Alphabet Soup: Stay Compliant with SPF, DKIM and DMARC


By L-Soft Staff

Stay Compliant with SPF, DKIM and DMARC

People who administer email lists and send email marketing and outreach campaigns need to be up-to-date on all privacy, security, authentication and other important best practices. That said, from time to time, different ESPs implement new policies that may require action, in this case Gmail and Yahoo, so be well prepared before 2024 when the new requirements go into effect.

Here's the latest for 2024 from two industry giants:


Gmail

By February 2024, Gmail will start to require that bulk senders:

  • Authenticate Their Email: You shouldn't need to worry about the intricacies of email security standards, but you should be able to confidently rely on an email's source. So we're requiring those who send significant volumes to strongly authenticate their emails following well-established best practices. Ultimately, this will close loopholes exploited by attackers that threaten everyone who uses email.
  • Enable Easy Unsubscription: You shouldn't have to jump through hoops to stop receiving unwanted messages from a particular email sender. It should take one click. So we're requiring that large senders give Gmail recipients the ability to unsubscribe from commercial email in one click, and that they process unsubscription requests within two days. We've built these requirements on open standards so that once senders implement them, everyone who uses email benefits.
  • Ensure They're Sending Wanted Email: Nobody likes spam, and Gmail already includes many tools that keep unwanted messages out of your inbox. To add yet another protection, moving forward, we'll enforce a clear spam rate threshold that senders must stay under to ensure Gmail recipients aren't bombarded with unwanted messages. This is an industry first, and as a result, you should see even less spam in your inbox.

New Gmail Protections for a Safer, Less Spammy Inbox:
https://blog.google/products/gmail/gmail-security-authentication-spam-protection


Yahoo

In the first quarter of 2024, we will require that all bulk senders:

  • Authenticate Their Email: To help our users to be more confident about an email's source, we will require senders to implement stronger email authentication leveraging industry standards such as SPF, DKIM and DMARC.
  • Enable Easy Unsubscription: Our users should be able to unsubscribe from unwanted emails without any hassle. It should just take one click. While we have promoted solutions for some time, adoption of these common sense standards have been low. We will require senders to support one-click unsubscribe and honor our users requests within two days.
  • Only Send Emails Our Users Want: True to our key mission, we want to ensure our users' inboxes are not cluttered with unsolicited or irrelevant emails. While we have measured user reported spam rates for some time and even exposed some of that data for trusted senders, we will start enforcing a threshold to ensure our users can continue to enjoy a spam free mailbox.

Postmaster @ Yahoo & AOL – More Secure, Less Spam: Enforcing Email Standards:
https://blog.postmaster.yahooinc.com/post/730172167494483968/more-secure-less-spam

Deliverability & Sender Best Practices:
https://senders.yahooinc.com/best-practices


Authenticate using SPF, DKIM and DMARC

Thankfully, LISTSERV has you covered on all key authentication standards and best practices.


SPF

SPF (Sender Policy Framework) is an authentication protocol used to verify that the originating IP address is authorized to send email for the domain name in the "MAIL FROM" line of the email message. The purpose of SPF is to make it harder for spammers to forge messages from domains that they don't control. SPF policies state which IP addresses mail from a given domain will come from.


DKIM

DKIM (DomainKeys Identified Mail) is a cryptographic authentication solution and allows a mail server to sign a message so that recipients know that the message was indeed created and sent by an authorized mail service and that it hasn't been changed since it was originally signed. DKIM uses two keys, a public key and a private key, for this certification. The public key for the domain is stored in the DNS, and the corresponding private key is registered with LISTSERV.


DMARC

DMARC (Domain-based Message Authentication, Reporting and Conformance) allows a domain to specify the circumstances under which a domain's SPF and DKIM policies apply. Certain types of DMARC policies – "p=reject" and "p=quarantine" specifically – can sometimes cause problems for mail coming from an email list because they require that the message pass the SPF policy of the original sender's domain. Since email coming from LISTSERV is sent through your organization's mail servers, and not the original sender's mail servers, it will typically fail this sort of test. In situations like this, LISTSERV will automatically rewrite the "From" address of messages it distributes to prevent them from failing DMARC.


Deliverability Tools in LISTSERV

For maximum deliverability, all LISTSERV sites should have an MX record and an SPF record in DNS and should also implement DKIM and DMARC. LISTSERV comes with a built-in deliverability assessment tool, which analyzes LISTSERV and DNS configurations, giving site administrators guidance and concrete suggestions on optimizing deliverability. To access the deliverability assessment report, use the web interface and click on "Deliverability Assessment" under "Server Administration" in the main navigation menu.


Sample Deliverability Assessment


Next Steps








LISTSERV is a registered trademark licensed to L-Soft international, Inc.

See Guidelines for Proper Usage of the LISTSERV Trademark for more details.

All other trademarks, both marked and unmarked, are the property of their respective owners.


Menu