Inbox privacy protection guidelines, brought to you by Google and Yahoo

As an email marketer, you have most likely seen, read about, or discussed the new inbox privacy protection ‘rules’ instigated by Google and Yahoo. At first glance they do not seem so different from the email authentication we have been using: SPF, DKIM, DMARC and maybe BIMI. Most ESPs have been using email authentication for years.

At first, these might seem like a repeat of the email security measures we’re all used to, like SPF, DKIM, and DMARC. But let’s take a moment to clear something up for everyone, not just the tech-savvy among us. 

 Email Authentication: the process by which an ISP can verify the identity of the sender.  Before an email is considered deliverable to the inbox it’s scrutinized, authenticated, and examined right along with the sender and their sender reputation. 

So, are these the same policies from Google and Yahoo?

Google and Yahoo users get more SPAM than the average bear; therefore, these mandated policies are designed to protect the consumer, their email users. These policies came about because of increasing frustration with SPAM, with the added annoyance of the inability to unsubscribe from some of these messages.

It has always been a CAN-SPAM Act requirement for bulk senders to provide a working opt-out mechanism for email recipients, with a functioning unsubscribe URL or hyperlink. So, this is not new. However, Google and Yahoo now impose stricter requirements on unsubscribe links and opt-out methods.
Google and Yahoo guidelines require the unsubscribe process to be straightforward and honored within 2 days. No longer can the sender state something like “it takes two weeks to process your unsubscribe request” (a leeway from the CAN-SPAM Act, which gave senders a 10-day window to comply). Those messages seem to be designed to keep the subscriber active because, as an email provider, I know the mechanics of unsubscribing should take less than a minute. And, as we suggested in 2014, these ISPs added another requirement: senders are required to implement one-click unsubscribe mechanisms.

Before someone unsubscribes, the email must be set up for delivery. The “new” requirements state that bulk senders must authenticate their emails with SPF, DKIM and DMARC:


  • SPF is simply a way to authenticate incoming email. The protocol allows the owner of the sending domain to stipulate which mail servers they use to send mail.
  • DKIM (DomainKeys Identified Mail) is like a digital signature for emails, which helps to verify that the email was really sent from the domain it claims to be from and hasn’t been tampered with on its way to your inbox. This helps in fighting spam and phishing by verifying the authenticity of the email sender.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy framework designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. 
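A receiving-side check of the requirements above (SPF, DKIM and DMARC passing, plus one-click unsubscribe), as an added example that is not from the original article. It assumes the one-click mechanism is the RFC 8058 `List-Unsubscribe-Post` header and that `mx.example.net` is your own receiving server; the sample message and the `audit_message` helper are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample message; all example.com / example.net names are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.example.com;
 dkim=pass header.d=example.com header.s=sel1;
 dmarc=pass header.from=example.com
From: News <news@example.com>
To: reader@example.net
Subject: March newsletter
List-Unsubscribe: <mailto:unsub@example.com?subject=u123>, <https://example.com/u/123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello.
"""

def audit_message(raw, trusted_authserv="mx.example.net"):
    """Return pass/fail findings for one received message."""
    msg = message_from_string(raw, policy=default)
    # Only trust Authentication-Results stamped by our own receiving server
    # (assumed name); a sender can add look-alike headers of its own.
    auth = ""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(header).partition(";")
        parts = authserv.split()
        if parts and parts[0].lower() == trusted_authserv.lower():
            auth += " " + results
    findings = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(r"(?:^|[;\s])%s=(\w+)" % method, auth, re.I)
        findings[method] = bool(m) and m.group(1).lower() == "pass"
    # One-click unsubscribe needs an HTTPS URI in List-Unsubscribe plus the
    # exact List-Unsubscribe-Post value; a mailto: link alone is not enough.
    unsub = str(msg.get("List-Unsubscribe", ""))
    post = str(msg.get("List-Unsubscribe-Post", "")).strip().lower()
    has_https = bool(re.search(r"<\s*https://[^>\s]+>", unsub, re.I))
    findings["one_click_unsubscribe"] = (
        has_https and post == "list-unsubscribe=one-click")
    return findings

if __name__ == "__main__":
    for check, ok in audit_message(SAMPLE).items():
        print(f"{check:22} {'PASS' if ok else 'FAIL'}")
```

Run it against a copy of your own campaign as delivered to a test mailbox, with `trusted_authserv` set to that mailbox provider's server name as it appears in the header.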

And then there are spam rate thresholds. In Dundee’s (mailinglistservices) discussions about email deliverability, we’ve identified a benchmark for a well-managed email list at a bounce rate of 0.1%. As this rate creeps up toward 1.0%, Internet Service Providers (ISPs) and email reputation monitoring services begin to downgrade the sender’s IP reputation, affecting email deliverability. Many of the larger ISPs rely on sophisticated reputation systems to automate their spam filtering decisions. These systems often require senders to maintain a certain reputation score to make sure their emails are delivered without restrictions. Falling below this score can lead to limited delivery rates.

The new spam rate threshold set by Google and Yahoo is a clear 0.3% for bulk emailers. Exceeding this limit could affect deliverability. Essentially, email senders should maintain their lists, i.e. remove inactive users.

Are these new then? Not really, but before, this type of authentication for email was suggested, not required. We have been working with DMARC, DKIM, SPF and BIMI (Brand Indicators for Message Identification) for several years.

However, these imposed guidelines represent a significant shift in email marketing, emphasizing the importance of privacy, security, and user consent. Emails sent from a Gmail account through a third-party service, like MailChimp, Constant Contact, and Dundee, may face stricter scrutiny by Google (Gmail) and other ISPs. This can affect how emails are filtered upon receipt, potentially leading to heightened chances of landing in spam folders. To alleviate some of these issues:

  • Make sure email authentication records (SPF, DKIM, DMARC) are correctly set up (your ESP should be able to assist).
  • Regularly monitor your sender reputation and adjust your email sending practices as necessary. 
  • Keep your mailing lists clean and up to date, removing inactive or unengaged subscribers. 
  • Use best practices for email content and design to avoid triggering spam filters. 
  • Understand and comply with the sending limits of Gmail and Yahoo and adjust your email campaigns accordingly. 
  • And it’s suggested to use a proprietary domain email address (e.g. instead of your free Gmail address to send your marketing messages.