These Are No Longer Recommendations. They’re Requirements.
In October 2023, Google and Yahoo announced new email authentication requirements for bulk senders — effective February 2024. At the time, many senders treated them as future guidance.
Two years later, the enforcement reality is clear:
- Non-compliant bulk email to Gmail is rejected at the SMTP level — not sent to spam, but blocked before it ever reaches a mailbox
- Microsoft followed with equivalent requirements starting May 5, 2025, extending coverage to Outlook.com and Hotmail
- Google reports 265 billion fewer unauthenticated messages reached Gmail users after enforcement began
- Only 49% of bulk senders made changes to comply, per a Mailgun survey — meaning roughly half of all bulk senders are operating at some level of non-compliance risk
If you send more than 5,000 emails per day to Gmail or Yahoo addresses, this checklist is for you.
⚡ Check your compliance right now: Run the free DNS Checker → — instant SPF/DKIM/DMARC grade, no signup.
Who These Requirements Apply To
Google and Yahoo define a “bulk sender” as any sender that transmits 5,000 or more messages per day to Gmail accounts (Google) or Yahoo accounts (Yahoo).
Some requirements apply to all senders, regardless of volume. The table below clarifies:
| Requirement | All senders | Bulk senders (>5K/day) |
|---|---|---|
| SPF or DKIM authentication | Recommended | Required |
| Both SPF and DKIM | — | Required (Google specific) |
| DMARC record published | — | Required |
| DMARC alignment (SPF or DKIM) | — | Required |
| One-click unsubscribe | — | Required (marketing/subscribed) |
| Honor unsubscribes within 2 days | — | Required |
| Spam rate below 0.10% | Best practice | Enforced threshold |
| Spam rate below 0.30% | — | Hard enforcement (temporary rejection/filtering) |
The Complete 2026 Compliance Checklist
Requirement 1: Publish a Valid SPF Record
What it means: Your sending domain must have a TXT record in DNS that lists all authorized mail servers.
How to verify:
nslookup -type=TXT yourdomain.com Look for a record beginning with v=spf1.
Or use: MXToolbox SPF Lookup
What a valid SPF record looks like:
v=spf1 include:_spf.google.com include:sendgrid.net -all Common failures:
- No SPF record exists at all
- More than 10 DNS lookups (causes PermError)
- SPF record lists
+all(authorizes any server — effectively no authentication) - Missing sending sources (if you send from an ESP that’s not in your SPF record, those sends fail SPF)
Fix if failing:
- Identify all services that send email on behalf of your domain (marketing ESP, CRM, helpdesk, transactional provider)
- Add
include:directives for each - End with
-all(hardFail) or~all(softFail) - Verify total DNS lookup count stays under 10
Requirement 2: Configure DKIM Signing With Your Own Domain
What it means: Every email you send must carry a valid DKIM signature. For DMARC alignment, the DKIM signing domain (d= tag) must match or be a parent domain of the From address.
How to verify: Send a test email to Gmail and check the email headers for:
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; ...
Authentication-Results: dkim=pass (yourdomain.com) Or forward a test email to check-auth@verifier.port25.com for a complete authentication report.
Common failures:
- DKIM is not configured at all
- DKIM is signing with the ESP’s domain (
sendgrid.net,mailchimp.com) instead of your domain — DKIM alignment fails for DMARC - DKIM key is less than 1024 bits (rejected by major providers)
- DKIM selector record is not published in DNS
Fix if failing:
- Log in to your ESP and find DKIM settings
- Generate a DKIM key pair (2048-bit recommended)
- Publish the public key as a DNS TXT record at
[selector]._domainkey.yourdomain.com - Enable DKIM signing in your ESP pointing to your domain, not the ESP’s generic domain
- Verify using the port25 check or MXToolbox DKIM Lookup
Requirement 3: Publish a DMARC Record at p=none or Higher
What it means: Your domain must have a DMARC TXT record published at _dmarc.yourdomain.com. The policy can be at p=none (monitoring only) — but the record must exist.
For full compliance and best protection: Move to p=quarantine or p=reject as quickly as possible.
How to verify:
nslookup -type=TXT _dmarc.yourdomain.com Look for a record beginning with v=DMARC1.
A minimum-compliant DMARC record:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com A fully enforced DMARC record:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; pct=100; adkim=r; aspf=r Common failures:
- No DMARC record at all
p=nonewith no plan to move toward enforcement (technically compliant but provides no protection)rua=address that is not being monitored (reports are being sent but nobody reads them)- DMARC policy doesn’t cover subdomains (add
sp=tag for subdomain policy)
Requirement 4: Ensure DMARC Alignment Passes
What it means: DMARC alignment requires that either:
- The SPF
Return-Pathdomain aligns with theFromdomain, OR - The DKIM
d=domain aligns with theFromdomain
Simply passing SPF and DKIM is not enough — the domains must align.
How to verify: Check your DMARC aggregate reports (RUA). Look for dkim_aligned and spf_aligned fields. Both should show passing counts for your legitimate email.
Alternatively, use a DMARC analyzer (Dmarcian, PowerDMARC, InboxStack) to visualize alignment reports.
Common failures:
- ESP uses its own
Return-Pathdomain — SPF misalignment - ESP signs DKIM with its own domain — DKIM misalignment
- Both SPF and DKIM misaligned — DMARC fails entirely
Fix if failing:
- Configure a custom bounce domain in your ESP (a subdomain of your sending domain, e.g.,
bounce.yourdomain.com) — fixes SPF alignment - Configure custom DKIM signing in your ESP using your own domain — fixes DKIM alignment
- Verify alignment in your next DMARC aggregate report
Requirement 5: Keep Spam Rate Below 0.10%
What it means: The percentage of your emails that Gmail recipients mark as spam must stay below 0.10%. Crossing 0.30% triggers temporary rate limiting and filtering. Sustained violations lead to permanent sending restrictions.
How to monitor: Google Postmaster Tools — Spam Rate dashboard. Available for senders authenticating with your domain.
How to stay compliant:
- Only send to subscribers who explicitly opted in
- Include a clear, easy-to-find unsubscribe link in every marketing email
- Suppress inactive subscribers from regular campaigns (90–180 day inactivity threshold)
- Remove subscribers who complain immediately
- Never purchase email lists or add contacts without explicit consent
If you’re above 0.10%:
- Immediately stop sending to your lowest-engagement segments
- Review recent campaigns for content or subject line triggers
- Check whether list hygiene reveals a significant stale or invalid segment
- Enroll in Yahoo’s Complaint Feedback Loop to receive complaint data directly
Requirement 6: Implement One-Click Unsubscribe
What it means: All marketing and subscribed commercial email must include:
- A
List-Unsubscribeheader with amailto:and/orhttps:option - A
List-Unsubscribe-Post: List-Unsubscribe=One-Clickheader for one-click functionality - Processing of unsubscribe requests within 2 business days
What it looks like in email headers:
List-Unsubscribe: <https://yourdomain.com/unsubscribe?token=abc123>, <mailto:unsubscribe@yourdomain.com?subject=unsubscribe>
List-Unsubscribe-Post: List-Unsubscribe=One-Click How to verify: Send a test email to Gmail. In Gmail, click the three-dot menu and select “Show original.” Check for List-Unsubscribe headers.
Common failures:
- No
List-Unsubscribeheader at all - Unsubscribe link requires login or additional confirmation steps (violates “one-click” requirement)
- Unsubscribes not processed within 2 days
- Unsubscribe link is buried in the email footer and not in headers
Fix if failing: Most modern ESPs (Mailchimp, SendGrid, Brevo, Amazon SES) include List-Unsubscribe headers automatically when configured correctly. Enable this feature in your ESP settings and verify headers are present in sent email.
Microsoft Outlook / Hotmail: What Changed in May 2025
Microsoft enforced equivalent requirements starting May 5, 2025, for Outlook.com and Hotmail.com recipients. The requirements mirror Google’s with some additional Microsoft-specific considerations:
- SPF, DKIM, and DMARC are now required for bulk senders
- Outlook uses ARC (Authenticated Received Chain) authentication for forwarded messages — configure ARC if your recipients forward a lot of email
- Microsoft SNDS (Smart Network Data Services) provides feedback loop data — enroll your sending IPs
- Microsoft’s AI-based filtering is more aggressive than Gmail’s for new domains and volume spikes; warmup and engagement quality are more critical
Quick Diagnostic: Are You Compliant Right Now?
Run these five checks in 10 minutes:
Check 1 — SPF: Go to MXToolbox.com/spf.aspx and enter your domain. Verify the record exists and all your sending sources are listed.
Check 2 — DKIM: Forward any recent email you sent to check-auth@verifier.port25.com. Check the response for dkim=pass (your domain).
Check 3 — DMARC: Go to MXToolbox.com/dmarc.aspx and enter _dmarc.yourdomain.com. Verify the record exists.
Check 4 — DMARC Alignment: Log in to Google Postmaster Tools. Check Authentication summary and verify DMARC passing percentage is high.
Check 5 — Spam Rate: In Google Postmaster Tools, navigate to Spam Rate and verify the line stays below the 0.10% threshold indicator.
If any check fails, follow the fixes in the relevant section above — or use InboxStack’s authentication monitor to get a consolidated view across all checks.
Compliance Status by Requirement
Use this table to track your setup:
| Requirement | Status | Priority | Notes |
|---|---|---|---|
| SPF record published | Complete / In progress / Not started | Critical | |
| DKIM with own domain | Complete / In progress / Not started | Critical | |
| DMARC record published | Complete / In progress / Not started | Critical | |
| DMARC alignment passing | Complete / In progress / Not started | Critical | |
| Spam rate below 0.10% | Complete / In progress / Not started | Critical | |
| One-click unsubscribe | Complete / In progress / Not started | Required for marketing | |
DMARC at enforcement (p=quarantine/p=reject) | Complete / In progress / Not started | Strong recommendation | |
| Microsoft SNDS enrollment | Complete / In progress / Not started | Recommended for B2B | |
| Yahoo CFL enrollment | Complete / In progress / Not started | Recommended |
Frequently Asked Questions
- What happens if I don’t comply with Google’s bulk sender requirements?
For bulk senders (>5,000 emails/day to Gmail), non-compliant email is rejected at the SMTP level — not delivered to spam, but blocked before reaching any inbox. Lower-volume non-compliant senders face increasingly aggressive spam classification.
- Does DMARC at
p=nonesatisfy Google’s requirement? Yes — Google requires a DMARC record to exist with at least
p=none. However,p=noneprovides no protection against spoofing and email forgery. Google recommends moving top=quarantineorp=reject, and enforcement of this stricter requirement may expand over time.- Do these requirements apply to transactional email?
Yes. The requirements are domain-based, not email-type based. If your transactional email sends from the same domain as your marketing email, it’s subject to the same rules. Transactional-only domains used in isolation may operate under different volume thresholds, but authentication compliance is still best practice.
- What does “one-click unsubscribe” mean exactly?
It means a recipient must be able to unsubscribe from marketing email in a single click — without being required to log in, fill out a form, or confirm the unsubscribe. The
List-Unsubscribe-Postheader enables Gmail to place an “Unsubscribe” button next to your sender name, directly in the Gmail interface.- My emails were passing before — why are they failing now?
Common causes: a new ESP was added to your sending stack and wasn’t added to your SPF record; DKIM keys were rotated without updating DNS; a configuration change broke DMARC alignment; or your sending volume crossed the 5,000/day threshold that triggers stricter enforcement. Run the diagnostic checks above to identify which requirement is now failing.
- Related reading:
The InboxStack Brief
Stay ahead of every inbox change
Weekly digest — authentication shifts, blacklist actions, provider policy updates. Free.
