New Email authentication requirements 2024

New email requirements coming in 2024

Narrative Industries | Thoughts

In October last year, Google, Yahoo and Apple announced a joint effort to combat the deluge of unwanted emails & spam received by their users. From February 2024, they will enforce strict authentication requirements on emails that pass through their systems.

Email is based on very old tech – the first email was sent in 1971 – and, in its basic form, open to abuse like spam & spoofing. Anyone can, for example, easily change the sender of an email to give the impression that it came from a bank, a delivery company, a utility company, or a social media account. And anyone can send thousands of unwanted emails.

So these new email sender requirements are intended to help prevent unwanted email by requiring the owners of a domain name to “authorise” which systems can send emails under their name. If an email does not come from an “authorised” sender, it may get blocked/bounced, or marked as spam. The new requirements also keep track of how much unwanted email comes from that domain name, and will block domains that send too much unwanted email.

Microsoft and other large email providers are expected to make similar announcements soon.

This is a good thing, but it is very likely to create issues for a lot of existing businesses: those whose websites email order confirmations or booking details, or have contact forms; those who use CRMs & newsletter providers; and those who have automated systems that email invoices / purchase orders, or any other system like that, which sends email under your domain name.

The new email sender requirements could (and probably will) prevent those types of emails getting through to recipients.

Who does it impact?

You may need to take action if you have a website, application or service that sends emails as your domain name (e.g. order confirmations, quotes, purchase orders, booking confirmations, cart abandonment, account creation, password resets, two-factor authentication, etc); if you use web-based accounting software to send invoices; if you send emails from a CRM; or if you use high-volume senders for marketing emails & newsletters.

If you’re not doing anything like that, and exclusively sending standard emails from your computer/phone (through a reputable email service provider), then you should already meet the new email authentication requirements and should not need to take any further action. There’s no harm in getting your provider to confirm that, though.

What is changing?

Starting in February 2024, Google, Yahoo, and Apple will require all senders to follow email authentication best practices which include publishing specific records in their DNS. These may include SPF, DKIM as well as DMARC policies. Senders must have valid forward and reverse DNS records published for their mail servers and use a TLS connection for transmitting mail.
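A basic check of the SPF and DMARC records described above, as an added example that is not from the original article. It works on TXT record strings you paste in (for instance from your DNS host's control panel or `dig TXT`), and every record value and the example.com names shown are constructed samples.

```python
# Added example: checks TXT record strings against SPF (RFC 7208) and DMARC (RFC 7489) basics.
# It makes no DNS queries; all sample records at the bottom are constructed.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup


def audit_spf(txt_records):
    """Return a list of problems in the TXT records published at the domain itself."""
    spf = [r for r in txt_records if (r.lower().split() or [""])[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["more than one SPF record (receivers treat this as a permanent error)"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    # Strip the qualifier (+ - ~ ?) and any argument to get the bare mechanism name.
    names = [t.lstrip("+-~?").replace("=", ":").split(":")[0].split("/")[0] for t in terms]
    problems = []
    # Only this record is counted; lookups inside included records also count toward 10.
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} lookup terms, over the limit of 10")
    if "all" not in names and "redirect" not in names:
        problems.append("no 'all' or redirect, so unlisted senders get a neutral result")
    if any(t in ("all", "+all") for t in terms):
        problems.append("'+all' authorises every server on the internet")
    return problems


def audit_dmarc(txt_records):
    """Return a list of problems in the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["no DMARC record published" if not recs else "more than one DMARC record"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    problems = []
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy tag")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports will be sent to you")
    return problems


# Constructed sample records for example.com
print(audit_spf(["v=spf1 include:_spf.mailer.example ip4:192.0.2.10 -all"]))
print(audit_dmarc(["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]))
```

An empty list means no problems were found by these checks; DKIM, reverse DNS and TLS are not covered here.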

Google, Yahoo and Apple will also track user-reported spam rates; if more than 0.3% of email from an authenticated domain is marked as spam, they may restrict or block all email sent from that domain.

Bulk email senders (e.g. transactional emails, marketing emails, newsletters, etc) will be subject to even stricter authentication requirements. Check that your marketing emails or newsletters offer the option to unsubscribe from future emails through one-click unsubscribe. Senders who don’t comply with the new requirements will be subject to message rate limiting, blocked messages, or have their messages marked as spam.

What do you need to do?

That’s going to depend on the services you use & how they are set up to send email.

So start by making a list of all the systems that can send emails from your company domain name(s), e.g. your website (especially if you use eCommerce, a CPQ, bookings, or have contact forms, etc), and any other web-based invoicing software, CRM, newsletters etc. that may send email under your domain name.

If you use a service provider, then any half-decent ecommerce or web agency will know about this, and may have already taken steps on your behalf, but check with them.

You will need to check if your invoicing software, or CRM, or newsletters, etc, etc are compliant. You may need to work with the relevant service providers to ensure they are following best practices for sending emails, or any emails they send on your behalf might not get through.

Many services (like Mailchimp) have simple instructions or wizards to help you authorise them, and they will validate the changes to make sure they are correct.

Some systems, like Xero for example, do not send emails/purchase orders etc from your business domain; Xero sends emails from an address like messaging-service@post.xero.com. When we checked with Xero, they confirmed that they have the necessary records in place.

If you have a Wix website, AND you bought your domain name through them, they should do it automatically. If you’re using Shopify, and you don’t make the required changes, they will start sending emails from store@shopifyemail.com to meet the minimum requirements outlined by Google and Yahoo.

Other providers may have other steps in place but there are far too many to go into here.

Then, once you’re all set up and all your services are authenticated, make sure you avoid sending unwanted emails from those systems!

What has Narrative Done?

For over a decade, we have aimed to maintain good email deliverability for our clients’ transactional emails & marketing emails by ensuring the relevant records are in place at the DNS (SPF, DKIM, DMARC, etc). For transactional emails, we avoid sending emails directly from webservers and have used other gateways – in the past we used Sendgrid but, last year, we moved to PostMarkApp which, so far, has proved to have excellent deliverability for transactional emails.

Technical Details:
You can find out more about the technical details of the new email sender requirements at the links below.

Google’s New Email Sender Guidelines
Yahoo’s New Email Sender Guidelines
Apple’s New Email Sender Guidelines