Google and Yahoo announce new requirements for email delivery

Google and Yahoo announce new requirements for email delivery

On October 3, 2023, Google and Yahoo announced a new set of requirements for email delivery that will become mandated by February 2024. 

For senders that send more than 5,000 emails a day to Gmail addresses, Google will require a set of authentication measures to be met in order to ensure secure email delivery to its inboxes. While Yahoo does not state a minimum sending requirement, it will align with Google’s criteria. 

The following requirements will be enforced:

  • Implementation of both SPF + DKIM
  • Sending with an aligned `From` domain in either the SPF or DKIM domains
  • Sending from a domain with a DMARC policy of at least p=none 
  • Using a TLS connection for transmitting email (added as a requirement in December 2023)
  • Valid forward and reverse DNS (FCrDNS)
  • One-click unsubscribe (RFC 8058)
  • Low spam reported rate

The full requirements are detailed in Google’s help article.

Google and Yahoo’s united stance promises a seismic shift in email security, ensuring global inboxes are safer through the enforcement of industry-acknowledged best practices. 

“We firmly believe that users worldwide deserve a more secure email environment, with fewer unwanted messages for an improved overall experience. We look forward to working with peers across the industry to boost the adoption of these email standards that benefit everyone.” 
Neil Kumaran, Group Product Manager, Gmail Security & Trust

What does this mean for senders?

Failure to comply with these requirements means that emails sent to Gmail and Yahoo inboxes will not be delivered. When considering that Gmail’s 1.8 billion inboxes equate to almost a quarter of the world’s email-using population, these enforcements will have severe implications for non-compliant businesses that rely on email communication for their operations. 

The good news is that these requirements are already considered best practice across the email ecosystem. They use open standards that are accessible to everyone, such as SPF, DKIM, and DMARC, that can be implemented quickly and safely with the right solution. For businesses that are yet to implement these measures, there’s never been a better time to get ahead of the curve and be ready for Google and Yahoo’s mandate.

What are the benefits of making these changes?

We are thrilled that the email industry is getting together and advocating for these changes as strong email authentication has always played a critical role in email-based business operations. This is because implementing email security protocols like SPF, DKIM, and DMARC is the only effective way to protect your business’s reputation from exact domain impersonation-based phishing attacks. 

To drill into this in a little more detail, DMARC is the email security protocol that blocks exact domain impersonation attacks. It allows domain owners to take back control of their email identity by telling receiving inboxes to reject spoof emails, i.e. when a bad actor pretends to be you to send phishing emails to your employees, customers, and supply chain. 

This is the same protocol that Google refers to in its latest update, where it states that DMARC is no longer a best practice recommendation but a steadfast requirement:

“Many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst. To help fix that, we’ve focused on a crucial aspect of email security: the validation that a sender is who they claim to be.”
New Gmail protections for a safer, less spammy inbox 

Unfortunately, email security protocols are oftentimes shrouded in myths and thought of as being too difficult to deploy, confusing, or a lot of manual work. However, with the help of an automated DMARC application that shows you actionable insights and provides step-by-step guidance, you could get to full protection in as little as 6 weeks and become compliant with Google and Yahoo’s new requirements. While it does take some level of dedication, this is simply the short-term legwork required for businesses to ensure long-term gain: having secure email communications with employees, customers, and partners and improved email deliverability.

With Google and Yahoo making email authentication a requirement, we are hopeful that these myths will be debunked and that deployment of best practice email security protocols will be deemed a business-critical initiative that is adhered to by SMBs and enterprises alike.

Want to check if you’re ready for Google and Yahoo’s upcoming changes?

If you want an easy way to make sure your email-sending domains are ready come February 1, 2024, Red Sift makes it easy. 

In just 3 minutes, our free Investigate tool checks how you stack up against Google and Yahoo’s requirements and provides a visual breakdown of exactly what you need to action. All you need to do is send an email to the unique address we provide and wait for your results to come in! By testing your specific email-sending service, Investigate can ensure that FCrDNS is configured correctly, that there is DKIM or SPF alignment and that the DKIM key is valid, all of which are critical to pass Google and Yahoo’s requirements.

Example of Red Sift’s Investigate tool cards

To check your Google and Yahoo readiness and fix any issues that exist, try our free Investigate tool now.

Red Sift ensures email security success for 1,000+ global organizations – and can help you, too

Red Sift’s automated DMARC application, OnDMARC, enables businesses all over the globe to easily, quickly, and safely implement DMARC, thus protecting business email communications with customers, suppliers, and partners by blocking vendor fraud, account takeovers, and email spoofing. 


To get started with your DMARC implementation, reach out to us to speak with an expert.

PUBLISHED BY

Francesca Rünger-Field

24 Oct. 2023

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
DMARC

The Mail Check deadline has passed: Is your organisation at risk? 

Jack Lilley

The National Cyber Security Centre (NCSC) proposed changes to Mail Check services came into effect on 24 March 2025, including the ending of DMARC aggregate reporting. Organisations who are yet to comply must now seek an alternative provider or risk exposure to harmful cybersecurity incidents. This change comes as a measure to expand the…

Read more
Awards

Red Sift named a Top 50 company in 2025 Emerging Stars Awards

Jack Lilley

We’re pleased to share that Red Sift has been named Best Performing Company – Security & Infrastructure in the 2025 Emerging Stars Awards. These awards, part of the Megabuyte100 series, recognise the UK’s 50 best-performing scale-up technology companies based on solid financial performance, from over 800 entries.  Being recognised in this category reflects the…

Read more
DMARC

Mailgun and Red Sift partner to boost email programs with stronger authentication  

Rebecca Warren

Senders know that email is a critical channel for driving customer engagement and establishing trust, yet deliverability and security issues can disrupt email programs. Mailgun, a leader in cloud-based email delivery, is providing free DMARC reporting for all Mailgun senders courtesy of Red Sift OnDMARC. This integration brings senders complete visibility into authentication results…

Read more
DMARC

Over 60% of healthcare organizations remain unprotected against data breaches

Sean Costigan

Introduction Red Sift’s analysis of healthcare organizations that reported large breaches to the Department of Health & Human Services (HHS) in 2023-2024 uncovered a troubling trend: post-breach, 61% remain unprotected against phishing and domain spoofing due to weak or nonexistent DMARC policies. DMARC (Domain-based Message Authentication, Reporting & Conformance) is a widely recognized security…

Read more