All Collections
New Domain Authentication Requirements: How to Prepare
New Domain Authentication Requirements: How to Prepare
Written by Lori Naeger
Updated over a week ago

In the wake of Gmail’s recent announcement regarding email sender requirements, Yahoo is also poised to implement changes in its email authentication protocols. This requirement shift from major email service providers proves the evolving improvement of email communication standards. In this article, we’ll cover all the changes coming in February of 2024. While these changes can seem restrictive to email senders, requirements like domain authentication protect us from emails whose sole intention is negative or fraudulent.

Before Getting Started

The new requirements presented by major email clients focus on stopping spammers whose sole purpose is malicious activity. Small and large senders must have proper domain authentication, opt-in mailing lists, an easy way to unsubscribe, and a spam rate below 0.3% to avoid reduced email deliverability.

To ensure proper domain authentication, you will need an SPF record, a DKIM record, and a valid DMARC policy with at least a p=none. The “p” value tells the email client what to do with the messages that fail DMARC.

Domain Authentication

As of February 1st, 2024, Gmail and Yahoo will require email senders to have email domain authentication for their emails to reach the inbox. What does this mean exactly?

For your email domain to be fully authenticated, you’ll need an SPF record, DKIM record, and DMARC policy configured in your DNS settings with your domain provider. There is no exception; you’ll need all three to be completely authenticated.

SPF (Sender Policy Framework)

  • The Sender Policy Framework record, commonly known as an SPF record, is a record added to your DNS settings. The SPF record is used to specify which domains have authorization for email sending. Adding an SPF record to your domain indicates which domains or IP addresses are authorized to send emails on your behalf.


SPF validates the domain or IP address used to send the email message.

DKIM (DomainKeys Identified Mail)

DKIM stands for DomainKeys Identified Mail. It is an email authentication method designed to detect and prevent email spoofing, while also guaranteeing the integrity of email messages. DKIM allows the sender of an email to digitally sign the message, providing a cryptographic signature that can be verified by the recipient’s email server.


The DKIM record adds a second layer of security, effectively reducing the risks associated with spoofing and phishing.

DMARC Policy (Domain-based Message Authentication, Reporting, and Conformance)

DMARC is another type of email authentication. The DMARC Policy is an important step of email domain authentication; it establishes how email clients will receive messages that fail the DMARC authentication checks. A GMAIL and Yahoo requirement with the DMARC policy is that all senders have at least a “p” value in their DMARC policy.

To check if you need to update your DMARC Policy, you can utilize a third-party tool like MXToolBox or check with your domain admin. If no DMARC record is found, you can add the following DMARC policy to your domain, “v=DMARC1; p=none; adkim=r; aspf=r“. This will ensure you pass the requirements for sending through Benchmark Email.

Type: TXT Name: _dmarc Value: v=DMARC1; p=none; adkim=r; aspf=r


If you have a DMARC policy already in place, be sure to include a p policy such as “p=none” and make sure aspf and adkim are NOT set to strict.

Email messages not meeting the requirements below are likely to be filtered as Spam or rejected. Together, these authentication protocols contribute to a more secure email communication environment.


The DMARC policy verifies the alignment of SPF and DKIM with the from address of a sender. The p= policy tells the email client what they should do with an email whose DMARC failed, and when rua and ruf tags are configured, it provides reporting to the legitimate domain of the activity of other domains impersonating them.

One-click Unsubscribe

As a new requirement, all emails must include a one-click unsubscribe header. The one-click unsubscribe header is different from the unsubscribe link in the email’s footer. All emails delivered from Benchmark include the mandatory unsubscribe header, which asks the recipient in their inbox if they would like to unsubscribe from your mailing list.

The new one-click unsubscribe header is not visible in the email itself, only in the inbox. It will appear next to the From name in the email message. When you click on this, a pop-up will appear asking you to confirm your choice; that’s it. Recipients won’t have to fill out an Unsubscribe form, improving their email experience.


No action is required to add the one-click unsubscribe link; this has already been enabled in all BenchmarkONE accounts. Contacts who leverage the one-click unsubscribe in their inbox will be automatically unsubscribed from your mailing list.

Spam Complaint Rates

Keeping a low Spam complaint rate has always been a standard practice. However, with the coming changes, the new threshold is to keep a spam complaint rate under 0.10% and avoid reaching a complaint rate of 0.3%. The spam complaint rate is composed of emails marked as spam from the contact’s inbox. This statistic is tracked at the domain level and should be proactively monitored using Google Post Master tools.

If you are interested in knowing how many emails sent from BenchmarkONE Email are reported as spam, junk, abuse, or unwanted, you can check your account’s complaint rate using BenchmarkONE’s Complaint Report.

Email senders can monitor their domain’s spam rate using tools like Postmaster. Tools that track your domain sending can give you the following information.

  • Emails delivery status

  • Your domain’s influence on email delivery

  • Number of emails marked as spam, junk or abuse

  • Authentication of your emails

Frequently Asked Questions

What happens if my domain is already authenticated?

If you previously authenticated and have a valid DMARC record, no action is required.

How do I check if my domain is authenticated?

You can check your domain status directly from your BenchmarkONE account. To check your authentication records, log in to your account, then on the top right, click on your name and select Account Settings. Next, click on Account > Domain Authentication, and you will see a status for your domain. You can also run a check using MXToolbox.

What if I don’t authenticate my domain?

If you fail to authenticate your domain with SPF, DKIM, Custom Return and DMARC, we will adjust your From email address, and emails from BMO will be sent from an authenticated BenchmarkONE domain. For example, if your email address is, your domain would appear as:

What happens if I don’t own a domain and send from a public domain?

Customers using a public email address will have their from email adjusted to use an authenticated BenchmarkONE. For example, if your email address is, your domain would look like this:

However, because this is a shared domain, you have less control over your deliverability results. We encourage you to purchase a private domain for email sending immediately.

What if I send from multiple BenchmarkONE accounts?

Each BenchmarkONE account is unique from one another, including subaccounts. You must add an SPF and DKIM record for each account you send from. However, you do not need to add another DMARC record.

What if I send from different domains, do they all need to be authenticated?

Yes, you will need to authenticate the private domains in your account to ensure proper authentication.

What if I use more than one email service provider?

You will need to add an SPF and DKIM record for each email service provider you use; otherwise, you risk low deliverability. Please consult with your IT administrator to make sure all your records align.

Did this answer your question?