Email Deliverability

Google and Yahoo's 2024 bulk sender rules, two years on: what actually got enforced

By Jon Morby · 27 Apr 2026 · 5 min read

In October 2023, Google and Yahoo jointly announced new requirements for anyone sending more than 5,000 emails a day to their users. The rules were to take effect in February 2024. They were, at the time, the biggest change to bulk email deliverability in more than a decade.

Two years later, we have data. We know what got enforced, what got quietly delayed, what changed in practice, and what happened to the organisations that ignored the deadline.

What the rules said

Three main requirements for bulk senders (defined as anyone sending 5,000+ messages/day to Gmail users, with separate but similar thresholds for Yahoo):

  1. SPF and DKIM both required. Not one or the other — both. This was a significant tightening from the previous standard where either-or was acceptable.
  2. DMARC policy required at a minimum of p=none with a valid rua= reporting address. Aggregate reports from receivers had to be delivered somewhere.
  3. One-click unsubscribe required via the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058), plus a spam complaint rate maintained under 0.3% (with a soft threshold at 0.1%).

Google and Yahoo committed to enforcement through progressive throttling, increased spam classification, and eventual rejection for senders who failed to meet the requirements.
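A static check for requirements 2 and 3, as an added example that is not from the article or any vendor's tooling. It parses a DMARC TXT record and a message's headers, including the RFC 8058 rule that both unsubscribe headers must be covered by a DKIM signature; it does not verify SPF or DKIM cryptographically. The record and message are constructed samples.

```python
from email import message_from_string, policy

# Constructed samples (not from the article): a DMARC TXT record and a message.
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
SAMPLE_MESSAGE = (
    "From: News <news@example.com>\r\n"
    "List-Unsubscribe: <https://example.com/u/TOKEN>, <mailto:unsub@example.com>\r\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1;\r\n"
    " h=from:list-unsubscribe:list-unsubscribe-post; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "\r\nHello\r\n"
)

def parse_tags(value):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = "".join(val.split())
    return tags

def check_dmarc(record):
    """Return problems against requirement 2 (p= policy plus rua= address)."""
    if not record.strip().startswith("v=DMARC1"):
        return ["not a DMARC record (must begin with v=DMARC1)"]
    tags, problems = parse_tags(record), []
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy")
    if not any(u.lower().startswith("mailto:") for u in tags.get("rua", "").split(",")):
        problems.append("no rua= mailto: destination for aggregate reports")
    return problems

def check_one_click(raw_message):
    """Return problems against requirement 3 (RFC 8058 one-click headers)."""
    msg = message_from_string(raw_message, policy=policy.default)
    problems = []
    if "<https://" not in str(msg.get("List-Unsubscribe", "")).lower():
        problems.append("List-Unsubscribe has no https URI")
    post = "".join(str(msg.get("List-Unsubscribe-Post", "")).split())
    if post != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post must be List-Unsubscribe=One-Click")
    signed = set()  # header names covered by any DKIM signature's h= tag
    for sig in msg.get_all("DKIM-Signature", []):
        signed.update(parse_tags(str(sig)).get("h", "").lower().split(":"))
    for name in ("list-unsubscribe", "list-unsubscribe-post"):
        if name not in signed:
            problems.append(f"{name} not covered by a DKIM signature")
    return problems
```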

What actually happened on day one

The February 2024 deadline arrived with, predictably, a lot of last-minute panic from companies that had ignored twelve months of warnings. Enforcement was initially soft — Google in particular started with temporary rate limiting for non-compliant senders rather than hard rejections, which meant marketing emails got slower rather than getting blocked outright.

This was a reasonable call by Google. It gave senders time to see degraded deliverability in their own metrics and respond. It also meant a lot of senders didn't actually notice for weeks, because "delivery taking 4 hours instead of 4 minutes" doesn't show up on most marketing dashboards.

By spring 2024, enforcement had ratcheted up meaningfully. The cohort of senders getting hit hardest were:

  • Mid-sized B2B SaaS — typically sending 10-50k emails/day, usually through a mix of their own infrastructure and an ESP, often with DKIM configured on some but not all sending paths. These companies had "enough" authentication to have convinced themselves they were fine but not enough to actually pass the new bar.
  • Email service resellers and affiliates — white-labelled platforms where the reseller's brand was in the From field but the actual sending infrastructure was further down the chain, with DKIM signed by the underlying platform rather than the reseller's domain. This is the alignment problem at scale.
  • Charities and political organisations — under-resourced IT, often self-hosted newsletter platforms from a decade ago, heavy reliance on volunteers for technical setup. A lot of these went from "mostly reaches inbox" to "mostly reaches spam folder" almost overnight.

The cohort that barely noticed: large enterprises with dedicated email ops teams who had seen the announcement in October and had months to comply, and small senders below the 5,000/day threshold who weren't in scope at all.

The 0.3% complaint threshold, in practice

The soft 0.1% / hard 0.3% spam complaint rate was the requirement I thought would cause the most chaos. It turned out to be the requirement with the most interesting second-order effects.

Senders don't have visibility into their spam complaint rates by default. Gmail offers this data through Google Postmaster Tools, which requires domain verification and a dedicated setup — something the non-compliant cohort almost universally hadn't done. So the first time many senders discovered their complaint rate was too high was when their deliverability tanked and they went looking for the cause.

In practice, once senders got Postmaster Tools set up and started paying attention, a chunk of them discovered they'd been running at 0.5% or higher for years. This was the forcing function that finally got many organisations to clean up their lists, remove long-dead addresses, add preference centres, and stop mailing people who hadn't engaged in two years.

That cleanup, across thousands of senders, probably had more positive impact on the overall email ecosystem than the DMARC/DKIM requirements themselves. Fewer emails being sent to people who don't want them is a genuinely good outcome.

The one-click unsubscribe requirement

This one produced the most technical work across the industry, because it required actual code changes rather than DNS record updates. RFC 8058's List-Unsubscribe-Post header means the unsubscribe link must work via a single HTTP POST request, without a confirmation page, without a login, without any user interaction beyond the initial click.

The number of email platforms that had to rework their unsubscribe flows to comply was enormous. Even some of the major ESPs were non-compliant initially — Mailchimp, Klaviyo, and others rolled out updates in Q1 2024 specifically to meet the requirement. Self-built newsletter systems at organisations that had assumed their existing unsubscribe flow was fine were a particular casualty.

The unintended consequence: spammers figured out that List-Unsubscribe-Post triggers automatic unsubscribes from some clients (Gmail uses it when users hit the "unsubscribe" button in the UI), and started trying to exploit this for list-washing. The short-term solution was for bulk senders to require their ESPs to implement the One-Click header token variant correctly, which most have now done. This is the sort of edge case that makes "comply with the standard" a moving target.
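One way a sender can implement the RFC 8058 endpoint described above, as an added example that is not from the article or any ESP's code. The unsubscribe URI carries a hard-to-forge token (an HMAC over an opaque subscription id), and the handler acts only on a POST whose body is List-Unsubscribe=One-Click. The secret, endpoint URL and subscription ids are assumptions made for the example.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs

SECRET = b"constructed-demo-key"              # assumption: server-side secret
BASE_URL = "https://mail.example.com/unsub/"  # hypothetical endpoint

def _mac(sub_id: str) -> str:
    digest = hmac.new(SECRET, sub_id.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def unsubscribe_headers(sub_id: str) -> dict:
    """Headers for one message; sub_id is an opaque subscription id (no dots)."""
    return {
        "List-Unsubscribe": f"<{BASE_URL}{sub_id}.{_mac(sub_id)}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }

def handle_request(method: str, path: str, body: str, active: set) -> int:
    """Process a request to the unsubscribe endpoint and return an HTTP status."""
    if method != "POST":
        return 405   # a GET from a link scanner or prefetcher must change nothing
    if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
        return 400   # RFC 8058 body; multipart/form-data is not handled here
    sub_id, _, mac = path.rsplit("/", 1)[-1].partition(".")
    if not hmac.compare_digest(mac.encode(), _mac(sub_id).encode()):
        return 403   # token was not issued by us for this subscription
    active.discard(sub_id)   # no login, cookie or confirmation page involved
    return 200       # idempotent: repeating the POST is harmless
```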

Microsoft's 2025 rules

Microsoft formally adopted largely the same requirements for Outlook.com and consumer Hotmail in 2025, with a slightly different threshold and an emphasis on DMARC specifically being required at p=none or higher.

The practical effect for bulk senders who were already Gmail/Yahoo-compliant was minimal — if you met Google's bar, you met Microsoft's. But the subset of senders who had been Outlook-first and under Google's radar (there are more of these than you'd think, particularly in B2B contexts) had to go through their own compliance push in 2025. The pattern was similar: soft enforcement first, ratcheting harder through the year.

What it means now

Two years in, the compliance landscape has settled into three groups:

Compliant and monitoring — they have DMARC, SPF, DKIM properly set up, they're reading aggregate reports, they've migrated to p=quarantine or p=reject. Their deliverability is good and trending up because they're also getting reputation benefits from aligned, authenticated mail.

Compliant but not monitoring — they set up DMARC at p=none in early 2024 to meet the bar, never looked at a DMARC report, and are currently unaware that their authentication is slowly breaking as ESPs change infrastructure, new sending tools get added, and staff come and go. These domains pass a surface compliance check but are increasingly brittle. This is, in my estimation, the majority of mid-sized organisations.

Still non-compliant — smaller organisations below the strict threshold, charities, regional businesses. Their deliverability is mediocre but their volume is low enough that nobody's noticed in a systematic way. They're one phishing attack away from being a news story.

If you're running the domain for any organisation, you can find out which bucket you're in using a free audit at dmarcsentinel.com. Takes ten seconds. Tells you if your DMARC is published, what policy you're at, whether your SPF is valid and under the lookup limit, whether your DKIM selectors are correctly set up, whether your rua= reports are actually reaching a monitored destination, and where on the compliance spectrum you sit.

The point of the audit isn't just compliance — it's that the rules aren't going to get looser. Microsoft tightened in 2025. Google has been hinting at requiring p=quarantine or p=reject (not just p=none) for bulk senders, probably in 2026 or 2027. Every year, the floor rises.

If you're at p=none now because it was "enough" in 2024, you're going to be non-compliant by next year's standards. Moving from p=none to p=quarantine to p=reject takes months of monitoring to do safely, because you have to be confident that no legitimate mail flow will be rejected. Start the migration now, not when the deadline is announced. By the time the deadline is announced, you will not have time to do it properly.
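What monitoring aggregate reports looks like in practice, as an added example that is not from the article or from DMARC Sentinel. It reads one RFC 7489 aggregate report and lists the sources whose mail fails DMARC, which is the mail a move to p=quarantine or p=reject would affect. The report is constructed, uses documentation IP ranges and hypothetical domains, and assumes no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
def _rec(ip, count, dkim, spf, signer=None):
    sig = f"<dkim><domain>{signer}</domain><result>pass</result></dkim>" if signer else ""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers>"
            f"<auth_results>{sig}</auth_results></record>")

SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + _rec("192.0.2.10", 1200, "pass", "pass", "example.com")            # aligned
    + _rec("198.51.100.7", 300, "fail", "fail", "esp-platform.example")  # ESP signs as itself
    + _rec("203.0.113.99", 4, "fail", "fail")                            # unsigned source
    + "</feedback>")

def dmarc_failures(report_xml):
    """Map source IP -> message count and passing-but-unaligned DKIM signers."""
    # Reports are untrusted third-party input; a production parser should use a
    # hardened XML library and cope with an XML namespace (assumed absent here).
    root = ET.fromstring(report_xml)
    failing = defaultdict(lambda: {"count": 0, "signed_by": set()})
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue  # DMARC passes when either aligned check passes
        entry = failing[rec.findtext("row/source_ip")]
        entry["count"] += int(rec.findtext("row/count"))
        for sig in rec.iterfind("auth_results/dkim"):
            if sig.findtext("result") == "pass":
                entry["signed_by"].add(sig.findtext("domain"))
    return dict(failing)

def fail_ratio(report_xml):
    """Fraction of reported messages that fail DMARC in this report."""
    total = sum(int(c.text) for c in ET.fromstring(report_xml).iter("count"))
    failed = sum(e["count"] for e in dmarc_failures(report_xml).values())
    return failed / total if total else 0.0
```

A source that fails DMARC while carrying a passing signature from another domain is usually a legitimate sending path with an alignment problem, and needs fixing before the policy is tightened.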


Jon Morby has run email and DNS infrastructure since the early 1990s. He built DMARC Sentinel after watching too many agencies discover their clients' email was going to spam the hard way.
