Effective February 1, 2024, Google and Yahoo will roll out new email sender requirements. This change may prevent your emails from reaching customers, so compliance with the new requirements should be considered mandatory — and all types of emails, whether transactional, marketing, or something else, must comply.
These changes are meant to protect recipients from spam by making it easier for Google and Yahoo to identify fraudulent emails.
Who needs to comply?
Even if you send only transactional emails, it’s important to authenticate your domain to ensure that your email campaigns still reach your audience. As the email industry trends toward requiring authentication for all senders, it’s likely that providers other than Google and Yahoo will follow in their wake.
Those who send 5,000 or more messages a day to Gmail accounts will have additional requirements, which are detailed in the next section.
What are the new email sender requirements?
According to Google’s support pages, all senders who send email to Gmail accounts, and to all domains and consumer email brands hosted by Yahoo Mail, must meet the following requirements:
- Remove Gmail from your store’s “From:” address.
- Set up SPF or DKIM email authentication for your domain.
- Maintain spam rates below 0.10% and avoid reaching a spam rate of 0.30% or higher.
- Make sure that sending domains or IP addresses have valid forward and reverse DNS records (also known as PTR records).
- Use a Transport Layer Security (TLS) connection for transmitting email.
- Format messages according to the Internet Message Format standard.
Senders of 5,000 or more messages per day to Gmail accounts will also have the following requirements:
- While smaller senders should have SPF or DKIM set up, both are required for larger senders. DMARC email authentication confirms both protocols for your sending domain.
- Marketing messages and subscribed messages must support one-click unsubscribe and include a clearly visible unsubscribe link in the message body.
Email authentication
Senders will need to implement stronger email authentication by using industry standards such as SPF, DKIM, and DMARC. What does that mean?
Sender Policy Framework (SPF)
SPF records allow a sender to specify the IP addresses (or authorized mail servers) that are allowed to send mail for a specific domain. Service providers can then reject emails, such as scam and phishing emails, that are sent from an IP address that doesn’t match the SPF records for the email’s domain.
DomainKeys Identified Mail (DKIM)
DKIM adds a digital signature to emails that your organization sends. Recipient email servers then check the signature on the email against the DKIM record (which holds the public key) in your domain name system (DNS) settings. A matching signature indicates that the email content hasn’t been modified and is from a legitimate sender.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
DMARC is a policy that allows a sender to indicate that their messages are protected by DKIM and/or SPF, and tells a receiver what to do if neither of those authentication methods passes.
Email domains should match your website domain
Emails from public domain providers, like @gmail.com or @yahoo.com, will (very) likely be marked as spam. This includes both marketing and order notification emails.
One-click unsubscribe links
Senders of 5,000 or more messages a day to Gmail accounts must implement one-click unsubscribe for marketing emails. If you have been or are planning to send email to residents of the European Union, this builds on the GDPR’s unsubscribe requirement, which states that unsubscribe options must be provided in every marketing communication.
The one-click mechanism is intended for machines, rather than humans, to trigger. For instance, Gmail allows users to unsubscribe from marketing emails directly from their inboxes. This functionality is what will become a requirement on February 1st.
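What the machine-triggered mechanism looks like in a message, as an added example that is not part of the original article: a check of the headers defined by RFC 8058 (`List-Unsubscribe` and `List-Unsubscribe-Post`, names the article itself does not mention). The message, domains, token and signature values are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed marketing email; domains, token and signature values are placeholders.
RAW = """\
From: My Brand <news@mybrand.example>
To: customer@receiver.example
Subject: January offers
List-Unsubscribe: <mailto:unsubscribe@mybrand.example>,
 <https://mybrand.example/unsubscribe?t=CONSTRUCTED-TOKEN>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=mybrand.example; s=s1;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post;
 bh=PLACEHOLDER; b=PLACEHOLDER

Visible unsubscribe link: https://mybrand.example/preferences
"""

def one_click_problems(raw):
    """List what is missing for RFC 8058 one-click unsubscribe (headers only)."""
    msg = message_from_string(raw)
    problems = []
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no https URI for the mailbox provider to POST to")
    post = re.sub(r"\s+", "", msg.get("List-Unsubscribe-Post", "")).lower()
    if post != "list-unsubscribe=one-click":
        problems.append("List-Unsubscribe-Post: List-Unsubscribe=One-Click is missing")
    # RFC 8058 requires both fields to be covered by a DKIM signature (its h= tag),
    # so the link cannot be swapped in transit. The validity of the signature
    # itself is not checked here.
    covered = set()
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig)
        if m:
            covered |= {name.strip().lower() for name in m.group(1).split(":")}
    if not {"list-unsubscribe", "list-unsubscribe-post"} <= covered:
        problems.append("DKIM signature does not cover the unsubscribe headers")
    return problems

if __name__ == "__main__":
    print(one_click_problems(RAW) or "one-click unsubscribe headers look complete")
```
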
What should you do to ensure compliance?
Merchants should transition to using email addresses associated with their own domain rather than public domain addresses like @gmail.com or @yahoo.com. Additionally, you must ensure your email setups are configured with proper authentication protocols (the SPF, DKIM, DMARC protocols described above) to improve email deliverability and comply with the new requirements. This move will help prevent your store emails from being marked as spam and ensure vital communication with customers remains uninterrupted.
Every email marketing platform will have a slightly different process. We recommend starting with the following actions:
- Review WooCommerce email settings (WooCommerce > Settings > Emails) and settings of any plugins that you use to ensure that they send as your branded domain (e.g. me@mybrand.com), and not as your @gmail.com or @yahoo.com address.
- If your host delivers your store’s emails (most common), review your host’s documentation about authentication or confirm with customer support that your store’s emails are authenticated with SPF, DKIM, and DMARC. Each host will have a specific process, and they will help you ensure compliance.
- If you use plugins like WP Mail SMTP or MailPoet to deliver your store’s emails, you will need to follow their recommendations on how to authenticate your branded domain.
- You can check authentication yourself by sending a test email from your store to a service like mail-tester.com and ensuring that the authentication is valid. Placing a test order on your store is a good way to do this. Your test results should look like the image below.
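A way to read the same result straight from a received test order, as an added example that is not part of the original article: it inspects the `Authentication-Results` header that the receiving server stamps on the message. Both sample messages, all domains and the `trusted_authserv` value are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PUBLIC_MAILBOX_DOMAINS = {"gmail.com", "yahoo.com"}  # the two named in this article

# Constructed test-order email as received; every domain is a placeholder.
GOOD = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=mybrand.example header.s=s1;
 spf=pass smtp.mailfrom=bounce.host.example;
 dmarc=pass (p=QUARANTINE) header.from=mybrand.example
From: My Brand <me@mybrand.example>
Subject: Your order #1001 is confirmed

Thanks for your order.
"""

# Constructed: same store, sender address left at a personal Gmail address.
BAD = """\
Authentication-Results: mx.receiver.example;
 dkim=none; spf=pass smtp.mailfrom=bounce.host.example;
 dmarc=fail header.from=gmail.com
From: My Brand <mybrand@gmail.com>
Subject: Your order #1002 is confirmed

Thanks for your order.
"""

def audit(raw, trusted_authserv="mx.receiver.example"):
    """Return a list of findings for one received message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = {"spf": set(), "dkim": set(), "dmarc": set()}
    for header in msg.get_all("Authentication-Results", []):
        # Only trust results stamped by your own receiving server; others can be forged.
        if header.split(";", 1)[0].strip().lower() != trusted_authserv:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()].add(result.lower())
    findings = []
    if from_domain in PUBLIC_MAILBOX_DOMAINS:
        findings.append(f"From: uses public mailbox domain {from_domain}")
    if "pass" not in results["spf"] | results["dkim"]:
        findings.append("neither SPF nor DKIM passed")
    if "pass" not in results["dmarc"]:
        findings.append("DMARC did not pass")
    return findings
```

In `BAD`, SPF passes for the web host's bounce domain, yet DMARC fails because that domain does not match the Gmail address in From:.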
How to change your sender email domain in your WooCommerce settings
Installations of self-hosted WooCommerce use WordPress’ default email sending capabilities for transactional messages, which are likely not configured in compliance with these new requirements. It is possible that your store’s sender email is set to your user email.
To check your settings and update your sender email address, navigate from your WordPress dashboard to WooCommerce > Settings > Emails.
Using your @gmail.com, @yahoo.com or similar public domain email address will likely cause emails to land in spam folders due to a mismatch between the declared sender (servers of Gmail or Yahoo) and the actual sender (your website server).
If your personal email is used, update this field with a registered email address that uses your website’s domain name.
We recommend testing your different email campaigns to make sure that all are compliant and able to be delivered. You can also install plugins (like WP Mail Logging) that will check to see whether your transactional emails are sending. Check out the Woo email FAQ documentation for further guidance.
To change your sender email for your marketing communications, check in with your email marketing platform to find out where these settings are.
What’s next?
While the new requirements will be rolled out on February 1, 2024, enforcement will increase to full capacity by mid-2024. Non-compliant emails will land in users’ spam boxes or be rejected altogether. Lack of order confirmation emails could cause confusion for your customers, and a lack of marketing emails could negatively impact your revenue, so it’s important to achieve compliance as soon as possible.
For further guidance, check for documentation and updates from your email marketing provider and your hosting provider. Settings may vary from service to service, so it’s important to review all settings to help ensure your emails are securely delivered to your customers.