Google & Yahoo Enforce New Requirements for Bulk Email Senders

As we know, cybersecurity threats evolve rapidly, and email remains a prime target for malicious actors. Recognizing this urgency, Google and Yahoo have implemented new standards for organizations that send bulk emails. These proactive measures aim to enhance email security, protecting both your brand reputation and your recipients’ safety.

In their October 2023 announcement, Google highlighted the increasing complexity and urgency of current cyber threats, prompting the rollout of these new standards for bulk email senders – which are those sending over 5,000 emails daily to Gmail users. Yahoo was quick to align with Google, updating its own requirements for bulk senders.

Traditionally, email lacked robust authentication protocols, allowing cybercriminals to exploit vulnerabilities for phishing, spoofing, and spam campaigns. The new requirements focus on robust email authentication to verify sender identity, alongside simplifying the process for users to unsubscribe from unwanted emails, thereby keeping inboxes clean.

There’s a security flaw in the way that email was first designed. This is highlighted by the popularity of phishing attacks. In 2022 alone, 854 000 domain names were reported for phishing. Email authentication is no longer an option if businesses want to protect themselves and their stakeholders from cybercriminals as well as ensure that email is delivered to the intended recipient.

This email design flaw leads to four main issues for organizations:


Cybercriminals can send emails from your domain defrauding staff, customers, and suppliers.


An email can be intercepted and changed without the knowledge of the sender or recipient.

Delivery issues

Legitimate email often lands in Spam and false positives cause business disruption.

Inadequate visibility and audit

Organizations have no active visibility of who is sending emails from their domains.

Core Requirements for Bulk Senders:

Email Authentication: Senders must ensure their emails pass both Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks, requiring updates to DNS settings to confirm sender identity and the authenticity of the email infrastructure used.

DMARC Compliance: It’s mandatory for the domains sending bulk emails to have a valid Domain-based Message Authentication, Reporting, and Conformance (DMARC) record. This enhances security by integrating with SPF and DKIM to prevent phishing and spoofing attacks.

Easy Unsubscription: Bulk senders must provide a straightforward, one-click process for recipients to opt-out of emails, with the system processing these requests within two days.

Spam Rate Threshold: Google introduced a groundbreaking spam threshold of below 0.3%, with Yahoo adopting a similar stance. This is aimed at improving email trustworthiness for users and maintaining sender reputation for bulk emailers.

Non-compliance with these requirements could result in emails being rejected or relegated to spam folders.


of cyber attacks start with an email

Does your organization send bulk emails?

Fortunately, you still have time to adapt:

February 2024: Monitoring begins, with potential impacts on non-compliant emails. This is your chance to identify and fix any issues.

April 2024: A portion of non-compliant emails will be rejected, increasing over time.

June 2024: All requirements become mandatory, including one-click unsubscribe.

Why These Changes Are Important

These updates represent fundamental email security practices, many of which are already met by conscientious senders. They address critical vulnerabilities in the original design of email that cybercriminals exploit. Vulnerabilities such as impersonation and interception, by ensuring that only authenticated, legitimate emails reach inboxes.

Take Action Now!

By embracing these new standards, you’re not just complying with regulations, you’re actively contributing to a more secure and trustworthy online environment for everyone. By prioritizing email security, you protect your brand, engage your audience, and contribute to a positive digital future. DMARC is the best technology standard to secure a business against fraudulent email activity. It thoroughly evaluates the source of an email to ensure that only legitimate emails ever reach an inbox.

Sendmarc is a leader in email security with scalable DMARC implementation for organizations of any size.If you’d like to see if your domain is vulnerable to impersonation, you can check its score here.


Interested in learning more about how Metrofile can help your business?

Fill out this form and one of our experts will be in touch to discuss how we can help you.