2024 Email Compliance

Starting February 2024, major inbox providers (Gmail and Yahoo) are requiring senders to meet a new standard of email authentication.

These standards have been best practice for a long time, but they are now required if you don’t want to end up in the spam box.

This affects accounts in different ways. The two categories depend on whether you send:

  • Less than 5,000 emails per day

  • More than 5,000 emails per day

What’s changing:

1. Gmail is removing inactive accounts. That means accounts that have not been logged into for over two years. This might affect your send rate.

2. Gmail and Yahoo are requiring new email compliance for bulk senders. This means if you send over 5,000 emails per day this applies to you.

  • You will be required to use a custom domain

  • Email authentication with SPF, DKIM or DMARC

  • One-click unsubscribe

  • Maintaining spam complaints below 0.3%

Actions to take:

1. Try to clean out your email list once a year. This keeps it from accumulating inactive emails. (Depending on your email platform, you can create a flow to do this automatically.)

2. If you don’t have one already, obtain a custom domain and custom email domain.

3. Authenticate your domain.

- SPF (Sender Policy Framework) is an email authentication method that helps prevent email spoofing by specifying the mail servers authorized to send emails on behalf of your domain. In other words, you authorize your email platform, such as Klaviyo, Mailchimp, Flodesk, Constant Contact or any other you use.

To set up your SPF:

  • Access your domain’s DNS settings

  • Add a CNAME record containing your SPF information, which you can copy and paste from your provider.



- DKIM (DomainKeys Identified Mail) adds an “encrypted digital signature” to your outgoing emails so that inboxes like Gmail can verify your emails are authentic. This is an easy copy and paste of a line from your mailing platform to your domain’s DNS settings.

To set up your DKIM:

  • Generate DKIM keys, which you can copy and paste from your provider (Flodesk, Klaviyo, Mailchimp…) by navigating to Domain setup

  • Add the generated DKIM keys to your domain’s DNS settings

  • The process of validation can take up to 48 hours



- DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a security measure that helps prevent email fraud and phishing attacks by preventing spammers from sending emails from your domain.

  • p=none: This means nothing will happen to your message if DMARC fails

  • p=quarantine: This means “quarantine a message that fails DMARC”. You’ll usually find your email in spam when this happens

  • p=reject: This means if the email doesn’t pass DMARC it will be rejected (resulting in a bounce)

    (p=none is the recommended option for now)


4. Set up one-click unsubscribe. Depending on your email platform, this might be done for you. For example, I know Flodesk is automatically implementing this change for all users. Check with your individual email platform.


5. Share only relevant content. If your emails are flagged with a 0.3% rate of spam complaints, you risk Gmail blacklisting your email domain. (This is a very low bar, so I will be keeping an eye out to see how closely they enforce this new rule.)
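To double-check step 3 after the DNS changes have propagated, here is an added example (not from the original post or from any email platform) that validates the text of an SPF record and a DMARC record and reports which of the three `p=` policies is in effect. It assumes you paste in the published TXT record text as a DNS lookup tool shows it; the sample records, `example.com` names and function names are constructed for illustration.

```python
import re

# Constructed sample TXT records for a placeholder domain (not real DNS data).
SPF_SAMPLE = ["v=spf1 include:_spf.esp.example ~all"]
DMARC_SAMPLE = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]

# The three policies listed above and what receivers do when a message fails DMARC.
DMARC_EFFECT = {
    "none": "delivered as usual",
    "quarantine": "usually sent to spam",
    "reject": "rejected (bounces)",
}
# SPF terms that trigger a DNS query; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(txt_records):
    """Return a list of problems in the TXT records published at the domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    names = [re.split(r"[:/=]", t.lstrip("+-~?"))[0] for t in terms]
    problems = []
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms, limit is 10")
    if "all" not in names and "redirect" not in names:
        problems.append("no 'all' term: unlisted servers get a neutral result")
    elif "all" in terms or "+all" in terms:
        problems.append("'+all' lets any server send as this domain")
    return problems

def check_dmarc(txt_records):
    """Return (policy, problems) for the TXT records at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.replace(" ", "").startswith("v=DMARC1")]
    if len(recs) != 1:
        return None, [f"expected exactly one v=DMARC1 record, found {len(recs)}"]
    pairs = (part.partition("=") for part in recs[0].split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs if v}
    policy = tags.get("p", "").lower()
    if policy not in DMARC_EFFECT:
        return None, [f"missing or invalid p= tag: {policy!r}"]
    problems = [] if "rua" in tags else ["no rua= address, so no aggregate reports"]
    return policy, problems

if __name__ == "__main__":
    print("SPF problems:", check_spf(SPF_SAMPLE))
    policy, problems = check_dmarc(DMARC_SAMPLE)
    print(f"DMARC p={policy}: failing mail is {DMARC_EFFECT[policy]}; problems: {problems}")
```

An empty problem list means the record is well formed; it does not prove that your platform's servers are the ones the record authorizes.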

Ariel Ouziel
