Fix your DNS settings before Google starts blocking your outgoing mail

Well-intentioned anti-spam changes to Gmail and Yahoo in 2024 have started to impact smaller accounts, affecting email deliverability

TL;DR

Take some time over the next few days to enact a sequence of DNS changes to proactively protect against Gmail randomly deciding to stop delivering your emails.

Don’t send cold emails? Doesn’t matter. This happened to me and to three different startups I work with - and none of us really send any cold email.

Dalmatian Digest is a brief, occasional newsletter with practical, actionable operations tips for startup founders. You’re on this initial list because I think you’ll find it valuable.

About

In 2024, Google and Yahoo implemented some significant changes to their email deliverability guidelines and requirements, primarily targeted at “bulk senders” (accounts sending more than 5,000 e-mails per day[1]). These requirements were slowly rolled out & ramped up over time, and are now in full effect. They now require:

  1. Domain authentication: this is what matters for you and I’ll cover further below. It involves making a number of changes in your DNS settings and Google admin console.

  2. Easy-unsubscribe: only relevant if you’re actually sending bulk mail

  3. Staying under reported spam thresholds: only relevant if you’re actually sending bulk, potentially unwanted mail

Theoretically, this shouldn’t affect many early startups, as bulk sending on this scale implies some maturity to the GTM motion.

In practice, I had it impact my own domain and the domains of three clients this fall - all accounts which certainly do not fall into the “bulk sender” category. One client was unable to send email for 3 days in the middle of trying to close an incredibly important enterprise deal.

Why it matters

Not being able to send email is crippling for most startups, and fixing this after your account is already having issues is not instant due to the time it can take for DNS changes to propagate.

What to do about it

I found Google’s instructions on how to do this pretty poorly sequenced, so here’s my own guide. The mildly annoying part of fixing this is that it involves making a few changes, in a specific sequence, over a period of time (you can’t just one-shot this because DNS changes take time to propagate).

This involves making changes to 3 records:

  • SPF: Lists the servers allowed to send emails on behalf of your domain.

  • DKIM: Adds a digital signature to your emails to prove they weren’t altered during delivery.

  • DMARC: Defines what to do if an email fails SPF or DKIM checks (e.g., reject it, quarantine it, or allow it).

These instructions are for companies that use Google as their email service, but it’s a similar process for other services. This also assumes you aren’t using any other services to send e-mails - you’ll need to configure additional records if you are using any sending tools.

  1. Check to see if you already have these 3 things configured. MX Toolbox is a good free tool for this.

  2. If you don’t have anything configured, start with your SPF records.

    1. Log into your DNS provider (e.g. GoDaddy, AWS)

    2. Create a new TXT record with values:

      1. Host: @

      2. Value: v=spf1 include:_spf.google.com ~all

    3. Set live

    4. Wait (at least a few minutes, but DNS changes could take up to 48 hours to propagate)

    5. Confirm SPF records are now passing via MX Toolbox.

  3. While you’re fixing your SPF records, you can fix your DKIM record as well.

    1. Log into your Google admin portal & navigate to the “authenticate email” page

    2. Hit “Generate new record”

    3. Create a new TXT record with the provided values and publish it

    4. Click “Start authentication”

    5. Check back (I’ve noticed this usually propagates within ~30 mins) with MX Toolbox to make sure the domain authenticates.

  4. Finally, you need to update your DMARC record - wait until SPF & DKIM are both done to do this. Google recommends waiting 48 hours after setting up SPF & DKIM.

    1. First, set up a Google group to receive DMARC notifications, such as [email protected]

    2. You can set up a basic record here that doesn’t actually do anything but will still let you pass any domain checks. This is my recommendation for starting out, until you need to dial it in to filter more out. A “vanilla” record would look like:

      1. Type: TXT

      2. Host: _dmarc.yourdomain.com

      3. Value: v=DMARC1; p=none; rua=mailto:[email protected]

    3. Check that your record is properly formatted here

  5. You’re done!
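
The SPF and DMARC values from steps 2 and 4 can also be linted locally once you have the published TXT strings (for example from `dig +short TXT yourdomain.com`). The following is an added example, not part of the original newsletter: example.com, the dmarc-reports mailbox and all function names are assumptions, and the sample zone is constructed. It also flags a DMARC record that landed at a doubled name, which happens when a DNS provider appends the domain to a Host value that already contains it.

```python
# Constructed sample: TXT strings per DNS name; example.com and mailbox are placeholders.
SAMPLE_ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}

def check_spf(txt_records, required_include="_spf.google.com"):
    """Problems with the SPF TXT records at the domain apex (empty list = OK)."""
    spf = [r.split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero = no policy; more than one = SPF permanent error
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0][1:]]
    problems = []
    if f"include:{required_include}" not in terms:
        problems.append(f"missing include:{required_include}")
    if not terms or terms[-1] not in ("~all", "-all"):
        problems.append("record does not end in ~all or -all")
    return problems

def parse_tags(record):
    """Split 'k=v; k=v' into an ordered list of (key, value) pairs."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return [(k.strip().lower(), v.strip()) for k, v in pairs]

def check_dmarc(txt_records):
    """Problems with the TXT records at _dmarc.<domain> (empty list = OK)."""
    # A DMARC record must begin with the tag v=DMARC1; anything else is ignored.
    dmarc = [t for t in map(parse_tags, txt_records) if t[:1] == [("v", "DMARC1")]]
    if len(dmarc) != 1:
        return [f"expected exactly one v=DMARC1 record, found {len(dmarc)}"]
    tags = dict(dmarc[0])
    ok_p = tags.get("p", "").lower() in ("none", "quarantine", "reject")
    problems = [] if ok_p else ["p= must be none, quarantine or reject"]
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        problems.append("no rua= address, so no aggregate reports will arrive")
    elif not all(u.lower().startswith("mailto:") for u in rua):
        problems.append("rua= entries should be mailto: URIs")
    return problems

def audit(zone, domain):
    """Run both checks against a {name: [txt, ...]} mapping for one domain."""
    spf = check_spf(zone.get(domain, []))
    dmarc = check_dmarc(zone.get(f"_dmarc.{domain}", []))
    if f"_dmarc.{domain}.{domain}" in zone:  # provider appended the zone name
        dmarc.append("record is at a doubled name; use Host _dmarc")
    return {"spf": spf, "dmarc": dmarc}

if __name__ == "__main__":
    print(audit(SAMPLE_ZONE, "example.com"))
```

An empty list for both keys means the records match what the steps above publish; it does not cover DKIM, which still needs the check in the Google admin portal.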

[1] If this is you and it’s working for you, congrats on the outbound machine and can I invest?