Enhanced Gmail spam filters target bulk email senders
Here's how to avoid spam folders by using SPF, DKIM, and DMARC records.
The fight against spam is never-ending, which is why Google and Yahoo have made some changes to the way they treat emails that come from bulk senders. The idea is to stop rubbish from filling Gmail and Yahoo inboxes, but some legitimate senders have been caught up as well.
If you send more than 5000 emails a day, you’re a bulk sender. There are email security protocols that you need to have in place, otherwise your messages can get marked as spam.
So let’s take a look at what those protocols are, and the steps you can take to fulfil them. There are three abbreviations you need to know:
- SPF (Sender Policy Framework), which identifies the servers that send mail from your domain.
- DKIM (DomainKeys Identified Mail), which uses a digital signature to add an authentication layer.
- DMARC (Domain-based Message Authentication, Reporting & Conformance), which defines the policy that recipients should follow if a message fails SPF and DKIM checks.
You can manage all three of these things by updating DNS TXT records for the domain that you send email from.
Different rules for bulk emailers
If you send, or are likely to send, more than 5000 emails per day then you need SPF and DKIM in place. DMARC is optional.
For sending broadcast-style messages like newsletters, we suggest that you use an email service like MailChimp or SendGrid. These services work hard to comply with current anti-spam regulations and preserve the reputation of their IP addresses. When you are sending thousands of emails per day, this is very valuable.
All email senders need SPF or DKIM
If you don’t send more than 5000 emails per day, you only need SPF or DKIM in place. Again, DMARC is optional.
We wrote about SPF records last year, after an earlier round of anti-spam policy changes at Google. If you took action then, and you’re not a bulk sender now, then there’s nothing you need to do.
You want your emails to end up in Gmail inboxes, not spam folders.
A deeper look at SPF, DKIM, and DMARC
While all three of these protocols help identify as a genuine email sender rather than a spammer, they each play a different role.
SPF (Sender Policy Framework)
SPF records are attached to your domain, via DNS TXT records. They publish the known sources (servers or IP addresses) of emails that come from your domain.
Email systems use SPF records to check if a message has been sent from one of the named sources. Anyone who tries to make emails look like they come from your domain will be caught out when the actual source of their messages isn't a match.
At a minimum, your SPF record should contain:
v=spf1 a mx ~all
The final “all” parameter controls how the receiving server will handle a message that fails an SPF check.
-
~all(with a tilde) is a soft fail, which means in most cases that the message will still be delivered. It might end up in a spam folder, or in an inbox but with an added warning. -
-all(with a dash) is a hard fail, and the message will probably be bounced back or deleted.
See the Knowledge Base for how to add MyHost’s mail servers to your SPF record.
DKIM (DomainKeys Identified Mail)
DKIM is an email authentication method designed to detect spoofing. Email spoofing is used by malicious actors to send emails that appear to be from a legitimate source (like your domain), but which are actually forged. DKIM helps verify the authenticity of the email and ensures that it has not been altered during transit.
When a DKIM record is in place, your emails are digitally signed with a private key. Recipients can verify that signature using the public key in your DKIM record.
There is more to adding a DKIM record than there is to adding an SPF record. See the Knowledge Base for a full run-through.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC adds an additional layer by letting you choose a policy for how emails should be handled if they do not pass SPF or DKIM checks. It includes mechanisms for you to receive feedback reports about emails claiming to be from your domain. These can be useful if your domain is being "spoofed" by others.
For all email senders, DMARC is optional. The Knowledgebase explains what's involved in creating a DMARC record.
Gmail addresses causing problems?
Google's email sender guidelines are a very thorough resource for anyone struggling to get through to Gmail inboxes.
Main image by Hannes Johnson on Unsplash.
