Google, Yahoo & Microsoft Email Sender Requirements 2025: The Complete Compliance Guide
In 2024, Google and Yahoo changed the email game by mandating authentication for bulk senders. In 2025, Microsoft joined them. Here's everything you need to know to stay compliant and keep your emails out of spam folders.
1. Timeline: When Requirements Were Enforced
Understanding the timeline helps you gauge how urgently you need to act. Here's the chronological breakdown:
- October 2023: Google and Yahoo jointly announce new sender requirements
- February 1, 2024: Google and Yahoo begin enforcement. Initial phase focuses on authentication (SPF, DKIM, DMARC)
- April 2024: Google starts rejecting a percentage of non-compliant bulk email
- June 1, 2024: One-click unsubscribe requirement enforced for bulk senders
- November 2025: Google significantly ramps up enforcement, including temporary deferrals (4xx errors) and outright rejections (5xx errors) for non-compliant mail
- April 2025: Microsoft announces Outlook sender requirements
- May 5, 2025: Microsoft begins routing non-compliant bulk mail to Junk folder
- Future: Microsoft plans full rejection of non-compliant mail
The trend is clear: email authentication is no longer optional. It's table stakes for email deliverability in 2025 and beyond.
2. Who Is Affected?
There are two tiers of requirements:
All Senders (any volume)
If you send any email to Gmail, Yahoo, or Outlook addresses, you need:
- SPF authentication configured for your sending domain
- DKIM authentication configured for your sending domain
- Valid forward and reverse DNS records
- TLS encryption for email transport
- RFC 5322-compliant message formatting
Bulk Senders (5,000+ emails/day)
All three providers define a bulk sender as anyone sending 5,000 or more messages per day to their consumer email addresses. Bulk senders must additionally:
- Publish a DMARC record (minimum p=none)
- Pass DMARC alignment (SPF or DKIM domain aligns with From: header)
- Implement one-click unsubscribe (RFC 8058)
- Keep spam complaint rates below 0.3%
- Configure DMARC aggregate reporting (rua= tag)
⚠️ Important: Google's bulk sender classification is permanent. Once your domain sends 5,000+ emails in a single day to Gmail, you're classified as a bulk sender forever — even if you reduce volume later. Plan accordingly.
3. Requirements for ALL Email Senders
SPF or DKIM Authentication
Every email you send must pass either SPF or DKIM authentication (ideally both). This is the baseline requirement that applies to everyone, not just bulk senders.
Without authentication, your emails are increasingly likely to be rejected or sent to spam, regardless of how many you send.
Valid DNS Records
Your sending domain and IP addresses must have valid forward DNS (A records) and reverse DNS (PTR records). The hostname returned by the PTR record must resolve forward to the same sending IP (Forward-Confirmed reverse DNS, or FCrDNS).
TLS Encryption
All email must be transmitted over a TLS-encrypted connection. This is standard practice for modern email servers, but older or misconfigured servers may not support it.
4. Additional Requirements for Bulk Senders
DMARC Record
Bulk senders must publish a DMARC record at _dmarc.yourdomain.com with at minimum p=none. While p=none satisfies the requirement, Google recommends progressing to p=quarantine and eventually p=reject for maximum protection.
DMARC Alignment
The domain in your email's From: header must align with either the SPF domain (envelope sender) or the DKIM signing domain. This ensures that the visible sender matches the authenticated sender.
One-Click Unsubscribe
Commercial and promotional emails must include a List-Unsubscribe header that supports one-click unsubscribe (RFC 8058). Unsubscribe requests must be honoured within 2 days.
Spam Complaint Rate
Keep your spam complaint rate below 0.1% (Google's recommendation) and never exceed 0.3%. Monitor this through Google Postmaster Tools and Yahoo's Complaint Feedback Loop.
5. SPF: Sender Policy Framework Setup
SPF tells receiving servers which IP addresses are authorised to send email for your domain. It's a DNS TXT record at your root domain.
How to set up SPF
Add a TXT record to your domain's DNS:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Replace the include: entries with your actual email providers. Common includes:
- Google Workspace: include:_spf.google.com
- Microsoft 365: include:spf.protection.outlook.com
- SendGrid: include:sendgrid.net
- Mailchimp: include:servers.mcsv.net
- Amazon SES: include:amazonses.com
SPF Best Practices
- Use -all (hard fail) instead of ~all (soft fail) for stricter enforcement
- Keep your DNS lookup count under 10 (RFC 7208 limit). Use our compliance checker to verify
- Never use +all, which allows anyone to send as your domain
- Remove old/unused include: entries to reduce lookup count
- Consider SPF flattening if you're approaching the 10-lookup limit
6. DKIM: DomainKeys Identified Mail Setup
DKIM adds a cryptographic signature to every outgoing email, proving it hasn't been tampered with in transit. Each email provider generates their own DKIM keys.
How to set up DKIM
- Generate DKIM keys through your email provider (Google Workspace, Microsoft 365, etc.)
- Add the CNAME or TXT record to your DNS as instructed by the provider
- Enable DKIM signing in your provider's admin panel
- Verify the signature using our compliance checker
DKIM Best Practices
- Use 2048-bit RSA keys (1024-bit is considered weak)
- Set up DKIM for every service that sends email on your behalf
- Rotate keys periodically (at least annually)
- Ensure your DKIM selector isn't in test mode (t=y)
7. DMARC: Domain-based Message Authentication Setup
DMARC ties SPF and DKIM together, telling receiving servers what to do when authentication fails. It's the cornerstone of Google, Yahoo, and Microsoft's requirements.
How to set up DMARC
Add a TXT record at _dmarc.yourdomain.com:
Starting point (monitoring only):
v=DMARC1; p=none; rua=mailto:[email protected];
Intermediate (send failures to spam):
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100;
Maximum protection (reject failures):
v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s;
DMARC Progression Path
- Start with p=none to monitor authentication results via aggregate reports
- Review reports and identify all legitimate sending sources, then fix authentication issues
- Move to p=quarantine so failed emails go to spam instead of inbox
- Graduate to p=reject where failed emails are blocked entirely
💡 Pro tip: Always include the rua= tag in your DMARC record. Google specifically calls this out as a requirement, and without aggregate reports, you're flying blind on authentication issues.
8. Understanding SPF/DKIM Alignment
Alignment is the most commonly misunderstood requirement. It means the domain in your visible From: header must match (or be a subdomain of) the domain authenticated by SPF or DKIM.
Relaxed vs Strict Alignment
- Relaxed (default): Subdomains are allowed. mail.example.com aligns with example.com
- Strict: Exact domain match required. mail.example.com does NOT align with example.com
For most organisations, relaxed alignment (the default) is sufficient. Strict alignment provides stronger protection but requires more careful configuration.
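The alignment rules above, including the adkim= and aspf= tags from the DMARC records in section 7, are shown in this added example (not code from the original guide). PUBLIC_SUFFIXES is a tiny constructed subset used as an assumption; a production check needs the full Public Suffix List, and all domains and the report address are constructed.

```python
# Tiny constructed subset; real organizational-domain lookup needs the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; return None if it is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_pass(from_domain, record, spf_domain=None, dkim_domain=None):
    """spf_domain / dkim_domain are the domains that PASSED SPF / DKIM, or None."""
    tags = parse_dmarc(record)
    if tags is None:
        return False
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return spf_ok or dkim_ok

if __name__ == "__main__":
    relaxed = "v=DMARC1; p=none; rua=mailto:reports@example.com"   # constructed address
    strict = "v=DMARC1; p=reject; adkim=s; aspf=s"
    # Typical ESP setup: SPF passes for the ESP's bounce domain, DKIM signs as a subdomain.
    for rec in (relaxed, strict):
        print(dmarc_pass("example.com", rec, "bounce.esp-example.net", "mail.example.com"))
```

The same message passes under the relaxed record and fails under the strict one, which is the configuration risk to check before adding adkim=s or aspf=s.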
9. TLS Encryption Requirements
All three providers require that email is transmitted over TLS (Transport Layer Security). This encrypts the connection between mail servers, preventing eavesdropping.
Most modern email providers (Google Workspace, Microsoft 365, etc.) enable TLS by default. If you run your own mail server, ensure it's configured with a valid TLS certificate and supports TLS 1.2 or higher.
For additional security, consider implementing MTA-STS (Mail Transfer Agent Strict Transport Security), which enforces TLS for incoming email and prevents downgrade attacks.
10. Reverse DNS (PTR) Records
Every IP address that sends email for your domain must have a valid PTR (reverse DNS) record. The PTR record must point to a hostname that, when resolved forward (A record), returns the same IP address. This is called Forward-Confirmed reverse DNS (FCrDNS).
If you use a hosted email service (Google Workspace, Microsoft 365, SendGrid, etc.), PTR records are managed for you. If you run your own mail server, contact your hosting provider to set up the PTR record for your sending IP.
11. One-Click Unsubscribe Requirement
Bulk senders must include a List-Unsubscribe and List-Unsubscribe-Post header in commercial emails. This enables one-click unsubscribe (RFC 8058) directly from the email client without the recipient visiting an external page.
Example headers:
List-Unsubscribe: <https://example.com/unsubscribe?id=123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Most email marketing platforms (Mailchimp, SendGrid, HubSpot, etc.) handle this automatically. If you send email programmatically, you'll need to implement these headers yourself.
12. Spam Complaint Rate Thresholds
This is the requirement you can't fix with DNS records alone. Your spam complaint rate must stay:
- Below 0.10%, which is Google's recommended target
- Never above 0.30%; exceeding this triggers enforcement
Monitor your spam rate using:
- Google Postmaster Tools, essential for Gmail deliverability
- Yahoo Complaint Feedback Loop (CFL) (sign up through Yahoo Sender Hub)
13. Microsoft Outlook: The New Player
In April 2025, Microsoft announced that Outlook.com, Hotmail.com, and Live.com would enforce the same authentication requirements as Google and Yahoo. Enforcement began on May 5, 2025.
Microsoft's Requirements
- SPF must pass for the sending domain
- DKIM must pass to validate email integrity
- DMARC must pass with at minimum p=none, aligned with SPF or DKIM
- Same 5,000/day bulk sender threshold
Enforcement Phases
- May 2025 (current): Non-compliant mail routed to Junk folder
- Future phase: Full rejection of non-compliant mail
The good news: if you're already compliant with Google and Yahoo's requirements, you're automatically compliant with Microsoft's. The requirements are nearly identical.
14. What Happens If You Don't Comply
Non-compliance is no longer a minor inconvenience. Here's what each provider does:
Google Gmail
- Temporary deferrals (4xx errors): Your emails are delayed, often for hours
- Rate limiting: Delivery is throttled, slowing your entire sending queue
- Spam folder routing: Emails bypass the inbox entirely
- Outright rejection (5xx errors): Emails bounced back, and the recipient never sees them
Yahoo Mail
- Similar progressive enforcement to Google
- Non-authenticated mail increasingly filtered to spam
Microsoft Outlook
- Currently routing to Junk folder
- Full rejection coming in future enforcement phase
🚨 Warning: Once your domain's reputation is damaged by non-compliance, it can take weeks or months to rebuild. Prevention is significantly easier than recovery.
15. The Complete Compliance Checklist
Use this checklist to verify your domain meets all requirements:
✅ All Senders
- ☐ SPF record published and valid
- ☐ DKIM configured for all sending services
- ☐ Valid forward DNS (A records) for sending domains
- ☐ Valid reverse DNS (PTR records) for sending IPs
- ☐ TLS encryption enabled on mail server
- ☐ Emails formatted per RFC 5322
✅ Bulk Senders (5,000+/day)
- ☐ DMARC record published (minimum p=none)
- ☐ DMARC alignment passes (SPF or DKIM aligned with From: domain)
- ☐ DMARC aggregate reporting configured (rua= tag)
- ☐ One-click unsubscribe headers in commercial emails
- ☐ Spam complaint rate below 0.10% (never above 0.30%)
- ☐ Google Postmaster Tools monitoring set up
✅ Best Practices (Recommended)
- ☐ DMARC policy at p=quarantine or p=reject
- ☐ DMARC pct=100 (applies to all email)
- ☐ 2048-bit DKIM keys (not 1024-bit)
- ☐ SPF uses -all (hard fail)
- ☐ MTA-STS configured for inbound TLS enforcement
- ☐ TLS-RPT configured for transport security reporting
- ☐ BIMI record for brand logo display
Don't want to check manually? Our free compliance checker verifies most of these automatically. Just enter your domain and get instant results.
16. Frequently Asked Questions
When did Google and Yahoo start enforcing sender requirements?
Google and Yahoo began enforcing their new sender requirements on February 1, 2024. Enforcement has been progressively tightening since then, with Google ramping up rejections significantly in November 2025.
When did Microsoft start enforcing sender requirements?
Microsoft began enforcing bulk sender requirements for Outlook.com, Hotmail.com, and Live.com on May 5, 2025. Initially non-compliant emails are routed to Junk, with full rejection planned for a later phase.
What is the bulk sender threshold?
All three providers (Google, Yahoo, Microsoft) define bulk senders as those sending 5,000 or more emails per day to their consumer email addresses. Google notes this classification is permanent once triggered.
Do these requirements apply if I send fewer than 5,000 emails per day?
Yes, basic requirements apply to ALL senders. All senders must have SPF and DKIM authentication and valid DNS records. The additional requirements (DMARC, one-click unsubscribe, alignment) are technically for bulk senders, but Google recommends them for everyone and enforcement is expanding.
How can I check if my domain is compliant?
Use our free Email Sender Compliance Checker at domainsecurityscanner.com/tools/email-compliance-checker. Enter your domain and get instant results showing pass/fail for each requirement with a compliance percentage score. No signup or test email required.