Google and Yahoo Bulk Sender Rules: What SMBs Must Do in 2026

MailScore Team · April 5, 2026 · 9 min read

The Short Version: Email Authentication Is Now Mandatory

If you send email from a business domain, Google, Yahoo, and Microsoft now require you to prove that your emails are legitimate. Emails that fail authentication checks get sent to spam or rejected outright.

This is not a future plan. Google started enforcing these rules in February 2024 and escalated to permanent rejections in November 2025. Yahoo followed a similar timeline. Microsoft joined in May 2025. Together, these three providers handle the vast majority of consumer and business email worldwide.

For small and mid-size businesses, the message is simple: if you have not set up SPF, DKIM, and DMARC on your domain, some of your emails are already bouncing or landing in spam. You may not even realize it.

Run a free deliverability check on your domain to see exactly where you stand. It takes about 10 seconds.

What Google Requires (and Why It Matters for Everyone)

Google divides senders into two categories: regular senders and bulk senders (those who send roughly 5,000 or more messages per day to personal Gmail accounts).

Requirements for All Senders

  • SPF or DKIM authentication (at least one is required on every email you send)
  • Valid forward and reverse DNS records (PTR records) for your sending IP
  • TLS encryption when transmitting email
  • Messages must conform to the Internet Message Format standard (RFC 5322)

Additional Requirements for Bulk Senders (5,000+/day)

  • Both SPF and DKIM (not just one)
  • A DMARC record with at least p=none (a monitoring-only policy counts)
  • DMARC alignment: your From: domain must match either the SPF or DKIM domain
  • One-click unsubscribe on marketing and promotional emails (via RFC 8058 headers), honored within 2 days
  • Spam rate below 0.3% as reported in Google Postmaster Tools (Google recommends staying below 0.1%)

Important detail: once Google classifies your domain as a bulk sender, that status is permanent. It does not reset if you reduce your sending volume.

Even if you send far fewer than 5,000 emails per day, the "all senders" requirements still apply. And practically speaking, setting up all three protocols (SPF, DKIM, DMARC) protects you regardless of volume. Our SPF Checker and DMARC Checker can verify individual records if you want to check them one at a time.
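The alignment and one-click unsubscribe requirements can be checked on a message's own headers. The following is an added example, not MailScore's code; the message and all domains are constructed, and `org_domain` is a simplification (real DMARC code uses the Public Suffix List). It checks identifiers and header presence only, not whether SPF or the DKIM signature actually verifies.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed marketing message; every domain is hypothetical and bh=/b= are dummies.
RAW = """\
Return-Path: <bounce-123@bounces.esp.example>
DKIM-Signature: v=1; a=rsa-sha256; d=news.shop.example; s=sel1;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post; bh=AAAA; b=BBBB
From: Shop <deals@shop.example>
To: customer@mail.example
Subject: Spring sale
List-Unsubscribe: <mailto:unsub@shop.example>, <https://shop.example/u/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello
"""


def org_domain(domain):
    # Simplification: last two labels. Production code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dkim_tags(value):
    """Split a DKIM-Signature value into {tag: value}, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): re.sub(r"\s+", "", v) for k, v in pairs}


def check_message(raw):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    spf_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]

    def aligned(dom):  # relaxed alignment: same organizational domain as From:
        return bool(dom and from_dom) and org_domain(dom) == org_domain(from_dom)

    # Only signatures whose d= aligns with From: count toward DMARC.
    sigs = [s for s in map(dkim_tags, msg.get_all("DKIM-Signature", []))
            if aligned(s.get("d", ""))]
    signed = {h.lower() for s in sigs for h in s.get("h", "").split(":")}
    unsub = msg.get("List-Unsubscribe", "")
    return {
        "spf_aligned": aligned(spf_dom),
        "dkim_aligned": bool(sigs),
        "https_unsubscribe": bool(re.search(r"<https://[^>]+>", unsub, re.I)),
        "one_click_post": msg.get("List-Unsubscribe-Post", "").strip().lower()
                          == "list-unsubscribe=one-click",
        "unsub_headers_signed": {"list-unsubscribe", "list-unsubscribe-post"} <= signed,
    }
```

In the sample, the bounce address belongs to the sending service, so SPF is not aligned with the From: domain; the aligned DKIM signature is what would let the message satisfy DMARC.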

What Yahoo Requires

Yahoo's requirements are similar to Google's but with some notable differences:

  • SPF required with valid records specifying allowed sending IPs
  • DKIM required with a minimum 1024-bit key length
  • DMARC strongly urged and required for alignment verification
  • One-click unsubscribe required, honored within 2 days
  • Spam rate threshold enforced (Yahoo does not publicly disclose the exact number)

The biggest difference: Yahoo does not publish a specific volume threshold for "bulk sender" classification. They intentionally keep their definition broad, which means even moderate-volume senders should assume these rules apply to them.

What Microsoft Now Requires (New as of May 2025)

In April 2025, Microsoft announced that Outlook.com, Hotmail, and Live.com would enforce the same style of requirements. Enforcement began on May 5, 2025. For businesses that send email to any Microsoft-hosted addresses, this closed the last major gap.

  • SPF, DKIM, and DMARC all required for high-volume senders (5,000+ messages/day)
  • DMARC must have at least p=none and align with either SPF or DKIM
  • Non-compliant messages are routed to Junk, with permanent rejections for domains that persistently fail
  • A functional unsubscribe link is required in marketing messages

With Google, Yahoo, and Microsoft all enforcing authentication requirements, there is no longer a major email provider where unauthenticated email will reliably reach inboxes.

The Enforcement Timeline: From Warnings to Rejections

Understanding where we are in the enforcement timeline helps explain why some businesses are just now feeling the impact:

| Date | What Happened |
|---|---|
| October 2023 | Google announces new sender requirements |
| December 2023 | Yahoo announces matching requirements |
| February 2024 | Google and Yahoo begin enforcement (soft: temporary errors, spam filtering) |
| April 2025 | Microsoft announces similar requirements for Outlook |
| May 2025 | Microsoft begins enforcement (junk routing, then rejections) |
| November 2025 | Google escalates to permanent rejections (550 errors). The grace period is over. |

During the soft enforcement period (Feb 2024 to Oct 2025), Google sent temporary error codes (421) as warnings. Many non-compliant emails were still delivered, just routed to spam. This gave senders time to fix their setup.

Since November 2025, Google responds with permanent 550 rejection codes. The email is not delivered at all. It bounces. Your email service provider may notify you, or it may fail silently depending on your setup.

What This Means for SMBs Sending Under 5,000 Emails/Day

Most small and mid-size businesses send far fewer than 5,000 emails per day. You might think these rules do not apply to you. That is a risky assumption for several reasons:

  • The "all senders" baseline still requires SPF or DKIM. Without at least one of these, even a single email to a Gmail user can end up in spam.
  • Yahoo does not publish a volume threshold. Your 200 emails per day might qualify as "bulk" in Yahoo's system.
  • Microsoft's requirements apply at 5,000/day, but their spam filtering algorithms give preference to authenticated email at all volumes.
  • Third-party senders inflate your volume. If you use Mailchimp, HubSpot, Salesforce, or any tool that sends email on your behalf, those messages count toward your daily total from the domain.
  • DMARC protects your brand. Without DMARC, anyone can send emails pretending to be from your domain. This is not just a deliverability issue; it is a security issue.

The practical advice: set up all three protocols regardless of your sending volume. The effort is minimal (about 10 minutes of DNS configuration), and the protection is significant.

How to Check If You Are Compliant

The fastest way to check is to run a MailScore scan on your domain. In about 10 seconds, you will see:

  • Whether your SPF record exists, is valid, and does not exceed the 10-lookup limit
  • Whether DKIM is configured for your sending services
  • Whether your DMARC record exists and what policy it enforces
  • Whether your MX records are properly configured
  • Whether your sending IP is listed on any email blacklists

You can also check individual records with our free tools: SPF Record Checker, DMARC Record Checker, or the full email deliverability checker.

If you need step-by-step instructions for setting up the DNS records, our guide to setting up SPF, DKIM, and DMARC covers Google Workspace, Microsoft 365, and generic providers with exact records to copy.

Common Compliance Mistakes

Based on scans across domains of all sizes, these are the most common issues we see:

  • No DMARC record at all. Many businesses have SPF and DKIM but never added DMARC. All three providers now expect it.
  • SPF record with too many DNS lookups. SPF has a 10-lookup limit. Exceeding it causes the entire record to fail, which means SPF authentication fails for every email you send.
  • Forgotten sending services. You added Mailchimp to your SPF record two years ago, then started using HubSpot. HubSpot is not in your SPF, so its emails fail authentication.
  • DKIM not enabled in the email provider. Some providers (like Google Workspace) have DKIM available but not turned on by default. You need to generate the key in the admin console and add the DNS record.
  • DMARC stuck at p=none forever. A monitoring-only policy satisfies the minimum requirement, but it provides no protection against spoofing. Plan to move to p=quarantine and eventually p=reject as you gain confidence in your setup.
  • No List-Unsubscribe header. The one-click unsubscribe requirement applies to marketing messages. If your email tool does not add the proper headers automatically, you need to configure it or switch to one that does.
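The 10-lookup limit is easy to exceed because lookups inside every nested `include:` count toward the same total. The following is an added example, not MailScore's code, that counts them over constructed TXT records; the `ZONE` dictionary stands in for live DNS and all domain names are hypothetical.

```python
import re

# RFC 7208 section 4.6.4: each of these terms costs one DNS lookup; ip4, ip6 and all cost none.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10

# Constructed TXT records standing in for live DNS (all names are hypothetical).
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:_spf.marketing.example "
                   "include:_spf.crm.example mx ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example "
                         "include:_c.mail.example ~all",
    "_spf.marketing.example": "v=spf1 include:_x.marketing.example ip4:198.51.100.0/24 ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example mx include:_y.crm.example -all",
}
for leaf in ("_a.mail.example", "_b.mail.example", "_c.mail.example",
             "_x.marketing.example", "_y.crm.example"):
    ZONE[leaf] = "v=spf1 ip4:192.0.2.0/28 -all"


def count_spf_lookups(domain, zone, path=()):
    """Count lookup-costing terms in a domain's SPF record, following include/redirect."""
    if domain in path:
        raise ValueError("SPF include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record found for {domain}")
    total = 0
    for term in record.lower().split()[1:]:
        # Drop the qualifier (+ - ~ ?), then split the term name from its argument.
        name, *arg = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)
        if name not in LOOKUP_TERMS:
            continue
        total += 1  # the term itself is one lookup
        if name in ("include", "redirect"):
            total += count_spf_lookups(arg[0], zone, path + (domain,))
    return total


def spf_report(domain, zone):
    """Return (lookup_count, within_limit) for a domain."""
    count = count_spf_lookups(domain, zone)
    return count, count <= SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    print(spf_report("example.com", ZONE))
```

The top-level record lists only three includes and one `mx`, yet the nested records push the total past the limit.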

What Happens If You Do Nothing

The consequences are concrete and measurable:

  • Bounced emails: Since November 2025, Google permanently rejects non-compliant bulk sender messages. They are not delivered. Period.
  • Spam folder: Non-compliant emails from lower-volume senders often land in spam across all three providers.
  • Damaged sender reputation: Once your domain reputation drops, even compliant emails may face additional scrutiny. Reputation is easier to maintain than to rebuild.
  • Lost revenue: Invoices, order confirmations, appointment reminders, and marketing emails that do not reach inboxes directly impact your bottom line.
  • Spoofing vulnerability: Without DMARC, phishers can send emails that appear to come from your domain. If a customer gets scammed by a fake email from "your" domain, the trust damage is real.

A Compliance Checklist for 2026

Here is what every business should have in place today:

  1. SPF record that includes all services authorized to send email on your behalf, with fewer than 10 DNS lookups
  2. DKIM signing enabled for every sending service (email provider, marketing tool, CRM, transactional email service)
  3. DMARC record with at least p=none (start here, then tighten to p=quarantine after monitoring reports for 2-4 weeks)
  4. One-click unsubscribe via List-Unsubscribe and List-Unsubscribe-Post headers on all marketing emails
  5. Spam rate monitoring via Google Postmaster Tools (free, setup takes 5 minutes)
  6. Regular checks on your authentication setup (records break when providers change configurations or when you add new sending services)

For step 6, MailScore's monitoring plans ($9/month) scan your domain on a schedule and alert you the moment something breaks. See pricing for details.
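For checklist item 3, a DMARC record can be reviewed for where it sits in the p=none to p=reject rollout and whether reports are being collected at all. This is an added example, not MailScore's code; the sample records and the finding texts are constructed for illustration.

```python
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    if not txt.strip().startswith("v=DMARC1"):
        return None
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def review_dmarc(txt):
    """Return (policy, findings) for the TXT record published at _dmarc.<domain>."""
    tags = parse_dmarc(txt or "")
    if tags is None:
        return None, ["no DMARC record: bulk-sender requirement not met"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return None, ["p= tag missing or invalid"]
    findings = []
    if "rua" not in tags:
        # Without rua= the domain owner receives no aggregate reports.
        findings.append("no rua= address: no aggregate reports to monitor")
    if policy == "none":
        findings.append("monitoring only: receivers are not asked to block spoofed mail")
    elif tags.get("pct", "100") != "100":
        findings.append(f"policy applies to only {tags['pct']}% of failing mail")
    # sp= overrides p= for subdomains; it defaults to the value of p=.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return policy, findings


# Constructed records (hypothetical domain) at three stages of a rollout.
SAMPLES = {
    "stuck": "v=DMARC1; p=none",
    "staged": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, review_dmarc(record))
```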

The Bottom Line

Email authentication is no longer optional. Google, Yahoo, and Microsoft have made that clear through 18 months of gradual enforcement that culminated in permanent rejections. The good news: the fix is straightforward. Set up SPF, DKIM, and DMARC, keep your spam rate low, and monitor your setup regularly.

Check your domain now to see if you are compliant. It is free, takes 10 seconds, and shows you exactly what to fix.
