These Are No Longer Recommendations. They’re Requirements.

In October 2023, Google and Yahoo announced new email authentication requirements for bulk senders — effective February 2024. At the time, many senders treated them as future guidance.

Two years later, the enforcement reality is clear:

  • Non-compliant bulk email to Gmail is rejected at the SMTP level — not sent to spam, but blocked before it ever reaches a mailbox
  • Microsoft followed with equivalent requirements starting May 5, 2025, extending coverage to Outlook.com and Hotmail
  • Google reports 265 billion fewer unauthenticated messages reached Gmail users after enforcement began
  • Only 49% of bulk senders made changes to comply, per a Mailgun survey — meaning roughly half of all bulk senders are operating at some level of non-compliance risk

If you send more than 5,000 emails per day to Gmail or Yahoo addresses, this checklist is for you.

⚡ Check your compliance right now: Run the free DNS Checker → — instant SPF/DKIM/DMARC grade, no signup.

Who These Requirements Apply To

Google and Yahoo define a “bulk sender” as any sender that transmits 5,000 or more messages per day to Gmail accounts (Google) or Yahoo accounts (Yahoo).

Some requirements apply to all senders, regardless of volume. The table below clarifies:

RequirementAll sendersBulk senders (>5K/day)
SPF or DKIM authenticationRecommendedRequired
Both SPF and DKIMRequired (Google specific)
DMARC record publishedRequired
DMARC alignment (SPF or DKIM)Required
One-click unsubscribeRequired (marketing/subscribed)
Honor unsubscribes within 2 daysRequired
Spam rate below 0.10%Best practiceEnforced threshold
Spam rate below 0.30%Hard enforcement (temporary rejection/filtering)

The Complete 2026 Compliance Checklist

Requirement 1: Publish a Valid SPF Record

What it means: Your sending domain must have a TXT record in DNS that lists all authorized mail servers.

How to verify:

nslookup -type=TXT yourdomain.com

Look for a record beginning with v=spf1.

Or use: MXToolbox SPF Lookup

What a valid SPF record looks like:

v=spf1 include:_spf.google.com include:sendgrid.net -all

Common failures:

  • No SPF record exists at all
  • More than 10 DNS lookups (causes PermError)
  • SPF record lists +all (authorizes any server — effectively no authentication)
  • Missing sending sources (if you send from an ESP that’s not in your SPF record, those sends fail SPF)

Fix if failing:

  1. Identify all services that send email on behalf of your domain (marketing ESP, CRM, helpdesk, transactional provider)
  2. Add include: directives for each
  3. End with -all (hardFail) or ~all (softFail)
  4. Verify total DNS lookup count stays under 10

Requirement 2: Configure DKIM Signing With Your Own Domain

What it means: Every email you send must carry a valid DKIM signature. For DMARC alignment, the DKIM signing domain (d= tag) must match or be a parent domain of the From address.

How to verify: Send a test email to Gmail and check the email headers for:

DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; ...
Authentication-Results: dkim=pass (yourdomain.com)

Or forward a test email to check-auth@verifier.port25.com for a complete authentication report.

Common failures:

  • DKIM is not configured at all
  • DKIM is signing with the ESP’s domain (sendgrid.net, mailchimp.com) instead of your domain — DKIM alignment fails for DMARC
  • DKIM key is less than 1024 bits (rejected by major providers)
  • DKIM selector record is not published in DNS

Fix if failing:

  1. Log in to your ESP and find DKIM settings
  2. Generate a DKIM key pair (2048-bit recommended)
  3. Publish the public key as a DNS TXT record at [selector]._domainkey.yourdomain.com
  4. Enable DKIM signing in your ESP pointing to your domain, not the ESP’s generic domain
  5. Verify using the port25 check or MXToolbox DKIM Lookup

Requirement 3: Publish a DMARC Record at p=none or Higher

What it means: Your domain must have a DMARC TXT record published at _dmarc.yourdomain.com. The policy can be at p=none (monitoring only) — but the record must exist.

For full compliance and best protection: Move to p=quarantine or p=reject as quickly as possible.

How to verify:

nslookup -type=TXT _dmarc.yourdomain.com

Look for a record beginning with v=DMARC1.

A minimum-compliant DMARC record:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

A fully enforced DMARC record:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; pct=100; adkim=r; aspf=r

Common failures:

  • No DMARC record at all
  • p=none with no plan to move toward enforcement (technically compliant but provides no protection)
  • rua= address that is not being monitored (reports are being sent but nobody reads them)
  • DMARC policy doesn’t cover subdomains (add sp= tag for subdomain policy)

Requirement 4: Ensure DMARC Alignment Passes

What it means: DMARC alignment requires that either:

  • The SPF Return-Path domain aligns with the From domain, OR
  • The DKIM d= domain aligns with the From domain

Simply passing SPF and DKIM is not enough — the domains must align.

How to verify: Check your DMARC aggregate reports (RUA). Look for dkim_aligned and spf_aligned fields. Both should show passing counts for your legitimate email.

Alternatively, use a DMARC analyzer (Dmarcian, PowerDMARC, InboxStack) to visualize alignment reports.

Common failures:

  • ESP uses its own Return-Path domain — SPF misalignment
  • ESP signs DKIM with its own domain — DKIM misalignment
  • Both SPF and DKIM misaligned — DMARC fails entirely

Fix if failing:

  1. Configure a custom bounce domain in your ESP (a subdomain of your sending domain, e.g., bounce.yourdomain.com) — fixes SPF alignment
  2. Configure custom DKIM signing in your ESP using your own domain — fixes DKIM alignment
  3. Verify alignment in your next DMARC aggregate report

Requirement 5: Keep Spam Rate Below 0.10%

What it means: The percentage of your emails that Gmail recipients mark as spam must stay below 0.10%. Crossing 0.30% triggers temporary rate limiting and filtering. Sustained violations lead to permanent sending restrictions.

How to monitor: Google Postmaster Tools — Spam Rate dashboard. Available for senders authenticating with your domain.

How to stay compliant:

  • Only send to subscribers who explicitly opted in
  • Include a clear, easy-to-find unsubscribe link in every marketing email
  • Suppress inactive subscribers from regular campaigns (90–180 day inactivity threshold)
  • Remove subscribers who complain immediately
  • Never purchase email lists or add contacts without explicit consent

If you’re above 0.10%:

  • Immediately stop sending to your lowest-engagement segments
  • Review recent campaigns for content or subject line triggers
  • Check whether list hygiene reveals a significant stale or invalid segment
  • Enroll in Yahoo’s Complaint Feedback Loop to receive complaint data directly

Requirement 6: Implement One-Click Unsubscribe

What it means: All marketing and subscribed commercial email must include:

  • A List-Unsubscribe header with a mailto: and/or https: option
  • A List-Unsubscribe-Post: List-Unsubscribe=One-Click header for one-click functionality
  • Processing of unsubscribe requests within 2 business days

What it looks like in email headers:

List-Unsubscribe: <https://yourdomain.com/unsubscribe?token=abc123>, <mailto:unsubscribe@yourdomain.com?subject=unsubscribe>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

How to verify: Send a test email to Gmail. In Gmail, click the three-dot menu and select “Show original.” Check for List-Unsubscribe headers.

Common failures:

  • No List-Unsubscribe header at all
  • Unsubscribe link requires login or additional confirmation steps (violates “one-click” requirement)
  • Unsubscribes not processed within 2 days
  • Unsubscribe link is buried in the email footer and not in headers

Fix if failing: Most modern ESPs (Mailchimp, SendGrid, Brevo, Amazon SES) include List-Unsubscribe headers automatically when configured correctly. Enable this feature in your ESP settings and verify headers are present in sent email.

Microsoft Outlook / Hotmail: What Changed in May 2025

Microsoft enforced equivalent requirements starting May 5, 2025, for Outlook.com and Hotmail.com recipients. The requirements mirror Google’s with some additional Microsoft-specific considerations:

  • SPF, DKIM, and DMARC are now required for bulk senders
  • Outlook uses ARC (Authenticated Received Chain) authentication for forwarded messages — configure ARC if your recipients forward a lot of email
  • Microsoft SNDS (Smart Network Data Services) provides feedback loop data — enroll your sending IPs
  • Microsoft’s AI-based filtering is more aggressive than Gmail’s for new domains and volume spikes; warmup and engagement quality are more critical

Quick Diagnostic: Are You Compliant Right Now?

Run these five checks in 10 minutes:

Check 1 — SPF: Go to MXToolbox.com/spf.aspx and enter your domain. Verify the record exists and all your sending sources are listed.

Check 2 — DKIM: Forward any recent email you sent to check-auth@verifier.port25.com. Check the response for dkim=pass (your domain).

Check 3 — DMARC: Go to MXToolbox.com/dmarc.aspx and enter _dmarc.yourdomain.com. Verify the record exists.

Check 4 — DMARC Alignment: Log in to Google Postmaster Tools. Check Authentication summary and verify DMARC passing percentage is high.

Check 5 — Spam Rate: In Google Postmaster Tools, navigate to Spam Rate and verify the line stays below the 0.10% threshold indicator.

If any check fails, follow the fixes in the relevant section above — or use InboxStack’s authentication monitor to get a consolidated view across all checks.

Compliance Status by Requirement

Use this table to track your setup:

RequirementStatusPriorityNotes
SPF record publishedComplete / In progress / Not startedCritical
DKIM with own domainComplete / In progress / Not startedCritical
DMARC record publishedComplete / In progress / Not startedCritical
DMARC alignment passingComplete / In progress / Not startedCritical
Spam rate below 0.10%Complete / In progress / Not startedCritical
One-click unsubscribeComplete / In progress / Not startedRequired for marketing
DMARC at enforcement (p=quarantine/p=reject)Complete / In progress / Not startedStrong recommendation
Microsoft SNDS enrollmentComplete / In progress / Not startedRecommended for B2B
Yahoo CFL enrollmentComplete / In progress / Not startedRecommended

Frequently Asked Questions

What happens if I don’t comply with Google’s bulk sender requirements?

For bulk senders (>5,000 emails/day to Gmail), non-compliant email is rejected at the SMTP level — not delivered to spam, but blocked before reaching any inbox. Lower-volume non-compliant senders face increasingly aggressive spam classification.

Does DMARC at p=none satisfy Google’s requirement?

Yes — Google requires a DMARC record to exist with at least p=none. However, p=none provides no protection against spoofing and email forgery. Google recommends moving to p=quarantine or p=reject, and enforcement of this stricter requirement may expand over time.

Do these requirements apply to transactional email?

Yes. The requirements are domain-based, not email-type based. If your transactional email sends from the same domain as your marketing email, it’s subject to the same rules. Transactional-only domains used in isolation may operate under different volume thresholds, but authentication compliance is still best practice.

What does “one-click unsubscribe” mean exactly?

It means a recipient must be able to unsubscribe from marketing email in a single click — without being required to log in, fill out a form, or confirm the unsubscribe. The List-Unsubscribe-Post header enables Gmail to place an “Unsubscribe” button next to your sender name, directly in the Gmail interface.

My emails were passing before — why are they failing now?

Common causes: a new ESP was added to your sending stack and wasn’t added to your SPF record; DKIM keys were rotated without updating DNS; a configuration change broke DMARC alignment; or your sending volume crossed the 5,000/day threshold that triggers stricter enforcement. Run the diagnostic checks above to identify which requirement is now failing.

Related reading:

The InboxStack Brief

Stay ahead of every inbox change

Weekly digest — authentication shifts, blacklist actions, provider policy updates. Free.