Specifically, they’re requiring that bulk senders use domains that have DMARC policies in place. That requirement is straightforward, but some of the related requirements are causing quite a bit of confusion, so we thought we’d clear them up here.
Google’s requirements for bulk senders include these bullet points:
- Set up DMARC email authentication for your sending domain. Your DMARC enforcement policy can be set to none.
- Set up SPF and DKIM email authentication for your domain.
- For direct mail, the domain in the sender’s From: header must be aligned with either the SPF domain or the DKIM domain. This is required to pass DMARC alignment.
So, which is it? Do you need SPF and DKIM or just SPF or DKIM?
The answer, believe it or not, is both.
Set Up SPF and DKIM Email Authentication For Your Domain
For the purposes of our discussion (and for the purposes of the new Google and Yahoo requirements), “your domain” is the domain you’ll be using in the visible From: header of your emails. The directive is to set up SPF and DKIM email authentication for your domain, which means that:
- Your mail must be sent with a Return-Path (or bounce) domain for which an SPF record exists
- Your mail must be DKIM signed
So that covers SPF and DKIM, but what about SPF or DKIM?
From: Header Must Be Aligned With Either the SPF Domain or the DKIM Domain
DMARC is built on the two email authentication protocols, SPF and DKIM, and DMARC is designed to authenticate the use of the domain in the visible From: header of an email message. Since its release in 2014, DMARC has always required either that SPF pass and the SPF domain align with the From domain, or that DKIM pass and the DKIM signing domain align with the From domain.
With these new policies, Google and Yahoo aren’t changing DMARC’s requirement for a pass verdict; either the SPF domain or the DKIM domain must align, just as it’s always been for DMARC.
DMARC Best Practices
Even though DMARC only requires an aligned pass for SPF or DKIM, it has long been a best practice for messages sent with From domains that publish a DMARC policy to have both SPF and DKIM aligned if possible.
This “belt and suspenders” approach is meant to mitigate the risk of failures due to DNS hiccups, breakage due to forwarding, and other blips that might cause one authentication method to fail, but not the other. Implementing the best practice here and having both align is a way, and arguably the best way, to meet the Google requirements discussed above.
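The alignment rule and the belt-and-suspenders practice described above can be checked mechanically. The following is an added example, not code from Google, Yahoo or Valimail. The domains are constructed placeholders, and the organizational-domain lookup is a simplifying assumption (last two labels) standing in for the Public Suffix List that real evaluators use.

```python
# Added illustration: DMARC alignment evaluated over constructed sample results.
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # ASSUMPTION: organizational domain = last two labels. Real evaluators
    # consult the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Strict alignment needs an exact match; relaxed compares org domains.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Message:
    from_domain: str   # domain in the visible From: header
    spf_domain: str    # Return-Path (bounce) domain checked by SPF
    spf_pass: bool
    dkim: list = field(default_factory=list)  # [(d= domain, passed), ...]

def evaluate(msg: Message, aspf_strict: bool = False, adkim_strict: bool = False) -> dict:
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.from_domain, aspf_strict)
    dkim_ok = any(ok and aligned(d, msg.from_domain, adkim_strict)
                  for d, ok in msg.dkim)
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,     # DMARC needs one aligned pass
        "both_aligned": spf_ok and dkim_ok,  # the best practice
    }

# Constructed samples; example.com and esp.example.net are placeholders.
SAMPLES = {
    "both aligned": Message(
        "example.com", "bounce.example.com", True, [("example.com", True)]),
    "ESP bounce domain, own DKIM": Message(
        "example.com", "esp.example.net", True, [("mail.example.com", True)]),
    "forwarded, SPF broken": Message(
        "example.com", "bounce.example.com", False, [("example.com", True)]),
    "authenticated but unaligned": Message(
        "example.com", "esp.example.net", True, [("esp.example.net", True)]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:30} {evaluate(msg)}")
```

The last sample is the case that causes the confusion: SPF and DKIM both pass, yet DMARC fails because neither authenticated domain matches the From domain.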
Unsure of whether or not your SPF and/or DKIM are aligned? Use Valimail Align to view and update your sending domain.