Read time: 8 minutes

Just this month, Google and Yahoo coordinated announcements of new requirements for email senders.

Google and Yahoo are the two biggest providers of free email inboxes in the US. If you’re a nonprofit emailer and you take a look at your email list, you’re likely going to find somewhere between half and two-thirds of your subscribers have an email address with Google (@gmail.com) or Yahoo (@yahoo.com, @aol.com, @verizon.com, and all those regional variants).

This is what we in the deliverability community would call “a pretty big deal.”

Here’s the good news: your organization probably already meets most (or even all!) of these new requirements — none of them are truly new ideas, and most have been requirements for years. And if you don’t, you have until Feb 1, 2024 to get up to speed.

(That’s right: you do NOT have to make any changes before your Giving Tuesday or end of year campaigns. Sigh of relief!)

Now here’s the bad news: if you don’t get on board with the new requirements, you’re likely to see your emails going to spam. 

So yeah… this is important.

Take a deep breath. We’re going to tackle this together.

I’m going to walk you through what Google and Yahoo laid out as their new requirements, and how to check if you’re already meeting them — or if you’ve got something important to do before February 1.

Email Authentication

The requirements Google and Yahoo laid out fall into three major categories. The first is email authentication. This is the most technical category, but it boils down to: when you send email, can you prove you are who you say you are? Or do you look like a scammer or a phisher just pretending to be a well-respected nonprofit institution?

Here’s what Google and Yahoo will be looking for on this front:

SPF, DKIM, and DMARC authentication

Sorry, I know that looks like alphabet soup. What you need to know is that those are three different ways a recipient can authenticate an email. SPF and DKIM have been required for years, and you’ve almost certainly already got it set up.

DMARC is a little trickier to put in place, and it has been considered an “optional” authentication — until now. DMARC is the requirement on this list you’re most likely to be missing — so make sure you check now if you’ve got it set up!

How to check your SPF, DKIM, and DMARC authentication

The easiest way to do this is with an account using Gmail’s inbox (whether that’s an @gmail.com address or one using Google Apps). If you don’t have a Gmail account, you can also check with a Yahoo address — it’s a bit trickier but still doable.

Here’s how:

1. Open either https://mail.google.com/mail/ or https://mail.yahoo.com.
2. Find an email sent directly from your nonprofit to that email address. (This will NOT work if it is forwarded or sent to a group. And make sure you’re looking for something that came straight from your CRM, like a recent enews or appeal!)

From there, in a Gmail inbox: 

3. Open that email, click the three vertical dots on the right hand side, and select “View Original.”
4. At the top of the page will be a box with a summary of information. You’re looking for three lines that say:

1. SPF: PASS with IP [a bunch of numbers]
2. DKIM: PASS with domain [a domain belonging to your organization or to your CRM]
3. DMARC: PASS

Three PASS = success! 🎉

Or, if you’re checking in Yahoo:

3. Open that email, click the three horizontal dots on the top next to the spam button, and select “View raw message.”

4. You’ll see a bunch of raw code, but don’t get overwhelmed! The part you’re looking for should be near the top. You want to find a line that says “Authentication-Results” and below that three lines that start with:

1. dkim=pass [a bunch of other text]
2. spf=pass [a bunch of other text]
3. dmarc=pass [a bunch of other text]

In either case, if any of those lines say “FAIL” or are missing, then you need to contact your CRM for next steps on how to get these authentications set up. (You’ll likely need the help of your web and IT team, as well).

If you don’t have a Gmail or a Yahoo account, there are a number of free checkers online — but they can get pretty confusing, so I’d recommend instead you reach out to your CRM for help.

Additional Authentication

SPF, DKIM, and DMARC are the big ones, but in the spirit of being thorough, here’s the other things Google and Yahoo are going to look for:

Sender alignment with either SPF or DKIM domain

This is necessary to set up DMARC authentication. If you followed the steps above and your emails are passing DMARC, great, this is done!

If you don’t have DMARC in place yet, part of what your CRM will work with you to do to get you ready for DMARC is ensure your SPF and DKIM records are setup to allow this.

Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records

You’ve almost definitely got this already set up. However, if you are using a dedicated IP address and you know what it is (and if you followed the steps above, you do! the IP address listed after SPF is your sending IP), it’s quick and easy to double check:

1. Use this PTR checking tool from Google: https://toolbox.googleapps.com/apps/dig/#PTR/
2. Enter your IP address and look at the record that comes up.
3. Copy the domain under “Target” and look it up using the same tool for A: https://toolbox.googleapps.com/apps/dig/#A/ 
4. The IP address under DATA should match the one you put in for step #1
   1. If it does: congratulations, your PTR record meets requirements!
   2. If it does not: contact your CRM

Format messages according to the Internet Message Format standard (RFC 5322)

These standards have been in use since 2008. Unless you are a time traveler planning to send emails from 2007 to 2024, no need to worry about this one!

Easy Unsubscription

This part is a little easier to understand: Google and Yahoo want to make sure that if someone doesn’t want to get your emails anymore, they can unsubscribe with ease. You, of course, want that too (because if it’s hard to unsubscribe, people are likely to hit that “Spam” button instead) — but let’s take a closer look at the new standards for what’s “easy” enough.

One-Click Unsubscribe (really, List-Unsubscribe Header)

Both Google and Yahoo’s announcements state that when it comes to unsubscribing from email, “it should take just one click.” If you read that, you may wonder how exactly they’re going to be measuring that — is it one click in email? Or one click on the unsubscribe page after you’ve already clicked through from email? What if there’s an optional question asking why you’ve unsubscribed — how does that factor into the math??

Good news: you can ignore all of that. When they talk about one-click unsubscribe, they actually mean a list-unsubscribe header. This is a bit of code that goes in your emails and tells inbox providers how unsubscribe works, so they can put an “Unsubscribe” button into their own inbox controls — and not worry about how that link shows up in the body of your email.

How to check for list-unsubscribe header

Again, this is easiest if you’ve got a Gmail or Yahoo account! Just open up an email from your nonprofit and check the top. If you’ve got the code for this header in place, you’ll see:

In Gmail: a small, underlined “Unsubscribe” link right next to the sender name, looking something like this:

NonProfit <email@nonprofit.org> Unsubscribe

In Yahoo: click the three horizontal dots next to the Spam button. One of the options should be “Unsubscribe.”

Process unsubscribes within 2 days

Most likely, the CRM tool you’re using processes unsubscribes within this period already. But if you’re using multiple tools to send email that have to sync unsubscribe data back and forth between systems, you’ll want to check that everything is set up so those unsubs are processed within a 2-day window.

Ensure email is wanted

This is both the easiest and the hardest of the new requirements.

Easy, because you’re already following deliverability best practices and only emailing active constituents that have opted in and show they WANT to receive your emails — right?

Hard, because this can be a difficult metric to track.

Google and Yahoo have announced that they want to keep user-reported spam rates below 0.3%. To keep an eye on that number with Google, you can use Google’s free Postmaster Tools which also reports how Google ranks your sending domain and IP address. (It’s not just free, but quick to set up and easy to use, and I highly recommend getting it in place and checking it regularly if you haven’t already!)

Unfortunately, Yahoo doesn’t have a similar tool available to individual senders. But generally the patterns you see at Google are going to be similar to what your Yahoo users will be doing.

Once you’ve got it set up, check that your spam rate is below 0.3%. It’s not unusual to see the occasional spike above that benchmark, but those should be showing up on low-volume days when not a lot of email was sent, and a single complaint can skew the data. If you’re seeing spikes on days you’re sending more than automated series and autoresponders, it’s worth investigating the cause and tightening up your targeting to make sure you’re only sending email where it’s wanted.

Don’t Panic

These new requirements are rolling out for all senders, so you’re not alone! And the tools you use to send emails will need to work with all their clients to make sure they’re set up for success, so you shouldn’t need to start from scratch with them.

Here’s what CRMs are sharing about how they’ll support these requirements:

ActionKit:

• In their October release notes, ActionKit stated, “Most of [the new technical standards] like SPF, DKIM, and List-Unsubscribe, are standard parts of ActionKit’s email setup for every client. Others, like having a DMARC record, may require DNS changes for some groups; if you need such changes, we’ll reach out to you about them well before February.”

Engaging Networks:

• Engaging Networks has published a Supportal page with instructions for how their clients can ensure they are in compliance.

EveryAction / NGP VAN (Bonterra):

• EveryAction has shared information with their users via email, including links to help documentation on DKIM / SPF and on DMARC (login required to access these pages.)

Action Network:

• Action Network has published a Help page with details about this change. Anyone using this platform can reach out to support@actionnetwork.org and include their reply-to email, and AN will respond with what you need to install in your DNS records.

We’ll update this list with more information from other CRMs when we see it. If you’ve got a tool to add to this list, shoot us an email at hello@mrss.com!

————

When Anne’s not nerding out over deliverability or the newest email tool functionality, she’s doing her best to keep her knitting yarn out of her cats’ claws. You can find her at APaschkopic@mrss.com.