Defaults.Exposed

Defaults.Exposed › Reports

Are You Ready for Google & Yahoo's Email Sender Rules? (2026)

Published 2026-06-29

Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. See how we grade.

Part of the DMARC pillar — DMARC adoption, maturity and league tables, measured across the whole census.

Google and Yahoo began requiring email authentication from bulk senders in 2024, with Microsoft following — and most domains still don’t meet the bar. The rules are simple: if you send at volume, you must authenticate with SPF, DKIM and DMARC, keep spam complaints low, and make unsubscribing easy. The authentication part is where domains fail: only 53.21% publish SPF, 51.84% show DKIM, and just 24.89% have any DMARC record at all.

What the rules actually require

The shared requirements across Google, Yahoo and Microsoft for bulk senders:

Miss the authentication requirements and your mail is increasingly throttled, junked, or rejected — not because of content, but because you can’t be verified.

Where domains stand against the bar

RequirementDomains that meet it
SPF published53.21%
DKIM detectable51.84%
DMARC record present24.89%
DMARC actually enforcing10.59%

Around half of domains have SPF and DKIM, but the drop-off at DMARC is steep — and DMARC is explicitly part of the bulk-sender requirements. A domain with SPF and DKIM but no DMARC record does not fully meet the rules.

How to get compliant (free, in order)

  1. Publish SPF listing every service that sends as you.
  2. Turn on DKIM at your mail provider and publish the key.
  3. Add DMARC — start at p=none to confirm alignment, then move toward enforcement.
  4. Set up one-click unsubscribe and watch your complaint rate.

All four are configuration, not cost. The senders who get throttled are almost never the ones who couldn’t afford compliance — they’re the ones who didn’t know the bar moved.

Frequently asked questions

What do Google and Yahoo require from senders? SPF, DKIM and DMARC authentication, a low spam-complaint rate (under ~0.3%), and easy one-click unsubscribe. Bulk senders who don’t comply get throttled or rejected.

Do I need DMARC for Google/Yahoo, or just SPF and DKIM? DMARC too. The requirements call for a DMARC record on your sending domain. Only 24.89% of domains have one.

Does this apply to small senders? The strictest thresholds target bulk senders, but the same authentication is increasingly expected of everyone — and it’s what keeps your normal business mail out of spam regardless of volume.

How do I check if my domain complies? Run a free, private check (below) — it shows your SPF, DKIM and DMARC status against the requirements.

Check whether you meet the sender rules

Don’t find out from a delivery failure. Check your domain’s authentication privately and free, with exactly what to fix.

Check your domain → · Why emails go to spam → · Fix SPF → · Fix DMARC → · Aggregate data only. Data stored and processed in the EU.