Major email marketing compliance changes you can’t ignore: Steps to take before February 2024
Table of Contents Jump to:
Table of contents
TL;DR: Significant email compliance changes are coming to Gmail and Yahoo, which affect those sending over 5,000 emails per day. Here’s what’s happening, who it impacts, and how to prepare for these changes.
The world of email marketing is quickly evolving, and email compliance is changing right along with it. As a small business owner, staying ahead of compliance changes helps ensure you can continue emailing your audience.
Starting in early February 2024, major inbox providers like Gmail and Yahoo are requiring some senders to meet a new standard of email authentication. Here’s what’s happening, who it impacts, and everything you need to know to navigate these changes successfully.
Short on time? Here’s what you need to do
Email providers, like Gmail and Yahoo, are implementing measures to shift the industry towards less spam and more authentic email marketing. Standards that have long been considered best practices will now be required in order to ensure a high deliverability rate and stay out of the spam box.
Who does this impact?
Gmail and Yahoo’s new email compliance requirements apply to:
- All free email senders sending over 5,000 emails per day. A “free email” address is an email address from a free email provider, such as Gmail, Yahoo, and Hotmail. Some examples of free email addresses are firstname.lastname@example.org, email@example.com, or firstname.lastname@example.org.
- Any custom domain sender whose domain is unauthenticated AND who is sending over 5,000 emails per day. Those who are sending from a custom domain that hasn’t been properly authenticated through DKIM, SPF, or DMARC.
Any sender that falls into these categories will need to follow new requirements or else will be considered an unverified sender.
Note: If you are using a free email address on Flodesk to send emails, regardless of your list size, you will need to obtain a custom domain and authenticate your email through DKIM or SPF.
Not ready to get a custom domain? Don’t worry—we’re here to help. Until you hit our platform’s daily send limit, Flodesk will rewrite your sender address so that your emails are sent from one of our verified domains. This will allow you to continue nurturing your list until you’re ready (or required) to set up a custom domain.
What are the new requirements?
The following are now considered requirements for sending bulk email (defined as over 5,000 emails per day in either a single blast or through workflow automation). To remain compliant, you must:
- Send emails from a custom domain (as opposed to a “free email” domain, like gmail.com or yahoo.com)
- Verify your domain via DKIM and SPF
- Have A DMARC record set to “at least” p=none
- Offer a one-click unsubscribe button
- Keep spam complaints below 0.3%
Gmail and Yahoo will begin enforcing these new requirements in April 2024. However, we recommend that anyone sending more than 5,000 emails per day take action by February 2024 to prevent any disruption to your email marketing.
Remember: your daily sending volume includes marketing messages, newsletters, updates, coupons, and invitations sent through email. And yes—these changes apply to everyone, whether you’re a solopreneur, a small business, or a massive corporation.
What do I need to do?
We’re committed to making this transition as stress-free and straightforward as possible for Flodesk members. In the coming weeks, Flodesk will be implementing these easy-to-use features to help all members stay compliant ahead of these changes:
- One-click unsubscribe
- Easy access and guidance for adding the necessary records to your domain provider
We will share more information and personalized instructions about steps to take within the next couple of weeks. If you’d like to learn more about these requirements in the meantime, read our overview below.
A breakdown of Gmail and Yahoo’s new sender requirements
If you’re sending more than 5,000 emails per day, here’s what Gmail and Yahoo will begin requiring of you in 2024.
1. A custom domain
Major inbox providers now require that anyone sending more than 5,000 emails per day must be sent from a custom domain rather than a “free email” address. A custom domain means that you’re sending email from a domain name that you own. An example of a custom domain is email@example.com.
Additionally, we highly recommend all Flodesk members sending email, regardless of list size, upgrade their free email address to a custom domain to prevent disruptions to their account. When you use a free email sender address on Flodesk, you will be subject to our platform daily limit and deliverability standards.
2. Email authentication
If you send more than 5,000 emails per day, you’ll need to verify your sender identity by configuring SPF, DKIM, and DMARC records. Please note that only custom domains can be verified. This ensures the email and the domain you’re sending emails “from” is authenticated and helps email providers recognize and trust your emails, increasing your deliverability and reducing the risk of going to spam.
For example, an email for runningshoes.com might be firstname.lastname@example.org. In this case, email@example.com is sending emails from a custom domain, so they’ll need to authenticate their email address to ensure subscribers receive their messages.
If you send less than 5,000 emails per day through a custom domain email address and are using Flodesk, then you will need to configure either DKIM or SPF at a minimum.
These are the email authentication protocols to be aware of:
Unsure how to authenticate your email? Don’t sweat it. We’re sharing everything you need about email authentication and resources you can leverage to set up yours with top providers.
Sender Policy Framework (SPF) is a way for a domain to list all the servers that are authorized to send email on its behalf. Think of SPF like a list of authorized retailers for a high-end fashion product—so buyers can be assured they’re not getting a knock-off.
SPF records, managed by your domain host, list all the IP addresses of all the servers that are authorized to send mail on your behalf—just like a list of those authorized retailers. Inbox providers (like Gmail and Yahoo) can check incoming messages against this SPF record to make sure it’s really coming from you (and not a spammer) before passing it on to the recipient.
To set up SPF:
- Access your domain’s DNS settings
- Add a CNAME record containing your SPF information, which you can copy and paste from Flodesk by navigating to Domain setup
You can learn more about how to set up your SPF in Flodesk here. Not a Flodesk member? Learn how to set up SPF with your provider.
To put it simply, DomainKeys Identified Mail (DKIM) is a small, encrypted digital signature that gets put into your email headers and lets inboxes like Gmail know emails are really coming from you, rather than a spammer. DKIM enables domain owners to “sign” the emails being sent from their domain, much like you might sign an important document to prove it’s really coming from you.
You’ll need to configure your DKIM settings by pasting a set of generated keys from your Flodesk account into the DNS settings of your domain provider. Once you do so, the process of validation can take up to 48 hours.
To set up DKIM:
- Generate DKIM keys, which you can copy and paste from Flodesk by navigating to Domain setup
- Add the generated DKIM keys to your domain’s DNS settings
Authenticating your domain through DKIM in Flodesk is super easy and only takes a few minutes to do. Here’s how.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is another layer of email authentication that builds on DKIM and SPF to prevent spammers from sending emails from your domain. It adds an extra layer of protection to your emails and enhances your brand reputation by allowing you to set policies for handling your emails should they fail authentication checks. If you’re using a custom domain, you must have a DMARC policy in place.
Similar to DKIM and SPF, you’ll need to configure your settings by pasting a DMARC record into the DNS settings of your domain provider.
You can choose between 3 levels of strictness for your DMARC records depending on your desired level of security.
- p=none: This means nothing will happen to your message if DMARC fails
- p=quarantine: This means “quarantine a message that fails DMARC”. You’ll usually find your email in spam when this happens
- p=reject: This means if the email doesn’t pass DMARC it will be rejected (resulting in a bounce)
To keep things simple, we recommend starting by using “p=none”.
You can learn more about how to set up DMARC records for your domain here.
3. One-click unsubscribe
Gmail will begin requiring those sending more than 5,000 emails per day to have one-click unsubscribe enabled. If you’re a Flodesk member, there’s no need to take action here. Our team is implementing this new feature requirement into the Flodesk Email experience by default, so you won’t need to worry about manually adding one-click unsubscribe to your emails.
4. Send emails people love to get
With these new changes, senders of over 5,000 emails per day absolutely must keep spam complaint rates below 0.3% to avoid issues. If you reach a spam complaint rate of 0.3%, you risk having your domain blacklisted by Gmail altogether. And if you’re sending over 5,000 emails per day, it’s easy to exceed that rate—making it more crucial than ever to clean your list, segment subscribers, and share meaningful, relevant content with your community.
Protect your business by taking action to remain compliant
As Gmail and Yahoo begin implementing major changes to their email platforms, we recommend taking action by February to prevent any disruptions to your email marketing. We’re committed to making this transition as stress-free and straightforward as possible, and we’ll be sharing more information and instructions in the coming weeks.
At Flodesk, we are fiercely dedicated to empowering small businesses to succeed. We know just how unsettling change can feel, especially when it can impact your business. If you have questions about these compliance changes, please don’t hesitate to raise them in our Flodesk Insiders Facebook group or contact our team directly at firstname.lastname@example.org.
You’ve got this. We’re here for you every step of the way.
What happens if I ignore this?
If you’re sending more than 5,000 emails per day and don’t take action, more of your emails may land in the spam folder in Gmail and Yahoo mailboxes. This could result in lower email engagement and possible blacklisting by email providers.
Is this a one-time setup?
Generally, you’ll only need to set up your SPF, DKIM, and DMARC records one time. As a best practice, however, we recommend regularly monitoring DMARC and cleaning your email list.
How can I set up my DKIM, SPF and DMARC?
Additionally, in the upcoming weeks, Flodesk will be implementing new features to help all members stay compliant ahead of these changes.
To provide you with ample information in the meantime as our team implements new features, we’ve compiled the following resources on how to authenticate your domain with top providers in the table below.