Feb 5, 2024
A step-by-step technical guide for developers and SaaS companies that want their email notifications to comply with Google's and Yahoo's new bulk sender policies.
Context
Starting in February 2024, Google enforces new requirements for sending emails to its users.
Does this apply to me?
Yes. The requirements can be split into 3 levels:
Basic requirements for any sender
Bolder new requirements for domains that send more than 5000 emails per day
One additional requirement for domains that send marketing emails
Since it is unclear how Google recognizes your emails as transactional vs. marketing, we recommend that anyone sending more than 5k emails/day follow all the requirements.
Does NotificationAPI help with compliance?
NotificationAPI users are automatically compliant.
Level 1 Requirements:
Any Sender
1. SPF & DKIM
You probably have one or both of these DNS records already set up:
AWS SES: Verified domains use DKIM by default, you may need to verify SPF
SendGrid: DKIM & SPF verified by default
Mailgun: you need to check the "DKIM" option when configuring your domain
How to test:
Send an email to yourself in Gmail. Check your domain's verifications using the "Show Original" option.
Test SPF/DKIM/DMARC verification in Google
2. Spam rate < 0.1% - 0.3%
This refers to how many of your outgoing emails are reported as spam by recipients. Google suggests keeping this below 0.1% (1 in 1000 emails) and never letting it reach 0.3%.
We recommend signing up for Google Postmaster Tools, which reports on your domain's email reputation and spam rates.
3. Generic requirements: PTR Record, TLS Connection, RFC 5322 Email Formatting
If you use any modern email service, you shouldn't worry about these requirements.
Level 2 Requirements:
Senders with 5000+ emails/day
4. DMARC record
DMARC is a DNS TXT record with many configuration options. Put simply, it tells recipients how to treat emails from your domain that don't pass SPF/DKIM verification.
Setting a strict DMARC configuration could block your emails. So be careful!
We recommend that you start with a loose DMARC record, such as:
Record Name: _dmarc
Record Value: v=DMARC1; p=none;
This record tells recipients that you want to follow DMARC standard v1 (recommended) but not to do anything (p=none) when they encounter an email from your domain that doesn't pass SPF/DKIM.
Over time, you want to change the DMARC record to:
Report back emails with faulty SPF/DKIM using the rua option,
Fix the issues,
And make the DMARC record more strict using the p option
5. DMARC Alignment
There are two "from" addresses for every email:
Header From: the regular From address you see on an email, e.g. John Smith <john@smith.com>
Envelope From: the address that identifies the source of the email at the transport level. For example, an email from john@smith.com may have an Envelope From on the domain sendgrid.com.
DMARC Alignment means the domain in your Header From matches the domain in your Envelope From.
Alignment can be 1) relaxed, where one From domain is a subdomain of the other, or 2) strict, where the domains match exactly. Google is OK with either.
In the image below, you see a spam email where the Header From differs from the Envelope From, and Gmail is bringing attention to it with the "via" keyword.
Level 3 Requirements:
For marketing emails, BUT…
There is no way to know how Google categorizes your emails (marketing vs transactional), so we recommend doing this anyway.
6. One-Click Unsubscribe
First, create an API end-point like the one below. The method must be POST, but the URL can be anything.
Method: POST
URL: https://app.yourdomain.com/unsubscribe?email=user@gmail.com
Body: none
You should unsubscribe the user from your emails when this end-point is hit. For example, Google will call this end-point when the user hits the "Unsubscribe" button in Gmail's interface.
The One-Click Unsubscribe mechanism in action
Then, add the following headers to your outgoing emails:
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://app.yourdomain.com/unsubscribe?email=user@gmail.com>
Remember to replace the example URL and email address with actual values.
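An added example, not code from the original post or from NotificationAPI: the end-point and headers above sketched in Python. Because the end-point is called without a login, the sketch assumes the URL also carries an HMAC-signed token so that only links you issued can unsubscribe an address; the secret, the `token` parameter and the function names are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions, not from the post: the secret, the "token" parameter and all
# function names. Only the URL shape and the two header names come from the post.
SECRET = b"constructed-demo-secret"  # constructed value; load a real one from config
BASE_URL = "https://app.yourdomain.com/unsubscribe"


def _sign(email: str) -> str:
    """HMAC-SHA256 over the normalised address, so links cannot be forged."""
    return hmac.new(SECRET, email.lower().encode(), hashlib.sha256).hexdigest()


def unsubscribe_url(email: str) -> str:
    return BASE_URL + "?" + urlencode({"email": email, "token": _sign(email)})


def unsubscribe_headers(email: str) -> dict:
    """The two headers from the post, pointing at the signed URL."""
    return {
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
        "List-Unsubscribe": f"<{unsubscribe_url(email)}>",
    }


def handle_unsubscribe(method: str, url: str, unsubscribed: set) -> int:
    """Framework-free handler: returns the HTTP status code to send back."""
    if method != "POST":
        return 405  # GET from a link scanner or prefetcher must not unsubscribe
    query = parse_qs(urlsplit(url).query)
    email = query.get("email", [""])[0]
    token = query.get("token", [""])[0]
    # Constant-time comparison on bytes; a missing or altered token fails here.
    if not email or not hmac.compare_digest(token.encode(), _sign(email).encode()):
        return 403
    unsubscribed.add(email.lower())  # idempotent: a repeated POST is harmless
    return 200
```

In a real service the `unsubscribed` set would be your subscription store, and the status code would be returned through your web framework.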
Compliance through NotificationAPI
NotificationAPI provides the one-click unsubscribe option at no cost without writing a single line of code. Our account setup process also ensures your emails comply with SPF, DKIM, DMARC, and DMARC Alignment.
So, all NotificationAPI users are compliant without additional effort.