I help creative entrepreneurs and service providers create beautiful and effective strategic brands, websites, and email marketing programs.
owner + designer
I'm Tammy Hooker
Ciao!
As of February 1, 2024, email giants Google and Yahoo will implement updated and mandatory domain verification and email marketing requirements (and others will most likely follow suit in the not-too-distant future). So, whether you’re sending one email to a customer about a project or blasting out a newsletter to thousands, these changes apply to you.
Why? Because email phishing and spoofing are major problems for everyone – businesses and consumers alike.
According to StationX, a cyber security training company, from 2019 to 2022, reported phishing attacks grew by 508% from just under 780,000 to 4.7 million a year. And 55% of those attacks use brand names to make themselves look credible. In fact, by 2022, 98% of cyberattacks contained one or more elements of social engineering, like spoofing (Graphus, 2022).
And it’s precisely because of statistics like these that Google and Yahoo are implementing new domain authentication requirements. Changes that, if you ignore them, could prevent your emails from reaching your subscribers’ inboxes.
Okay, yes. Technically, these changes are currently for bulk senders (those who send 5,000 emails or more). But in reality, they apply to all businesses, whether you send just a few dozen or thousands of emails because the threat of phishing and spoofing is very real and should be taken seriously by all businesses – big or small.
So, if you want your emails to continue hitting your customers’ or coworkers’ inboxes, implementing these changes is vital. Plus, they’re technically required now.
But reading, and more importantly, understanding all the technical jargon in the articles these companies have published about what’s changed isn’t necessarily easy. With this post, I aim to help you break down all the techy mumbo-jumbo into a digestible, actionable to-do list.
Here’s an overview of the key changes and what you need to do to meet the February 1, 2024 requirement deadline:
Moving forward, using public domain email addresses as verifiable sending domains (the domain you send your emails from) for bulk email sends may lead to your emails becoming flagged as untrustworthy. So, if you’re running your email marketing program with a Gmail, Yahoo, or other email address (name@gmail.com), you’ll need to invest in a custom domain name and an email platform (like Google Workspace or Proton Mail) that you can verify. Not only will this protect your ability to deliver emails, but it will elevate your brand’s professional image. BONUS!
Get yourself a custom domain and email service. If you already have one, fantastic! Check this off your list.
Once you have secured a custom domain, you must now authenticate it.
To do this, you must log in to wherever you purchased your domain (such as Google Domains, Namecheap, Squarespace, etc.) and update your DNS settings with three new records: SPF, DKIM, and DMARC.
SPF, or Sender Policy Framework, authenticates which service providers can send emails using your domain name. For general business emails, it grants permission to the likes of Google Workspace or Proton Mail. For email marketing, it clears the way for email service providers such as MailerLite or ConvertKit to send bulk emails using your domain name. In a nutshell, it protects your emails from the point of email creation and sending.
SPF is added to your DNS as a TXT record.
DKIM, or DomainKeys Identified Mail, is used by your mail server to detect forged sender email addresses (spoofing) on incoming emails. Basically, it confirms that the email address you use to send your email is legitimate, and it functions on two keys. If they don’t match, your emails could be dropped into the spam folder or not delivered at all.
DKIM is added to your DNS as a CNAME record.
DMARC stands for “Domain-based Message Authentication, Reporting & Conformance” and protects your domain from unauthorized uses (such as email spoofing). It uses the powers of your DKIM and SPF records to take action. If an email comes from your domain but fails your DKIM and SPF requirements, your DMARC record decides how to handle that email.
There are three levels of monitoring in DMARC, and the level you set determines where, and if, your emails end up in inboxes: none (monitor emails only), quarantine (automatically send unauthorized emails to spam folders), and reject (doesn’t deliver unauthorized emails at all).
Currently, DMARC is only being encouraged for those sending 5,000 or more emails (total emails/month from your domain, not just marketing emails). But setting this up now helps protect you today and as your business grows.
DMARC is added to your DNS as a TXT record.
Combined, these new records work together to help prevent spammers and phishers from maliciously taking over and using your domain.
Start by checking to see if your domain is protected. I recommend using dmarcian for this. Visit their site, enter your domain name, and hit “check my domain.” The site will automatically generate a free report. Below, you can see the results for my websites. The first is my personal website, tammyhooker.com, and the second is ziastoria.com.
If your domain passes the test, you’ll see a + Details link below each report.
Note: The red X by DMARC changes based on what level you’ve set your DMARC to (none, quarantine, or reject). So, look for the +Details link and click on that for a more detailed confirmation notice.
Once you know what verifications you’re missing, log into your domain’s hosting account and add the necessary records to your domain’s DNS settings.
How to do this will vary depending on where you host your domain. If you need help with this, quickly search your domain host’s help center for articles on adding these records. The number of individual records you’ll need to add will depend on how many platforms use your domain to send emails – so regular emails, marketing emails, e-commerce emails, etc.
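As an added example (not from the original post or from dmarcian), this Python sketch audits the TXT records described above for a mistake that is common once several platforms send for one domain: each platform's setup guide adds its own SPF record, and a domain with more than one SPF record fails SPF evaluation. The domain names, the `include:spf.newsletter-esp.example` value and all function names are assumptions made for illustration.

```python
# Constructed sample data: TXT answers for the placeholder domain example.com,
# where a second sending platform was added as its own SPF record.
SAMPLE_ZONE = {
    "example.com": [
        "v=spf1 include:_spf.google.com ~all",
        "v=spf1 include:spf.newsletter-esp.example ~all",
        "site-verification=constructed-token",
    ],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}

def spf_records(txt_records):
    """Pick out the TXT records that are SPF policies."""
    return [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]

def audit_spf(txt_records):
    spf = spf_records(txt_records)
    if len(spf) != 1:
        # RFC 7208: no record means no policy; several records is a permanent error.
        return [f"found {len(spf)} SPF records, need exactly one"]
    quals = [t.lower() for t in spf[0].split()[1:] if t.lower().lstrip("+-~?") == "all"]
    if not quals:
        has_redirect = "redirect=" in spf[0].lower()
        return [] if has_redirect else ["no 'all' term; unlisted senders get a neutral result"]
    return ["+all authorizes every sender"] if quals[0] in ("all", "+all") else []

def merge_spf(txt_records, final="~all"):
    """Fold several SPF records into one, keeping each mechanism once."""
    merged = []
    for rec in spf_records(txt_records):
        for term in rec.split()[1:]:
            if term.lower().lstrip("+-~?") != "all" and term not in merged:
                merged.append(term)
    return " ".join(["v=spf1", *merged, final])

def audit_dmarc(txt_records):
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return [f"found {len(recs)} DMARC records, need exactly one"]
    pairs = (p.split("=", 1) for p in recs[0].split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return [f"missing or invalid p= policy: {policy!r}"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports will arrive")
    return findings
```

Paste the TXT values shown in your DNS host's dashboard into the lists to audit your own records; `merge_spf` returns the single record to publish in place of the duplicates.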
Google is also lowering its limit for spam complaints.
While best practice has always been to stay below 0.3%, this level is transitioning to more of a hard ceiling. Though I personally advocate for the lower threshold of 0.2%. If your spam complaints tick above this level, Google may automatically send all your emails to spam.
But don’t worry if it does creep up a bit. There are things you can do to bring it back down.
Set up Google’s Postmaster Tools. With 53% of the U.S. market using Gmail, this tool is currently one of the best ways to monitor your spam rate, so if your rate starts to creep up, you can spot it and make the necessary changes. Alternatively, you can also use the reporting dashboard within your email service provider’s account (MailerLite, ConvertKit, etc.). While this is a quick and easy way to check your overall spam rate, the value of being able to go straight to the source with Postmaster Tools can’t be overstated.
CAN-SPAM laws already require you to offer subscribers an easy way to unsubscribe. The new rules make it easier by mandating one-click unsubscribes in your email headers. Most email service providers (MailerLite, ConvertKit, etc.) should incorporate this behind the scenes. But you’ll want to double-check that your emails have it. If not, contact their support team to see if they’re working on it.
But there’s more.
This change also means that you can no longer ask subscribers to email you if they don’t want to be on your list or have subscribers fill out a “why are you unsubscribing” survey BEFORE they’re officially unsubscribed.
Moving forward, if someone hits “unsubscribe,” that needs to happen immediately. You can survey them after the unsubscribe request has been submitted to ask why they left your list or if they want to stay on one of your other lists over another. You’ll need to check your email service provider’s setup process to see how this could be accomplished.
Double-check that your email service provider has implemented or is working on implementing the change to the header.
And if you don’t currently have an unsubscribe link in the body or footer of your email, make sure you add one to your email templates.
Lastly, if you survey subscribers during the unsubscribe process, ensure the survey happens AFTER they’ve been unsubscribed.
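To double-check the header yourself, send a campaign to your own inbox and view the raw message ("Show original" in Gmail). The Python sketch below is an added example, not from the original post or any email provider: it tests a raw message against the one-click unsubscribe format defined in RFC 8058, including the RFC's requirement that the DKIM signature cover both unsubscribe headers. The sample message, its domains and the function name are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (placeholder domains; signature values are
# dummies). It carries the headers a compliant marketing email should have.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=constructed;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post;
 bh=constructed; b=constructed
From: News <news@example.com>
To: reader@example.net
Subject: January update
List-Unsubscribe: <mailto:unsub@example.com?subject=unsubscribe>,
 <https://example.com/u/constructed-token>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello!
"""

def one_click_findings(raw_message):
    """Return the reasons a message fails the RFC 8058 one-click format."""
    msg = message_from_string(raw_message)
    unsub = msg.get("List-Unsubscribe")
    if unsub is None:
        return ["missing List-Unsubscribe header"]
    findings = []
    # The header is a comma-separated list of <URI> entries; one must be HTTPS.
    uris = re.findall(r"<([^>]+)>", unsub)
    if not any(u.strip().lower().startswith("https://") for u in uris):
        findings.append("no https:// URI in List-Unsubscribe")
    post = (msg.get("List-Unsubscribe-Post") or "").strip().lower()
    if post != "list-unsubscribe=one-click":
        findings.append("List-Unsubscribe-Post is not 'List-Unsubscribe=One-Click'")
    # The h= tag of the DKIM signature lists which headers are signed.
    h_tag = re.search(r"(?:^|;)\s*h=([^;]*)", msg.get("DKIM-Signature") or "")
    signed = {h.strip().lower() for h in h_tag.group(1).split(":")} if h_tag else set()
    if not {"list-unsubscribe", "list-unsubscribe-post"} <= signed:
        findings.append("DKIM signature does not cover both unsubscribe headers")
    return findings
```

An empty result means the headers are in the expected shape; it does not confirm that the unsubscribe link itself works, so click it once on a test address.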
In addition to making the above-required changes, you can take a few other steps to ensure your email is functioning at peak deliverability effectiveness.
Run your current subscriber list through a list-cleaning platform like MailerCheck, which can verify that emails are valid and safe, identify full inboxes, discover catch-all email addresses, and find addresses with errors. Best of all, it integrates with most of the major email service platforms. I LOVE this tool!
Bonus: MailerCheck has a built-in DMARC monitoring and reporting tool to help you keep tabs on your domain’s reputation.
With your list cleaned up, your next step should be identifying and re-engaging with your cold subscribers. Now’s the time to send a targeted email campaign to encourage subscribers to start interacting with your emails again. If, in the end, they don’t, feel free to unsubscribe them. Remember, a small but engaged list is far more valuable than a large, unengaged one.
You’ve just finished cleansing your list. Now, take some time to ensure that your onboarding process is built to attract your ideal subscriber, which means drilling into GDPR-approved consent practices. AKA: Make sure you’re getting permission to market to folks. Yup, that means folks can’t just subscribe willy-nilly. They must say (and you need to have recorded), “YES, I’m okay with receiving marketing emails.” Depending on your email service provider, there are several ways to do this.
If you’re tech-savvy, working through this checklist should take less than 30 minutes. But depending on how long it takes to locate the DNS values for your service providers, plus give your DNS records time to update, it might be a day or two before you see your dmarcian report reflect your changes and show that your domain is verified.
Either way, domain authentication is no longer simply a best practice. It’s now a necessary part of doing business to keep both you and your customers safe.
© 2024 | ZIASTORIA LLC | ALL RIGHTS RESERVED
est. 2021