
Mastering 2024 Email Security Updates: Yahoo & Gmail Guide

Gmail and Yahoo are ushering in a new era of inbox security and spam reduction, with their latest email policies taking effect from February 1, 2024. As email senders, compliance is key to maintaining your email delivery game and steering clear of potential hurdles like bounces or the dreaded spam folder. These guidelines apply to all bulk senders with a daily volume of over 5000 marketing emails.

Here’s a quick summary of these updates:

  • DMARC Record: From February 1, 2024, every email-sending domain must have an enabled DMARC record if its daily marketing email volume exceeds 5,000, along with DKIM and SPF records in place. Implement a DMARC policy for each of your sending domains and confirm that your DMARC checks succeed, ensuring that your “from” addresses align with domains where DKIM and SPF are correctly set up. Additionally, valid forward and reverse DNS/PTR records for your email-sending domains and IPs are mandatory.
  • Unsubscribe Link: From June 1, 2024, ensure that the unsubscribe link in your emails captures the user request with just a single click. The updated guidelines for unsubscribing aim to streamline the opt-out process, improving open rates, click-through rates, and overall sending efficiency. For those sending over 5,000 messages daily, marketing and subscribed messages must support one-click unsubscribe. Google recommends including both List-Unsubscribe-Post and List-Unsubscribe headers in outgoing messages, supporting both one-click unsubscribe (RFC 8058) and “mailto” unsubscribe (RFC 2369). Recipients should be allowed to review and unsubscribe from individual mailing lists, with an additional recommendation to automatically unsubscribe recipients with multiple bounced messages.
  • Spam Complaints: Google mandates that bulk senders keep the spam rate (as per Postmaster Tools) below 0.1% to stay on the list of good email senders. While the threshold set by ISPs is 0.3%, it’s safe to keep the spam rate at no more than 0.1%. Consider 0.2% a red alert and 0.3% a calamity. Google won’t be addressing any tickets for senders hitting a 0.3% spam rate, and your email practices will be constantly under watch.

Complying with Google & Yahoo Bulk Sender Updates

1. Establish proper email authentication and infrastructure configuration

Below is a brief overview of the nitty-gritty of email authentication and the three interlinked mechanisms involved:

    • Sender Policy Framework (SPF): Prevents domain spoofing by enabling senders to specify authorized email servers for dispatching emails from their domain.
    • DomainKeys Identified Mail (DKIM): Adds a digital signature to outgoing emails, verifying the message’s origin from an authorized sender and confirming it hasn’t been altered during transmission.
    • Domain-based Message Authentication, Reporting, and Conformance (DMARC): Empowers domain owners to define actions for emails failing authentication and facilitates reporting on email authentication outcomes.

    Customers relying on CleverTap’s Email Delivery system will have SPF and DKIM authentication implemented by default. However, to comply with these newly announced requirements, senders are responsible for setting up DMARC by February 1, 2024.

    You can follow the steps below to complete your email authentication setup: 

    1. SPF: Have a valid SPF record on the RETURNPATH/ENVELOPE DOMAIN, adding all your SMTP outgoing IP addresses.

    Validate your SPF record using any of the links below:

    https://www.kitterman.com/spf/validate.html
    https://easydmarc.com/tools/spf-lookup
    Sample valid SPF record:

    2. DKIM: Authenticate ALL your emails (Yahoo, Gmail, Outlook, including corporate domains) with DKIM keys of 2048-bit (recommended) length.

    Validate your DKIM records using any of the links below:

    https://easydmarc.com/tools/dkim-lookup
    https://dmarcly.com/tools/dkim-record-checker
    Sample valid DKIM record :

    3. DMARC: Implement the DMARC record on the FROM domain and ensure that SPF and DKIM domains are aligned.

    For example, if you are using the domain clevertap.com to send out emails, the return path/envelope and DKIM domain should be clevertap.com or a sub-domain of clevertap.com. This way, we can ensure that all the authentication settings are 100% aligned. This is a mandatory step to follow.
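The alignment rule described above, as an added example (not code from CleverTap or from the original page): it reads a message's Authentication-Results header and reports whether a passing SPF or DKIM result uses the From domain or a sub-domain of it. The sample message and all domains are constructed placeholders, and the function names are hypothetical; full DMARC relaxed alignment compares organizational domains, which requires the Public Suffix List and is not implemented here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; every domain here is a placeholder.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.mail.example.com;
 dkim=pass header.d=example.com;
 dkim=pass header.d=esp-shared.example.org
From: Offers <offers@example.com>
Subject: constructed sample

body
"""

def aligned(auth_domain, from_domain):
    """Page's rule: same domain as From, or a sub-domain of it."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f or a.endswith("." + f)

def check_alignment(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Only trust Authentication-Results stamped by your own receiving server.
    results = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.findall(r"\bspf=(\w+)[^;]*?\bsmtp\.mailfrom=([^\s;]+)", results)
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?\bheader\.d=([^\s;]+)", results)
    # A mechanism counts only if it passed AND its domain aligns with From.
    spf_ok = any(r == "pass" and aligned(d.rpartition("@")[2], from_domain)
                 for r, d in spf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain) for r, d in dkim)
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    print(check_alignment(SAMPLE))
```
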
    Sample valid SPF, DKIM and DMARC in email headers:

    Sample DNS records:

    Sample DMARC record :


    NOTE: A few of the parameters in the DMARC record are optional. Please contact your IT team for appropriate parameters as per your company policies.

    Here are the prerequisites to be followed before enabling DMARC :

      • Review all outgoing SMTP emails, including internal corporate traffic, to identify any misalignments in authentication settings. If any are found, fix the alignment. Enforcing DMARC before fixing such anomalies will lead to DMARC failure, preventing emails from reaching the user’s mailbox.
      • After verifying and aligning authentication settings, you are good to go ahead and enable the DMARC record with NONE as a policy.
      • DMARC aggregate reports are sent to the email address given in the “rua” tag of the DMARC record. Make sure to monitor the reports to identify any SPF/DKIM failures. The DMARC and DMARC alignment success rate should be >99%. The remaining 1% of failures should be more likely due to intermittent DNS fluctuations than misalignment.
      • As a good practice, you can change the policy (p=) to QUARANTINE or REJECT once the DMARC and DMARC alignment success rate has been >99% for at least 2 weeks.
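The monitoring step above, as an added example (not CleverTap's tooling): it totals DMARC pass rates across aggregate reports and applies the page's bar of >99% over at least 2 weeks before moving off p=none. The report XML is constructed and trimmed to the RFC 7489 fields used; `make_report`, `summarize` and the IP addresses are hypothetical names and sample values.

```python
import xml.etree.ElementTree as ET
from collections import Counter

THRESHOLD = 99.0  # the page's bar: pass rate above 99% ...
MIN_DAYS = 14     # ... sustained for at least 2 weeks
DAY = 86400

def make_report(begin, end, rows):
    """Constructed, trimmed RFC 7489 aggregate report (sample data only)."""
    records = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
        f"<policy_evaluated><dkim>{dkim}</dkim><spf>{spf}</spf>"
        f"</policy_evaluated></row></record>"
        for ip, n, dkim, spf in rows)
    return (f"<feedback><report_metadata><date_range><begin>{begin}</begin>"
            f"<end>{end}</end></date_range></report_metadata>{records}</feedback>")

def summarize(reports):
    total = passed = 0
    failing = Counter()
    begins, ends = [], []
    for xml_text in reports:
        # Reports come from third parties: in production parse them with a
        # hardened XML parser (for example defusedxml), not plain ElementTree.
        root = ET.fromstring(xml_text)
        begins.append(int(root.findtext("report_metadata/date_range/begin")))
        ends.append(int(root.findtext("report_metadata/date_range/end")))
        for row in root.iterfind("record/row"):
            count = int(row.findtext("count"))
            ev = row.find("policy_evaluated")
            total += count
            # policy_evaluated carries the aligned results; either pass is enough.
            if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
                passed += count
            else:
                failing[row.findtext("source_ip")] += count
    rate = 100.0 * passed / total if total else 0.0
    days = (max(ends) - min(begins)) / DAY if begins else 0.0
    return {"total": total, "pass_rate": rate, "days": days,
            "failing_sources": dict(failing),
            "ready_to_enforce": rate > THRESHOLD and days >= MIN_DAYS}

ROWS = [("192.0.2.10", 9940, "pass", "pass"), ("192.0.2.10", 40, "pass", "fail"),
        ("198.51.100.7", 20, "fail", "fail")]
REPORTS = [make_report(d * DAY, (d + 1) * DAY, ROWS) for d in range(14)]

if __name__ == "__main__":
    print(summarize(REPORTS))
```

The `failing_sources` map is the list of sending IPs to investigate for misalignment before the policy is tightened.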

    2. Enable recipients with simple and accessible options to unsubscribe

    It is essential to provide a clearly visible option for unsubscribing, utilizing a straightforward one-click process, and promptly addressing such requests within a 48-hour window.

    Regardless of whether you are using CleverTap Email Delivery or your own ESP (SG/SES/Custom SMTP connector, etc.), assess your configuration through the following steps:

      • The List-Unsubscribe header in an email added by the sender shouldn’t have an additional hop or action required from the user. It should be a one-click unsubscribe process.
      • While ISPs mention that users should be removed from the mailing list within 48 hours, we recommend removing the user in real-time or within a few hours of the user raising an unsubscribe request as a best practice to avoid follow-up unsubscribe requests or REPORT SPAM.
      • Make sure to enable SSL on the List-Unsubscribe URL (https://), as per the RFC document linked here.

      CleverTap is in the process of incorporating built-in support for the One Click Unsubscribe feature, offering an alternative for brands that prefer not to utilize the one provided by their email partner. This functionality will initially be introduced for our Email Add-On Customers, followed by SMTP and Amazon SES in the near future.

      3. Regulate spam levels

      Google mandates that bulk senders maintain a reported spam rate below 0.1% in Google Postmaster Tools (equivalent to 1 spam report for every 1000 mails sent). You can follow the steps below to keep your spam levels in check:

        • Review your historical spam rate and work on an action plan if you see spam rates higher than 0.1%. Consult your ESP to build an email strategy to reduce spam complaints.
        • Ensure you have a valid forward (A record) and reverse (PTR record) aligned with the from domain for all outgoing email IP addresses.

        Note: Please contact your domain administrator for assistance to add/modify any DNS records.

        For email marketers, staying agile is paramount. While adjustments in mailbox provider requirements can be unnerving, they signify positive changes. Emphasizing email authentication and DNS, along with facilitating easy unsubscribes, ensures emails reach genuinely interested subscribers. It’s crucial to view these changes positively, recognizing their role in advancing the email industry.

        Last updated on February 13, 2024