New Gmail Policy Causes “Mail Is Unauthenticated” Bounceback Error – How To Fix It?

If you didn’t already know, both Yahoo and Gmail announced new email authentication policies in October 2023 which were going to be implemented in February 2024. These new policies applied to all email users of the said platforms, but most affected the bulk email senders.

Due to these new policies, many users have reported observing the following email bounceback error when sending emails from different service providers to Gmail accounts:

gmail-smtp-in.l.google.COM: 550-5.7.26 This mail has been blocked because the sender is unauthenticated.

For many users and organizations, this is the first time they have encountered this error, and they often do not understand what it means or how to fix it. This is where we come in.

If you or someone you know is unable to send emails to Yahoo, Gmail, or other email provider accounts and is seeing an “authentication” error message, then this guide is for you. Here, I have explained why such an error occurs, why it has started occurring recently, and what steps you can take to mitigate it and get those emails across to the recipients.

This post also discusses a brief backstory of email authentication so you can really grasp those concepts better.

What is email authentication?

In simple words, email authentication, or validation, is the process of verifying that incoming mail comes from a legitimate source, that it is from the person it claims to be from, and that it has not been tampered with in transit.

Email servers use different processes and standards to confirm the authenticity of an email. This usually involves SPF, DKIM, DMARC, BIMI, and MTA-STS, all of which have been discussed in detail on the given links.

If an email fails validation, the sending domain’s DMARC policy determines how the receiving mail server handles it. If the policy is strict, the server may reject the email, in which case the recipient would have no clue that they were due an email, and the sender will receive a bounceback email, which is a message indicating that the email could not be delivered.

A bounceback email usually includes an error code or a statement indicating why the email could not be delivered. The “Mail is unauthenticated” error is delivered in such an email.

That said, the DMARC policy builds on the SPF and DKIM checks, which are detailed topics on their own and have been discussed separately. While understanding how DKIM and SPF work is not as important right now, it is important to understand how DMARC works. Knowing that will help you mitigate the bounceback error “Mail is unauthenticated”.

What is DMARC Policy?

To explain it briefly, DMARC evaluates the results of the DKIM and SPF authentication and tells the mail server how to handle the email. The server would either allow the email to land in the receiver’s Inbox, send it to the spam folder, or reject it altogether. The purpose of this policy is to reduce spoofing (since it can’t be eliminated).

The DMARC policy is stored as a TXT record on the DNS server of the domain. The tags and values defined in the record tell the mail server how to handle unauthenticated emails. A DMARC record looks like this:

v=DMARC1;p=quarantine;pct=100;adkim=s;aspf=r;rua=mailto:postmaster@itechtics.org;ruf=mailto:postmaster@itechtics.org

The value after the “p=” tag defines how unauthenticated emails are handled. These can be one of the following options:

  • none: DKIM and SPF checks do not affect email filtering and the emails are forwarded as-is. This option is mostly used for DMARC reporting.
  • quarantine: Emails that do not pass the DKIM and SPF checks are tagged and sent to the recipient’s spam folder.
  • reject: Emails that do not pass the DKIM and SPF checks are blocked and never delivered to the recipient.
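
To make the tag syntax concrete, here is an added example (not code from the original article) that parses a DMARC record and flags common problems. The function names are hypothetical, and the defaults for `adkim`, `aspf`, `pct` and `sp` are those of RFC 7489.

```python
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict with RFC 7489 defaults applied."""
    pairs = []
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    tags = {**DEFAULTS, **dict(pairs)}
    tags.setdefault("sp", tags.get("p", ""))  # subdomain policy inherits p
    return tags

def audit_dmarc(record):
    """Return (tags, findings); findings are human-readable problems or notes."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("p") not in POLICIES:
        findings.append("p tag missing or not one of none/quarantine/reject")
    elif tags["p"] == "none":
        findings.append("p=none: failures are reported but not filtered")
    if not tags["pct"].isdigit() or not 0 <= int(tags["pct"]) <= 100:
        findings.append("pct must be an integer from 0 to 100")
    elif int(tags["pct"]) < 100:
        findings.append(f"policy applies to only {tags['pct']}% of failing mail")
    for mode in ("adkim", "aspf"):
        if tags[mode] not in ("r", "s"):
            findings.append(f"{mode} must be r (relaxed) or s (strict)")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will not be received")
    return tags, findings

# The record shown above in this article.
PAGE_RECORD = ("v=DMARC1;p=quarantine;pct=100;adkim=s;aspf=r;"
               "rua=mailto:postmaster@itechtics.org;ruf=mailto:postmaster@itechtics.org")

if __name__ == "__main__":
    print(audit_dmarc(PAGE_RECORD))
    print(audit_dmarc("v=DMARC1; p=none")[1])  # constructed minimal record
```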

As mentioned earlier, it is important to understand how each of these values affects the outcome for an unauthenticated email, as this is what Gmail and Yahoo have updated in their authentication policies, which have greatly affected their users worldwide.

Google’s & Yahoo’s requirements for email delivery

In Gmail’s announcement, they have focused on bulk email senders. However, the new policies also affect regular users who do not send emails in bulk.

Before proceeding further, it is important to understand which email accounts are considered “bulk email senders”.

Classification of bulk email sender

Email accounts that send out at least 5000 emails per day are identified as bulk email senders. These are usually email accounts used for marketing or financial receipt purposes. But there’s a catch.

It is not necessary that you currently send 5000 emails per day to be a member of the bulk email senders list. If you have sent at least 5000 emails on any given day in the past, your account will be considered a bulk email sender.

Moreover, it is noteworthy that if a domain sends more than 5000 emails in 24 hours, it is considered a bulk email sender. This is the accumulated emails sent from different email addresses but from the same domain.

New requirements for bulk email senders

The following requirements are now mandatory for bulk email senders to be able to successfully deliver their emails:

  • DMARC Authentication

    Previously, DMARC authentication was optional. Gmail would allow bulk senders to successfully land emails in the recipient’s inbox even if they had not configured a DMARC record. However, this has now been made mandatory.

    As per their documentation, Google says that the bulk senders must have a DMARC record for their domain stored on the DNS. They are allowed to configure it with a “p=none” value, which means that the DMARC policy would do nothing with the rejected emails, but the DMARC record should exist.

    Domains sending bulk emails without a DMARC record would end up getting blacklisted.

  • Single-click unsubscription button

    The recipients of bulk emails should be able to successfully unsubscribe from receiving such emails with the click of a single button.

    These buttons are normally found at the bottom of advertisement emails and newsletters but were optional, and not all emails contained them. However, this has now been made mandatory.

  • Spam threshold to be less than 0.3%

    The spam rate refers to the number of emails that end up in the spam folder out of the total emails sent out.

    Both Google and Yahoo recommend that this number should be less than 0.3%, and Google is making this rule mandatory. If the spam percentage is above 0.3 percent, then the domain may be blacklisted by Google.

This concludes the new rules applied to bulk email senders. However, the rules for regular users, who do not send 5000 emails per day, are a bit different.

New requirements for non-bulk email senders

Google has also released a guideline for non-bulk email senders, who should follow certain rules if they do not want their domains to be blocked or blacklisted.

  • Senders must have SPF and DKIM enabled.

    Learn how to configure SPF and DKIM.

  • Sending domains and IP addresses must have valid “PTR” records.

  • Your domain’s spam rate must be below 0.3%.

  • Your email format must follow IMF specifications as mentioned under RFC 5322.

  • Impersonating From: headers is not allowed and can reduce your mail delivery rates.

  • The domain in the sender’s From: header must match the domain in either the return-path header (SPF alignment) or the DKIM signature header (DKIM alignment).

  • Forwarded emails must be signed by ARC.

Combining these new requirements with the requirements that already existed for domain email senders, the following table summarizes the requirements and recommended settings for bulk and non-bulk email senders:

| Requirement | General Email Senders | Bulk Senders |
|---|---|---|
| SPF/DKIM Email Authentication | Required | Both SPF and DKIM Required |
| Forward and Reverse DNS Records | Required | Required |
| TLS Connection for Transmitting Email | Required | Required |
| Spam Rates in Postmaster Tools | Below 0.3% (ideally less than 0.1%) | Below 0.3% (ideally less than 0.1%) |
| Message Format (RFC 5322) | Required | Required |
| Impersonating Gmail From: Headers | Prohibited | Prohibited |
| ARC Headers for Forwarded Email | Recommended for regular forwarders | Recommended for regular forwarders |
| List-id Header for Mailing List Senders | Recommended | Recommended |
| DMARC Email Authentication | Not given | Required (DMARC enforcement policy can be set to none) |
| Alignment of From: Header with SPF/DKIM Domain | Not given | Required for direct mail to pass DMARC alignment |
| One-Click Unsubscribe and Visible Unsubscribe Link | Not mentioned | Required for marketing and subscribed messages |

Google email authentication requirements for bulk and non-bulk senders

More information can be found in Google’s guidelines, where each of these requirements has been discussed in detail.

Google’s new mail policy implementation timeline

With these rules and policy updates, Google has also announced a plan to gradually implement and enforce these rules, leaving ample time for users to adjust their settings accordingly. This is what Google had planned to do:

Google’s sender email policy enforcement timeline
  • February 2024

    Before February, Gmail had configured the DMARC policy to “p=none”. However, on February 1st, 2024, Google changed this to “p=quarantine”. This means that emails that do not authenticate successfully will be sent to the spam folder.

    This specifically affects the domains that are using the From: headers like “@gmail.com”.

    If your business email is something like “businessname@gmail.com” and not like “contact@businessname.com”, the DMARC authentication will fail since the domain in the From: header would not match the domain in the DKIM header or envelope header, which would result in the emails being quarantined (sent to the spam folder).

    Note that if too many emails (≥0.3%) end up in the recipient’s spam folder, the domain could be blocked or blacklisted.

    Moreover, bulk email senders must configure their DMARC records, even if it is with the “none” value for the “p” tag. A percentage of messages that do not meet these requirements will start getting errors, or bounceback emails with errors. Initially, this would only be implemented for a small percentage of the emails that are not authenticated.

  • April 2024

    Starting in April 2024, Google will begin rejecting a certain percentage of non-compliant emails from the bulk senders. This means that the value for the “p” tag in the DMARC policy will be changed to “reject”.

    This is also the reason why so many people are seeing bounceback errors like “This mail has been blocked because the sender is unauthenticated” recently.

  • June 2024

    On 1st June 2024, Google will begin blocking bulk-sending domains that do not include a one-click unsubscribe button in their emails. Note that this is a revised deadline defined by Google.
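
The From: header alignment rule in the non-bulk requirements, and the “businessname@gmail.com” failure described under February 2024, can be worked through in code. This is an added example, not part of the original article; the function names and the `mailer.example` sending service are constructed, and the organizational-domain logic is a deliberate simplification noted in the comments.

```python
def org_domain(domain):
    """Assumption: organizational domain = last two labels. Real receivers use
    the Public Suffix List, so this is wrong for suffixes such as co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Mode 's' needs an exact match; mode 'r' needs the same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_disposition(from_domain, spf, dkim, policy="none", adkim="r", aspf="r"):
    """spf and dkim are (result, domain) pairs: the SPF result with the
    return-path domain, and the DKIM result with the signature's d= domain.
    Returns (dmarc_pass, action). The pct tag is ignored here."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim)
    if spf_ok or dkim_ok:
        return True, "deliver"  # one aligned pass is enough
    actions = {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}
    return False, actions[policy]

# Constructed cases: (description, From: domain, SPF, DKIM, p, adkim, aspf)
CASES = [
    ("gmail.com From: sent through a third-party service",
     "gmail.com", ("pass", "bounce.mailer.example"), ("pass", "mailer.example"),
     "quarantine", "r", "r"),
    ("own domain, DKIM signed as businessname.com",
     "businessname.com", ("pass", "bounce.mailer.example"),
     ("pass", "businessname.com"), "reject", "r", "r"),
    ("subdomain From:, strict DKIM, relaxed SPF",
     "news.businessname.com", ("pass", "bounces.businessname.com"),
     ("pass", "businessname.com"), "quarantine", "s", "r"),
]

if __name__ == "__main__":
    for desc, frm, spf, dkim, p, adkim, aspf in CASES:
        print(desc, "->", dmarc_disposition(frm, spf, dkim, p, adkim, aspf))
```

In the first case SPF and DKIM both pass, yet DMARC fails because neither authenticated domain matches gmail.com, which is exactly why such mail is quarantined.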

What happens if email is non-compliant with new policies

Both Google and Yahoo have defined their new emailing policies quite descriptively. There is no room for interpretation or errors. If your domain’s DMARC records are not compliant, or other defined policies are not met, your domain will become non-compliant and face serious repercussions.

For one, your email deliverability will be significantly impacted. Emails will begin ending up in the spam folder, or not being delivered at all. This can quickly lead to violations of other rules, such as the spam rate exceeding the 0.3% threshold, which can eventually lead to your domain being temporarily blocked, or permanently blacklisted.

Therefore, it would be wise to make the necessary changes as soon as possible and get your email security tightened up.

What types of emails are impacted

Your business is more likely to be impacted by the new email policies if you are a bulk sender, and send more than 5000 emails in 24 hours. Only certain types of business require that kind of emailing power. Here are a few examples:

  • Newsletters
  • Password resets
  • Shipping notices
  • Account activity alerts
  • Product announcements
  • Content releases
  • Account confirmations
  • Purchase receipts
  • Sales announcements
  • Event invitations

Note that certain types of emails would not have the “unsubscribe” button, such as the password reset emails, which is why they would be exempted from such rules. However, the rest of the policies will still apply.

How to fix “Mail is unauthenticated” bounceback error

Check if domain satisfies policies

If you are experiencing a bounceback error for the emails that are being sent from your domain, the first thing you should do is find out the reason. To begin, you must first check your mail server and DNS configuration.

Use our Email Security & Deliverability Checker to verify if your SPF, DKIM, DMARC, BIMI, and other important records are configured correctly. It also informs you if your domain is currently blacklisted by any of the services that maintain IP history.

If you find an issue with a DNS record or a policy, rectify it immediately.

Implement SPF, DKIM, and DMARC

If you haven’t already configured these, then start by configuring SPF and DKIM policies. If you are a non-bulk sender, then these should be sufficient. However, if your domain sends out more than 5000 emails in a day, you should also configure the DMARC record.

Include easy single-click unsubscribe option

If you are a bulk email sender and your outgoing emails do not contain an “unsubscribe” button, then it is high time that you include one.

It is one of the mandatory requirements of Google to include a one-click unsubscribe button in the emails of bulk senders.

Closing words

Google announced its change of email policies back in October 2023 and started making the initial adjustments at the beginning of February 2024, allowing email senders almost 4 months to make the necessary adjustments.

In April, Google and Yahoo began rejecting a small percentage of non-compliant emails, further hardening email authentication and security.

That said, Google is yet to announce when they will implement hard rejection policies for non-compliant emails, but I guess that it will take a good year or two for the rest of the email senders to implement the DKIM, SPF, and DMARC policies, and satisfy other requirements.

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).
