All You Need To Know About Gmail’s Feedback Loop Offering
Bird
Apr 1, 2014
1 min read
Key Takeaways
Gmail introduced an FBL pilot to help ESPs identify spammy senders.
Unlike traditional FBLs, Gmail provides aggregated spam complaint data, not ARF reports.
ESPs receive daily spam complaint percentages at the customer or campaign level.
Gmail requires strict adherence to Bulk Sender Guidelines (IP consistency, RDNS, SPF, DKIM, DMARC).
A new “Feedback-ID” header is required to identify customers, campaigns, and traffic types.
Gmail aggregates complaints per identifier, not across them, and ignores low-volume tags.
The FBL data arrives as a CSV attachment covering the previous day’s gmail.com messages.
ESPs must DKIM double-sign the headers to prevent spoofing.
Momentum supports multiple DKIM signatures using Lua policies and OpenDKIM.
Gmail only supports 1024-bit+ DKIM keys, treating shorter ones as unsigned.
Multiple ISPs provide FBLs, but Gmail’s model is unique and privacy-preserving.
Q&A Highlights
What is Gmail’s Feedback Loop (FBL)?
A pilot program for ESPs that provides aggregated spam complaint data, helping identify abusive senders without exposing individual user information.
How is Gmail’s FBL different from traditional feedback loops?
Traditional FBLs use ARF complaint reports containing individual spam complaint details.
Gmail instead provides aggregated daily percentages, protecting end-user privacy.
What does the aggregated report contain?
A daily CSV showing:
Percentage of spam complaints
Grouped by customer, campaign, or traffic type
Only for gmail.com recipients
What is the “Feedback-ID” header?
A required header that identifies the customer and optionally campaign or traffic type.
Format:
Feedback-ID: a:b:c:ESPid
a:b:c= optional identifiersESPid= required unique customer ID
Gmail aggregates based on each individual identifier.
What happens if tags have too few messages?
Gmail ignores low-volume identifiers to prevent misuse or accidental tagging noise.
Does Gmail group identifiers together?
No.
Each identifier is analyzed independently, even if they appear together in the same header.
How and when are FBL reports delivered?
Reports are sent once daily via email as a CSV attachment, containing the previous day’s data.
What sender requirements does Gmail enforce?
Senders must comply with Gmail Bulk Sender Guidelines, including:
Consistent sending IP
Valid RDNS
Same “From” address for bulk mail
SPF, DKIM, and DMARC usage (strongly recommended)
What are the DKIM requirements for the Feedback-ID header?
ESPs must:
Strip existing Feedback-ID headers
Insert a new one
DKIM sign it again (double-signing)
Use minimum 1024-bit DKIM keys
How does Momentum support Gmail’s FBL?
Momentum supports:
Multiple DKIM signatures via Lua policy
OpenDKIM for modern DKIM signing
Easy configuration of separate signing domains
Documentation provides sample Lua signing policies.
Which other ISPs offer feedback loops?
Several major ISPs offer FBLs, including:
AOL, Comcast, Cox, Fastmail, Hotmail, Mail.ru, OpenSRS, Rackspace, Yahoo!, Zoho, and others.
Most provide ARF-format reports, unlike Gmail.
Back in February, Gmail announced their Feedback Loop (FBL) pilot offering to ESPs to help them with identifying bad actors and spammers on their network.
Gmail introduces a pilot feedback loop offering
Gmail has been a major player in email history since 2004. For more fascinating insights about email's evolution, including Gmail's surprising origins, check out our 13 fun email facts. If you’d like to dive deeper, you can access the enrollment form.
For those of you who are unfamiliar with the process, here’s a brief recap. Feedback loops are essentially reports that ISPs provide to large volume senders about the number of recipients who mark their mails as spam. It’s a really important service that allows businesses to monitor their sender reputation with the ISPs and quickly take action for damage control if large numbers of recipients are marking their emails as spam. As you can already tell, this is pretty crucial for businesses that are dependent on email marketing as a main revenue stream.
Gmail’s feedback loop, however, differs from other ISPs
How does Gmail’s feedback loop work?
ESPs will first need to insert a feedback identifier header “Feedback-ID”. This header will identify the customer and or campaigns, mailings, and mail types. FBL reports will be generated based on these identifiers.
The “Feedback-ID” header will have a maximum of 4 fields, 3 are optional.
“Feedback-ID: a:b:c:ESPid”
“Feedback-ID” is the name of the header
“a:b:c” are the optional 3 fields which can be anything the ESP chooses (ie: campaign, mailing, traffic type)
“ESPid” is the only required field. This ID corresponds to an ESP customer and must be unique and persistent to that customer.
Gmail will aggregate data for the last 4 fields starting from the right side and ignore any extra fields. The data returned in the feedback report will be aggregated by the tag seen in the Feedback-ID header. Every tag will be included in the report and there are no limits on the number of total tags specified. However, Gmail will ignore tags with too few messages to prevent abuse.
FBL data will be aggregated by way of each identifier independently and not grouped across identifiers. Spam percentages will be reported across all the mails containing a given identifier, irrespective of the position in the identifier header. The FBL report will be sent in the form of a CSV attachment and contains data received by Gmail on the previous day by the ESP. This report is intended for gmail.com users and doesn’t support Google-Apps or Google hosted domains.
What are the DKIM requirements?
To prevent spoofing of the “Feedback-ID” header the ESP must strip any instances of this header first before inserting it and then DKIM sign it with the ESP’s domain key. This is in addition to any existing signature and is a practice commonly known as “double signing”.
There may only be up to 10 unique DKIM “d=” signing domains used to sign these headers but subdomains may be used as an alternative.
As far as DKIM key length is concerned, Gmail requires a minimum 1024-bit long key. According to the Gmail postmaster site, Gmail has been treating all emails signed with less than 1024-bit keys as unsigned since January 2013. They recommend affected senders with short keys to switch to RSA keys that are at least 1024-bits long.
How can we correctly implement Gmail’s FBL requirements in Momentum?
Multiple signatures are supported in the Momentum platform using Lua policy. OpenDKIM is now the preferred signing module in Momentum versions 3.6.0 and newer. More information about the Lua libraries for signing can be found in our documentation.
We’ve also created a simple OpenDKIM signing Lua policy that easily configures a second signing domain. You can find more info in our guide to the OpenDKIM signing Lua policy.
Which Other ISPs Provide Feedback Loops?
If you’re looking for more information on how feedback loops operate, do refer to the “Complaint Feedback Loop Operational Recommendations” RFC 6449 document. And while we’re talking feedback loops, it would make sense to share links to the other trusted FBL providers out there, in case you didn’t have them already.
Earthlink (email only): fblrequest@abuse.earthlink.net
Gmail (beta, for select ESPs only, sends aggregate reports for privacy reasons (not ARF)
IBM Smart Cloud (email only) postmaster@lotuslive.com
Rackspace (formerly Mailtrust)
Yahoo! (requires DomainKeys or DKIM and its is the only Domain-Based FBL provider)
Now, to sum up: it’s great news that Google now provides an FBL. It has some quirks and senders will need to do some configuration to get it to work for them. But for Momentum users, that will be a straightforward process. If any readers would like to share their experience with the new Google FBL, we’d love to hear your story. Feel free to leave feedback in the comments.
