If your ecommerce business sends bulk email from a branded email address, changes are coming that require action: two of the major inbox providers have laid out requirements for stronger authentication as of February 2024.
New Email Authentication Requirements
Gmail and Yahoo have announced changes that require senders to authenticate and add a DMARC record on their domain if they want to continue sending emails from a branded email address.
The rationale for these changes, as described by Google, is as follows:
“Gmail’s AI-powered defences stop more than 99.9% of spam, phishing and malware from reaching inboxes and block nearly 15 billion unwanted emails every day. But now, nearly 20 years after Gmail launched, the threats we face are more complex and pressing than ever. So we’re introducing new requirements for bulk senders - those who send more than 5,000 messages to Gmail addresses in one day - to keep your inbox even safer and more spam-free.”
There is a focus on improving the validation that shows a sender is who they claim to be. It’s still sometimes impossible to verify who an email is from - this is due to the inconsistency across the huge number of systems in use on the internet.
In 2023, Google made it a requirement that emails sent to a Gmail address must have some form of authentication, which helped reduce the number of unauthenticated messages Gmail users receive by 75%. That is great progress, but the new requirements aim to improve this further.
What Does This Mean for Shopify Store Owners?
Shopify stores and other online businesses sending emails from a branded email address will need to have a valid DMARC record, have authenticated the email address, allow for easy unsubscription and stay under a reported spam threshold.
Does It Apply To Everyone?
While Google makes it clear that bulk senders refers to ‘those who send more than 5,000 messages to Gmail addresses in one day’, Yahoo doesn’t define the term. Google also states that once you’re considered a bulk sender, you’ll be permanently labeled as such.
If you send fewer than 5,000 messages to Gmail addresses in one day, it is feasible to skip the one-click unsubscribe and DMARC, and opt for just SPF or DKIM (we’ll talk through these terms and their definitions in a moment).
To be on the safe side, we recommend that all email marketers – no matter the size of their contact database or send regularity - adapt to these rules.
What Steps Should Shopify Businesses Take To Comply With New Email Authentication Requirements?
1. Authenticate your email with DKIM, SPF and DMARC
(Note: the terms DKIM, SPF and DMARC are explained in more detail in the ‘guide to email authentication terms’ section later in this article.)
You should be able to confidently rely on an email’s source. So Gmail and Yahoo will require those who send significant volumes to strongly authenticate their emails following well-established best practices. The benefit is that it will close loopholes exploited by attackers that threaten everyone who uses email.
Email authentication methods help to verify that an email is genuinely sent by the person or organisation it claims to be from, preventing spam, phishing attempts, and other malicious activities that could damage your brand’s reputation or the trust recipients have in your emails.
Before you can use DMARC (Domain-based Message Authentication, Reporting, and Conformance) for your domain, you should turn on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
Using a DMARC policy requires that messages sent from your domain are authenticated by receiving servers with SPF and DKIM. Google has put together some instructions for setting up SPF and DKIM for your domain.
Once you have done that, you’re ready to set up DMARC. Here is a guide to setting up DMARC.
2. Enable easy unsubscription
It should be easy and take one click to unsubscribe from senders you no longer want to receive messages from. So the requirement is that large senders give recipients the ability to unsubscribe from commercial email in one click, and that unsubscription requests are processed within two days.
3. Keep spam complaints below 0.3%
Nobody likes spam. The requirement for senders will be keeping a spam complaint threshold of 0.3% or below.
To keep an eye on this, follow best practices that will minimise spam complaints.
To effectively monitor your spam complaints, you can review your email marketing platform’s reporting dashboard. Here, you’ll be able to see spam complaints from a broad perspective or at a campaign level. For a more detailed analysis, you can use Google Postmaster Tools to observe your Spam Rate.
4. Remove Gmail or Yahoo from your ‘from’ address
Don’t use Gmail or Yahoo email addresses in your ‘from’ address. If you are using @gmail.com or @yahoo in the ‘from’ address of your emails, switch it to a website domain you own.
In order to meet this requirement, you need an email address that includes your own site domain name.
5. Set up a branded sending domain
Branded sending domains allow for better control over your sender reputation. They also improve your branding in the ‘from’ address in the inbox. Branded sending domains are a great deliverability best practice, and are a requirement for bulk senders who regularly email Google and Yahoo recipients starting in February 2024.
6. Align your ‘from’ address with your branded domain
In order to be DMARC compliant, the domain in your ‘from’ address must align with the root domain in your branded sending domain.
Klaviyo writes “if your branded sending domain is called send.kvyodc.com, the root domain would be kvyodc.com. Therefore, using firstname.lastname@example.org as your ‘from’ address would be in alignment with the root domain.”
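As an added example (not code from Google, Yahoo, Shopify or Klaviyo), the Python below audits one outgoing message against steps 2, 3, 4 and 6 above. The `List-Unsubscribe` and `List-Unsubscribe-Post` headers are the RFC 8058 one-click mechanism; the two-label root-domain rule, the function names and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "googlemail.com", "yahoo.com"}  # step 4

def org_domain(domain):
    # Assumption: the last two labels are the root (organisational) domain.
    # Real receivers use the Public Suffix List (needed for e.g. .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def audit(raw, complaints, delivered):
    """Return a list of problems found in one outgoing message."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    problems = []
    if from_dom in FREEMAIL:
        problems.append("From uses a free mailbox domain")
    # Step 6: a DKIM d= domain must share the From root domain (tag only read, not verified).
    d_tags = [m.group(1) for sig in msg.get_all("DKIM-Signature", [])
              for m in [re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", sig)] if m]
    if not any(org_domain(d) == org_domain(from_dom) for d in d_tags):
        problems.append("no DKIM d= aligned with From")
    # Step 2: RFC 8058 one-click unsubscribe needs both headers.
    unsub = msg.get("List-Unsubscribe", "").lower()
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    if "https://" not in unsub or post != "list-unsubscribe=one-click":
        problems.append("one-click unsubscribe headers missing")
    # Step 3: complaint rate must stay at or below 0.3%.
    if delivered and complaints / delivered > 0.003:
        problems.append("spam complaint rate above 0.3%")
    return problems

# Constructed sample messages (not real traffic).
GOOD = """\
From: Example Store <news@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=send.example.com; s=s1; bh=CONSTRUCTED; b=CONSTRUCTED
List-Unsubscribe: <https://example.com/unsubscribe?u=123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello
"""
BAD = """\
From: Example Store <examplestore@gmail.com>
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=s1; bh=CONSTRUCTED; b=CONSTRUCTED

Hello
"""
```

`audit(GOOD, 10, 10000)` returns an empty list, while `audit(BAD, 40, 10000)` reports all four problems.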
What Happens If You Don’t Make The Changes?
It’s worth saying that many senders already meet most of these requirements as part of their general email practice as they constitute good email hygiene. Shopify has sent an email to all Shopify store owners notifying them of the new requirements. If any owners do not make the changes discussed, Shopify will change the sender email address to ‘email@example.com’ which meets the minimum requirements set out by the email providers, meaning stores will be able to continue to send to their customers.
The issue you’ll have in this case is that your emails will be sent from the new ‘store@’ address rather than your own branded address, which could reduce open rates and recipient trust, and increase unsubscribe rates.
Whether you send one email or millions, protecting your domains, avoiding spam, and following deliverability best practices is important to keep your subscribers safe and your email lists healthy.
Guide to Email Authentication Terms
There are a few terms used in this article that will be useful to know in order to allow you to take the steps required to comply with the new requirements from Google and Yahoo. Here we talk through what they all mean.
What is DKIM?
DKIM stands for ‘DomainKeys Identified Mail’ - it’s an email authentication method which detects forged sender addresses in email, a technique often used in phishing and email spam.
Receiving mail servers that get messages signed with DKIM can verify messages actually came from the sender, and not someone impersonating the sender. DKIM also checks to make sure message contents aren’t changed after the message has been sent.
When receiving servers can verify messages are from you, your messages are less likely to be marked as spam.
With DKIM authentication, you improve the likelihood that your legitimate messages are delivered to recipients’ inboxes. Receiving servers can verify messages are actually from your domain, and aren't forged.
What Is SPF?
It’s not ‘sun protection factor’ in this case (although that is also important) - in this context we’re referring to ‘Sender Policy Framework’. This is an email authentication standard used to verify that the sending email server is authorised to send email on behalf of a specific domain.
SPF helps protect your domain against spoofing (when spammers impersonate your organisation to send fake messages that look like they come from you), and helps prevent your outgoing messages from being marked as spam by receiving servers. SPF specifies the mail servers that are allowed to send email for your domain. Receiving mail servers use SPF to verify that incoming messages that appear to come from your domain were sent by servers authorised by you.
SPF is traditionally required for the envelope return path domain, which is the address that bounces will be sent to.
What Is DMARC?
DMARC stands for ‘Domain-based Message Authentication, Reporting and Conformance’ and is an email authentication protocol that provides additional safeguards to protect email domain owners from email spoofing and other unauthorised use of their domain.
When you configure a DMARC record, inbox providers can confirm how to process any emails sent from your domain that do not pass SPF and DKIM checks.
DMARC also provides a reporting mechanism for domain owners to learn how often recipient servers around the world are receiving emails sent from their domain, and what percentage is properly authenticated.
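To show what a receiver reads from such a record, here is an added example (not taken from any provider's documentation) that parses the TXT value published at `_dmarc.<domain>` and reports the requested handling and the reporting addresses. The function name, the sample record and the decision to treat a missing `p=` tag as an error are assumptions of this example.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT value (RFC 7489 tag list) into its key settings."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # v=DMARC1 must be the first tag, otherwise receivers ignore the record.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 must come first")
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # Strict choice for this checker: a missing or invalid p= is an error.
        raise ValueError("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100
    reports = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    notes = []
    if policy == "none":
        notes.append("p=none: monitoring only, no quarantine or reject requested")
    if not reports:
        notes.append("no rua=: no aggregate reports will be sent")
    if pct < 100 and policy != "none":
        notes.append(f"pct={pct}: policy applies to only part of failing mail")
    return {
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy).lower(),  # sp defaults to p
        "pct": pct,
        "reports_to": reports,
        "notes": notes,
    }

# Constructed sample record (not a real domain's policy).
SAMPLE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
```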
If you need any assistance with your Shopify business’ email marketing, drop us a line. We have a team of email and CRM Strategists who have helped dozens of businesses like Mimi and Lula improve their email marketing, make more revenue and grow their audience.