A Guide to Google and Yahoo Authentication Changes in 2024

Significant changes are on the horizon for email communication. Google and Yahoo, are implementing authentication requirements and spam prevention changes, beginning to take effect in February 2024.

Read on to learn more about these changes and how ActiveCampaign plans to guide our customers through these changes.  

*Note: These changes do not impact customers who already have DKIM and DMARC set up. 

Understanding the shift: Google’s requirements

Best practices for bulk email senders are now *required* practices for Google and Yahoo delivery. Google and Yahoo, are implementing authentication requirements and spam prevention changes, set to take effect in the first quarter of the coming year. 

Google has outlined requirements slated to take effect beginning February 2024, impacting all senders, particularly bulk senders. Simultaneously, Yahoo is introducing a parallel set of requirements. These changes are designed to enhance deliverability, build trust and credibility, avoid spam filters, optimize sender reputation, and ensure uninterrupted communication.

What you need to know: Gmail’s Authentication Mandate
  1. Enable email authentication: One key aspect of Google’s requirements is the necessity for senders to set up DKIM email authentication. In addition to DKIM, a basic DMARC record will now also be required. While it’s highly encouraged that all senders set up DKIM and DMARC, there are greater implications on deliverability for bulk senders.  Note, these changes do not impact customers who already have DKIM and DMARC set up.

    Detailed guidelines for unauthenticated customers will be provided in the coming weeks to ensure a smooth transition and compliance. In the meantime, Check out this helpful guide to setting up your sending domains.
  2. Transition from @gmail to your own domain: To align with upcoming email authentication and spam prevention changes, it’s vital to discontinue the use of @gmail.com addresses in the sender’s email. Transitioning to a domain you own is strongly advised for seamlessly setting up authentication and complying with evolving standards. For customers without a current domain, you can easily purchase one within ActiveCampaign.

    Detailed guidelines for customers without a domain will be provided in the coming weeks to ensure a smooth transition and compliance.
  3. Keep spam complaints lower than 0.1%: To prevent recipients from being spammed with unwanted or irrelevant messages, Google is enforcing a spam rate threshold requirement. Starting in February, keeping spam complaints below 0.1% will be a mandatory requirement for senders.

    Want to learn more about how to keep your spam complaints low? Check out this article. For more information on monitoring spam complaints with Gmail see here.
The ActiveCampaign approach: What this change means for you

At ActiveCampaign, we’ve consistently led the way in guiding our customers to adopt best practices for a secure sending domain. We are fully committed to supporting our customers through these changes by providing the necessary tools to maintain compliance with evolving email deliverability standards.

We’re thrilled to introduce enhancements that will make it effortless for you to purchase and authenticate all of your domains directly within the platform in just a few minutes. Additionally, customer mail server domains will now be available to all plan tiers to offer full domain alignment.

We understand that this process can be intricate, especially for small and medium-sized businesses, and we’re here to guide you through every step.

*Note: These changes do not impact customers who already have DKIM and DMARC set up. 

Frequently Asked Questions

Who’s affected by this change?

These new requirements impact all senders, regardless of size, with a more noticeable impact on deliverability for bulk senders. Note, this does not impact 1:1 email sending via ActiveCampaign’s direct or automated 1:1 sales emails.

What happens if you don’t meet the new requirements?

Google and Yahoo will begin blocking mails that don’t meet their requirements, likely in the form of a specific bounce response for those messages that could lead to more permanent blocks on specific IPs or domains. 

This can damage reputation and have long-term consequences on deliverability rate, impacting directly customer engagement and email marketing-generated revenue.

Is sending volume a criterion for these requirements?

While Google has mentioned 5K daily sending as a criterion for defining a “bulk sender,” Gmail/Yahoo have clarified that the 5k limit on volume is not a “safe zone.” 

Yahoo explicitly stated that there is no minimum volume threshold where these requirements are applicable. Gmail is clear that even senders below the 5k limit can expect to be impacted. Therefore, we strongly encourage all customers to set up authentication, regardless of size.

Do customers need to wait for ActiveCampaign’s native authentication solutions to set up domain authentication? 

You do not need to wait for ActiveCampaign enhancements that will make it effortless for you to purchase and authenticate all of your domains directly within the platform. If you want to get ahead of these new requirements you can set up authentication by following these steps

What is DKIM?

DKIM (DomainKeys Identified Mail) is an email authentication method that employs public-key cryptography to digitally sign emails, ensuring that the message body and attachments remain unaltered during transmission. The aim is to safeguard your email security and maintain the integrity of your domain.

Malicious actors, such as spammers and hackers, may attempt to intercept your emails and send deceptive messages under your domain’s guise, ultimately harming your domain’s reputation. When recipients receive a high volume of fraudulent messages impersonating your domain, their patience wanes, and such emails often end up in their spam folders. As a result, your domain’s sender reputation may suffer, potentially placing you on a list of undesirable senders, a predicament you want to avoid.

DKIM is like a special seal or signature for emails. When someone sends an email, DKIM adds this unique signature to it, proving that the email is from a real and trustworthy sender. It’s a bit like when you receive a letter with an official seal on it, and you know it’s a genuine letter, not a fake one. This helps make sure that emails you get are safe and really from the people or companies they claim to be from, keeping you protected from potentially harmful or fake messages.

Why should you set up DKIM?

By implementing DKIM (DomainKeys Identified Mail), you establish and maintain a solid, long-term reputation with internet service providers (ISPs). This, in turn, assures your emails appear trustworthy to recipients. 

Emails bearing a DKIM signature serve as a clear indicator of your legitimacy and reliability as a sender. As a result, your messages are more likely to land in a recipient’s inbox rather than being relegated to their junk or spam folders. Over time, DKIM’s consistent use can have a notably positive impact on your domain’s overall reputation, significantly enhancing your email deliverability.

What is a DKIM record?

A DKIM record is like a digital lock that ensures the security and authenticity of emails. It’s a special code, stored in a DNS TXT record, that includes a public key. This code looks something like this:





In simple terms, it’s like a secret code that helps mail servers check if an email is real or fake. You add this code to your email, and when someone receives your email, their mail server uses this code to make sure your email is genuine. It’s like sealing an envelope with a special sticker to prove it hasn’t been tampered with.

How does DKIM work, and what is it used for?

DKIM works a bit like having a secret handshake for emails. It uses two keys, one private and one public. Here’s how it works:

  1. When you send an email, a special signature (like a secret handshake) is added using a private key.
  2. The recipient’s email server then uses a public key, which is like the other half of the secret handshake, to check the signature.
  3. If the handshake is correct, it means the email is genuine and nothing has been changed along the way.

In simple terms, DKIM helps ensure that emails are from who they claim to be from and that they haven’t been messed with during their journey. It keeps your emails safe and trustworthy.

What is DMARC?

DMARC, short for “Domain-based Message Authentication, Reporting & Conformance,” is like a guardian for your emails. It’s an email security standard that helps those who own a domain (like a website) monitor  who’s sending emails on their behalf. Think of it as a watchful protector.

Here’s how it works: DMARC tells email providers (like Gmail) what to do when they receive an email that claims to be from your domain. It can give one of three commands—none, quarantine, or reject.

  • None: Authentication checks are logged but no action is taken.
  • Quarantine: If the email seems a bit suspicious, it’s put in a separate area (quarantine) for further checking, just like a package held at the customs office.
  • Reject: If the email doesn’t pass the security checks, DMARC tells the email provider to reject it, like a club bouncer turning someone away at the door.

DMARC is like the bodyguard of your emails, making sure that only the real ones get through and protecting you from fake or harmful ones. It’s a way to keep your email domain safe from imposters and spammers.

Do I need DMARC?

Under Google and Yahoo deliverability requirements going into effect February 2024, all senders must have a basic DMARC record set up.

Here’s the deal: DMARC acts like your email guardian, protecting your domain from impersonation and phishing attacks. When your domain is impersonated in spoofed emails, it can harm your reputation with your audience and email providers. Even worse, if these phony emails are marked as spam, they tarnish your domain’s reputation, causing your legitimate emails to get stuck in the spam folder.

How does DMARC work?

DMARC is a tag team of two email authentication champs: DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework).

  • DKIM (DomainKeys Identified Mail) makes sure the email you sent is the same email they received. It’s like a digital seal that guarantees your email wasn’t tampered with in transit.
  • SPF (Sender Policy Framework) checks that your email came from an authorized server. It’s like a bouncer checking your ID at the door to make sure you’re legit.

DMARC tells email providers this: “If either DKIM or SPF vouch for this email, let it in. If both fail or they’re absent, treat it as suspicious, and follow the rules we’ve set in our DMARC policy.” So, DMARC ensures that your emails are either welcomed with open arms or kept at arm’s length based on their authenticity. It’s your bodyguard against email fraudsters and a protector of your domain’s reputation.

Are there negative risks associated with DKIM authentication for low-volume senders?

There is a common perception that setting up DKIM is detrimental for low-volume senders as they may struggle to establish a domain reputation. However, after running the numbers for the ActiveCampaign customer base, we can definitively say that this is not true. Regardless of account size, DKIM has the same positive effect on overall open rates, whether the sender is small or large.

Will high-volume senders currently using AC authentication experience deliverability issues when purchasing a new domain?

Large senders may face disruption when transitioning to using their own authentication. Firstly, it’s essential to highlight that they are likely to experience more disruption if they don’t move off ActiveCampaign authentication, as Gmail and Yahoo may start blocking their messages outright. Moreover, the concern may not be as significant as it seems. If the domain in their “from” address has a positive reputation, incorporating it into the DKIM signature should enhance overall deliverability, even for large senders. This would primarily be a concern for someone using a brand-new domain, in which case they should follow standard precautions for a newly purchased domain, such as easing it in gradually.