Gmail and Yahoo’s 2024 inbox protections and what they mean for email programs

How does this interact with transactional emails &#x2F; 2FA &#x2F; password resets? If 5000 people request a 2fa code in a month, I have to give them a unsubscribe header as well? Or magic login links?<p>If I don&#x27;t provide a list-unsubscribe header: do these emails then get blocked and noone can log in ?<p>If I provide a list-unsubscribe header, what is the expected behaviour if they do click the Unsubscribe button?<p>- tell them they can&#x27;t unsubscribe to this email because it&#x27;s needed to accomplish what they want to do in the future?<p>- delete their account? what if it&#x27;s a bank account or something like that?<p>Would appreciate some clarify from Google at least...

As a self-hoster for over a decade, setting up SPF, DKIM, and DMARC are pretty much once-and-done and free, so there&#x27;s pretty much no downside. I&#x27;d be shocked if most self-hosters haven&#x27;t set these up long ago.

DKIM, SPF, and DMARC are old hat and implemented by anyone serious for years. What&#x27;s buried in this article is the required <a href="https:&#x2F;&#x2F;datatracker.ietf.org&#x2F;doc&#x2F;html&#x2F;rfc8058" rel="nofollow">https:&#x2F;&#x2F;datatracker.ietf.org&#x2F;doc&#x2F;html&#x2F;rfc8058</a> support for one-click unsubscribe posts. I don&#x27;t see many messages in my inbox yet with that.

&gt; These mandates will only affect bulk senders, defined by Google as senders with volumes of 5000 or more messages to Gmail addresses in one day.<p>This is not a requirement for a personal self-hosted email.

In practice I think people who care about deliverability have already instituted these measures ... because spam blocking measures at Big Email are so opaque you’ve tried everything&#x2F;anything. And it’s not that difficult.

I get plenty of spam <i>through</i> Gmail, and there is no easy way to report it, it also doesn&#x27;t seem like they are the least bit interested in tackling the problem.<p>I wish they took a closer look at themselves and also applied these kinds of rules to themselves.

My addition to title: “If you send &gt;5000 emails a day.”<p>Posthaven has very helpful (free) tools for setting up this stuff. Also GPT has a good understanding of the dns records needed.

Is there any service that can process DMARC report e-mails? Those mails with zips with indecipherable XMLs inside them are a bit useless. Something that takes the junk, gives a nice human readable dashboard, and informs me if something is wrong, would be nice.

A fairly big deal is being made of this, but dmarc has been a signal for a long time and there&#x27;s a good chance half your mail has been randomly landing in junk folders if you don&#x27;t have it setup right. This may actually help people by making them realise that.

What&#x27;re the best resources for testing and configuring this stuff?

From Q1 2024, Gmail and Yahoo will require senders to have SPF, DKIM, <i>and DMARC</i>. Also, spam complaints must be kept below 0.3%.<p>I recently added DMARC monitoring to some of my domains through CloudFlare.

Unsubscribe HAS to require an authenticated session. What do they mean by “single click”?<p>Otherwise anyone who receives a forwarded email can unsubscribe you! Right?<p>At least we can email the peson to say they’ve been unsubscribed, as a transactional email? And give them a chance to resubscribe and prevent such unsubscriptions — or what?<p><i>Enable easy unsubscription: Senders will need to implement a single-click unsubscribe link within emails if they haven’t already, to allow recipients to easily opt out.</i>

I use cloudflare&#x27;s email remailer. i.e emails are mailed from from &amp; to my Gmail via cloudflare. Using a custom email domain.<p>Does this mean that my emails will no longer be sent?

Slightly off-topic: it seems that Outlook has given up fighting spam and isn&#x27;t even in such conversations. I have a decades-old hotmail.com email address that is getting spams daily in the inbox, while a similarly old gmail.com almost always filters them out. Well, Gmail occasionally flags false positives but never false negatives. This is getting so bad that I have completely moved off that hotmail.com address.

I wonder if this will force Borrowell to finally allow unsubscription from their regular emails without deleting your account.<p><a href="https:&#x2F;&#x2F;helpcentre.borrowell.com&#x2F;hc&#x2F;en-us&#x2F;articles&#x2F;10014508919060-How-do-I-unsubscribe-from-Borrowell-s-marketing-emails-" rel="nofollow">https:&#x2F;&#x2F;helpcentre.borrowell.com&#x2F;hc&#x2F;en-us&#x2F;articles&#x2F;100145089...</a>

I’d say the only real worry for “black hat emailers” is the spam rate monitoring. Everything else is fairly trivial to comply by, but lowering the spam compliance threshold could really put a wrench in a lot of sales outreach campaign.<p>The market(Google and others) was forced to act because how laughably easy the Can-Spam act is to stay compliant while legally mass spamming.

That&#x27;s so weird considering those two domains are the source of ALMOST all the spam I&#x27;ve seen over the last couple decades.

&gt; <i>Gmail and Yahoo are getting serious about spam monitoring and senders will need to ensure they’re keeping below a set spam rate threshold.</i><p>Does anyone know what this sentence means? Is this “the user said this is spam”, or “the gmail spam filter false positives 10% of the time; don’t be part of the 10%, or it’ll permaban you”?

I can&#x27;t wait for this to take effect.<p>It seems that every time I buy something or someone gets ahold of my email address, I get added to a SPAM list.<p>I can&#x27;t wait for all of these to be blocked.<p>For example: I recently elected a benefit, and the company added me to a SPAM list for weekly deals 100% unrelated to the benefit. They even ignored the fact that I unsubscribed.

Having DMARC to allow all emails is still stupid. They should have added a mandatory reject policy.

I hope the &lt;0.3% spam limit is low enough to force companies to stop with the usual &quot;congratulations, you unsubscribed from newsletter 13 (but will continue to get newsletters 1-12 and 14-39)&quot; bullshit.

Yahoo cracked down on my wanted emails - they simply deleted my first 10 years of emails.

How does the one-click unsubscribe not get triggered by enterprise SPAM tools like Mimecast or Barracuda?

How are they counting the 5,000&#x2F;day? Per sender email? IP?

If anyone is interested, I wrote some sort of tldr blog post for quickly setting up your DMARC&#x2F;SPF&#x2F;DKIM: <a href="https:&#x2F;&#x2F;www.uxwizz.com&#x2F;blog&#x2F;stop-others-use-your-domain-emails" rel="nofollow">https:&#x2F;&#x2F;www.uxwizz.com&#x2F;blog&#x2F;stop-others-use-your-domain-emai...</a>

Please describe ‘easily unsubscribe’ - subjective terms like this don’t work when you’re dealing with the profit focused marking department of scumcorp.<p>I don’t want to log into your service or explain why I want to unsubscribe or chose which mailing lists I want to unsubscribe from (read: All of them) nor do I want to deal with your dark patterns such as colouring the ‘cancel my request to unsubscribe’ button green and ‘yes really unsubscribe me’ red.

For those interested in testing their email for SPF, DKIM, and DMARC compliance or eager to learn about these mechanisms that enhance email security and prevent spoofing, check out <a href="https:&#x2F;&#x2F;learnDMARC.com" rel="nofollow">https:&#x2F;&#x2F;learnDMARC.com</a>. This is a site I developed to promote adoption and share knowledge. It includes a challenging quiz, tough even for professionals. I&#x27;d be keen to know your scores on the first attempt – honesty counts!

I find much of the discourse on these changes to be pretty amusing. It&#x27;s a lot of sales and marketing teams asking how they can tweak things at a technical level so that they can keep doing the same things they&#x27;ve always been doing.<p>You can&#x27;t. That&#x27;s the point. Stop.<p>I mark all commercial email as spam. I never asked for it, I don&#x27;t want it. I don&#x27;t really care if you carefully constructed a form in such a way to be compliant with the laws in my country. I don&#x27;t care how your BDR found me. I don&#x27;t ever want to hear from you. If I didn&#x27;t ask for it, it&#x27;s spam, I&#x27;m marking it spam, and I hope people who use Gmail and Yahoo do the same.

Mandatory DMARC basically breaks all e-mail forwarding services (SPF doesn&#x27;t survive forwarding due to modification of Return-Path). I think ARC&#x2F;RFC8617 is supposed to be the fix for that, but it&#x27;s not even standardized yet. This seems like a rather big issue?

I hope this also applies to T&amp;C spam - the thing where a company reminds you that they exist once a month by e-mailing you about a minor change to the wording of their terms and conditions, and because it&#x27;s &quot;important legal information&quot; it overrides your opt-out preferences. If I think someone is taking the piss, I flag these as spam, and if more than 0.3% of the population did this then companies would think twice about this tactic.

Mailgun is a spammer, so, like, cry me a river?<p>I have them blocked at the server level because of how much spam they were sending me. They clearly do zero enforcement of opt-in.

Abusive, SPF is plenty enough unless you cannot map the domain with the right IPs due to DNS trickery (rotation, etc), then you would need an IP agnostic way to do some checks, hence the cryptographic DNS based signature.<p>That said, with no-DNS email addresses, SPF comes for free (alice@[x.x.x.x] bob@[ipv6:...]).<p>Namely, if SPF does pass, cryptographic DNS based signature mecanisms are excessive and must not be used to score.