of an administrator or IT department. Don’t wait until the end of January; take the first step today and notify the relevant individuals in your organization. It may turn out that implementing the necessary settings will take more than 2 weeks, and you won’t meet the deadline of February 1.

Do you not know how to correctly add entries to DNS for a domain registered with your hosting provider? Check out the ready-implement instructions!

  1. Authorizing the domain hosted by Cloudflare
  2. Authorizing the domain hosted by GoDaddy
  3. Authorizing the domain hosted by cyber_Folks
  4. Authorizing the domain hosted by
  5. Authorizing the domain hosted by
  6. Authorizing the domain hosted by OVHcloud
  7. Authorizing the domain hosted by

Most popular

Latest blog posts