
What Associations Need to Know About Gmail and Yahoo Email Protections

In February, Gmail and Yahoo will begin to require email senders to authenticate their emails, make it easy to unsubscribe from email lists, and stay under a reported spam threshold. One expert shares how these changes may impact organizations—and what association professionals should know about the requirements and how to prepare for them.

On February 1, Gmail and Yahoo will begin enhancing email security measures to reduce phishing and spam.

These requirements for senders fall into three buckets: email authentication, requiring senders to authenticate their email with one of the three widely known email authentication protocols; easy unsubscribe, requiring senders to offer a one-click unsubscribe option for users; and spam reduction, requiring senders to stay below a reported spam threshold.

According to Dean Canellos, manager of deliverable operations at Higher Logic, Yahoo and Gmail have taken what have long been considered best practices for email marketing and have made them requirements.

“Most providers advocate for customers to authenticate their mail because it’s the best way to prove to recipients that the mail is from the person who claims to be sending it. And it’s not a bad time to look at your list acquisition process and ensure you’re emailing people who want your mail,” he said.

Understand the Requirements

Gmail and Yahoo want all senders to authenticate emails with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Bulk senders (those who send more than 5,000 messages per day) will also need to use Domain-based Message Authentication, Reporting, and Conformance (DMARC). These authentication methods help prevent unauthorized parties from sending emails on behalf of a domain they don’t own.

“SPF is an authentication protocol that lists IP addresses in a Domain Name System (DNS) TXT record that are authorized to send email on behalf of domains,” Canellos said. “DKIM is like an ID or passport that can verify who you are. Meanwhile, DMARC helps domains address domain-spoofing and phishing attacks by preventing unauthorized use of the domain in the friendly-from address of email messages.”

Bulk senders will also need to ensure that users can easily unsubscribe from their emails, also called one-click unsubscribe. According to Canellos, this does not refer to unsubscribe links that organizations may include in the footer of their messages; rather, there’s an email protocol that exists in the header of the message. This isn’t visible in the user interface, and it’s referred to as the “list unsubscribe header.”

Lastly, Gmail and Yahoo will enforce a spam rate threshold: senders must stay below 0.1 percent and must not exceed 0.3 percent. This counts only messages that people mark as spam, not all messages in a user’s spam folder.
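An offline check of the requirements described above, as an added example that is not part of the original article: it looks at one message's headers and a domain's TXT records for SPF, DKIM, DMARC and the list-unsubscribe header, and classifies a complaint rate against the 0.1 and 0.3 percent figures. The domain, records, message and function names are constructed for illustration; the `List-Unsubscribe-Post` header is the one-click mechanism from RFC 8058, which the article does not name.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data (not from the article): TXT records as a DNS lookup
# would return them, and the headers of one outgoing bulk message.
DNS_TXT = {
    "example.org": ["v=spf1 ip4:192.0.2.10 -all"],
    "_dmarc.example.org": ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],
}
RAW_MESSAGE = """\
From: Member News <news@example.org>
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1; bh=...; b=...
List-Unsubscribe: <https://example.org/unsub?t=abc>, <mailto:unsub@example.org>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Subject: January update

Hello!
"""

def parse_tags(value):
    """Split a 'k=v; k=v' tag list (DKIM-Signature, DMARC record) into a dict."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def txt_record(name, prefix, txt):
    """First TXT record at `name` that starts with `prefix`, or ''."""
    return next((r for r in txt.get(name, []) if r.lower().startswith(prefix)), "")

def check_message(raw, txt=DNS_TXT):
    """Presence checks only: no signature verification and no live DNS.
    Assumes the envelope sender domain (which SPF evaluates) equals the From domain."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dmarc = parse_tags(txt_record("_dmarc." + domain, "v=dmarc1", txt))
    post = msg.get("List-Unsubscribe-Post", "").replace(" ", "").lower()
    unsub = msg.get("List-Unsubscribe", "").lower()
    return {
        "spf": bool(txt_record(domain, "v=spf1", txt)),
        "dkim": bool(parse_tags(msg.get("DKIM-Signature", "")).get("d")),
        "dmarc_policy": dmarc.get("p"),  # None when no DMARC record exists
        "one_click_unsubscribe": "<https://" in unsub and post == "list-unsubscribe=one-click",
    }

def spam_rate_status(delivered, marked_spam):
    """Classify the user-reported spam rate against the 0.1% / 0.3% figures."""
    if delivered <= 0:
        return "no data"
    if marked_spam * 1000 < delivered:        # below 0.1 percent
        return "ok"
    return "elevated" if marked_spam * 1000 <= 3 * delivered else "over threshold"
```

A footer-only or `mailto:`-only unsubscribe option fails the one-click check here, which matches the distinction the article draws between a footer link and the header.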

How to Prepare

While the email authentication and spam complaint protocols will start in February, providers won’t initially reject messages that don’t meet the requirements. Instead, they’ll defer messages and provide signals back to senders that messages aren’t in compliance.

“Gmail has said that they will begin temporarily deferring messages for senders not meeting their authentication requirements beginning February 1st. They will begin to reject messages that do not meet their standards in April,” Canellos said. “Yahoo has not said when they’ll reject messages that don’t meet the standards.”

Gmail and Yahoo will not enforce the one-click unsubscribe requirement until June. According to Canellos, this is often handled through the infrastructure organizations use to send messages.

“Higher Logic Thrive Marketing includes a list-unsubscribe header by default for customers, and it automatically excludes those who unsubscribe from future sends. You can also implement message categories and email preferences to give members greater control over their email subscription,” Canellos said.

Before February, Canellos recommends that bulk senders review their current setup to make sure they have email authentication in place. Most providers have something in the user interface that lets senders look up what they have configured, or senders can reach out to their support organizations to make sure they have SPF, DKIM, and DMARC.

He also suggests checking the metrics to determine your organization’s spam complaint rate. When monitoring data, work with your information technology team on domain validation. Google has Postmaster Tools that allow senders to sign up with a Google address and start tracking and monitoring data as Gmail sees it.

“Make sure you’re doing the right thing as far as collecting email addresses and validating,” Canellos said. “The gold standard is a confirmed opt, so where possible, leverage that and make sure you send mail to folks who want your messages.”

By Hannah Carvalho

Hannah Carvalho is Senior Editor at Associations Now.