Email Authentication - Google & Yahoo Changes - February 2024

As you may have already heard, Google & Yahoo! will require that domains have SPF, DKIM and DMARC records, from February 2024, when sending more than 5000 emails per day.

Note: The 5000 emails per day are all emails from all accounts on your domain, including marketing and transactional emails.

Those under the 5000 email threshold are still required to have either an SPF or a DKIM record.

SPF Record

If you have your emails hosted with us, our default SPF record is:

v=spf1 include:spf.stackmail.com a mx -all

The SPF record should be amended to include any other services you send through, such as your email marketing and transactional email services.

For example, if your also use MailChimp, this can be adjusted to:

v=spf1 include:spf.stackmail.com include:servers.mcsv.net a mx -all

Bonus: if your emails are hosted with us and you also use MailerLite, the record should be:

v=spf1 include:spf.stackmail.com include:_spf.mlsend.com a mx -all

See your other providers documentation for more information.

DKIM Record

If you host your emails with us, in the hosting control panel you’ll find the Domainkeys (DKIM) option. Select your domain from the dropdown and enter a selector (we recommend ‘r1’) and then click Add signature.

If we control your DNS hosting, it should actually be added but just go back to the control panel and go to DNS to ensure r1._domainkeys.yourdomain.com has been set up as a TXT record.

If your DNS is hosted elsewhere, next to your DKIM Signature, click Options and DNS, then copy down the ‘DNS Name’ and ‘DNS Value’. In your DNS host, you’ll have to create a TXT record with the name and value.

You should consult with your other providers for creating a DKIM record with them and then adding it to your DNS settings. You’ll need one DKIM record for each service provider.

DMARC Record

It is recommended that you allow all emails to be authenticated 48 hours prior to adding a DMARC record. That means having the DKIM records and SPF record activated 48 hours before.

A DMARC record is essentially a TXT record with the name _dmarc.yourdomain.com.

The minimum required value for the record is:

v=DMARC1; p=none;

The “v” value defines that the TXT record is a DMARC record and the “p” value determines what happens if the email passes or fails authentication. A p value of none indicates that nothing will happen.

It’s the safest option and the one recommended when starting out.

You can go a step further and add aggregate reporting. An example of that would be:

v=DMARC1; p=none; rua=mailto:youraddress@yourdomain.com.

Note please be careful with the email address you use – it wouldn’t be surprising to see an increase in spam to email addresses listed in your DMARC record.

If you use reporting, then you can determine the DMARC works correctly before increasing the policy to quarantine and then reject when you are 100% certain no important messages will fail your authentication.

We have added a DMARC Wizard to the Stack hosting control panel if you’d like to generate a more robust record.

Email Authentication - Google & Yahoo Changes - February 2024

SPF Record

DKIM Record

DMARC Record

Further Reading