Email Sender Requirements for Google, Yahoo and Microsoft

MailGraf
Apr 13, 2026

In February 2024, Google and Yahoo made email authentication mandatory for anyone sending more than 5,000 messages a day to their users. In May 2025, Microsoft applied the same logic to Outlook, Hotmail and Live. By November 2025, Google had moved from soft warnings to hard rejection: emails that fail the requirements are no longer filtered to spam but blocked at the SMTP (Simple Mail Transfer Protocol) level before they ever reach a mailbox.

These are not recommendations. They are enforced rules, and non-compliance means your messages disappear. Gmail alone blocks around 15 billion unwanted emails every day, yet only about 16% of domains worldwide have implemented DMARC (Domain-based Message Authentication, Reporting and Conformance), leaving the vast majority exposed to spoofing and deliverability failures (Red Sift, 2025 DMARC Adoption Report).

This guide covers what changed, the enforcement timeline from 2024 through 2026, what each provider requires, who is affected, the five core technical requirements, what happens when you do not comply (with actual SMTP error codes), the PCI DSS (Payment Card Industry Data Security Standard) v4.0 DMARC mandate that adds a second compliance layer for e-commerce, and a two-tier checklist you can run against your own setup today.

Enforcement timeline: from warnings to permanent rejection

The rollout was deliberate. Providers gave senders a window to adapt, then progressively tightened enforcement. Understanding the timeline matters because it explains why some senders saw no impact in early 2024 but started losing email in late 2025.

| Date | Event | Impact |
|---|---|---|
| October 2023 | Google, Yahoo and Apple announced new sender rules | Preparation period began |
| February 2024 | Google and Yahoo enforcement started | Non-compliant emails received temporary errors (421 codes) |
| April 2024 | Google began gradual rejection | Some non-compliant bulk sends were rejected |
| June 2024 | Google full enforcement | All non-compliant bulk sends affected |
| May 2025 | Microsoft (Outlook/Hotmail/Live) joined | Third major provider now enforcing the same rules |
| November 2025 | Google moved to hard enforcement | Temporary errors (421) replaced by permanent rejection (550) |
| 2026 | All four providers in full rejection mode | Non-compliant emails blocked at SMTP level |

In early 2024, many businesses treated this as a low-priority issue because the initial consequence was a temporary 421 error that resolved on retry. The sending platform retried automatically, the email eventually delivered, and the dashboard showed no problem. That grace period is over. Since November 2025, non-compliant emails receive a 550 permanent rejection. The message is not delivered, not filtered to spam, not delayed. It is gone.

What each provider requires

The four major mailbox providers now share a common baseline, but the details and enforcement approach differ. The industry has started calling them MAGY (Microsoft, Apple, Google, Yahoo) to reflect the coordinated front.

| Requirement | Gmail | Yahoo | Microsoft | Apple iCloud |
|---|---|---|---|---|
| Bulk sender threshold | 5,000+/day | 5,000+/day | 5,000+/day | Not specified |
| SPF (Sender Policy Framework) | Required | Required | Required | Required |
| DKIM (DomainKeys Identified Mail) | Required | Required | Required | Required |
| DMARC policy | Minimum p=none | Minimum p=none | Minimum p=none | Required |
| DMARC alignment | Required | Required | SPF or DKIM | Required |
| One-click unsubscribe | Required (RFC 8058) | Required | Strongly recommended | Required |
| Spam complaint ceiling | 0.1% target, 0.3% max | 0.3% max | 0.3% max | Not specified |
| Enforcement start | February 2024 | February 2024 | May 2025 | Not specified |
| Non-compliance response | 550 permanent rejection (Nov 2025+) | Aggressive filtering | Junk first, then rejection | Filtering |

The most critical row is the last one. Google no longer routes non-compliant emails to spam. It rejects them outright at the SMTP level. Microsoft takes a two-step approach: first Junk folder, then permanent rejection on repeated violations. Yahoo applies the most aggressive filtering among shared-infrastructure senders. Apple iCloud's rules are less publicly documented but require SPF, DKIM, DMARC and ARC (Authenticated Received Chain, a protocol that preserves authentication results when emails are forwarded).

Who is affected

Short answer: every organisation that sends email. The severity depends on volume.

Bulk senders (5,000+ emails per day)

This group faces the strictest requirements. SPF and DKIM (both, not either), a published DMARC record, one-click unsubscribe, spam complaint rate below 0.3%, valid PTR (Pointer Record, the reverse DNS entry that links an IP address to a domain) records and RFC (Request for Comments) 5321/5322 compliance. The 5,000 threshold is calculated per sending domain, not per email address. If you send marketing campaigns, order confirmations and transactional emails from the same domain, all of them count towards the total.

Low-volume senders (under 5,000 per day)

Not exempt. SPF or DKIM (at least one), valid PTR records and a low spam rate are expected. DMARC is not yet mandatory for this group but is strongly recommended. Google's documentation explicitly states that smaller senders will face stricter rules over time. Setting up authentication now avoids a rushed fix later.

Sectors that need to pay closest attention

  • E-commerce. Order confirmations, shipping notifications and promotional campaigns generate high volume. A single Black Friday campaign can push a company past the 5,000 threshold for the first time.
  • SaaS platforms. Onboarding sequences, product notifications and feature announcements create steady daily volume.
  • Agencies and marketing consultancies. Anyone sending on behalf of clients is affected, and authentication failures on a client's domain reflect on the sending infrastructure.
  • UK (United Kingdom) businesses with EU (European Union) and EEA (European Economic Area) customers. PECR (Privacy and Electronic Communications Regulations) in the UK and GDPR (General Data Protection Regulation) in the EU add a consent layer on top of the technical requirements. Non-compliance with sender rules does not excuse a parallel failure to obtain proper marketing consent under UK data protection law.

The five core requirements explained

The four providers converge on five expectations. Here is what each one means in practice. The SPF, DKIM and DMARC guide covers the full technical setup; this section gives the operational summary.

1. Email authentication: SPF, DKIM and DMARC

SPF declares which servers are authorised to send email on behalf of your domain. DKIM attaches a cryptographic signature to each message proving it was not altered in transit. DMARC ties the two together and tells receiving servers what to do with messages that fail both checks.

For bulk senders, all three are mandatory. The minimum DMARC policy is p=none (monitor only), but Google and Yahoo have both indicated that p=quarantine or p=reject will become mandatory in a future phase. Starting at p=none, reading DMARC aggregate reports for a few weeks, and then moving to p=reject is the recommended path.

DMARC alignment is the detail that trips up the most senders. The domain in the From header must match the domain that passes SPF or DKIM. If your Return-Path uses your ESP's domain instead of your own, SPF passes against the wrong domain and DMARC alignment fails. A custom Return-Path CNAME (Canonical Name) record fixes this.
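The alignment rule above is easiest to see by evaluating it the way a receiving server does. The following is an added example written for this page, not MailGraf's code: it checks relaxed and strict alignment of the From domain against the SPF-authenticated Return-Path domain and any verified DKIM d= domain, and runs three constructed scenarios (default ESP Return-Path, custom Return-Path CNAME, and ESP Return-Path with your own DKIM key). The organisational-domain helper is an assumption for the example (last two labels); a real implementation consults the Public Suffix List, and `espmail.example` is a made-up stand-in for an ESP's domain.

```python
# Added example (not MailGraf's code): DMARC identifier alignment as a
# receiving server evaluates it. organizational_domain() is a deliberate
# simplification (last two labels); real implementations use the Public
# Suffix List.

def organizational_domain(domain: str) -> str:
    # Assumption for this example: organisational domain = last two labels.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment: organisational domains match.
    Strict ('s') alignment: the two domains must be identical."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_result(from_domain, spf_pass_domain=None, dkim_pass_domains=(),
                 aspf="r", adkim="r"):
    """Return (passed, reasons).

    DMARC passes when at least one identifier aligns with the From domain:
      * SPF passed for the Return-Path (MAIL FROM) domain and that domain aligns, or
      * a DKIM signature verified and its d= domain aligns.
    """
    reasons = []
    spf_ok = (spf_pass_domain is not None
              and aligned(from_domain, spf_pass_domain, aspf))
    reasons.append(f"SPF ({spf_pass_domain or 'no pass'}): "
                   f"{'aligned' if spf_ok else 'not aligned'}")
    dkim_ok = False
    for d in dkim_pass_domains:
        ok = aligned(from_domain, d, adkim)
        dkim_ok = dkim_ok or ok
        reasons.append(f"DKIM d={d}: {'aligned' if ok else 'not aligned'}")
    if not dkim_pass_domains:
        reasons.append("DKIM: no passing signature")
    return spf_ok or dkim_ok, reasons


# Constructed scenarios. 'espmail.example' stands in for an ESP's own domain.
FROM_DOMAIN = "example.com"

# 1. Default ESP setup: Return-Path on the ESP's domain, ESP's own DKIM key.
#    SPF passes, but against the wrong domain, so DMARC fails.
DEFAULT_ESP = dmarc_result(FROM_DOMAIN, spf_pass_domain="bounce.espmail.example",
                           dkim_pass_domains=["espmail.example"])

# 2. Custom Return-Path CNAME under your own domain: SPF aligns, DMARC passes.
CUSTOM_RETURN_PATH = dmarc_result(FROM_DOMAIN, spf_pass_domain="bounce.example.com",
                                  dkim_pass_domains=["espmail.example"])

# 3. ESP Return-Path kept, but DKIM signed with d=example.com: DKIM aligns, DMARC passes.
CUSTOM_DKIM = dmarc_result(FROM_DOMAIN, spf_pass_domain="bounce.espmail.example",
                           dkim_pass_domains=["example.com"])

if __name__ == "__main__":
    for name, (passed, reasons) in [("default ESP", DEFAULT_ESP),
                                    ("custom Return-Path", CUSTOM_RETURN_PATH),
                                    ("custom DKIM", CUSTOM_DKIM)]:
        print(f"{name}: {'PASS' if passed else 'FAIL'}; " + "; ".join(reasons))
```

Scenario 1 is the failure the paragraph describes: SPF passes, but for the ESP's bounce domain, so neither identifier aligns. Either fix (scenario 2 or 3) is sufficient, and having both gives you a margin when forwarding breaks SPF.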

2. One-click unsubscribe (RFC 8058)

Marketing and newsletter emails must include a List-Unsubscribe-Post header that allows the recipient to leave the list with a single action: no confirmation page, no login, no survey. Gmail and Yahoo surface this as a visible "Unsubscribe" button at the top of the message. Unsubscribe requests must be processed within two business days.

This requirement applies to marketing and promotional email only. Transactional email (order confirmations, password resets, account notifications) is exempt.
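To make the header requirement concrete, here is an added example (not MailGraf's code or any ESP's) that builds a marketing message with the RFC 8058 headers and checks a message for them. RFC 8058 requires both headers: List-Unsubscribe with exactly one https URI (a mailto: URI may sit alongside it) and List-Unsubscribe-Post with the exact value `List-Unsubscribe=One-Click`. The addresses and URL are constructed; the unsubscribe URL would normally carry a per-recipient opaque token so the POST identifies the subscriber.

```python
# Added example (not MailGraf's code): building and checking RFC 8058
# one-click unsubscribe headers with the standard library. Addresses and
# URLs are constructed for the example.
from email.message import EmailMessage
from urllib.parse import urlparse

ONE_CLICK = "List-Unsubscribe=One-Click"


def build_marketing_message(sender, recipient, subject, body,
                            unsubscribe_url, unsubscribe_mailto=None):
    """Return an EmailMessage carrying one-click unsubscribe headers.
    Only marketing/newsletter mail should get these; transactional mail is exempt."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    uris = [f"<{unsubscribe_url}>"]          # the https URI is mandatory
    if unsubscribe_mailto:
        uris.append(f"<mailto:{unsubscribe_mailto}>")   # optional fallback
    msg["List-Unsubscribe"] = ", ".join(uris)
    msg["List-Unsubscribe-Post"] = ONE_CLICK
    return msg


def one_click_problems(msg) -> list:
    """Return the RFC 8058 problems found in msg's headers; [] means compliant."""
    problems = []
    lu = msg.get("List-Unsubscribe")
    lup = msg.get("List-Unsubscribe-Post")
    if lu is None:
        problems.append("missing List-Unsubscribe header")
    else:
        uris = [u.strip().strip("<>") for u in lu.split(",")]
        https = [u for u in uris if urlparse(u).scheme == "https"]
        if len(https) != 1:
            problems.append("List-Unsubscribe must contain exactly one https URI")
    if lup is None:
        problems.append("missing List-Unsubscribe-Post header")
    elif lup.strip() != ONE_CLICK:
        problems.append(f"List-Unsubscribe-Post must be exactly '{ONE_CLICK}'")
    return problems


# Constructed messages: one compliant, one with only a mailto: unsubscribe
# and no List-Unsubscribe-Post header (the common pre-2024 setup).
GOOD_MSG = build_marketing_message(
    "Example Shop <news@example.com>", "alice@example.net", "April offers",
    "Hello Alice, here are this month's offers.",
    "https://example.com/unsubscribe/tok-abc123",   # opaque per-recipient token
    unsubscribe_mailto="unsubscribe@example.com")

BAD_MSG = EmailMessage()
BAD_MSG["From"] = "news@example.com"
BAD_MSG["List-Unsubscribe"] = "<mailto:unsubscribe@example.com>"

if __name__ == "__main__":
    print("good:", one_click_problems(GOOD_MSG) or "compliant")
    print("bad:", one_click_problems(BAD_MSG))
```

Run `one_click_problems` over outgoing marketing mail in a pre-send test, and make sure the https endpoint actually honours an unauthenticated POST within the two-business-day window the providers expect.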

3. Spam complaint rate below 0.3%

Google operates a two-tier threshold:

  • 0.1% target: Stay below this. It is the standard for a healthy sending programme.
  • 0.3% absolute maximum: Crossing this triggers throttling, then spam-folder routing, then permanent rejection.

On a 10,000-address campaign, 0.3% means 30 complaints. The sender reputation guide explains how complaint signals compound, and the practical defence is permission-based list building. Subscribers who opted in through double opt-in expect your email and reach for the unsubscribe link instead of the spam button.

4. RFC 5321 and RFC 5322 compliance

Your emails must be correctly formatted according to the internet messaging standards: valid From header, correct date format, proper MIME (Multipurpose Internet Mail Extensions) structure and character encoding. Any professional ESP (Email Service Provider) handles this automatically. It becomes a concern only when you build custom sending infrastructure or migrate between platforms.

5. Valid PTR records

Every sending IP (Internet Protocol) address must have a valid forward and reverse DNS (Domain Name System) record. The PTR record links the IP back to a domain, confirming that the server is not an anonymous source. Missing PTR records flag the sender as suspicious before any content analysis even begins.

What happens when you do not comply

The consequences have escalated from invisible delays to outright message loss.

| SMTP code | Meaning | What it means for you |
|---|---|---|
| 421-4.7.26 | Temporary deferral, authentication failure | Email delayed, retried automatically, but delivery not guaranteed |
| 421-4.7.32 | DMARC alignment failure | From domain does not match SPF or DKIM domain |
| 550-5.7.26 | Permanent rejection, authentication failed | Email rejected, will not be retried, recipient never sees it |
| 550-5.7.1 | General policy rejection | Sender not trusted by the receiving server |

550 codes are permanent. The email is not delivered, does not reach the inbox, does not land in spam, does not appear in the Junk folder. It is rejected at the gate. For businesses that rely on email for order confirmations, invoices and password resets, this means critical messages disappear without a trace.

The damage does not stop at one campaign. High rejection rates degrade your sender reputation, which causes even compliant emails to be filtered to spam on subsequent sends. This domino effect is substantially harder to reverse than it would have been to prevent. Recovery typically takes weeks of reduced-volume, high-engagement sending to rebuild the reputation that a few days of non-compliance destroyed.

PCI DSS v4.0 and the DMARC mandate

Since 2026, PCI DSS v4.0 requires every organisation that processes credit card data to implement DMARC. This is a payment-security requirement, not an email-marketing requirement, but the practical effect is the same: if you run an e-commerce site that accepts card payments, you now face DMARC enforcement from two directions simultaneously.

Mailbox providers require DMARC for deliverability. Payment-security auditors require DMARC for PCI compliance. The technical implementation is identical, but the audit trail differs. PCI auditors expect documented evidence that DMARC is configured, monitored and acted upon.

For UK e-commerce businesses, this creates a three-layer compliance stack: email sender requirements (Google/Yahoo/Microsoft), data protection law (UK GDPR and PECR), and payment-card security standards (PCI DSS). The common denominator across all three is email authentication. Getting SPF, DKIM and DMARC right satisfies the technical requirement in all three frameworks.

Compliance checklist

Two tiers. If you send any email at all, start with the first. If you send more than 5,000 per day, complete both.

All senders

  • SPF or DKIM configured and passing (at least one)
  • Valid PTR (reverse DNS) record for every sending IP
  • TLS (Transport Layer Security) encryption on outbound connections
  • Spam complaint rate below 0.3%
  • Emails formatted to RFC 5321 and RFC 5322

Bulk senders (5,000+ emails per day)

Everything above, plus:

  • SPF and DKIM both configured and passing
  • DMARC record published (minimum p=none)
  • DMARC alignment passing (Return-Path or DKIM domain matches From domain)
  • One-click unsubscribe (RFC 8058) in all marketing and newsletter emails
  • Unsubscribe requests processed within two business days
  • Spam complaint rate monitored via Google Postmaster Tools

Tools to verify: Google Postmaster Tools (Gmail reputation and spam rate), MXToolbox (SPF/DKIM/DMARC record validation), mail-tester.com (pre-send spam score), DMARC Analyzer or DMARCwise (aggregate report monitoring). The how to avoid spam filters guide walks through the diagnostic process step by step.
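Two of the checklist items above, the published DMARC record and the PTR record for every sending IP, can be verified from a script before you reach for the tools listed. The following is an added example written for this page, not MailGraf's code: it parses a DMARC TXT record and checks it against the p=none minimum, and confirms forward-confirmed reverse DNS (PTR exists and the host it names resolves back to the same IP). DNS lookups are injected as functions so the example runs offline against a constructed zone (203.0.113.0/24 is a documentation address range); pass the `system_*` functions instead to query real DNS.

```python
# Added example (not MailGraf's code): offline checks for two checklist
# items. The DNS resolvers are injectable; the FAKE_* tables are constructed
# zone data for the example.
import socket


def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=none; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc_record(txt: str) -> list:
    """Return problems with a published DMARC record; [] meets the p=none minimum."""
    tags = parse_dmarc(txt)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("record must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= tag missing or invalid (none, quarantine or reject)")
    if "rua" not in tags:
        problems.append("no rua= address, so aggregate reports cannot be monitored")
    return problems


def check_fcrdns(ip: str, reverse, forward) -> list:
    """PTR must exist and the host it names must resolve back to the same IP."""
    try:
        host = reverse(ip)
    except OSError:
        return [f"no PTR record for {ip}"]
    try:
        addresses = forward(host)
    except OSError:
        addresses = []
    if ip not in addresses:
        return [f"PTR for {ip} names {host}, which does not resolve back to {ip}"]
    return []


# Real resolvers (network required); not used by the offline run below.
def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def system_forward(host):
    return socket.gethostbyname_ex(host)[2]


# Constructed zone data: one correct pair, one mismatched pair.
FAKE_PTR = {"203.0.113.10": "mail.example.com",
            "203.0.113.20": "mta2.example.com"}
FAKE_A = {"mail.example.com": ["203.0.113.10"],
          "mta2.example.com": ["203.0.113.21"]}   # deliberately does not match


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def fake_forward(host):
    if host not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[host]


def run_checklist(dmarc_txt, sending_ips, reverse=fake_reverse, forward=fake_forward):
    """Collect every problem across the DMARC record and all sending IPs."""
    problems = check_dmarc_record(dmarc_txt)
    for ip in sending_ips:
        problems += check_fcrdns(ip, reverse, forward)
    return problems


if __name__ == "__main__":
    for p in run_checklist("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                           ["203.0.113.10", "203.0.113.20", "203.0.113.99"]):
        print("FAIL:", p)
```

The `rua=` check is not a provider requirement but is what makes the p=none to p=reject path in the guide workable: without a reporting address you receive no aggregate reports to read.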

How MailGraf handles compliance

Email authentication is the first step in every MailGraf customer onboarding. SPF, DKIM and DMARC records are configured before the first campaign is sent, and the custom Return-Path CNAME is part of the same setup to ensure DMARC alignment from day one.

MailGraf's sending infrastructure is CSA (Certified Senders Alliance) certified, which adds IP reputation monitoring, proactive blocklist prevention and whitelisting with major European mailbox providers on top of the authentication stack. Spam complaint rates are tracked per customer and per campaign, and the platform flags accounts approaching the 0.3% threshold before the next send.

One-click unsubscribe headers are added automatically to every marketing email, and unsubscribe requests are processed instantly. Customers who migrated to MailGraf before the 2025 enforcement wave entered the hard-enforcement period with full compliance already in place, which meant zero disruption while competitors scrambled to fix broken DNS records.

Frequently asked questions

Does Gmail require SPF or DKIM?

For low-volume senders (under 5,000 emails per day), Gmail requires at least one: SPF or DKIM. For bulk senders (5,000+/day), Gmail requires both SPF and DKIM, plus a published DMARC record with at minimum a p=none policy. Since November 2025, emails from bulk senders that fail these checks are permanently rejected with a 550 error code.

Is a DMARC policy of p=none enough?

It meets the current minimum requirement, but p=none only monitors. It does not protect your domain from spoofing and it does not tell receiving servers to block forged messages. Google and Yahoo have both indicated that stronger policies (p=quarantine or p=reject) will become mandatory in a future phase. The recommended path is to start at p=none, read the DMARC aggregate reports for two to four weeks, fix any legitimate sources that are failing, and then move to p=reject.

Do these rules apply to transactional email too?

The authentication requirements (SPF, DKIM, DMARC) apply to all email sent from your domain, including transactional messages like order confirmations, password resets and account notifications. The one-click unsubscribe requirement applies only to marketing and newsletter email. Transactional email is exempt from the unsubscribe rule but not from authentication.

When did Microsoft join and how does it differ from Google?

Microsoft announced enforcement for Outlook, Hotmail and Live on 5 May 2025. The core requirements are the same (SPF, DKIM, DMARC minimum p=none). The main difference is in the enforcement approach: Google moved from warnings directly to permanent rejection (550 codes), while Microsoft first routes non-compliant emails to the Junk folder and escalates to permanent rejection on repeated violations.

What is the 0.3% spam complaint threshold?

It is the maximum percentage of recipients who mark your email as spam that Google, Yahoo and Microsoft will tolerate before taking action. On a 10,000-address campaign, 0.3% means 30 spam reports. Google's recommended target is actually 0.1%, with 0.3% as the absolute ceiling. Crossing the threshold triggers throttling first, then spam-folder routing, then permanent rejection on subsequent sends.

Do these rules apply to senders outside the UK?

Yes. The rules are enforced by the recipient's mailbox provider, not by the sender's location. If your subscribers use Gmail, Yahoo, Outlook or iCloud, your emails must comply regardless of where your business is based. A UK e-commerce business sending to Gmail users in the UK is subject to Google's sender requirements, plus UK GDPR and PECR on the consent side. A non-UK business sending to UK Gmail users faces the same technical requirements.

What is PCI DSS v4.0 and why does it require DMARC?

PCI DSS (Payment Card Industry Data Security Standard) v4.0 is the latest version of the security framework that governs how organisations handle credit card data. Since 2026, it requires DMARC implementation for all organisations that process card payments. The rationale is phishing prevention: DMARC stops attackers from sending forged emails that impersonate your payment-processing domain. For e-commerce businesses, this means DMARC is now enforced by both mailbox providers (for deliverability) and payment-security auditors (for PCI compliance).


If you want MailGraf to audit your authentication setup against the current sender requirements, get in touch and we will run the checks together.
