A complete guide to email compliance requirements from Microsoft, Google, Apple, and Yahoo

Learn the 2025 email compliance requirements for Microsoft, Google, Apple, and Yahoo. Ensure your emails get delivered with SPF, DKIM, and DMARC.

In 2023, Google and Yahoo led the charge to strengthen email authentication standards and ensure inboxes are safer for everyone.

This major shift in the email ecosystem pushed the industry toward widespread adoption of DMARC (Domain-based Message Authentication, Reporting, and Conformance) policies to prevent fraudulent mail from reaching users’ inboxes.

Now, Microsoft and Apple are officially joining the cause.

Together, these four mailbox providers (Google, Yahoo, Microsoft, and Apple) account for approximately 90% of a typical Business-to-Consumer (B2C) email list. That means if you’re sending to any consumer audiences, you must meet these new standards or risk serious consequences: your email might be junked, rejected, or completely blocked.

Let’s break down exactly what’s changing, when these email compliance changes go into effect, and how you can make sure your emails continue reaching your audience.

Overview of new email compliance changes

The good news?

The new email sender requirements across Google, Yahoo, Microsoft, and Apple are fairly similar, meaning you won’t have to create four different email sender compliance strategies.

Instead, you’ll need to focus on proper authentication and ensure your practices align with a few key standards across SPF, DKIM, and DMARC.

Before we dive into the full breakdown, here’s the high-level goal for every sender in 2025:

  • Authenticate your emails
  • Publish and align your DMARC records
  • Maintain list hygiene and consent
  • Enable unsubscribe functionality
  • Stay ahead of complaint thresholds

Sounds simple? It can be, especially if you have the right resources and help. 

The Microsoft, Gmail, Yahoo, and Apple email sender requirements 

Need a quick way to check if you’re covered?

Here’s a simple comparison across the four major mailbox providers:

| Requirement | Google (Gmail) | Yahoo | Microsoft (Outlook, Hotmail) | Apple (iCloud Mail) |
| --- | --- | --- | --- | --- |
| Timeline | Enforcement began in 2024 | Enforcement began in 2024 | Begins May 5, 2025 | No formal enforcement date |
| Result of Non-Compliance | Non-compliant messages may be rejected. | Non-compliant messages may be rejected. | Microsoft has stated that non-compliant mail will be rejected. | Not specified |
| Error Codes | 550, 5.7.26 | Not specified | 550; 5.7.515 Access Denied | Not specified |
| SPF | Required for all senders | Required for all senders | Required for bulk senders only | Required for bulk senders |
| DKIM | Required for all senders | Required for all senders | Required for bulk senders only | Required for bulk senders |
| DMARC policy | At least p=none required for bulk senders | At least p=none required for bulk senders | At least p=none required for bulk senders | At least p=none required for bulk senders |
| DMARC alignment | Required for bulk senders | Required to have at least a relaxed alignment for bulk senders | Required for bulk senders with a preference for SPF and DKIM alignment | Not specified |
| Valid Forward and Reverse DNS (PTR) | Required for all senders | Required for all senders | Email servers must have valid reverse DNS records. | Required for bulk senders |
| TLS Encryption | Required for all senders | N/A | N/A | Not specified |
| One-Click Unsubscribe | RFC 8058 required (one-click unsubscribe) | RFC 8058 required (one-click unsubscribe) | Visible unsubscribe link required | Visible option required |
| List-Unsubscribe Header | Required for all senders | Required for all senders | Not specified | Required for bulk senders |
| Unsubscribe Processing Timeline | Not specified | Within two days | Not specified | Immediately |
| Valid “From” / “Reply-To” Addresses | Required | Required | Required for bulk senders | Required for bulk senders |
| Bounce Handling / List Hygiene | Required | Expected | Recommended | Required |
| Spam Complaint Rate Threshold | <0.10% ideal; avoid >0.30% | Keep low | Not specified | Not specified |

Want an easy way to check if your email authentication meets these requirements? Plug your domain into our free DMARC checker and see where you need to make changes. 

Key highlights about each email mailbox provider’s requirements 

Google

  • Enforcement began in early 2024.
  • Bulk senders (5,000+ daily) must have SPF, DKIM, and DMARC. (For non-bulk senders, SPF or DKIM is acceptable.)
  • Messages failing DMARC could face rejection.
  • Must offer one-click unsubscribe and maintain low spam complaint rates.

Read Google’s requirements here.

Yahoo

  • Began enforcement in 2024.
  • Very similar to Google’s requirements.
  • Strong focus on unsubscribe mechanisms and user consent.

Read Yahoo’s requirements here.

Microsoft 

  • Enforcement begins May 5, 2025.
  • Microsoft has stated explicitly that non-compliant mail will be rejected outright, not just sent to the junk or spam folder.
  • Requires SPF and DKIM for bulk senders, a DMARC policy, valid From/Reply-To addresses, and transparent practices.

Note: Microsoft’s decision to immediately reject mail rather than initially push it to the junk or spam folder sends a strong signal about the importance of compliance. Waiting is no longer an option.

Read Microsoft’s requirements here.

Apple

  • No firm enforcement timeline yet.
  • Requires SPF, DKIM, and DMARC for bulk senders.
  • Strong expectations around unsubscribe options and list hygiene.

Read Apple’s requirements here

If you’re an email marketer worried about making these updates and aren’t sure how, you’ll need to work with your IT team. We created an easy template to send to your team to ensure your domains are covered:

The risk of rejection 

Even though Microsoft is the latest major mailbox provider to announce updated email authentication requirements, they are taking the most visible approach. While we’ve seen some rejection notices and warnings from Google and Yahoo, Microsoft has gone a step further: they have explicitly stated that non-compliant emails will be outright rejected.

This move dramatically raises the stakes for all senders and sets a clear tone for the future of email authentication. It’s no longer enough to hope that non-compliant mail might simply be filtered into spam folders. Microsoft’s stance signals that the industry is moving toward a stricter, rejection-first model where proper authentication isn’t just encouraged. It’s essential.

“Microsoft’s commitment to sender requirements – matching what Google and Yahoo have already established – demonstrates that strong authentication isn’t just a best practice anymore, it’s the new law of the land. This has tremendous impact for senders of all sizes, from their security practitioners to marketers and everyone in between. When you authenticate your mail, you get the deliverability you deserve. Without authentication, you get rejected.”

– Seth Blank, CTO of Valimail

If your domain doesn’t meet the basic requirements for SPF, DKIM, and DMARC, your emails are at serious risk of being blocked. You’ll face error codes, a drop in deliverability, and potential disruptions to critical communications. Delaying compliance won’t just hurt your email performance; it could also damage your brand’s reputation and erode the trust you’ve built with your audience.

Simply put: 2025 will not be forgiving for senders who ignore authentication. 

Check your compliance for free

Email authentication is mandatory across all four major email mailbox providers, and having visibility into your sending services is more important now than ever. Additionally, with Microsoft moving to 500-series SMTP rejections for non-compliant mail, many senders may not even see that their emails are being blocked.

These rejections will happen at the sending stage, meaning your vendors might see the error data, but unless you have direct SMTP visibility or robust reporting, you won’t even be aware of it. 

DMARC reporting gives you visibility into those sending services, especially if you’re relying on third-party platforms that send on your behalf without surfacing any deliverability issues. 

Get free, real-time visibility into your domain’s authentication health with Valimail Monitor. Our forever-free solution helps you spot problems with SPF, DKIM, DMARC, and alignment before they impact your ability to deliver email.

Even if your DMARC policy is set to p=none, you can (and should) be collecting RUAs (aggregate DMARC reports). This data gives you critical insights into:

  • Whether your legitimate senders are passing authentication
  • If unknown or unauthorized services are failing checks
  • Whether you’re ready to move toward full DMARC enforcement safely

Here’s what one user had to say about getting started with Monitor:

“Valimail has a free monitoring tool so you don’t have to jump into the deep end right away. You can really identify if you have significant issues that need to be investigated further. The DMARC changes for Google and Yahoo set off this firestorm and I am by no means a DMARC expert. Valimail graciously taught me the basics!”

Damon P, G2 Review

What these requirements mean for the future of email

Why are these major mailbox providers implementing these changes? These requirements aren’t being implemented just for fun. They’re having a real impact and making inboxes safer for everyone. 

Here’s why Google implemented these changes: 

Months after the changes were implemented, Google publicized some interesting data on their email authentication and security efforts: 

  • 65% reduction in unauthenticated messages sent to Gmail users
  • 50% more bulk senders started following best security practices 
  • 265 billion fewer unauthenticated messages were sent in 2024

“The intent behind this enforcement is to encourage stronger authentication practices across the industry, particularly for high-volume senders. While honoring safe senders ensures delivery aligned with user preferences, it may limit our ability to drive broader industry improvements in email security. High-volume senders often reach large audiences, and encouraging users to manually add them to their safe sender lists can be counterproductive, it increases the risk of spoofing and undermines long-term safety goals.”

Puneeth at Microsoft

At Valimail, we also dug into the data, and we found that these requirements drove more than half a million of the top ten million domains to publish a DMARC record. 

[Figure: Global DMARC adoption, 2023 through today]

Want to dive into this data more and see how each industry stacks up? 

Get help from the leaders in DMARC compliance

Navigating all these email authentication requirements can be overwhelming, especially if your mail starts getting rejected and you need a solution fast. But it doesn’t have to be. 

Whether you’re just starting your DMARC journey or you need a fast track to email sending compliance before Microsoft’s rejections kick in, Valimail’s got you covered. In fact, we’ve helped other people just like you: 

Spring 2025 G2 Grid Leader

“[Valimail] was a fantastic resource as I navigate the upcoming sender requirements for Google and Yahoo. It was very easy to get personalized help to implement DMARC for our domains. I have logged on several times and found it very user-friendly. I have yet to integrate in other systems but look forward to doing so”

Verified User, G2 Review

Our experts have helped many brands achieve DMARC enforcement quickly, safely, and confidently, and we’re ready to help you, too, by offering:

  • White-glove service product support 
  • Partners with Microsoft, Google, and Yahoo 
  • Proven success in helping businesses of all sizes

FAQs about the new email compliance guidelines 

What if my DMARC policy is just set to p=none? 

That will satisfy the email compliance guidelines, but best practices recommend moving to a p=reject or p=quarantine policy to fully protect your domains. 

[Figure: DMARC policies]

Will the new Microsoft bulk sender requirements apply to one-to-one emails sent by employees from the same domain?

Generally, no.

The new requirements are aimed at bulk-sent messages (marketing emails, newsletters, and high-volume transactional mail), not individual, manually sent one-to-one emails from employees.

If an employee sends a personal email through Outlook or Gmail, they aren’t expected to include an unsubscribe link or meet bulk sender-specific rules. However, the domain as a whole is likely to be evaluated for total sending volume. If your combined sending (bulk campaigns + regular emails across your domain and subdomains) exceeds 5,000 emails per day to consumer inboxes, your domain will fall under compliance monitoring.

Sending volume is counted across your full domain and subdomains, so even if different platforms are sending, Microsoft (and others) may eventually treat them as one entity for enforcement.

If my DKIM and SPF pass, does that mean my DMARC alignment also passes?

Not necessarily.

Microsoft’s new requirements state that your DMARC policy must be at least p=none and that your mail must align with either SPF or DKIM (preferably both). However, alignment is different from simply passing authentication.

It’s common for emails, especially those sent through an ESP (Email Service Provider), to pass SPF authentication but fail SPF alignment. This happens when the Return Path (used for SPF) doesn’t match the domain in the visible From address. That’s OK, as long as DKIM is aligned and passes, because DMARC only requires one (SPF or DKIM) to both pass and align for the email to be considered DMARC compliant.

[Figure: Proper and improper DMARC alignment]
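The difference between passing and aligning, as an added example that is not from the original article: the Python below evaluates DMARC for a message given its SPF and DKIM results and the domains each one authenticated. The domain names (brand.example, esp-mail.example) and function names are constructed, and the organizational-domain helper assumes a two-label domain instead of consulting the Public Suffix List.

```python
def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # evaluators use the Public Suffix List (needed for e.g. "example.co.uk").
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """Relaxed ("r"): same organizational domain. Strict ("s"): exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(from_domain, spf_pass, return_path_domain,
                 dkim_pass, dkim_d, aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM both passes AND aligns with the From domain."""
    spf_ok = spf_pass and aligned(return_path_domain, from_domain, aspf)
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed scenarios: brand.example sends through a hypothetical ESP.
# 1. ESP bounce domain and ESP DKIM signature: both authenticate, neither aligns.
unaligned = dmarc_result("brand.example", True, "bounces.esp-mail.example",
                         True, "esp-mail.example")
# 2. Same bounce domain, but DKIM is signed with the brand's own d= domain.
dkim_only = dmarc_result("brand.example", True, "bounces.esp-mail.example",
                         True, "mail.brand.example")
# 3. Same as 2 under strict DKIM alignment (adkim=s): the subdomain no longer aligns.
strict = dmarc_result("brand.example", True, "bounces.esp-mail.example",
                      True, "mail.brand.example", adkim="s")
```

Scenario 1 is the case to look for in headers and reports: SPF and DKIM both read "pass", yet the message fails DMARC because neither authenticated domain belongs to the From domain.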

How can I ensure my subdomains are also compliant with these requirements? 

It’s entirely possible (and often recommended) to configure SPF, DKIM, and DMARC authentication for subdomains separately. However, it’s important to know that you don’t always have to.

By default, a DMARC policy set at the organizational domain (e.g., yourdomain.com) will automatically apply to all subdomains, unless you specifically create subdomain policies. This means you can manage compliance for both your main domain and any subdomains without setting up DMARC records individually for each one, unless you want more control over how different subdomains are handled.
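How that inheritance resolves, as an added example that is not from the original article: the Python below picks the policy a receiver applies to a From domain, using the subdomain's own record if one exists and otherwise the parent record, where the DMARC `sp=` tag (RFC 7489) overrides `p=` for subdomains. The zone data, the news and shop subdomains and the function names are constructed, and a dictionary stands in for live DNS lookups.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not DMARC."""
    tags = dict(
        (k.strip().lower(), v.strip())
        for k, _, v in (part.partition("=") for part in txt.split(";"))
        if k.strip()
    )
    return tags if tags.get("v") == "DMARC1" and "p" in tags else None


def effective_policy(from_domain, org_domain, dns_txt):
    """Policy a receiver applies to mail whose From domain is from_domain.

    dns_txt maps DNS names to TXT values and stands in for live lookups.
    """
    own = parse_dmarc(dns_txt.get(f"_dmarc.{from_domain}", ""))
    if own:                                   # the domain publishes its own record
        return own["p"]
    parent = parse_dmarc(dns_txt.get(f"_dmarc.{org_domain}", ""))
    if not parent:
        return None                           # no DMARC policy published at all
    if from_domain != org_domain:             # subdomain falls back to the parent record
        return parent.get("sp", parent["p"])  # sp= overrides p= for subdomains
    return parent["p"]


# Constructed zone data for illustration.
ZONE = {
    "_dmarc.yourdomain.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@yourdomain.com",
    "_dmarc.news.yourdomain.com": "v=DMARC1; p=none",
}
```

With this zone, shop.yourdomain.com inherits `quarantine` from `sp=`, while news.yourdomain.com is governed by its own `p=none` record despite the parent's `p=reject`.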

Are there any other mailbox providers that follow these rules? 

There are a few other mailbox providers that follow these guidelines, but Microsoft, Apple, Google, and Yahoo comprise 90% of the B2C inboxes. Following the requirements for these four will ensure you’re covered across all of the mailbox providers to get your mail delivered.

If you have further questions, check out some of the FAQs we went over in our latest video:

