Bulk Sender Guidelines for Marketing Cloud Engagement: Addendum

Gmail and Yahoo bulk sender guidelines will see gradual enforcement in 2024. Marketing Cloud Engagement users sending with authenticated domain products already meet requirements for email construction and authentication. Suggested practices such as commercial and transactional message separation, obtaining permission to send, and focusing on engaged subscribers, can be met with existing features.

Review Gmail and Yahoo's guidelines and our Help page on the topic. Then use the sections below to examine your sending compliance in detail. 
 

Bulk Sender Guidelines for Marketing Cloud Engagement (help.salesforce.com)
Gmail Email Sender Guidelines (google.com)
Yahoo Email Sender Requirements (yahoo.com)
 

Authentication

Domains configured as SAP or Private Domain meet authentication requirements by including an SPF policy, signing messages with DKIM, and setting a DMARC policy. 

• To verify that your domain is properly authenticated, you can use a third-party site such as aboutmy.email, mail-tester.com, or mailgenius.com. Please note that these tools are unaffiliated with Salesforce. Customers can choose to use such email testing tools or not at their sole discretion. We encourage you to review any email testing platform's privacy policy to fully understand how your information will be treated and make an informed decision accordingly.
• Use of the Add Email Address and Register Domain functions in From Address Management will not authenticate those addresses. Use SAP and Private Domain. 
• When sending with a Private Domain whose base domain does not match the SAP domain (e.g., sending with secondbrand.com when the SAP domain is e.firstbrand.com), SPF alignment will not be achieved unless multi-bounce domain is enabled. Request multi-bounce domain with a support case.
• Gmail: Senders should sign up for Postmaster Tools and regularly review data Gmail provides to ensure spam rates are below their threshold.
  Yahoo: Authenticated domains are enrolled in the Complaint Feedback Loop at time of configuration. Data can be found in the _Complaint data view. For detailed reputation directly from Yahoo, reach out to Yahoo about Email and Deliverability Performance Feeds

Infrastructure

IP Addresses

Marketing Cloud sending IPs have forward and reverse (PTR) records set and aligned with each other, meeting this requirement.

Marketing Cloud inbound MTAs are the first stop in a message’s journey through our processing apparatus. All messages are acknowledged with a 250 OK, though they may be discarded after assessment of the sender and message contents, downstream of the accepting MTA. Initial acceptance by our MTAs may create the appearance of an open relay. Our MTAs relay only properly-formed messages from authenticated senders. 

TLS Sending

Marketing Cloud sends are transmitted over TLS wherever possible ("opportunistic TLS"). 

Monitoring

Spam Complaints

Complaints received from service providers can be accessed at the subscriber level from the _Complaint data view and in aggregate with a variety of reporting methods.

Gmail does not provide individual spam complaints. To see your Gmail complaint rate, enroll in access for Postmaster Tools.
 

DMARC

Marketing Cloud helps users meet DMARC requirements, but to gain insight into authentication failures, enlist the aid of a DMARC reporting tool. While DMARC was designed to protect against malicious senders, reviewing failure reports can also identify legitimate but misconfigured messages. Smaller volume senders might consider routing failure reports directly to an inbox they manage. 

Make changes to your delegated domain's DMARC policy with a support request.
 

Unsubscribes: List-Unsubscribe

Commercial messages include one-click unsubscribe functionality by default. No additional configuration is necessary. One-click unsubscribe is supported by List-Unsubscribe and List-Unsubscribe-Post headers -- learn more at List-Unsubscribe Header Unsubscribe. 

Confirm the presence of List-Unsubscribe headers by comparing your message headers with this example:

List-Unsubscribe: <https://click.email.mycompany.com/subscription_center.aspx?jwt=eyJhbDciOiJIUzI1BiIsInR5cCI6IkpXVCJ9.eyJtaWQiOiI3MzI2MzUwIiwicyI6IjI4NTEzMDMzMCIsImxpZCI6IjMxNTU4NyIsImoiOiIxMDQ3MDEyIiwiamIiOiIxIiwiZCI6IjcwMjI4In0.599OYI57-05u8_GYWvOywnb1BzOQrcUjOGYfFOlxtHM>, <mailto:leave-fcae177170610c4a1a4c342838-fe3616653065077d761770-fea015702433047c77-fe931373776c077875-ffce15@leave.email.mycompany.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

There are a number of third party tools (such as aboutmy.email, mail-tester.com, mailgenius.com, etc.) that can assist with reviewing the message header for presence of the list-unsubscribe. Please note that these tools are unaffiliated with Salesforce. Customers can choose to use such email testing tools or not at their sole discretion. We encourage you to review any email testing platform's privacy policy to fully understand how your information will be treated and make an informed decision accordingly.

List-Unsubscribe HTTP URI Source

The HTTP method of the List-Unsubscribe header used for one-click unsubscribes is generated from the subscription_center_url brand tag assigned to each business unit. Alterations to List-Unsubscribe values are not currently supported.

If subscription_center_url has been modified to target a custom CloudPage and your templates use the %%subscription_center_url%% personalization string, open a support case to notify us. We can set List-Unsubscribe to a generic subscription center without affecting the behavior of standard unsubscribe links, or assist with alternatives. 

SSL on HTTP List-Unsubscribe URLs

The List-Unsubscribe one-click standard requires the use of HTTPS. As in the example header, the default subscription_center_url is hosted on the click subdomain. If the SAP click subdomain has not been secured, visit Domain SSL Certificates to provision a certificate.

DKIM Required

The List-Unsubscribe one-click standard requires a DKIM signature, which is included on sends from SAP and Private Domains. 

List-Unsubscribe domain reputation

Mailbox providers (like Gmail and Yahoo) control whether or not the list-unsubscribe shows in their inbox to a subscriber. Sender reputation seems to have an impact on whether the option is presented. If SAP was recently configured on a brand new base domain, one-click unsubscribe links may not begin appearing until sufficient volume and engagement is seen on the domain. This does not mean emails are missing the list-unsubscribe header. As noted above, you can examine the message header to confirm the presence of list-unsubscribe. 

Frequently Asked Questions (FAQ)

Is my deliverability affected by email authentication enforcement?

Review bounce responses for mentions of DMARC, DKIM, and SPF.

Is my domain is authenticated?

Navigate to From Address Management within the Setup menu to see a list of verified sending domains. Only those marked as SAP or Private Domain are authenticated domains.