Google and Yahoo announce new requirements for email delivery

Google and Yahoo announce new requirements for email delivery

On October 3, 2023, Google and Yahoo announced a new set of requirements for email delivery that will become mandated by February 2024. 

For senders that send more than 5,000 emails a day to Gmail addresses, Google will require a set of authentication measures to be met in order to ensure secure email delivery to its inboxes. While Yahoo does not state a minimum sending requirement, it will align with Google’s criteria. 

The following requirements will be enforced:

  • Implementation of both SPF + DKIM
  • Sending with an aligned `From` domain in either the SPF or DKIM domains
  • Sending from a domain with a DMARC policy of at least p=none 
  • Using a TLS connection for transmitting email (added as a requirement in December 2023)
  • Valid forward and reverse DNS (FCrDNS)
  • One-click unsubscribe (RFC 8058)
  • Low spam reported rate

The full requirements are detailed in Google’s help article.

Google and Yahoo’s united stance promises a seismic shift in email security, ensuring global inboxes are safer through the enforcement of industry-acknowledged best practices. 

“We firmly believe that users worldwide deserve a more secure email environment, with fewer unwanted messages for an improved overall experience. We look forward to working with peers across the industry to boost the adoption of these email standards that benefit everyone.” 
Neil Kumaran, Group Product Manager, Gmail Security & Trust

What does this mean for senders?

Failure to comply with these requirements means that emails sent to Gmail and Yahoo inboxes will not be delivered. When considering that Gmail’s 1.8 billion inboxes equate to almost a quarter of the world’s email-using population, these enforcements will have severe implications for non-compliant businesses that rely on email communication for their operations. 

The good news is that these requirements are already considered best practice across the email ecosystem. They use open standards that are accessible to everyone, such as SPF, DKIM, and DMARC, that can be implemented quickly and safely with the right solution. For businesses that are yet to implement these measures, there’s never been a better time to get ahead of the curve and be ready for Google and Yahoo’s mandate.

What are the benefits of making these changes?

We are thrilled that the email industry is getting together and advocating for these changes as strong email authentication has always played a critical role in email-based business operations. This is because implementing email security protocols like SPF, DKIM, and DMARC is the only effective way to protect your business’s reputation from exact domain impersonation-based phishing attacks. 

To drill into this in a little more detail, DMARC is the email security protocol that blocks exact domain impersonation attacks. It allows domain owners to take back control of their email identity by telling receiving inboxes to reject spoof emails, i.e. when a bad actor pretends to be you to send phishing emails to your employees, customers, and supply chain. 

This is the same protocol that Google refers to in its latest update, where it states that DMARC is no longer a best practice recommendation but a steadfast requirement:

“Many bulk senders don’t appropriately secure and configure their systems, allowing attackers to easily hide in their midst. To help fix that, we’ve focused on a crucial aspect of email security: the validation that a sender is who they claim to be.”
New Gmail protections for a safer, less spammy inbox 

Unfortunately, email security protocols are oftentimes shrouded in myths and thought of as being too difficult to deploy, confusing, or a lot of manual work. However, with the help of an automated DMARC application that shows you actionable insights and provides step-by-step guidance, you could get to full protection in as little as 6 weeks and become compliant with Google and Yahoo’s new requirements. While it does take some level of dedication, this is simply the short-term legwork required for businesses to ensure long-term gain: having secure email communications with employees, customers, and partners and improved email deliverability.

With Google and Yahoo making email authentication a requirement, we are hopeful that these myths will be debunked and that deployment of best practice email security protocols will be deemed a business-critical initiative that is adhered to by SMBs and enterprises alike.

Want to check if you’re ready for Google and Yahoo’s upcoming changes?

If you want an easy way to make sure your email-sending domains are ready come February 1, 2024, Red Sift makes it easy. 

In just 3 minutes, our free Investigate tool checks how you stack up against Google and Yahoo’s requirements and provides a visual breakdown of exactly what you need to action. All you need to do is send an email to the unique address we provide and wait for your results to come in! By testing your specific email-sending service, Investigate can ensure that FCrDNS is configured correctly, that there is DKIM or SPF alignment and that the DKIM key is valid, all of which are critical to pass Google and Yahoo’s requirements.

Example of Red Sift’s Investigate tool cards

To check your Google and Yahoo readiness and fix any issues that exist, try our free Investigate tool now.

Red Sift ensures email security success for 1,000+ global organizations – and can help you, too

Red Sift’s automated DMARC application, OnDMARC, enables businesses all over the globe to easily, quickly, and safely implement DMARC, thus protecting business email communications with customers, suppliers, and partners by blocking vendor fraud, account takeovers, and email spoofing. 

To get started with your DMARC implementation, reach out to us to speak with an expert.


Francesca Rünger-Field

24 Oct. 2023



Recent Posts


The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more

Where are we now? One month of Google and Yahoo’s new requirements…

Rebecca Warren

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty.  At the end of January 2024, one-third of global enterprises were bound to fail the new…

Read more