What You Need to Know About Gmail and Yahoo’s Big Changes for Newsletters

These stories are presented thanks to beehiiv, an all-in-one newsletter suite built by the early Morning Brew team. It’s fully equipped with built-in growth and monetization tools, no code website and newsletter builder, and best-in-class analytics that actually move the needle. Some of the top newsletters in the world are built on beehiiv, and yours can be too. It’s one of the most affordable options in the market, and you can try it for free — no credit card required. Get started with beehiiv today.

As of February 1, Gmail and Yahoo are rolling out several major changes in the inbox. I know behind-the-scenes deliverability news may make some of your eyes glaze over, so let’s get to the part that should scare you into action:

If you fail to comply with these new rules, you won’t be able to send newsletters to readers who have Gmail or Yahoo email addresses. (And that includes anyone whose business uses Google Workspace.)

Litmus data from December 2023 says that combined, Gmail and Yahoo represent 32.2% of all emails opened. When I look at data for Inbox Collective clients, the number is even higher than that — it usually represents at least 50% of all emails on a list.

Imagine being unable to send to a third, a half, or more of your email list. If you don’t comply with the new rules, Gmail and Yahoo are likely to bounce back your emails, meaning they won’t land anywhere in the inbox or spam folder.

The good news is that Gmail and Yahoo have set up requirements that anyone can fulfill — even if you’re not particularly tech-savvy. So, let’s talk about what’s happening, what Gmail and Yahoo are requiring you to do, and what actions you need to take to stay in the inbox.

Why are Gmail and Yahoo making these changes?

These changes are a direct response to the sudden rise in spam and phishing attacks. As I wrote in a recent piece about email security:

The global metrics around email hacking are staggering. SlashNext, an email security platform, reported a 1,265% increase in phishing attacks over the past 12 months — a rise they said is driven by artificial intelligence tools like ChatGPT. (SlashNext researchers even discovered online forums with tutorials about how to use ChatGPT to write phishing emails.) The platforms have countered with their own AI-based solutions. In October, one major security company, Proofpoint, acquired Tessian, which deploys AI to stop phishing attempts. 

Even as security companies make adjustments to protect users, more and more attacks are reported nearly every few weeks. Vade, another email security platform, saw more than 493 million phishing attacks in the third quarter of 2023, a jump of 173% just from Q2.

These changes are a way for Gmail and Yahoo to improve their filters to keep inboxes free from bad actors. “There’s so much bad mail out there,” Jennifer Nespola Lantz, vice president of industry relations and deliverability at Kickbox, told me. With the required changes, Gmail and Yahoo should be able to better identify which mail is spam and which newsletters — like yours — belong in the inbox.

What are Gmail and Yahoo requiring of senders?

You can read Gmail’s requirements here and Yahoo’s requirements here. But let’s break down the key parts. Anyone who sends to any Gmail or Yahoo email addresses, even if you only send to a handful of them, is:

• Required to set up SPF — Sender Policy Framework, or SPF, verifies that an email message’s sender is authorized to use a particular domain’s email service. 
• Required to set up DKIM — Domain Keys Identified Mail (DKIM) authenticates the message’s content by using digital signatures to confirm that it has not been altered during transit.
• Required to keep spam complaint rates low — Gmail says spam complaint rates should stay below 0.1% and never rise above 0.3%. Yahoo says rates should stay below 0.3%.

If you send to more than 5,000 Gmail or Yahoo readers per day, you’re what’s known as a “bulk sender,” and you’re subject to one additional requirement:

• You’re required to set up DMARC — Domain-based Message Authentication, Reporting, and Conformance, or DMARC, is an authentication protocol that helps prevent email spoofing. With DMARC, you can tell the inboxes where you send your email from and tell them what to do if they spot someone trying to spam, spoof, or phish a reader using your email address.

On top of these requirements, Gmail and Yahoo expect you to be transparent with your readers, giving them a clear opportunity to opt in to newsletters and making sure you send them only the content they’ve requested. Here’s how Yahoo explains it:

• Verify you’re only sending mail to users who specifically requested it.

• Honor the frequency of the list’s intent. Don’t start sending daily emails to subscribers of your weekly or monthly mailing.

• Don’t purchase mailing lists or subscribe users by having an opt-in checkbox automatically checked on your website.

There are also a few things that Gmail and Yahoo are requiring that, as long as you’re sending via a reputable email service provider, your ESP will take care of. These include:

• One-click unsubscribe links — Readers need to be able to unsubscribe with one click, and Yahoo is requiring senders to honor that opt-out within two days. (One small win for all inboxes: Goodbye to the businesses that promise to process your unsubscribe within 7-10 days!) If you have multiple newsletters under a single brand, you’re still free to include an additional link to a preferences center so a reader can opt in or out of other newsletters.
• Forward and reverse DNS records for your IP address — This allows someone to clearly see what IP address is connected with a specific domain, and vice versa.

Before we get to the next steps, there are two quick things I want to make sure to address:

What if I send via an email address my ESP gave me?

Several major email brands, like Beehiiv or Substack, allow you to send emails via their domains. For instance, Claire Zulkey, who edits a lot of the stories you read on Inbox Collective, has a newsletter on Substack called Evil Witches. She doesn’t send her newsletter from claire@evilwitches.com or another custom domain — her emails come via evilwitches@substack.com. If you’re like Claire and send using a Beehiiv or Substack domain, those ESPs have already taken care of the SPF, DKIM, and DMARC requirements for you. There’s no additional action you need to take.

Other platforms, like Ghost, are rolling out multiple options for users: You can use their default settings, where they take care of all authentication for you, or you can set up authentication yourself using a custom sending domain if you choose.

What if I don’t have a professional email address to send from?

ESPs have long discouraged newsletter operators from sending their newsletters from a personal Gmail, Yahoo, or other common email address. They’ve always recommended that you use a professional email address — it’s the reason why my newsletter, for instance, comes from an @inboxcollective.com address instead of my personal Gmail account.

As part of these changes, Gmail and Yahoo haven’t explicitly stated that everyone should move to a professional email — but in the requirements listed, in fairly technical terms, they’re saying that you need to be sending via a professional email address. Both AWeber CEO Tom Kulzer and Kickbox’s Nespola Lantz pointed out to me that these changes effectively put an end to the practice of using a personal email. If you try sending via @gmail.com address to Gmail, for instance, your newsletter will end up in the spam folder or go undelivered.

My recommendation: If you send via a personal email address, make the switch to a professional domain. Look at buying your domain via a tool like Hover. (I also love using Domainr to find available domain names.)

The one exception: If you send via Beehiiv, Substack, or another domain that gives you your own email address (i.e., mynewsletter@beehiiv.com), you’re free to keep using that.

What do I actually need to do to fulfill Gmail and Yahoo’s requirements?

If you use a custom domain, there are four main requirements around SPF, DKIM, DMARC, and spam complaints that you’ll need to take care of. 

Here’s what you need to do to be compliant.

1.) Check to see if you’ve already set up SPF, DKIM, and DMARC

There’s a chance you’ve already got some of these authentication tools set up, so you’ll first want to check to see if you’ve done this.

My favorite way to check is by opening one of your newsletters in Gmail. Click on the three dots next to the date in the top right corner of the message. Then click on “Show Original.”

You’ll see something like this pop up:

The three most important things I’m looking for here:

• Does the DKIM record show your domain? — In my case, I want to see my domain, “inboxcollective.com,” listed. If Mailchimp still handled DKIM for me, I’d see “mailchimpapp.net” listed as the domain, and that’d be a flag that I needed to set up DKIM.
• Is there a DMARC record listed? — If not, you won’t see it listed below SPF and DKIM, and you’ll have to set one up.
• Is everything passing? —  There are only two options with SPF, DKIM, and DMARC: “PASS” means you’ve set up these options correctly. “FAIL” means you’ve got issues you need to fix right away.

If you don’t use Gmail, I recommend using a tool like About My Email to check if you’re compliant. You send it an email from your ESP, and it’ll show if you’re passing SPF, DKIM, and DMARC.

Once you’ve figured out what needs to be set up, then you’re on to the action items.

2.) Set up SPF

SPF is one of two digital keys that helps certify that you are who you say you are. (DKIM is the other.) SPF, essentially, is a way to tell the inbox that you’re allowed to send emails via a specific email platform.

But here’s the complicated part: Some ESPs handle SPF for you, and some do not. And in some cases, the answer depends on the type of customer you are.

• Customer.io, for instance, encourages you to add an SPF record for your newsletter.
• AWeber and Active Campaign allow you to set up SPF but don’t require it.
• Brevo handles SPF for users on a shared IP but requires you to set it up if you’re on a dedicated IP.
• Beehiiv and Mailchimp handle all SPF requirements for users.

There are too many ESPs to list out the rules for each here, but a quick search or check-in with your ESP’s customer service team will help you figure out if you need to set up SPF for your newsletter.

If you send email via another source — maybe work emails through Google Workspace, internal company emails via an HR tool, or emails from your online store through something like Shopify — you’ll want to authenticate those sources, too.

Now for the technical part: The SPF record should be added to your DNS as TXT file. To spell it out for the non-technical folks: If your ESP allows you to update SPF yourself, they’ll give you a little bit of code, known as an SPF record, and you’ll add it to wherever your emails are hosted — something like GoDaddy or Bluehost.

I’ll give a shout-out here to the team at RedSift, which has put together a list of step-by-step SPF guides for many commonly-used hosting services. Go here and search for your hosting service, and you’ll find SPF instructions for various services. (Your hosting service’s customer service team can also point you in the right direction.)

Here’s an example: I send newsletters via Mailchimp and work emails via Google Workspace. Mailchimp handles all SPF requirements for me, so there’s nothing more to do there. But Google Workspace does not, so I followed their instructions and set up SPF so any day-to-day emails from @inboxcollective.com domains are certified.

3.) Set up DKIM

DKIM is the second big digital key. It’s like a digital ID — an inbox provider matches the ID in the code of a newsletter to an ID on your website, ensuring that you are who you say you are.

There are some ESPs that will handle DKIM for you, like Beehiiv and Klaviyo. (Though here’s an example of where things get complicated: Klaviyo handles DKIM for you — unless you’re on a custom IP, in which case you have to set up DKIM during the set-up process. Again, check with your ESP directly for instructions! This stuff is confusing!)

The DKIM record, like the SPF record, gets added as a TXT file to your DNS.

Red Sift, which I mentioned above, has instructions on DKIM setup — again, search for your hosting service’s name, and they’ll send you to the right step-by-step guides.

4.) Set up DMARC

DMARC first rolled out in 2012, in partnership between the inboxes and companies like PayPal. The idea was simple: Sure, it’s nice to have tools like SPF and DKIM that allow you to verify who you are, but what happens when a spammer attempts to impersonate you?

For a company like PayPal, this was a big deal — spammers were constantly trying to spoof their domain, and PayPal wanted a way to stop it. So DMARC was invented to solve the problem.

DMARC checks to see if you have SPF and DKIM set up. If your DMARC record matches up with either the SPF or DKIM records, you pass the DMARC check.

But the percentage of large companies who’ve set up DMARC has always been relatively low, even though it’s one of the best tools you can use to keep spammers and spoofers at bay. One 2023 report from SendLayer found that 12% of the Fortune 500 and 41% of companies in the banking sector had not set up DMARC. Among the types of newsletters Inbox Collective works with — those belonging to newsrooms, non-profits, and individual writers — I see very low adoption of DMARC policies.

The good news is that setting up DMARC is relatively easy to do. Unlike SPF and DKIM, where the rules vary based on your ESP, the set-up process for DMARC is the same for all newsletters. We’ve got step-by-step instructions here to walk you through the process.

Ask a Deliverability Expert: Should I Set Up DMARC?

Four more things to note with DMARC:

• To start, set your enforcement policy to “none” — There are three levels of enforcement for DMARC policies: None, quarantine, and reject. I highly recommend you start with “none.” If you set your policy to “quarantine” and “reject” but have incorrectly set up SPF or DKIM, your emails may start going to the spam folder. (I will confess that I screwed this up with my own DMARC set-up process a few years ago and went through a 24-hour period where every email I sent went to spam. Not great!) Right now, Gmail and Yahoo are only requiring policies of “none,” though that may change in the future. Of note: Any changes are highly unlikely to come in 2024.
• Use a tool to monitor DMARC — Free tools, like Valimail’s DMARC Monitor or Postmark’s DMARC tool, can help keep tabs on DMARC reporting and show you which domains are passing or failing. If you’ve made an error in setting up DKIM for your ESP, for instance, you’d be able to see in these tools that your DKIM policy is failing, and then you can go and fix that. Once everything is passing correctly, then you can change your policy to “quarantine” or “reject.” (Here’s a bit more about what each of these policies means.)
• Even if you send fewer than 5,000 emails per day, I’d still set up DMARC — Yes, Gmail and Yahoo are only requiring DMARC for bulk senders. But I’d still go ahead and do this even if you don’t meet that threshold — just set your enforcement policy to “none.” One benefit: Doing may have a positive impact on deliverability. Any newsletter that’s set up a DMARC policy will be more trustworthy, in the eyes of the inboxes, than a newsletter that hasn’t.
• Large brands may also want to set up BIMI — If you’re a big brand — I’d define that as the kind of brand that has a trademarked logo — you may also want to set up BIMI to further solidify your reputation in the inbox.

5.) Keep spam complaints low

The final requirement, which applies to anyone who sends newsletters to any list size, is to minimize the number of spam complaints. There’s a discrepancy here between Gmail and Yahoo: Gmail says spam complaint rates should stay below 0.1% and never rise above 0.3%. Yahoo says rates should stay below 0.3%. In general, I’d stick with Gmail’s number: 0.1% is the threshold to stay under.

The best way to track these numbers isn’t in your ESP’s dashboards — it’s via tools like Google Postmaster. Setting up Postmaster takes just a few minutes, and tutorials like this can walk you through the process.

Once it’s set up, you’ll get a few interesting data points from Postmaster, including spam complaints and data about the health of your domain.

If your spam complaint rates are above 0.1%, you’ll want to immediately look through this list of steps and take action.

What happens if I don’t follow these requirements?

Kickbox’s Nespola Lantz said she expects to see Gmail and Yahoo slowly introduce these changes starting February 1. Don’t expect them to erect a wall around the inboxes on that first day — it’ll be a slow rollout. In February, your newsletters might start taking longer to deliver to inboxes, and you may start to see some newsletters get rejected from the inbox in what’s known as a “bounce.” If you still haven’t made changes by the spring, she expects that those brands will start to see a significant number of bounces — Gmail and Yahoo will reject newsletters from the inbox, meaning that they won’t even reach the spam folder. Those brands will eventually see a massive hit in terms of emails delivered and opened. 

When I asked Nespola Lantz if every newsletter operator should be moving quickly to set up these requirements, she made things as clear as can be: “If you care about Gmail and Yahoo, yes.”

This story was updated on January 24, at 4:23 p.m., to better reflect Gmail and Yahoo’s policy around sending via a personal email address.

Thanks to our sponsor

The stories you’re reading on inboxcollective.com are made possible thanks to the generous support of our winter sponsor, beehiiv, an all-in-one newsletter suite with built-in growth and monetization tools, no code website and newsletter builder, and best-in-class analytics that actually move the needle. Start your journey with beehiiv today, absolutely free — no credit card needed.