Ensuring Delivery of Email to Google and Yahoo Mailboxes

Hardly a day seems to go by without hearing about a new email scam. Even worse, bad actors are using generative AI tools to create ever more convincing emails to trick us into revealing some personal information. Fortunately, technology is also being used to preserve the integrity of email as a means of business communication. New standards and techniques are constantly being developed and implemented to combat the vulnerabilities most often used by hackers.

The latest counterattack on undesirable emails comes from two of the industry’s largest email service providers: Google and Yahoo. Both have announced that they will start rejecting delivery of emails to their users unless those emails conform to best practices. Given their prominence in the field, other vendors are likely to follow suit. Since their requirements simply reflect best practices that have been around for some time, now is the time to ensure that your emails comply with these standards. Otherwise, you could find that your emails are no longer getting to their intended recipients!

Here is what Google and Yahoo now require of incoming emails. Starting in April 2024, a small percentage of non-compliant emails will be rejected, with that percentage increasing over time.

• SPF and DKIM, the two foundational forms of email authentication, are now required. Together, they prevent unauthorised parties from sending emails on behalf of a domain they do not own. Sender Policy Framework (SPF) specifies a public list of all the servers that you legitimately send emails from. DomainKeys Identified Mail (DKIM) automatically “signs" your emails to prove they are from your organisation.
• DNS pointer records (aka PTR or reverse DNS records) are also required. They allow mailbox providers to verify the sender by checking that the sending server’s address matches the email’s “from” address.
• Senders must maintain a spam complaint rate below 0.3% in Google Postmaster. You can create a Postmaster account to monitor your email reputation with Google mailboxes. Similar tools exist for other large email providers.
  

The following two measures are only required for high-volume senders (i.e., more than 5000 emails a day), but they might become mandatory for everyone in the future.

• Building on SPF and DKIM, Domain-based Message Authentication Reporting and Conformance (DMARC) tells a receiving email server what to do when a SPF or DKIM check fails. Your DMARC policy can instruct mail servers to quarantine such emails, to reject them, or to deliver them. The policy can also request reports about which emails are passing and failing these checks so your email administrators can adjust the policies in the future.
• Enable one-click unsubscribe. This feature causes the recipient’s email client to insert an “unsubscribe” button next to the “from” address at the top of the email. You must also include a clearly visible unsubscribe link in the message body.
  

Taking these steps will not only ensure that your emails will continue to be delivered to recipients at GMail and Yahoo Mail. but they will also avoid having your organisation added to a spam blacklist - which can be a real headache to resolve. In short, implementing these email measures will make the Internet a little better for everyone.