As of 1st February 2024, Google and Yahoo will be clamping down on email security with a new set of sender guidelines. These changes cover domain authentication, easy unsubscribes, and reported spam rates. Here’s what you need to do to comply and ensure all your emails - including review requests - land as they should.
Email is essential in eCommerce. It’s convenient, cost-effective, and a key driver of customer engagement. Sadly, as we’re all too aware, it’s also a vehicle for unwanted messages and malicious attacks.
Google and Yahoo’s new sender guidelines are designed to protect consumers from a rise in spam and increasingly intelligent phishing scams. They take what were once considered best practices and turn them into enforceable rules, intended to create a safer email ecosystem.
If you’re already following best practices for email deliverability, you’re probably covered. But it’s important to fully understand what’s around the corner to prevent your emails from landing in the junk box, or being blocked entirely.
The new rules apply to all merchants that send emails to personal Gmail and Yahoo accounts, so you can safely assume that they apply to you.
There are also a number of rules aimed specifically at bulk senders - those who send 5,000 or more emails per day. That includes every type of email you can think of - transactional, marketing, customer support, survey, and review requests - they all count towards the 5,000 threshold.
Let’s take a look at what these guidelines are, starting with the rules for bulk senders, as these are the changes most likely to require immediate action.
Note that what follows is a breakdown of the sender guidelines issued by Google. Yahoo is essentially following suit where applicable, so if you tick all of Google’s boxes, you’ll be covered under both providers.
As a bulk sender, you should send emails from your own branded domain, as opposed to any shared domain provided by a third party, like REVIEWS.io.
This means that when an email lands, the “From” address that customers see will have a clear association with your company. If you’re not yet sending from your own domain, you’ll notice that your review requests and associated emails are all from firstname.lastname@example.org.
We highly recommend that you send from a branded domain - regardless of whether you're classed as a bulk sender - as it adds a level of credibility and trust. It also helps you build a consistent presence across all your communications.
For help setting this up, check out our support article on how to send review invites from your own email address.
Authentication helps email providers verify if an email claiming to be from a specific sender is legitimate, preventing spammers and phishers from piggybacking on your domain.
As of February 1st, Google requires bulk senders to have all of the following authentication protocols in place:
SPF (Sender Policy Framework) - this tells email providers which servers are allowed to send emails on behalf of your domain, helping prevent fraudulent messages.
DKIM (DomainKeys Identified Mail) - this adds a unique signature to your outgoing emails that lets the recipient know the email is really from you and hasn't been tampered with.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) - DMARC lets you decide what happens if SPF and DKIM checks fail, and gives you reports on any authentication issues.
You'll need to input a DMARC enforcement policy - instructions on how email providers should handle messages that fail authentication. Google states that this can be set to none (p=none), meaning it won't take any action based on DMARC results, but will still provide reports for your analysis.
To set these protocols up, you’ll need to make changes to your domain's DNS records. If you don’t have an in-house IT team, your domain hosting provider will be able to support you here.
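To see what those DNS changes have to look like once published, here is an added example (not REVIEWS.io or Google code) that checks a domain's TXT records against the rules on this page: SPF, DKIM and a DMARC policy for bulk senders, or either SPF or DKIM for senders under 5,000 emails per day. The domain `example.com`, the DKIM selector `s1` and all record values are constructed placeholders; in practice you would fill the dictionary from your own DNS lookups.

```python
# Constructed sample TXT records for the placeholder domain example.com.
# The DKIM selector "s1" and the p= value are placeholders, not a real key.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEY"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def check_sender_auth(txt, domain, dkim_selector, bulk=True):
    """Return a list of gaps against the page's rules; an empty list means compliant."""
    problems = []
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        problems.append("more than one SPF record (SPF evaluation returns permerror)")
    dkim_name = f"{dkim_selector}._domainkey.{domain}"
    # An empty p= tag means the key was revoked, so it does not count.
    dkim_ok = any(parse_tags(r).get("p") for r in txt.get(dkim_name, []))
    dmarc = [parse_tags(r) for r in txt.get(f"_dmarc.{domain}", [])]
    dmarc = [t for t in dmarc if t.get("v") == "DMARC1"]
    if not bulk:
        # Under 5,000 emails per day: either SPF or DKIM is enough.
        if not spf and not dkim_ok:
            problems.append("need at least one of SPF or DKIM")
        return problems
    if not spf:
        problems.append("no SPF record")
    if not dkim_ok:
        problems.append(f"no usable DKIM key at {dkim_name}")
    if not dmarc:
        problems.append("no DMARC record")
    elif dmarc[0].get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("DMARC record lacks a valid p= policy")
    return problems
```
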
Already best practice under GDPR and the U.S. CAN-SPAM Act, Google now requires bulk senders to offer recipients a quick and easy way to unsubscribe from unwanted communications.
The significant change here is that this must now be a one-click unsubscribe using a List-Unsubscribe header, and all unsubscription requests must be processed within two days.
You’ll also need to include a clear & visible unsubscribe link in the message body of your emails, though there’s no requirement for this additional link to be one-click.
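As an added example (not code from REVIEWS.io or Google), the check below inspects an outgoing message for the one-click header pair defined in RFC 8058, which is the standard behind this requirement, plus the visible body link. The sample message, its addresses, URLs and token are constructed placeholders, and the body check is a simple heuristic.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample message; addresses, URLs and the token are placeholders.
SAMPLE = (
    "From: Example Shop <reviews@example.com>\n"
    "To: customer@example.net\n"
    "Subject: How was your order?\n"
    "List-Unsubscribe: <https://example.com/unsub?t=TOKEN>, <mailto:unsub@example.com>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "\n"
    "Tell us what you think of your order.\n"
    "Unsubscribe: https://example.com/preferences\n"
)

def unsubscribe_problems(raw_message):
    """Return a list of gaps against the unsubscribe rules; empty means compliant."""
    msg = message_from_string(raw_message)
    problems = []

    # List-Unsubscribe carries one or more URIs in angle brackets.
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not uris:
        problems.append("no List-Unsubscribe header with a <URI>")
    elif not any(urlparse(u).scheme.lower() == "https" for u in uris):
        # One-click works by an HTTPS POST, so a mailto: URI alone is not enough.
        problems.append("List-Unsubscribe has no https URI")

    # RFC 8058 requires exactly this key/value pair in the companion header.
    post = msg.get("List-Unsubscribe-Post", "").strip()
    if post.lower() != "list-unsubscribe=one-click":
        problems.append("List-Unsubscribe-Post is not 'List-Unsubscribe=One-Click'")

    # Heuristic for the visible link: the body mentions unsubscribing and has a URL.
    body = msg.get_payload()
    if not re.search(r"unsubscribe", body, re.I) or not re.search(r"https?://", body):
        problems.append("no visible unsubscribe link in the message body")
    return problems
```
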
If you’re sending fewer than 5,000 emails per day, you’re not required to include one-click unsubscribe links, nor are you required to set up DMARC authentication. Instead, you can run with either SPF or DKIM.
However, we recommend going for full authentication and offering a one-click unsubscribe anyway, as it will help you build a healthy sender reputation as your brand grows.
It’s also likely that these guidelines will be rolled out universally at some point in the future, so you might as well get ahead of the game.
As of February, Google is enforcing a clear spam rate threshold that you must stay below, ideally 0.10%. If your spam rates exceed 0.30%, you’ll start to experience significant deliverability issues.
To avoid creeping anywhere near that top threshold, follow best practices like obtaining explicit consent, using clear and transparent subject lines, and providing valuable and relevant content.
It’s also recommended to monitor your spam rates by setting up Google Postmaster Tools (GPT) - a free solution that helps you stay informed about your email delivery performance.
The following best practices will also be enforced rules as of February. It’s likely you already have everything in place for these guidelines, but for reference:
- You must set up valid forward and reverse DNS records for sending domains.
- You must use a TLS (Transport Layer Security) connection for transmitting email.
- You must format messages according to the Internet Message Format standard.
- You must not impersonate Gmail From: headers.
- Assess your status: determine whether you qualify as a bulk sender and review your current email authentication practices.
- Set up a branded domain: obtain a unique domain that reflects your brand identity and set this up as your default “From” address.
- Authenticate your emails: ensure the legitimacy of your emails by implementing SPF, DKIM, and DMARC protocols.
- Simplify unsubscribing: implement a one-click unsubscribe option and include a clear and visible unsubscribe link in your email templates.
- Monitor spam rates: keep your spam complaint rate under 0.30% by following best practices for email deliverability and engagement, and using GPT to monitor performance.
Google’s new sender guidelines offer a win for both brand and consumer.
For you, compliance means improved email deliverability and a trusted reputation. Your emails are more likely to land in a recipient’s inbox and drive engagement when they do - helping you build long-term and profitable customer relationships.
On the consumer side, a cleaner email ecosystem drowns out unwanted noise and helps them better connect with the brands they love.
You can read Google’s sender guidelines updates in full here. And of course, if you need any help with anything REVIEWS.io related, just give our support team a shout.