In an ongoing effort to enhance email security and combat malicious messages, leading email service providers (ESPs) have been steadily improving their policies for bulk email senders.

The goal? To thwart domain spoofing and make it easier for ESPs like Google, Yahoo, and Microsoft to detect malicious content.

Google and Yahoo were the first major ESPs to impose new requirements, which took effect in February 2024. Soon after, Microsoft announced its plans to join the fray.

If your business relies on sending marketing emails to existing and potential customers, here’s what you need to know.

Who qualifies as a bulk sender?

Are you or are you not a bulk sender? That’s a question that has a slightly different answer depending on the ESP.

• Google: If you send more than 5,000 messages per day to Gmail accounts, you’re a bulk sender by Google’s standards. These senders must adhere to stricter authentication and compliance standards.
• Yahoo: Yahoo’s definition is a little looser, generally applying the term to those sending large volumes of email. Yahoo focuses on ensuring all bulk senders implement robust email authentication and easy unsubscribe options.
• Microsoft: Like Yahoo, Microsoft defines bulk senders as those who send high volumes of email, requiring them to comply with stringent email authentication protocols and best practices.

In short, if sending thousands of daily emails isn’t part of your marketing campaigns, the new requirements for bulk senders won’t apply to you. But if your company does qualify as a bulk sender, you’ll need to comply with ESP requirements to keep your email messages from landing in recipients’ junk folders.

Important Note: ESPs can classify your messages as spam even if they don’t classify your domain as a bulk sender. Trying to fly under the bulk sender radar will not allow you to avoid ESP content and protocol filtering.

4 best practices for staying compliant and improving open rates

Let’s face it—complying with the ESPs’ requirements requires measures bulk senders should already be taking. But if you’re not in the loop, here’s what you need to do.

1. Domain authentication

Google and Yahoo require bulk email senders to set up email authentication records for their sending domains, and we can assume Microsoft will too. This involves configuring three crucial email authentication protocols for verifying the legitimacy of the sender's domain and preventing email spoofing—SPF, DKIM, and DMARC:

• SPF records: Sender Policy Framework (SPF) records specify which mail servers can send email on your domain’s behalf. Configuring SPF records goes a long way toward preventing domain spoofing.
• DKIM signatures: DomainKeys Identified Mail (DKIM) adds a digital signature to your email messages. This signature allows the recipient’s email server to verify that the email indeed came from the claimed domain and that it hasn’t been altered in transit, which is especially important when you use shared services to send emails.
• DMARC policies: Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM by providing a way for domain owners to specify how email clients should handle messages that fail SPF or DKIM checks. Start with a "none" policy to monitor your email traffic and gradually move enforcement using "quarantine" or "reject" to block unauthentic emails.

These protocols help verify the sender's identity, protect against domain spoofing, and improve the overall trustworthiness of email messages. And while DMARC enforcement isn't an immediate requirement, all providers encourage its adoption, indicating that it may soon become mandatory.

2. Easy unsubscribe

This one’s obvious: Don’t make users jump through a bunch of hoops to opt out of your marketing emails. Simplifying the unsubscribe process helps maintain a positive sender reputation and reduces the risk of emails being marked as spam.

To improve the user experience and reduce spam complaints, ESPs mandate an "easy unsubscribe” feature—in other words, implementing a One Click Unsubscribe option that allows recipients to opt out of emails with minimal effort.

3. Don’t be spammy

All leading ESPs will enforce strict thresholds for reported spam rates. Domains with spam rates that exceed these thresholds will be blocked—bulk sender or not. Here's what you can do to stay compliant:

• Govern your email database: Regularly monitor hard bounces, honor users’ subscription preferences, and confirm opt-ins for folks that haven’t engaged for a while.
• Isolate sending infrastructure: Avoid sending marketing emails from the same systems you use for individual email and transactional emails.
• Send good content: It’s easy to succumb to the tyranny of lead-gen KPIs, but make sure you don’t send content that recipients will view as fluff. Respect your audience’s intelligence and avoid sending irrelevant or low-value content.

4. Follow DNS best practices for email security

Ensuring your email systems have valid DNS records is critical for email security. Configuring SPF, DKIM, and DMARC protocols will help. You should also regularly monitor and audit your DNS records for unauthorized changes. Using Domain Name System Security Extensions (DNSSEC) will help protect against DNS spoofing and keep the integrity of your DNS records strong.

You should also host your DNS with a reliable provider with robust security features, including DDoS protection and redundancy to ensure your DNS infrastructure remains secure and available. 

Start now

These moves from the major ESPs create a shared responsibility model between email senders and mailbox providers. If you haven’t already taken steps to keep your bulk sender status in good standing, start now by checking the stats of your domain authentication records using this online tool from Valimail.

If you’re already enforcing DMARC, consider amplifying your authenticated domain with a DigiCert Verified Mark Certificate (VMC), which displays your brand logo before recipients open the message. A VMC is like a stamp of completion for doing your due diligence to configure SPF, DKIM, and DMARC—and it’s a marketing move that will pay off for your brand.

The latest developments in digital trust

Want to learn more about topics like email security, Verified Mark Certificates, and digital trust best practices? Subscribe to the DigiCert blog to ensure you never miss a story.