Microsoft 365 - Email Authentication: Gmail/Yahoo and you

In Fall 2023 Google and Yahoo jointly announced significant changes to the requirements imposed on people sending to Google or Yahoo consumer accounts. Apple and other mailbox providers are beginning to announce or are quietly enforcing similar changes.

Whether you are an individual sender, a department communicator, a domain administrator or someone who forwards their mail, if you send email to @gmail.com or @yahoo.com addresses these changes could impact you.

For more background see IT News: New Email Sending Requirements

Overview of the change

Failure to follow the requirements set out by Google and Yahoo could result in your messages being marked as spam. At a high level what you need to understand about the change is the following:

  1. Email authentication must be in place for all domains sending email to Gmail or Yahoo recipients. These are DNS records that clearly define what systems and services are allowed to send mail using UW-Madison domains.
  2. Bulk mail such as newsletters, surveys, or other marketing style emails must allow recipients to opt-out and must support one-click unsubscribe. You will also need to process unsubscribe requests within 48 hours.
  3. Domain reputation can impact email delivery. Domain reputation is based on the user reported spam rates for a domain. In order to maintain a good domain reputation, user reported spam rates should never exceed .1% (1 in 1000 messages).

Google and Yahoo have both tried to be transparent about the requirements but they have also altered the language used in their FAQ during the rollout. Our understanding of how this will be enforced and the true impact to campus senders is still evolving.

What is an email domain?

When we refer to an email domain, we are talking about the portion of an email address to the right of the @ (e.g. bucky@wisc.edu). In the example wisc.edu is the email domain of the email address. wisc.edu is also referred to as the top level organization domain for UW-Madison. doit.wisc.edu is also a domain but it is an example of what is referred to as a subdomain of wisc.edu. Not every domain or subdomain supports email sending but there are well over 500 wisc.edu email subdomains that are associated with departments across campus or in use with campus affiliates.

What is email authentication (DMARC)?

Email authentication is part of how mailbox providers evaluate whether a message is from a legitimate sender or not. Email authentication looks at the email domain that will be visible to the recipient of the message, also known as the Header From, and compares it to other message attributes to determine if the message is legitimate. What message attributes are used to validate the sender and what actions the mailbox provider should take based on the results is defined by the DMARC standard proposed in RFC 7489. A more user friendly description of how DMARC works is available on the DMARC.org website.

What is one-click unsubscribe?

One-click unsubscribe goes beyond offering an unsubscribe link in the footer of your message. One-click unsubscribe inserts values in the email Header that allows email providers like Google and Yahoo to offer recipients a clear link at the top of the message to unsubscribe from all future mailings.

You don’t need to understand the details of the one-click unsubscribe standard but you should look for evidence that the marketing platform that you are using supports RFC 8058 compliant one-click unsubscribe options and you should enable it for your emails.

For more information see: One-click unsubscribe explained

How does this impact me as an individual sender?

The impact to you as a sender varies depending on how you are sending your messages and what type of mail you are sending. If you are sending email from your M365 account or to Google Groups, your mail is going to meet the email authentication requirements but will not meet requirements for bulk mail. If you are primarily emailing colleagues and collaborators at other institutions using your UW-Madison M365 account, your mail is fully compliant with the Google/Yahoo requirements but could still encounter delivery issues if our domain reputation is low.

Sending from Microsoft 365

In general, if you are sending mail using an email client such as Outlook desktop, Outlook on the web, Apple Mail or Thunderbird, you are sending mail from your M365 account.

  1. Email authentication: All mail sent from Microsoft 365 will comply with the email authentication requirements imposed by Google and Yahoo.
  2. Bulk mail: Microsoft 365 is not appropriate for sending bulk mail (newsletters, surveys, marketing mail) because it does not support one-click unsubscribe. Your messages may be rejected if they are classified as bulk marketing mail and do not include one-click unsubscribe. This can also have a negative impact on domain reputation. Please use the Eloqua service provided by the Marketing Automation team for distributing any mail that is likely to be classified as bulk.
  3. Domain reputation: The reputation of our domains will have an impact on the deliverability of your messages from M365.

Sending through Google Groups

If you are sending mail to @g-groups.wisc.edu or the legacy domain @lists.wisc.edu, you are sending through Google Groups.

  1. Email authentication: All mail sent via Google Groups will comply with the email authentication requirements imposed by Google and Yahoo.
  2. Bulk Mail: While Google Groups can be configured to allow recipients to unsubscribe, it does not meet the one-click unsubscribe requirement for sending bulk mail. Using Google Groups to send to a large group of external recipients is better than using your M365 account but you may still encounter difficulties sending to gmail or yahoo recipients. Google Groups is not recommended for sending out bulk mail.
  3. Domain reputation: Collectively campus sends a large volume of mail through Google Groups. Lacking one-click unsubscribe this may lead to higher user reported spam rates.

Sending through Campus Relay service

Many applications, servers and devices that are hosted on campus make use of the Campus Relay service to send mail to non UW-Madison recipients. Examples include multi-functioning printing devices, Shared Web Hosting sites, HRS, SIS and many other services. These services send mail using a variety of different email domains but are not required to login to Microsoft 365. Not all of this mail is capable of meeting the Google/Yahoo sending requirements and may be rejected or sent to spam.

  1. Email authentication: Most wisc.edu subdomains will meet the authentication requirements. However, any mail sent with an address in a different top level domain (e.g. pbswisconsin.org) may not. This is because we are only DKIM signing for the relay service, relay.mail.wisc.edu. If you are uncertain about whether your mail meets the email authentication requirements you can submit a Microsoft 365 - Email Authentication (DMARC) Introduction
  2. Bulk Mail: The application sending the mail through the Campus Relay service is responsible for supporting one-click unsubscribe. If you are sending newsletters or other forms of bulk mail via the Campus relay service, your application needs to offer and support one-click unsubscribe options.
  3. Domain reputation: Collectively campus sends a large volume of mail through the Campus Relay service and without proper controls in place this mail has the potential to negatively impact our domain reputation.

To find out more about the Campus Relay service see: Requesting SMTP Relaying for sending unauthenticated email

Sending from a marketing platform

There are any number of marketing platforms that are in use by campus to send newsletters, surveys, news briefs and other forms of bulk mail. Eloqua is the marketing automation platform supported by DoIT for use by campus. Other email service providers that are commonly used on campus include AmazonSES (Simple Email Service), Constant Contact, Emma, Mailchimp, Message Gears and Sendgrid.

  1. Email Authentication: Most email service providers offer the ability to authenticate the mail sent from their service. That does NOT mean that the mail sent from these services automatically complies with the Google/Yahoo requirements. Eloqua, supported by the Marketing Automation Team within DoIT, is the only service where you are guaranteed that your mail is fully compliant. If you are sending mail from any other service you should submit a Microsoft 365 - Email Authentication (DMARC) Introduction. We will be happy to help you determine if your mail meets the email authentication standards.
  2. Bulk Mail: The majority of the mail sent from these services is classified as bulk mail. Not all providers offer one-click unsubscribe options. You will need to check the documentation for the service you are using to determine what unsubscribe options are available, and enable them. You also need to process unsubscribe requests before your next mailing or within 48 hours of the request.
  3. Domain reputation: email sent from these email service providers and marketing platforms is far more likely to be viewed as spam by the recipient than any other campus mail. The best way to avoid having your mailings marked as spam is to only send to recipients who have opted-in to receive your email. In order to preserve our sending reputation you should also ensure that each recipient has a clear option to remove themselves from future emails through one-click unsubscribe.

Sending from Gmail with a wisc.edu address

Important: This is not recommended.

If you are sending from a gmail.com account and you have setup your From address to appear to be your @wisc.edu address or an address in one of the wisc.edu subdomains, you will start to encounter delivery issues. Unfortunately, using your wisc.edu address with your gmail account is not a supported configuration and can not pass email authentication checks. Your messages may already be delivering to some recipients junk folders and the only way to prevent this is to remove your wisc.edu address from your gmail.com account.

Domain reputation and the impact to Campus as a whole

The biggest challenge for campus is that while we see ourselves as a distributed organization with our separate identities reflected by our email subdomains, Google and Yahoo see us as a single organization represented by wisc.edu. Our current understanding of how they will enforce domain reputation is that all mail sent from wisc.edu and any of its subdomains will contribute to our overall reputation as a sender. That means that if one group allows its domain to be used in a manner that results in a high volume of user reported spam complaints, it could impact the domain reputation of the entire campus community.

Email authentication and careful evaluation of what services are allowed to send as our domains is going to be crucial to maintaining domain reputation.

Attention to recipient list hygiene is equally important. We need to make sure people actually want to receive the email we are sending by only sending to people who have opted-in to our mailings, allowing people the opportunity to unsubscribe, and monitoring engagement rates.

Actions for campus communicators

If you are responsible for sending out newsletters or marketing materials for your department you should be aware of the Google and Yahoo requirements and what it means for your emails. We have published a Best Practices Guide for using email marketing platforms to try to help.

The key takeaways are the following:

  1. Email Authentication: Please make sure that the email address that recipients see in the email they receive is actually approved for use with the marketing platform that you are using. The best practice guide links to documentation for some of the common platforms but we are here to help you. If you have questions about whether your email meets the email authentication requirements, you can submit a Microsoft 365 - Email Authentication (DMARC) Introduction.
  2. Bulk Mail: Newsletters, department updates and calls for research participation could all be considered marketing and promotional materials and need to adhere to the one-click unsubscribe requirements. Make sure that the recipients have opted-in to receive your mailing, don’t reuse email lists, and process unsubscribe requests within 48 hours.
  3. Domain reputation: UW-Madison as a whole sends out a high volume of newsletters and promotional material every day. Sadly these messages are much more likely to be marked as spam by the recipient than other campus communications. That makes it even more important to be aware of your audience and allow them to opt-out of future mailings.

Actions for email domain administrators

We see a lot of impersonation happening in our DMARC reports. Compromised systems from all over the world are frequently seen sending as our domains. The only way to prevent those spoofed messages from impacting our domain reputation is to publish a DMARC record with a “p=quarantine” or “p=reject” policy.

As a domain administrator it is important to protect your domain from abuse by publishing DMARC, SPF and DKIM records that clearly signal what systems and services are allowed to send as your domain. We recommend that all domains publish at least a DMARC “p=quarantine” policy with full (100%) enforcement so that mailbox providers like Google and Yahoo know that they should send messages from unapproved senders to Spam. This will also reduce the amount of user reported spam which directly impacts our domain reputation.

The goal is for all wisc.edu subdomains to publish a “quarantine” or “reject” policy to protect our reputation. If you are a domain administrator who supports a domain that still has either a policy of “p=none” or a “p=quarantine” policy with 0% enforcement, we can help you evaluate who is sending as your domain and determine when it is safe to move to stricter enforcement. For help looking at your domain sending profile, please submit a Microsoft 365 - Email Authentication (DMARC) Introduction.

More information about how DMARC works is available on the DMARC.org website.

Google and Yahoo: Mail Volumes

We have limited insight into what is being sent to Gmail and Yahoo recipients from wisc.edu and its subdomains. However, we do have access to DMARC reports. While not every wisc.edu subdomain shares their reports with us, most do. Here are the mail volumes that Google and Yahoo are reporting for the period 2/12/2024 - 3/20/2024:

Table of mail volumes received by Gmail and Yahoo
Max Messages/day Avg* Messages/day Avg* %Marketing**
gmail.com 332,000 165,000 72%
yahoo.com 70,000 27,000 84%

Footnotes on table calculations:
* - Average volumes were based on weekday (M-F) traffic only.
** - %Marketing is an estimate of the percentage of the mail that might be classified as bulk/marketing content. The estimate was developed based on the platform used to send the mail (Eloqua, Constant Contact, Emma, Mailchimp, etc). It is possible that some of the mail sent from those platforms could be classified as transactional mail. Similarly, mail sent from Microsoft 365 or Campus Relay was excluded from the calculation even though it is likely that some portion of the mail from those sources is considered marketing by Google/Yahoo.

Impact on Forwarded mail

The Google/Yahoo changes will have a significant impact on mail forwarding to those services. If you are forwarding your UW-Madison email to either a @gmail.com or @yahoo.com address you should expect that some percentage of your mail will not be delivered to the final destination mailbox.

For more information regarding the challenges with forwarding your email, please see Microsoft 365 - Set/Manage a Forward on a NetID or Service Account.

For most email clients, it is possible to connect a non UW email account concurrently with your @wisc.edu account. Microsoft Outlook desktop client is able to do so in a way that results in a single place to read and respond to messages from any number of different email accounts. We recognize that this may not meet everyone’s needs but it is likely the only way to avoid missing emails.



Keywords:
Google gmail gmail.com Yahoo yahoo.com authenticity authentication dmarc dkim spf eloqua mailchimp constant contact emma marketing newsletters reputation forward 
Doc ID:
136315
Owned by:
O365 S. in Microsoft 365
Created:
2024-03-26
Updated:
2024-05-10
Sites:
DoIT Help Desk, Microsoft 365