Last October Google announced that they would be tightening up their standards for what is acceptable in terms of large quantities of email from a single sending domain. Yahoo! made a similar announcement at the same time.

The first key point to be aware of is that Google and Yahoo have chosen to publicly announce that they’re tightening up their email acceptance  criteria. Not every organisation will necessarily be issuing a press release announcing that fact – bulk-email/spam can be such an annoyance to everybody. So we can be confident that other organisations will be making similar decisions, depending on their perceived scale of the problem, at a time that suits them. We have limited tools available to us to ensure consistent and reliable delivery to our recipients’ inboxes, other than following industry best-practice (which is all they’re asking us to do). It is entirely possible for one part of the University bulk-sending email carelessly to cause the rest of the collegiate University to have their outgoing email sent to spam folders, or rejected entirely. In theory only of course: we’re all far too professional for that to happen, right?

It is therefore vital that all IT Support Staff, in all parts of Oxford, consider and account for these requirements, particularly where they are using any kind of private or third-party bulk sending method. The Email Security Project is endeavouring to apply settings on behalf of the widest possible scenarios and situations but we know that edge-cases exist that may fall outside our visibility, scope, and remit.

Yahoo’s published requirements for bulk-senders

They have not specified a threshold above which these restrictions will apply. Email which fails these checks/requirements will either go to the recipients’ spam folders, or be rejected entirely. In that event a non-delivery report will be sent back to the sender. Spoofed email WILL count against their threshold.

• Email must be authenticated with SPF and DKIM.
• Your domain must have a published DMARC policy.
• ‘From’ headers in outgoing email must be aligned with either the values set in your SPF record, your DKIM record, or both.
• You must include a functional ‘list-unsubscribe’ header supporting one-click unsubscribing (RFC 8058 is recommended).
• A visible unsubscribe  link must be visible in the email’s body text (which can direct to a mailing preferences page).
• Unsubscribe requests must be honoured within 48 hours.
• Spam complaint rates must be below 0.3% (based on Google’s Complaint Feedback Loop service where users mark undesirable inbox content as spam).

Google’s published requirements for bulk-senders

 This is not an exhaustive list and Google’s other standard anti-spam recommended actions still apply.

• A threshold of 5000 emails per day. In our case this will be totalled across all ox.ac.uk subdomains which send outbound email.
• Email must be authenticated with SPF and DKIM.
• Your DNS must contain PTR records for sending domains.
• Your domain must have a published DMARC policy.
• You must include a functional ‘list-unsubscribe’ header supporting one-click unsubscribing (RFC 8058 is recommended).
• Unsubscribe requests must be honoured within 48 hours.
• Senders must remain under a ‘spam rate threshold’ (0.1% in Postmaster Tools) to ensure delivery to Gmail recipients.
• TLS connections must be used for transmitting email.
• Messages must be IME-formatted (RFC 5322).
• Don’t hide HTML or CSS content within your emails.
• Message From headers should only include one email address.

The Email Security Project has already comprehensively tested DKIM and DMARC (with basic SPF records already extant), both in a test environment, and for one subdomain.
The intention is to enable full DKIM and DMARC protection for the entire collegiate University in the next few days, well in advance of Google and Yahoo’s 1st February deadline.