
Gmail and Yahoo’s 2024 inbox protections and what they mean for email programs

379 points | pqvst | 2 years ago | mailgun.com

268 comments


darylteo|2 years ago

How does this interact with transactional emails / 2FA / password resets? If 5000 people request a 2FA code in a month, I have to give them an unsubscribe header as well? Or magic login links?

If I don't provide a list-unsubscribe header: do these emails then get blocked and no one can log in?

If I provide a list-unsubscribe header, what is the expected behaviour if they do click the Unsubscribe button?

- tell them they can't unsubscribe to this email because it's needed to accomplish what they want to do in the future?

- delete their account? what if it's a bank account or something like that?

Would appreciate some clarity from Google at least...

orliesaurus|2 years ago

You're talking about transactional emails? You can't unsubscribe from TRANSACTIONAL emails. That's why they're transactional... not marketing. It's really important to differentiate that.

jerrygoyal|2 years ago

use different subdomains for transactional and marketing emails.

tsycho|2 years ago

Their algorithms very likely look at (I hope so, at least) spam marking rates. I would bet that users mark promotional emails at an order of magnitude higher rate than transactional emails.

mrtesthah|2 years ago

Well the answer of course is for google to clone the unique features of your service and classify your site and its outgoing emails as spam.

ahoka|2 years ago

Also, forcing people to click on opaque links in random emails cannot end well.

dexwiz|2 years ago

It's 5000/day for marketing, and if you are sending 5000 emails a day, you probably should have unsubscribe links. https://support.google.com/mail/answer/81126#requirements-5k You also need a link, not just list-unsubscribe, and it is specifically for marketing emails.

In my experience, Google is pretty accurate in figuring out transactional versus marketing. They don't tell their heuristics, but you don't think engineers who build web crawlers cannot build email classifiers? They have reliably been sorting my promotional emails from transactional emails for almost a decade now.

But off the top of my head when working on an email marketing platform: sender address, message subject and content, single message or bulk inbound at a given time, open rates, click rates, unsub rates, bounce rates. Part of sender reputation is ESPs building a profile of what kind of email you send from an address.

ryandrake|2 years ago

As a self-hoster for over a decade, setting up SPF, DKIM, and DMARC are pretty much once-and-done and free, so there's pretty much no downside. I'd be shocked if most self-hosters haven't set these up long ago.

RandomWorker|2 years ago

Agreed, self hosting for the last year now. It’s to do took me about a week to get it all working.

1over137|2 years ago

Yes, they are quite easy to set up. Yet I know several small ISPs that haven't done it yet. :(

illiac786|2 years ago

I don't know if self hosted but I regularly get emails from companies where this has not been set up. And not "Joe's Car Detailing" but rather "medium size gas provider" ...

vmfunction|2 years ago

Word, the truly hard part of self-hosting is IP warming, and filling out those damn forms to FAANG to get whitelisted; it is a rabbit hole that takes forever with no end.

TheCycoONE|2 years ago

DKIM, SPF, and DMARC are old hat and implemented by anyone serious for years. What's buried in this article is the required https://datatracker.ietf.org/doc/html/rfc8058 support for one-click unsubscribe posts. I don't see many messages in my inbox yet with that.

pests|2 years ago

I've seen a perverse dark pattern on one click unsubscribe. The page you land at has a button that lets you resubscribe! It looks non-obvious you've already unsubscribed and it looks like the regular two-click flow needing to enter your email address to confirm. Very sneaky.

jasonjayr|2 years ago

I understand that the request happens in the background by the MUA at the user's express consent, and the unsubscribe is not allowed to send back any ui/html/whatever to present to the user, but the RFC is missing any information about how a response ought to be handled, HTTP Status code wise? Retry if 400/500? Give user any affirmative or negative response that it succeeded or failed?

Analemma_|2 years ago

That's very odd to me. Where are you located? I'm in the United States and virtually all my newsletter/marketing emails have one-click unsubscribe these days. The only ones which don't are from foreign companies, e.g. I bought a day planner from Hobonichi and found they put their unsubscribe behind a login, to my irritation.

kragen|2 years ago

Also, it violates longstanding security measures against malicious prank unsubscribes; it means that if you forward an email list message to someone else, they can unsubscribe you without your consent as a prank.

atesti|2 years ago

I have seen Outlook and other systems click on every link in our mailings. Using a sandboxed browser.

How can one click unsubscribe work here? Mail scanners, virus scanners and even Microsoft's own spam filters would probably click these links!

gwbas1c|2 years ago

> required support for one-click unsubscribe posts

The article gets it wrong. They imply that emails have to have one-click unsubscribe links, which isn't true. Emails need to include headers (described in your link,) which the mail client can use.
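To make concrete what the RFC 8058 headers in the linked spec look like and what a receiving client actually sends, here is an added example (not code from the article, the RFC, or any mail provider) that checks a message's headers for the one-click requirements and shows the server-side rule, which is an assumed design, under which only the RFC 8058 POST triggers an unsubscribe, so a link scanner issuing GET does nothing. The header values and domains are constructed.

```python
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Constructed sample message headers (not from the thread). The sender offers a
# mailto: target and one HTTPS target, plus the RFC 8058 POST marker header.
COMPLIANT = """\
From: Example Newsletter <news@example.com>
To: alice@example.net
Subject: Weekly digest
List-Unsubscribe: <mailto:unsub@example.com?subject=unsubscribe>, <https://example.com/u/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

(body)
"""

# Same message with a plain http link and no List-Unsubscribe-Post header.
NONCOMPLIANT = """\
From: Example Newsletter <news@example.com>
To: alice@example.net
Subject: Weekly digest
List-Unsubscribe: <http://example.com/unsubscribe?u=abc123>

(body)
"""

URI_RE = re.compile(r"<([^>]+)>")   # RFC 2369 angle-bracketed URI list


def check_one_click(msg_text: str) -> dict:
    """Report whether the headers satisfy the RFC 8058 one-click requirements."""
    msg = message_from_string(msg_text)
    uris = URI_RE.findall(msg.get("List-Unsubscribe") or "")
    post = (msg.get("List-Unsubscribe-Post") or "").strip()
    https = [u for u in uris if urlparse(u).scheme == "https"]
    mailto = [u for u in uris if urlparse(u).scheme == "mailto"]
    post_ok = post == "List-Unsubscribe=One-Click"   # the only value RFC 8058 allows
    return {
        "https_uri": https[0] if len(https) == 1 else None,  # RFC 8058 wants one HTTPS URI
        "has_mailto": bool(mailto),
        "post_marker_ok": post_ok,
        "one_click": len(https) == 1 and post_ok,
    }


def unsubscribe_endpoint(method: str, content_type: str, body: str) -> bool:
    """Server-side rule (assumed design, not from any product): act only on the
    form-encoded POST that RFC 8058 mail clients send. A scanner that merely
    follows the link with GET, or a POST without the marker, changes nothing."""
    if method != "POST" or not content_type.startswith("application/x-www-form-urlencoded"):
        return False
    form = parse_qs(body)
    return form.get("List-Unsubscribe") == ["One-Click"]
```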

illiac786|2 years ago

How does that interact with crawlers, like what Microsoft does? (They visit every link in every email, it seems.) Does it automatically unsubscribe you by error then?

pbronez|2 years ago

Unsubscribe links make me nervous. Such an obvious attack vector.

cassianoleal|2 years ago

> These mandates will only affect bulk senders, defined by Google as senders with volumes of 5000 or more messages to Gmail addresses in one day.

This is not a requirement for a personal self-hosted email.

StayTrue|2 years ago

If your personal self-hosted email routes outbound messages through a smarthost, it could affect you.

stefan_|2 years ago

Indeed, self-hosted email is commonly rejected despite doing all these things.

Google et al have successfully turned email into the domain of a few SaaS, and at half of them blatant spammers can message millions with no record of consent with the most obvious scams and have it delivered into the inbox. Hell, most spam these days I get from hacked Gmail accounts. The game is rigged, as they say.

sebazzz|2 years ago

No, but many of us are using Twilio SendGrid and there it will apply, especially if you don't have a dedicated IP.

StayTrue|2 years ago

In practice I think people who care about deliverability have already instituted these measures ... because spam blocking measures at Big Email are so opaque you’ve tried everything/anything. And it’s not that difficult.

jwr|2 years ago

I get plenty of spam through Gmail, and there is no easy way to report it, it also doesn't seem like they are the least bit interested in tackling the problem.

I wish they took a closer look at themselves and also applied these kinds of rules to themselves.

wakeupcall|2 years ago

I get >50% of my spam from legitimate hosts such as Gmail and Yahoo, which tick all the SPF/DKIM/DMARC boxes.

SPF/DKIM/DMARC help with phishing/forgery; they do little to nothing for spam, even though this policy change makes it look like it's connected.

If I send spam through Gmail, the spam is "authenticated".

Spammers were among the first to implement these in an attempt to get a higher score in spam filters. For quite a while DKIM was positively correlated with spamminess for me.

Meanwhile... does Google even respond to postmaster@ or abuse@ requests?

tikkun|2 years ago

My addition to title: “If you send >5000 emails a day.”

Posthaven has very helpful (free) tools for setting up this stuff. Also GPT has a good understanding of the dns records needed.

kaetemi|2 years ago

Is there any service that can process DMARC report e-mails? Those mails with zips with indecipherable XMLs inside them are a bit useless. Something that takes the junk, gives a nice human readable dashboard, and informs me if something is wrong, would be nice.

donmcronald|2 years ago

The DMARC industry is nuts. Most services charge a lot for what amounts to retrieving emails and doing a little XML parsing. It’s mostly transient data too, so it’s not like paying for a ton of redundancy is worth it.

IMHO, they’ve taken something that should be simple and turned it into a complex system that needs a ton of infrastructure because they all want a SaaS business. Everyone pays for the cost of scaling when simple sharding would do for most users.

I’d love to have a simple, self hosted DMARC analyzer running on something like PocketBase.

rbut|2 years ago

Postmark have a free DMARC service [1] that emails you a report once a week. I use it for all my domains. Note that they also have a paid offering, but this one is free.

[1] https://dmarc.postmarkapp.com

linuxalien|2 years ago

Mailhardener and dmarcdigests are 2 that I've used. Dmarcdigests also has a free version through postmark that sends you a summary email weekly instead of a dashboard. I personally like mailhardener, I felt the dashboard was better and easier to understand.

hannob|2 years ago

Not a service, but I can offer an opensource script to give a basic summary: https://github.com/hannob/rpter

If there's demand, I could start a SaaS business for it :-)
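A minimal version of the "retrieving emails and doing a little XML parsing" described above, as an added example that is not taken from rpter or any of the services mentioned: it unpacks a zip attachment the way reporters send them, reads the RFC 7489 aggregate-report XML inside, and tallies how many messages passed DMARC and which source IPs failed. The report contents, domains and addresses are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report in the RFC 7489 Appendix C layout (not a real
# report): one aligned source and one forwarder that fails both checks.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox.example</org_name><report_id>1700000000.1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def zipped(xml_text: str) -> bytes:
    """Pack the XML the way reporters attach it: a zip holding one .xml file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mailbox.example!example.com!1700000000!1700086400.xml", xml_text)
    return buf.getvalue()


def summarize_aggregate_zip(data: bytes) -> dict:
    """Unzip, parse each XML report inside, and tally message counts by outcome."""
    summary = {"org": None, "domain": None, "policy": None,
               "total": 0, "aligned": 0, "failing_sources": Counter()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            root = ET.fromstring(zf.read(name))
            summary["org"] = root.findtext("report_metadata/org_name")
            summary["domain"] = root.findtext("policy_published/domain")
            summary["policy"] = root.findtext("policy_published/p")
            for rec in root.iter("record"):
                count = int(rec.findtext("row/count"))
                ip = rec.findtext("row/source_ip")
                dkim = rec.findtext("row/policy_evaluated/dkim")
                spf = rec.findtext("row/policy_evaluated/spf")
                summary["total"] += count
                # DMARC passes when either aligned identifier passes (RFC 7489 s. 6.6.2)
                if "pass" in (dkim, spf):
                    summary["aligned"] += count
                else:
                    # e.g. an SPF pass for a forwarder's domain that does not
                    # align with the From: domain, so both evaluated results fail
                    summary["failing_sources"][ip] += count
    return summary
```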

wetoastfood|2 years ago

I’ve been using DMARC Digests for a year and haven’t had any issues. Was quick to set up.

reddalo|2 years ago

I tried EasyDMARC in the past [1], it's easy to use but the free plan is very limited and the cheapest plan is a bit too pricey for me.

[1] https://easydmarc.com/

freddieleeman|2 years ago

https://URIports.com/dmarc offers services starting at just $1 monthly for up to 3 domains. It's GDPR compliant and includes features like notifications, hosted MTA-STS for protection against Man-in-the-Middle (MiTM) downgrade attacks, and much more.

technion|2 years ago

A fairly big deal is being made of this, but DMARC has been a signal for a long time and there's a good chance half your mail has been randomly landing in junk folders if you don't have it set up right. This may actually help people by making them realise that.

pqvst|2 years ago

From Q1 2024, Gmail and Yahoo will require senders to have SPF, DKIM, and DMARC. Also, spam complaints must be kept below 0.3%.

I recently added DMARC monitoring to some of my domains through CloudFlare.

EGreg|2 years ago

Unsubscribe HAS to require an authenticated session. What do they mean by “single click”?

Otherwise anyone who receives a forwarded email can unsubscribe you! Right?

At least we can email the person to say they've been unsubscribed, as a transactional email? And give them a chance to resubscribe and prevent such unsubscriptions — or what?

> Enable easy unsubscription: Senders will need to implement a single-click unsubscribe link within emails if they haven't already, to allow recipients to easily opt out.

hedora|2 years ago

It certainly does not require authentication. Have you used unsubscribe flows? Normally, you click once, it goes to a web page that displays your email address, and has an "I'm sure" button, and maybe some checkboxes to only partially unsubscribe.

If you really care about people being maliciously unsubscribed from marketing materials they forwarded around, then you can be one of the sites that sends a final "you have been unsubscribed" confirmation email.

nottorp|2 years ago

> Otherwise anyone who receives a forwarded email can unsubscribe you! Right?

Yes, I have nightmares where I dream that someone else unsubscribes me from all those informative mailing lists that I NEVER OPTED IN TO.

max_|2 years ago

I use Cloudflare's email remailer, i.e. emails are mailed from & to my Gmail via Cloudflare, using a custom email domain.

Does this mean that my emails will no longer be sent?

corney91|2 years ago

DMARC only requires SPF or DKIM to pass, so the mail will pass if it's DKIM signed.

darylteo|2 years ago

I think you can set an ARC header for forwarders.

d3w4s9|2 years ago

Slightly off-topic: it seems that Outlook has given up fighting spam and isn't even in such conversations. I have a decades-old hotmail.com email address that is getting spam daily in the inbox, while a similarly old gmail.com address almost always filters it out. Well, Gmail occasionally flags false positives but never false negatives. This is getting so bad that I have completely moved off that hotmail.com address.

rebelde|2 years ago

Microsoft, like the old Microsoft, seems to completely reject all these modern methods and uses their own instead. So, you get a lot of spam and my legitimate emails are rejected.

TheCaptain4815|2 years ago

I’d say the only real worry for “black hat emailers” is the spam rate monitoring. Everything else is fairly trivial to comply with, but lowering the spam compliance threshold could really put a wrench in a lot of sales outreach campaigns.

The market (Google and others) was forced to act because of how laughably easy the CAN-SPAM Act is to stay compliant with while legally mass spamming.

LanzVonL|2 years ago

That's so weird considering those two domains are the source of ALMOST all the spam I've seen over the last couple decades.

hedora|2 years ago

> Gmail and Yahoo are getting serious about spam monitoring and senders will need to ensure they’re keeping below a set spam rate threshold.

Does anyone know what this sentence means? Is this “the user said this is spam”, or “the gmail spam filter false positives 10% of the time; don’t be part of the 10%, or it’ll permaban you”?

cnees|2 years ago

Gmail postmaster tools says, "This dashboard shows the percentage of user-reported spam vs emails that were sent to the inbox for active users. Emails delivered directly to the spam folder are not included in the spam rate calculation. Only emails authenticated by DKIM are eligible for spam-rate calculation."

The threshold for the number defined above is 0.3%; that's the point where Gmail starts penalizing the sender by putting their emails in spam folders.

nulbyte|2 years ago

In my experience, it means nothing. Most of the spam I get to my Gmail account comes from other Gmail users using Gmail, and I don't believe Google will do anything to hold themselves accountable.

gwbas1c|2 years ago

I can't wait for this to take effect.

It seems that every time I buy something or someone gets ahold of my email address, I get added to a SPAM list.

I can't wait for all of these to be blocked.

For example: I recently elected a benefit, and the company added me to a SPAM list for weekly deals 100% unrelated to the benefit. They even ignored the fact that I unsubscribed.

mrWiz|2 years ago

I've started using this approach to combat spam that ignores unsubscribe attempts:

1. Report each and every offending email to the FTC: https://reportfraud.ftc.gov/#/

2. Forward the "report received" email that the FTC sends you to support@spamming_domain.com and explain how and why you're reporting them

3. That's it. I've had a 100% success rate with this approach

zie|2 years ago

I promise, these changes won't fix that.

navigate8310|2 years ago

Having DMARC to allow all emails is still stupid. They should have added a mandatory reject policy.

tgsovlerkhgsel|2 years ago

I hope the <0.3% spam limit is low enough to force companies to stop with the usual "congratulations, you unsubscribed from newsletter 13 (but will continue to get newsletters 1-12 and 14-39)" bullshit.

h0nd|2 years ago

Yahoo cracked down on my wanted emails - they simply deleted my first 10 years of emails.

repeek|2 years ago

How does the one-click unsubscribe not get triggered by enterprise SPAM tools like Mimecast or Barracuda?

flemhans|2 years ago

How are they counting the 5,000/day? Per sender email? IP?

snowwrestler|2 years ago

Per sending domain name, it appears.

hsbauauvhabzb|2 years ago

Please describe ‘easily unsubscribe’ - subjective terms like this don’t work when you’re dealing with the profit-focused marketing department of scumcorp.

I don’t want to log into your service or explain why I want to unsubscribe or choose which mailing lists I want to unsubscribe from (read: all of them), nor do I want to deal with your dark patterns such as colouring the ‘cancel my request to unsubscribe’ button green and ‘yes really unsubscribe me’ red.

dexwiz|2 years ago

> Senders will need to implement a single-click unsubscribe link within emails if they haven’t already, to allow recipients to easily opt out.

It does in the article. The industry has clear definitions for things like one click unsubscribe versus two click confirmation.

freddieleeman|2 years ago

For those interested in testing their email for SPF, DKIM, and DMARC compliance or eager to learn about these mechanisms that enhance email security and prevent spoofing, check out https://learnDMARC.com. This is a site I developed to promote adoption and share knowledge. It includes a challenging quiz, tough even for professionals. I'd be keen to know your scores on the first attempt – honesty counts!

ksjskskskkk|2 years ago

The harder part is knowing the hacks from your DNS provider that prevent things from working right.

I've spent two weeks on a domain with limited registrar options because their DNS manager lied about supporting larger public keys in TXT records.

flumpcakes|2 years ago

This is great! I scored 60% because I didn't realise 5321 HELO was also checked. That's news to me, I've never seen that before. I got 90% on my 2nd attempt :)

Also I think there was one question that was a mistake, it had a policy along the lines of:

v=DMARC1; p=reject; <stuff...>; pct=0; <stuff...>

I answered that a failing message would have an effect of p=none, but the right answer was apparently p=quarantine. Is that right, considering pct=0? (Unless I was blind and the pct wasn't set to 0 in the question...)

Kirce|2 years ago

If I scroll the DMARC Results on mobile Firefox, the right column doesn't scroll, while the rest of the table does. The results were all green, as expected :)

superhumanuser|2 years ago

This is beautiful and fun to use!

Thank you thank you.

binkHN|2 years ago

Super slick site!

anticorporate|2 years ago

I find much of the discourse on these changes to be pretty amusing. It's a lot of sales and marketing teams asking how they can tweak things at a technical level so that they can keep doing the same things they've always been doing.

You can't. That's the point. Stop.

I mark all commercial email as spam. I never asked for it, I don't want it. I don't really care if you carefully constructed a form in such a way to be compliant with the laws in my country. I don't care how your BDR found me. I don't ever want to hear from you. If I didn't ask for it, it's spam, I'm marking it spam, and I hope people who use Gmail and Yahoo do the same.

izzydata|2 years ago

Indeed I do. Any email I didn't explicitly ask for that isn't a unique personal email I mark as spam. Although I also stopped using Gmail in favor of Proton.

codalan|2 years ago

Sometimes I wonder if their mindset is, "Hey, even if only .05% engage w/ the marketing email, that's still > 0%!".

Maybe their mindset should really be, "Hey, we're annoying 99.95% of our users who did not consent to these emails, and > 50% will be turned off to our product and will associate our brand to that of a needy, attention-grabbing parasite".

If I wanted these emails, I would have opted in.

Instead, not only do they automatically opt you in, but they'll re-opt you in after you've unsubscribed. I've had it happen a year or two later; suddenly, I'm back on their spam list.

It's become so bad now that I can't even let a shopping cart sit anymore without getting a nagmail saying "HEY YOU NEED TO FINISH CHECKING OUT NOW1!!!".

That email is the reminder to empty my cart and never do business with them again.

Seriously, STFU and leave me alone. If your sales and marketing team insist on these tactics, you need to fire them and hire people who get it.

simscitizen|2 years ago

Mandatory DMARC basically breaks all e-mail forwarding services (SPF doesn't survive forwarding due to modification of Return-Path). I think ARC/RFC8617 is supposed to be the fix for that, but it's not even standardized yet. This seems like a rather big issue?

mjw1007|2 years ago

Have Google actually documented what they mean when they say DMARC is mandatory?

Does a DMARC record with p=none count?

Does DMARC with an SPF record that places no restrictions count?

illiac786|2 years ago

That is a massive problem for me indeed, if true.

red_admiral|2 years ago

I hope this also applies to T&C spam - the thing where a company reminds you that they exist once a month by e-mailing you about a minor change to the wording of their terms and conditions, and because it's "important legal information" it overrides your opt-out preferences. If I think someone is taking the piss, I flag these as spam, and if more than 0.3% of the population did this then companies would think twice about this tactic.

ubermonkey|2 years ago

Mailgun is a spammer, so, like, cry me a river?

I have them blocked at the server level because of how much spam they were sending me. They clearly do zero enforcement of opt-in.

jdhawk|2 years ago

how are they supposed to enforce it?

sylware|2 years ago

Abusive, SPF is plenty enough unless you cannot map the domain with the right IPs due to DNS trickery (rotation, etc), then you would need an IP agnostic way to do some checks, hence the cryptographic DNS based signature.

That said, with no-DNS email addresses, SPF comes for free (alice@[x.x.x.x] bob@[ipv6:...]).

Namely, if SPF does pass, cryptographic DNS based signature mechanisms are excessive and must not be used to score.

chuckadams|2 years ago

SPF only authenticates the envelope-from, whereas it's DKIM that takes care of the From: header. Without DKIM, one can easily do "EHLO randomspamdomainboughtyesterday.com" and "From: accounts@citibank.com". SPF is about the transport, DKIM is about the content.

And to round it out, DMARC tells the receiver what to do when the SPF or DKIM tests fail, namely "report", "quarantine", or "reject". Not sure why they're requiring it when it doesn't affect a spam verdict. Maybe it's so those who run a misconfigured server can't complain if their mail is being dropped silently; Google and Yahoo can just tell them to switch the policy to "report".
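An added example (not code from the thread or from any mail provider) that walks through the DMARC evaluation several posts above touch on: it parses a `_dmarc` TXT record, applies identifier alignment to SPF and DKIM results that are passed in as already-verified inputs (no DNS or signature checking here), and applies the policy with `pct` sampling. It covers corney91's point that either SPF or DKIM passing suffices, simscitizen's forwarding case where only DKIM survives, chuckadams's spoof with an unrelated envelope domain, and flumpcakes's `pct=0` question, which RFC 7489 section 6.6.4 settles by applying the next lower policy to unsampled messages. The organizational-domain helper is a simplification that assumes the last two labels rather than a public-suffix list.

```python
from typing import Optional

DMARC_DEFAULTS = {"p": "none", "adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc_record(txt: str) -> dict:
    """Split a _dmarc TXT record into tags, filling RFC 7489 defaults."""
    tags = dict(DMARC_DEFAULTS)
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain; assumption: the last two labels (no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment matches organizational domains; strict ('s') is exact."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: str, from_domain: str, spf_pass_domain: Optional[str],
             dkim_pass_domain: Optional[str], draw: int = 0) -> dict:
    """Apply DMARC to one message whose SPF/DKIM checks were already run.
    spf_pass_domain:  MAIL FROM (envelope) domain if SPF passed, else None.
    dkim_pass_domain: d= of a signature that verified, else None.
    draw: a 0-99 roll used for pct sampling (a real receiver uses a random one)."""
    tags = parse_dmarc_record(record)
    if aligned(spf_pass_domain, from_domain, tags["aspf"]) or \
       aligned(dkim_pass_domain, from_domain, tags["adkim"]):
        return {"result": "pass", "disposition": "none"}
    policy = tags["p"]
    if draw >= int(tags["pct"]):
        # Not in the sampled set: RFC 7489 s. 6.6.4 applies the next lower policy,
        # so pct=0 with p=reject quarantines every failing message.
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return {"result": "fail", "disposition": policy}
```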

ericpauley|2 years ago

IP addresses get reused, private keys don’t.

Aside from SPF being around first, DKIM makes far more sense.