MailShield
All posts
Guides

Google & Yahoo DMARC Requirements 2026: What You Need to Know

7 min
Google & Yahoo DMARC Requirements 2026: What You Need to Know

In February 2024, Google and Yahoo introduced new requirements for email senders. The core message was clear: if you send email to Gmail or Yahoo users, you need proper authentication. Since then, these requirements have only gotten stricter, and enforcement is now fully active.

If you send more than 5,000 emails per day to Google or Yahoo addresses, or if you want to maintain good deliverability for any volume, here's exactly what you need to have in place.

The requirements

Both Google and Yahoo require the following for all senders:

  • SPF or DKIM authentication: at minimum, your domain must pass either SPF or DKIM. In practice, you should have both.
  • Valid forward DNS (FCrDNS): the IP address your email comes from must have a valid PTR record that resolves back to the sending IP.
  • Low spam complaint rates: Google specifically requires that your spam complaint rate stays below 0.3%, and ideally below 0.1%.
  • RFC 5322 compliance: your emails must conform to basic email formatting standards.

Additional requirements for bulk senders (5,000+ daily)

If you send more than 5,000 messages per day to Gmail addresses, you must also:

  • Set up DMARC: your domain must have a DMARC record. At minimum p=none is required, but Google recommends moving toward quarantine or reject.
  • Align your authentication: the domain in your From header must align with either your SPF domain or DKIM signing domain. This is DMARC alignment.
  • Support one-click unsubscribe: marketing and subscription emails must include a List-Unsubscribe header with one-click functionality.
  • Use a TLS connection: email must be transmitted over a TLS-encrypted connection.
These are not suggestions. Google actively rejects or rate-limits email that doesn't comply. Yahoo applies similar filtering. Non-compliance means your emails go to spam or don't arrive at all.

What this means for your organization

For most businesses, the practical impact is straightforward: if you haven't set up proper email authentication, you're already losing emails. This affects:

  • Marketing campaigns: newsletters and promotional emails are the first to get filtered. Low deliverability means wasted budget and missed conversions.
  • Transactional emails: password resets, order confirmations, and invoices that don't arrive erode customer trust.
  • Internal communication: if your domain lacks authentication, even emails to clients and partners may be flagged as suspicious.

How to comply: the checklist

Here's exactly what to do:

  • Publish an SPF record listing all services that send email as your domain. Keep it under 10 DNS lookups.
  • Set up DKIM signing for every service that sends email on your behalf. Each service needs its own DKIM key published in DNS.
  • Publish a DMARC record at _dmarc.yourdomain.com. Start with p=none and a reporting address (rua) to receive aggregate reports.
  • Monitor your DMARC reports to identify all legitimate senders and fix any authentication failures.
  • Move to p=quarantine and then p=reject as your authentication coverage improves.
  • Ensure one-click unsubscribe is implemented for all marketing email.
  • Monitor your spam complaint rate in Google Postmaster Tools.

The enforcement timeline

Google and Yahoo started enforcement in February 2024. Since then:

  • April 2024: Google began rejecting a percentage of non-compliant bulk sender traffic
  • June 2024: One-click unsubscribe enforcement began for bulk senders
  • 2025-2026: Enforcement has continued to tighten, with non-compliant email increasingly rejected rather than just deferred

If you're still running p=none, you're technically compliant with the minimum requirement. But Google has been clear: moving toward enforcement (quarantine or reject) is strongly recommended, and future requirements may mandate it.

Check your compliance now

MailShield checks all of these requirements automatically. Add your domain and we'll show you exactly where you stand: which protocols are configured, which senders pass authentication, and what you need to fix to comply with Google and Yahoo's requirements.

Our security score gives you a single number that reflects your overall compliance. Track it over time as you improve your setup, and share it with stakeholders who need to know your organization's email security posture. Free for up to 2 domains.

Frequently asked questions

What are Google's DMARC requirements for 2026?

Google requires all senders to have SPF or DKIM authentication. Bulk senders (5,000+ emails/day to Gmail) must additionally have a DMARC record, proper alignment, one-click unsubscribe, and a spam rate below 0.3%. Enforcement has been tightening since 2024, with non-compliant email increasingly rejected.

Do I need DMARC if I send fewer than 5,000 emails per day?

Yes. While the strictest requirements target bulk senders, Google and Yahoo recommend DMARC for all senders. Even low-volume senders benefit from DMARC to prevent domain spoofing and improve deliverability. A p=none policy with reporting is a good starting point.

What happens if I don't comply with Google's email requirements?

Non-compliant email may be deferred, sent to spam, or rejected outright. Google has progressively increased enforcement since April 2024. If your domain lacks proper authentication, your emails may stop reaching Gmail and Yahoo inboxes entirely.

Check your domain now

See your email security score in under a minute. Free for up to 2 domains.

Get Started FreeMore articles