In February 2024, Google and Yahoo began enforcing stricter email authentication requirements for bulk senders — anyone sending more than 5,000 emails per day to Gmail addresses. The requirements have significant implications for email marketing programmes that haven't kept up with authentication standards. If you're seeing deliverability issues, or if you've received warnings in your email service provider's dashboard, this is likely the cause.
What changed and why
Email authentication has existed for years: SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) were already widely adopted. What's new is the enforcement of DMARC — Domain-based Message Authentication, Reporting, and Conformance — specifically at a policy level that actually rejects unauthenticated mail.
DMARC had been deployable since 2012, but many organisations set it to p=none (monitoring mode) and never advanced to actual enforcement. Google and Yahoo's requirement is that bulk senders have DMARC configured at a minimum of p=none, with SPF and DKIM passing, and a working postmaster address. More significantly, they're making clear that p=quarantine or p=reject policies will become expected as standards evolve.
The full compliance checklist
1. Verify your SPF record
Your domain's SPF record tells receiving mail servers which IP addresses are authorised to send email on behalf of your domain. Check that your SPF record includes all services that send email in your name — your ESP (Mailchimp, Klaviyo, HubSpot, etc.), your transactional email service (SendGrid, Postmark, etc.), and any other sending infrastructure.
Common mistake: organisations accumulate SPF includes from old services they no longer use, and the record exceeds the 10 DNS lookup limit, causing SPF failures. Audit your SPF record with a tool like MXToolbox and remove obsolete includes.
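The 10-lookup limit counts every DNS-querying term across nested includes, which is why stale includes push a record over without anyone noticing. The sketch below is an added example, not part of the original post: it counts the worst-case lookups for a record, using a constructed offline zone (all domains and records in it are made up) in place of live DNS.

```python
# Added example: worst-case SPF DNS-lookup count over a constructed, offline "zone".
# All domains and records below are constructed sample data, not real DNS.
SAMPLE_ZONE = {
    "example.com": "v=spf1 mx include:_spf.esp-a.example include:_spf.esp-b.example "
                   "include:_spf.old-crm.example ip4:192.0.2.10 ~all",
    "_spf.esp-a.example": "v=spf1 include:_nb1.esp-a.example include:_nb2.esp-a.example ~all",
    "_nb1.esp-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb2.esp-a.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.esp-b.example": "v=spf1 a mx include:_spf.relay.example ~all",
    "_spf.relay.example": "v=spf1 exists:%{i}.allow.relay.example ~all",
    "_spf.old-crm.example": "v=spf1 a:mail.old-crm.example mx ptr ~all",  # obsolete service
}

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # ip4, ip6, all cost nothing


def count_spf_lookups(domain, zone, path=()):
    """Upper bound on DNS-querying terms evaluated for `domain`, following
    include: and redirect= recursively (real evaluation stops at the first match)."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:  # skip the v=spf1 tag
        term = term.lstrip("+-~?").lower()          # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_spf_lookups(term[len("redirect="):], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0]                   # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_spf_lookups(target, zone, path + (domain,))
    return total


def audit(domain, zone):
    """Return (lookup_count, within_limit) for the domain's SPF record."""
    n = count_spf_lookups(domain, zone)
    return n, n <= SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    print(audit("example.com", SAMPLE_ZONE))        # with the obsolete include
    trimmed = dict(SAMPLE_ZONE)
    trimmed["example.com"] = trimmed["example.com"].replace(" include:_spf.old-crm.example", "")
    print(audit("example.com", trimmed))            # after removing it
```

To audit a real domain, replace the zone dictionary with TXT lookups from a resolver; the counting logic stays the same.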
2. Verify DKIM is configured for all sending domains
DKIM adds a cryptographic signature to your outgoing email that proves the message hasn't been tampered with in transit. Your ESP almost certainly supports DKIM — check that you've added their DKIM DNS records to your domain.
If you send from multiple subdomains (newsletters from [email protected], transactional from [email protected]), DKIM must be configured for each. Check each sending address.
3. Configure DMARC
Add a DMARC TXT record to your DNS at _dmarc.yourdomain.com. At minimum:
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected];
The p=none policy means "report but don't reject." This is the starting point. Set up the reporting mailbox and begin reviewing the aggregate reports (daily) to understand what's passing and failing before moving to a stricter policy.
4. Set up a postmaster/abuse address
Google requires that your domain has a functioning postmaster address ([email protected]) and abuse address ([email protected]). These don't need to be actively monitored in detail, but they must exist and accept email. Add these as aliases to a monitored inbox.
5. Enable easy unsubscribe
Google's requirements include support for one-click unsubscribe (RFC 8058). Major ESPs have added List-Unsubscribe headers automatically — verify this in your ESP settings. For custom sending infrastructure, add the List-Unsubscribe and List-Unsubscribe-Post headers to all bulk email.
6. Review your complaint rate
Google's Postmaster Tools (free, available at postmaster.google.com) shows your spam complaint rate for mail sent to Gmail. The target is below 0.1%. Above 0.3% triggers deliverability impacts. Review this monthly — a sudden spike in complaints is the early warning signal for a deliverability problem before it reaches inbox-level impact.
The path to p=quarantine and p=reject
The long-term standard is moving toward p=reject — email that fails DMARC authentication is rejected outright by receiving servers, not just sorted to spam. This is the right destination. The path there:
- Deploy p=none and collect 30-60 days of DMARC aggregate reports
- Identify all legitimate sending sources and ensure they pass SPF and DKIM
- Move to p=quarantine with a subdomain policy first (sp=quarantine)
- Monitor for 30 days, address any failures
- Move to p=reject
If you need help auditing your email authentication setup or diagnosing deliverability issues, get in touch. This is a common engagement for us right now.

