Defaults.Exposed › Reports
Are You Ready for Google & Yahoo's Email Sender Rules? (2026)
Published 2026-06-29
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. See how we grade.
Part of the DMARC pillar — DMARC adoption, maturity and league tables, measured across the whole census.
Google and Yahoo began requiring email authentication from bulk senders in 2024, with Microsoft following — and most domains still don’t meet the bar. The rules are simple: if you send at volume, you must authenticate with SPF, DKIM and DMARC, keep spam complaints low, and make unsubscribing easy. The authentication part is where domains fail: only 53.21% publish SPF, 51.84% show DKIM, and just 24.89% have any DMARC record at all.
What the rules actually require
The shared requirements across Google, Yahoo and Microsoft for bulk senders:
- SPF and DKIM on your sending domain — both, not either.
- A DMARC record (at minimum
p=none, aligned with your sending). - Spam complaint rate kept low (Google’s guidance: stay under ~0.3%).
- One-click unsubscribe and honouring opt-outs promptly.
Miss the authentication requirements and your mail is increasingly throttled, junked, or rejected — not because of content, but because you can’t be verified.
Where domains stand against the bar
| Requirement | Domains that meet it |
|---|---|
| SPF published | 53.21% |
| DKIM detectable | 51.84% |
| DMARC record present | 24.89% |
| DMARC actually enforcing | 10.59% |
Around half of domains have SPF and DKIM, but the drop-off at DMARC is steep — and DMARC is explicitly part of the bulk-sender requirements. A domain with SPF and DKIM but no DMARC record does not fully meet the rules.
How to get compliant (free, in order)
- Publish SPF listing every service that sends as you.
- Turn on DKIM at your mail provider and publish the key.
- Add DMARC — start at
p=noneto confirm alignment, then move toward enforcement. - Set up one-click unsubscribe and watch your complaint rate.
All four are configuration, not cost. The senders who get throttled are almost never the ones who couldn’t afford compliance — they’re the ones who didn’t know the bar moved.
Frequently asked questions
What do Google and Yahoo require from senders? SPF, DKIM and DMARC authentication, a low spam-complaint rate (under ~0.3%), and easy one-click unsubscribe. Bulk senders who don’t comply get throttled or rejected.
Do I need DMARC for Google/Yahoo, or just SPF and DKIM? DMARC too. The requirements call for a DMARC record on your sending domain. Only 24.89% of domains have one.
Does this apply to small senders? The strictest thresholds target bulk senders, but the same authentication is increasingly expected of everyone — and it’s what keeps your normal business mail out of spam regardless of volume.
How do I check if my domain complies? Run a free, private check (below) — it shows your SPF, DKIM and DMARC status against the requirements.
Check whether you meet the sender rules
Don’t find out from a delivery failure. Check your domain’s authentication privately and free, with exactly what to fix.
Check your domain → · Why emails go to spam → · Fix SPF → · Fix DMARC → · Aggregate data only. Data stored and processed in the EU.