Last updated: March 1, 2026
Google & Yahoo DMARC Requirements 2026
Since February 2024, Google and Yahoo require all bulk email senders (5,000+ messages per day) to authenticate with SPF, DKIM, and DMARC. Microsoft Outlook followed with similar requirements effective May 5, 2025. Non-compliant senders face email rejection, spam filtering, and rate limiting.
This guide covers everything you need to know about the requirements, the enforcement timeline, and exactly what you need to do to stay compliant. Whether you manage a single domain or hundreds, the fundamentals are the same: authenticate your email, publish a DMARC policy, and monitor your compliance continuously.
Timeline of Requirements
Email authentication requirements have been rolling out in stages since early 2024. Here is the complete timeline of enforcement milestones that every email sender should know:
- February 2024— Google and Yahoo bulk sender requirements go live. Both providers begin requiring SPF, DKIM, and DMARC for senders exceeding 5,000 messages per day to their respective platforms. One-click unsubscribe headers become mandatory for marketing and promotional emails.
- April 2024— Google starts rejecting non-compliant traffic. After a two-month grace period, Gmail begins bouncing messages from bulk senders that lack proper authentication. Temporary errors (4xx) are issued first, giving senders a final warning before permanent rejections (5xx).
- November 2024— Gmail enforcement tightens further. Google increases rejection rates for non-compliant senders and begins applying stricter filtering to domains with DMARC policies of p=none that show signs of abuse. Spam rate thresholds are enforced more aggressively.
- May 5, 2025— Microsoft Outlook enforcement begins. Microsoft joins Google and Yahoo in requiring SPF, DKIM, and DMARC (at minimum p=none) for bulk senders. Non-compliant messages are initially routed to junk folders, with full rejection planned for later in 2025.
- 2026— Requirements fully enforced across all major providers. Google, Yahoo, and Microsoft now actively reject or quarantine non-compliant email. Other mailbox providers including Apple Mail and regional providers are adopting similar policies. DMARC enforcement is now the industry standard, not the exception.
What Google Requires
Google differentiates between regular senders and bulk senders (those sending 5,000 or more messages per day to Gmail addresses). The requirements escalate based on your sending volume:
For All Senders
- SPF or DKIM authentication— At minimum, you must have either a valid SPF record that authorizes your sending IP addresses, or DKIM signatures on your outbound email. Google recommends having both, but requires at least one.
- Valid forward and reverse DNS— Your sending IP addresses must have valid PTR (reverse DNS) records that resolve back to your domain. This is a fundamental requirement that many senders overlook.
- RFC 5321 and RFC 5322 compliance— Your messages must conform to Internet Message Format standards. This includes proper headers, valid From addresses, and correctly formatted message IDs.
For Bulk Senders (5,000+ Messages/Day)
- SPF AND DKIM AND DMARC— All three protocols are required. Your DMARC policy must be at least p=none. You must have both SPF and DKIM passing, and at least one must be aligned with your From domain (meaning the domain in the SPF check or DKIM signature matches the From header domain).
- One-click unsubscribe header— Marketing and promotional emails must include a List-Unsubscribe header with a one-click unsubscribe option (RFC 8058). Recipients must be able to unsubscribe with a single action, and unsubscribes must be processed within two days.
- Spam complaint rate below 0.3%— Your domain's spam complaint rate as reported in Google Postmaster Tools must stay below 0.3%. Google recommends maintaining a rate below 0.1% for optimal deliverability. Exceeding this threshold triggers progressive enforcement actions.
What Yahoo Requires
Yahoo's requirements are nearly identical to Google's and were announced in coordination. Yahoo applies these standards across all Yahoo Mail, AOL Mail, and other Verizon Media-operated mailbox services:
- SPF or DKIM for all senders— Every sender must authenticate their email with at least SPF or DKIM. Messages without any authentication are increasingly likely to be rejected or filtered to spam.
- DMARC for bulk senders— Senders exceeding the bulk threshold must publish a DMARC record with at minimum p=none. Yahoo uses this to validate that SPF or DKIM alignment exists for your domain.
- One-click unsubscribe— Like Google, Yahoo requires the List-Unsubscribe header with one-click functionality for subscription-based and marketing messages. Unsubscribe requests must be honored promptly.
- Valid reverse DNS— Sending IP addresses must have proper PTR records. Yahoo has historically been strict about reverse DNS validation and will reject connections from IPs without valid PTR records.
While Yahoo has not published a specific spam complaint threshold like Google's 0.3%, they use similar signals to determine sender reputation. Yahoo provides a Complaint Feedback Loop (CFL) program that senders should enroll in to monitor complaint rates.
What Microsoft Outlook Requires
Microsoft announced its own bulk sender requirements in April 2025, with enforcement beginning on May 5, 2025. These apply to Outlook.com, Hotmail.com, and Live.com recipients:
- SPF, DKIM, and DMARC required— Like Google and Yahoo, Microsoft requires all three authentication protocols for bulk senders. Your DMARC policy must be at least p=none, and SPF and DKIM must pass and align with your From domain.
- Phased enforcement— Microsoft initially routes non-compliant messages to the junk folder rather than rejecting them outright. This gives senders time to fix their configuration. However, Microsoft has stated that full rejection will follow for senders that remain non-compliant.
- Functional unsubscribe mechanisms— Microsoft requires that marketing emails include a visible and functional unsubscribe link. While they have not mandated the specific RFC 8058 one-click mechanism yet, they strongly recommend it.
- Clean mailing practices— Microsoft emphasizes list hygiene, transparent sending practices, and honoring bounce-backs. Senders must use valid From and Reply-To addresses and avoid deceptive subject lines.
Microsoft's entry into DMARC enforcement is significant because Outlook.com and its associated services represent a substantial portion of consumer and business email recipients. Combined with Google and Yahoo, these three providers cover the vast majority of consumer inboxes worldwide.
How to Check If You're Compliant
Before implementing changes, you need to understand your current compliance status. Inbox Insignia provides free tools that scan your domain's DNS records and report exactly what's configured, what's missing, and what needs to change:
- Domain Scanner — Run a comprehensive scan of your domain's SPF, DKIM, and DMARC records. You will receive a 0-100 compliance score along with specific findings categorized as errors, warnings, or passes. A score of 80 or above generally indicates compliance with Google and Yahoo requirements.
- DMARC Checker — Analyze your DMARC record in detail. This tool validates the syntax of your DMARC policy, checks for common configuration errors, verifies your reporting addresses, and confirms that your policy level meets the minimum requirements.
- SPF Checker — Validate your SPF record, count DNS lookups (you are limited to 10), identify included senders, and detect common issues like exceeding the lookup limit or using overly permissive mechanisms like +all.
A passing compliance check means your domain has valid SPF records authorizing your sending infrastructure, DKIM keys published and signing outbound email, and a DMARC record with at least p=none that specifies a reporting address. If any of these are missing or misconfigured, the tools will tell you exactly what to fix.
Step-by-Step Compliance Checklist
Follow these eight steps to bring your domain into full compliance with Google, Yahoo, and Microsoft requirements. Each step builds on the previous one:
- Audit your current configuration. Use the Domain Scanner to get a baseline compliance score. Document which protocols are configured, which are missing, and what specific issues exist. This gives you a clear picture of the work ahead.
- Inventory all email senders. List every service, application, and third-party platform that sends email on behalf of your domain. This includes your email provider (Google Workspace, Microsoft 365), marketing platforms (Mailchimp, HubSpot, SendGrid), transactional email services, CRM systems, helpdesk tools, and any custom applications. Missing a sender is the most common cause of authentication failures.
- Configure SPF. Publish an SPF TXT record at your domain that includes all legitimate sending sources. Keep the total number of DNS lookups at or below 10. Use the ~all (softfail) or -all (hardfail) mechanism to indicate that unauthorized senders should not be trusted.
- Configure DKIM. Generate DKIM key pairs for each sending service and publish the public keys as DNS TXT records. Most email service providers supply the DKIM records you need to add. Verify that outbound emails are being signed by checking message headers.
- Publish a DMARC record. Start with a monitoring policy: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. This meets the minimum compliance requirement and begins sending you aggregate reports about authentication results. See our How to Set Up DMARC guide for detailed instructions.
- Verify alignment. DMARC requires that either SPF or DKIM is aligned with your From domain. This means the domain in the SPF check (envelope sender) or the DKIM signature (d= domain) must match the domain in your visible From header. Check your DMARC aggregate reports to confirm alignment rates are high.
- Implement one-click unsubscribe. For marketing and promotional emails, add the List-Unsubscribe and List-Unsubscribe-Post headers to support RFC 8058 one-click unsubscribe. Most email service providers handle this automatically, but verify that the headers are present in your outbound messages.
- Set up continuous monitoring. Compliance is not a one-time task. DNS records change, new sending services are added, and providers tighten enforcement. Monitor your domains continuously with automated scanning, drift detection, and instant alerts when something changes.
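The "Verify alignment" and "Implement one-click unsubscribe" steps can both be checked from the headers of a delivered test message. The following is an added example, not code from this guide or its tools; the sample message, the domain names and the two-label `org_domain` shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; all names are placeholders.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=mail.yourdomain.example;
 spf=pass smtp.mailfrom=bounces.esp.example
From: Shop <news@yourdomain.example>
List-Unsubscribe: <https://yourdomain.example/u/abc123>, <mailto:unsub@yourdomain.example>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Subject: March offers

Hello
"""

def org_domain(domain):
    # Simplification: last two labels. Receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_message(raw):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Only trust Authentication-Results added by your own receiving server.
    ar = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))
    dkim = re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", ar)
    spf = re.findall(r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", ar)
    same_org = lambda d: org_domain(d) == org_domain(from_dom)
    dkim_ok, spf_ok = any(map(same_org, dkim)), any(map(same_org, spf))
    # RFC 8058: an HTTPS URI in List-Unsubscribe plus the exact Post header value.
    has_https = re.search(r"<https://[^>\s]+>", msg.get("List-Unsubscribe", ""), re.I)
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    return {
        "from_domain": from_dom,
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "dmarc_aligned": dkim_ok or spf_ok,
        "one_click_unsubscribe": bool(has_https) and post == "list-unsubscribe=one-click",
    }
```

In the sample, SPF passes but for the email service's bounce domain, so only the DKIM signature provides alignment; this is the usual picture for a third-party sender that has been given a DKIM key but no custom return path.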
Common Compliance Issues
After auditing thousands of domains, these are the most common issues that prevent compliance with Google, Yahoo, and Microsoft requirements:
- Missing DMARC record. This is the single most common issue. Many domains have SPF and DKIM configured but have never published a DMARC record. Without DMARC, bulk senders cannot meet the requirements regardless of how well SPF and DKIM are set up. Adding a basic v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com record takes minutes and immediately brings you into minimum compliance.
- DMARC p=none with no monitoring. Publishing a DMARC record with p=none is only useful if you are actively reviewing the aggregate reports it generates. Many organizations publish the record and never look at the reports, missing critical information about unauthorized senders, authentication failures, and alignment issues. Use a monitoring tool to parse and analyze these reports automatically.
- SPF exceeding 10 DNS lookups. The SPF specification limits the total number of DNS lookups to 10. Each include:, a:, mx:, and redirect= mechanism counts as one lookup, and nested includes count toward the total. Exceeding 10 lookups causes SPF to return a permanent error (permerror), which is treated as a fail. Consolidate includes, remove unused senders, or use SPF flattening to stay within the limit.
- Third-party senders not authenticated. When you use services like Mailchimp, HubSpot, Zendesk, or Salesforce to send email from your domain, those services must be included in your SPF record and configured for DKIM signing with your domain. Simply having the service send email is not enough; you must explicitly authorize and authenticate each third-party sender in your DNS.
- Missing one-click unsubscribe. Many senders include a text-based unsubscribe link in the email body but do not include the required List-Unsubscribe and List-Unsubscribe-Post headers. Google specifically requires the RFC 8058 one-click mechanism in the email headers, not just a link in the message content. Check your email headers (not just the visible email body) to confirm the headers are present.
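The SPF lookup limit above is easy to exceed without noticing, because nested includes are counted too. The following added example (not code from this guide or its tools) walks a constructed set of TXT records and counts the lookups the way RFC 7208 does; the `.example` zone contents are assumptions, and the count also covers the `ptr` and `exists` mechanisms, which RFC 7208 includes in the same limit.

```python
import re

# Constructed zone data standing in for live DNS TXT answers (.example names are placeholders).
ZONE = {
    "example.com": "v=spf1 include:_spf.mailhost.example include:esp.example "
                   "include:crm.example a mx ~all",
    "_spf.mailhost.example": "v=spf1 include:_a.mailhost.example include:_b.mailhost.example ~all",
    "_a.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "esp.example": "v=spf1 include:_a.esp.example mx exists:%{i}.spf.esp.example ~all",
    "_a.esp.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "crm.example": "v=spf1 a:out.crm.example redirect=_r.crm.example",
    "_r.crm.example": "v=spf1 ip4:203.0.113.128/25 -all",
}
# Same domain after removing an unused sender and the bare "a" mechanism.
TRIMMED = dict(ZONE, **{"example.com":
                        "v=spf1 include:_spf.mailhost.example include:esp.example mx ~all"})

def count_lookups(domain, zone, path=()):
    """Count DNS-querying SPF terms for `domain`, following include and redirect."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()          # drop the qualifier
        name = re.split(r"[:=/]", term, maxsplit=1)[0]
        target = term[len(name) + 1:]
        if name in ("include", "redirect"):          # one lookup plus the nested record
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):   # one lookup each
            total += 1
    return total

def spf_lookup_status(domain, zone, limit=10):
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > limit else "ok")
```

The top-level record names only five lookup terms, yet the nested records bring the total to 12; the trimmed record evaluates in 8.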
Frequently Asked Questions
Do Google's requirements apply to me?
If you send more than 5,000 emails per day to Gmail recipients, you are classified as a bulk sender and must comply with all requirements including SPF, DKIM, DMARC, one-click unsubscribe, and maintaining a spam complaint rate below 0.3%. Even if you send fewer than 5,000 emails per day, you still need at least SPF or DKIM authentication. The threshold is measured across all messages sent from your domain, including transactional emails, marketing campaigns, and automated notifications combined.
What happens if I don't comply?
Non-compliant senders face escalating consequences. Initially, your emails may be rate-limited or routed to spam folders. Google began actively rejecting non-compliant bulk sender traffic in April 2024, and enforcement has tightened progressively since then. Microsoft Outlook started routing non-compliant messages to junk folders in May 2025 and plans to reject them outright. The impact is significant: your transactional emails (password resets, order confirmations, invoices) will also be affected, not just marketing messages.
Is p=none enough for compliance?
Yes, a DMARC policy of p=none meets the minimum compliance requirement for Google, Yahoo, and Microsoft. However, p=none only enables monitoring and does not instruct receivers to quarantine or reject spoofed emails. It is strongly recommended to progress to p=quarantine and eventually p=reject for full protection against domain spoofing. Think of p=none as the starting point, not the destination. Use the monitoring period to identify all legitimate senders and ensure they pass authentication before tightening your policy.
Do I need DMARC for transactional emails?
Yes. Google and Yahoo's requirements apply to all email sent from your domain, including transactional messages like password resets, order confirmations, shipping notifications, and account alerts. If your combined daily volume exceeds 5,000 messages to Gmail or Yahoo recipients, every message must comply. Even below that threshold, having DMARC configured improves deliverability for all email types and protects your domain from being spoofed in phishing attacks that target your customers.
How do I check my spam complaint rate?
Google provides spam complaint data through Google Postmaster Tools (postmaster.google.com). You need to verify domain ownership and then you can monitor your spam rate, IP reputation, domain reputation, and authentication success rates. Google requires bulk senders to maintain a spam complaint rate below 0.3%, though staying below 0.1% is strongly recommended. Yahoo provides similar data through their Complaint Feedback Loop (CFL) program. Monitoring these metrics regularly is essential for maintaining good deliverability.
Stay Compliant Automatically
Meeting Google, Yahoo, and Microsoft requirements is just the beginning. Inbox Insignia monitors your domains continuously so you never fall out of compliance. Automated scanning, drift detection, compliance scoring, and instant alerts — all in one platform.