Gmail announced yesterday that it is updating its bulk sender guidelines to enhance email security and reduce spam (see announcement).
These changes will primarily affect bulk senders, those who send over 5,000 messages to Gmail addresses daily, but you can safely assume that this will impact everyone doing email marketing.
What is it about? What is changing? Let’s dive in.
The state of email security
Email started in the 70s. At that time, it was used by university professors to talk to each other. There was no security protocol included in it. SMTP, which stands for Simple Mail Transfer Protocol, was introduced in 1977. There were no security or authentication mechanisms included in it.
This means that you could impersonate someone very easily. All you had to do was claim that the message was sent by [email protected], even if, in reality, you were [email protected]. That wasn’t a big deal then because the Internet was still little known. But the thing is, SMTP is still in use today.
Now that email is ubiquitous, with an estimated 347 billion emails sent per day, several security mechanisms have been introduced to authenticate messages: SPF, DKIM, and ARC, to name the most common. But they were still optional in most places.
With its latest announcement, Gmail is saying that it will require security mechanisms to accept emails, as well as enforcing two other email hygiene best practices.
Gmail’s new requirements for bulk senders
With its latest announcement, Gmail is updating its email sender guidelines and giving bulk senders (i.e. users of Mailchimp, Sendgrid, Mailmeteor, etc.) five months to adapt.
To get into the details, Gmail is sharing that, starting February 2024, it will start to require bulk senders to:
Authenticate emails using DKIM
DKIM is an email authentication method that digitally signs each email, ensuring that someone is not impersonating the sender. Said differently, it enforces that the email was sent by [email protected], and no one else.
DKIM was introduced in 2004, the same year Gmail was launched. Almost 20 years later, Gmail is enforcing its usage and will outright reject all emails that are not authenticated.
To ensure your DKIM is enabled, look at your DNS records. If you don’t know what they are, ask your IT department. Gmail has extensive documentation on DKIM to help you set it up in case you need it. If you’re using Mailmeteor to send emails, follow Gmail’s documentation on how to set up your DKIM record.
On a side note, this also means that SPF is no longer deemed secure enough by Gmail engineers. That might follow a recent hack presented at the latest DEFCON, where a hacker showed how to spoof millions of domains that had SPF enabled.
Enable easy unsubscription
On top of security measures, Gmail also wants to enforce one-click unsubscribe. That means that having “Click here to unsubscribe” at the end of your emails is not enough. Technically, you should make it possible to unsubscribe in one click.
Thankfully, the One-Click Unsubscribe has been in place since 2017. It works by adding headers to your emails, such as:
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://solarmora.com/unsubscribe/example>
If you are using Mailmeteor, it’s already done. Every time you insert an unsubscribe link, we include these headers, so there are no actions for you to take.
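The DKIM and one-click requirements interact: RFC 8058, which defines the headers above, requires the message to carry a DKIM signature that covers both List-Unsubscribe and List-Unsubscribe-Post, and requires an HTTPS URI in List-Unsubscribe. The checker below is an added example, not Mailmeteor's or Gmail's code; the function names, the example.org domain and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

NEEDED = {"list-unsubscribe", "list-unsubscribe-post"}

def signed_headers(dkim_value):
    """Header names listed in the h= tag of one DKIM-Signature value."""
    flat = re.sub(r"\s+", "", dkim_value)  # undo header folding
    tags = dict(t.split("=", 1) for t in flat.split(";") if "=" in t)
    return {h.lower() for h in tags.get("h", "").split(":") if h}

def one_click_problems(raw_message):
    """Structural RFC 8058 checks; the signature itself is not verified."""
    msg = message_from_string(raw_message)
    problems = []
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no https URI")
    if msg.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post missing or wrong value")
    sigs = msg.get_all("DKIM-Signature", [])
    if not any(NEEDED <= signed_headers(s) for s in sigs):
        problems.append("no DKIM-Signature covers both unsubscribe headers")
    return problems

# Constructed sample messages (placeholder signature values, example.org domain).
COMPLIANT = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1;
 h=from:subject:list-unsubscribe:list-unsubscribe-post; bh=PLACEHOLDER; b=PLACEHOLDER
From: news@example.org
Subject: October update
List-Unsubscribe: <mailto:unsub@example.org>, <https://example.org/unsubscribe/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello!
"""

FOOTER_LINK_ONLY = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: news@example.org
Subject: October update
List-Unsubscribe: <mailto:unsub@example.org>

Click here to unsubscribe: https://example.org/unsubscribe/abc123
"""

if __name__ == "__main__":
    for name, raw in [("compliant", COMPLIANT), ("footer link only", FOOTER_LINK_ONLY)]:
        print(name, "->", one_click_problems(raw) or "OK")
```

Run it against a raw message saved from your own campaign ("Show original" in Gmail) to see which of the three conditions, if any, your sending tool misses.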
Sending wanted email
Last but not least, Gmail will start to enforce “a clear spam rate threshold.” While Gmail’s threshold isn’t shared, industry experts consider that an acceptable level is less than 0.1% of spam reported.
That’s the spam rate threshold recommended by Mailchimp, one of the largest email marketing platforms. Some others have even more stringent spam rates, such as 0.08% for Mailjet. Said differently, that’s less than 1 spam report out of 10,000 emails you’ve sent.
While it’s great for all of us that Gmail continues its fight against spam, it’s pretty surprising that Gmail hasn’t implemented a spam rate threshold yet. Gmail is famous for fighting spam. In 2022, an academic study demonstrated that the algorithm was biased toward US Democrats. That forced Gmail to explain a little about how its spam filters work, stating that the algorithm is primarily focused on the complaint rate.
So, it’s unclear to me what is new today.
Also, it’s not clear how Gmail will enforce this new policy. You might expect they will try out different thresholds. And, Gmail didn’t share if the spam rate applies to the sender’s email address (i.e. [email protected]), its entire domain (@example.org), or even more broadly, the email service (e.g. Mailchimp).
The email industry’s response
These “new” requirements are familiar to email senders. DKIM and One-Click Unsubscribe have been around for years. The spam-rate threshold is also already implemented by most email marketing solutions to prevent abuse on their platforms.
Gmail itself presents these new requirements as “basic email hygiene.” If you haven’t implemented them yet, Gmail is just saying it’s probably time to look into it.
It’s, of course, too recent to analyze the impacts of this new policy. But it shouldn’t affect bulk senders that already follow the industry guidelines. Gmail is targeting spam here. If you don’t send spam (unsolicited emails), you should be fine.
What’s also interesting here is that Gmail is trying to find other solutions to block spam. In this announcement, Gmail shared that it blocks nearly 15 billion unwanted messages daily. That’s around 10 million spam messages blocked per minute. Fun fact: Gmail shared the same number in 2019. One might consider that AI-powered defenses are not enough when it comes to spam.
Impacts on Mailmeteor’s users
First and foremost, Gmail’s announcements target those who send more than 5,000 messages to Gmail addresses in one day. As a user of Mailmeteor, your daily quota is below this threshold (up to 2,000 emails per day), so it will probably not apply to your emails.
But I wouldn’t be surprised if Gmail starts applying these new requirements to everyone. Let’s consider that’s the case. Here’s what’s changing for you:
- Authenticating emails: if you haven’t yet, enable DKIM now. It takes a few minutes, but Gmail has excellent documentation on how to do it.
- One-click unsubscription: Mailmeteor already includes it when you add an unsubscribe link. It’s available to all our users (free and paid), so there’s nothing to worry about.
- Ensure you’re sending wanted email: Gmail’s anti-spam algorithm already takes spam complaints into account, so it’s unclear what’s new here.
Ultimately, it all comes down to email hygiene, aka email reputation, aka deliverability, and we have several guides to help you with that:
- The Ultimate Guide to Email Reputation (2023)
- 10 tips for leveling up your Gmail deliverability (2022)
These new announcements from Gmail should be applauded, especially the “DKIM-everywhere” requirement, which is a significant leap toward security. But they aren’t “new” to industry experts.
Let’s keep the conversation going on X and work together to ensure that email remains a secure and indispensable part of our lives.