Google & Yahoo Email Sender Requirements 2026
Check SPF, DKIM, DMARC, alignment, TLS and unsubscribe setup against the current Google and Yahoo sender rules.
Google and Yahoo now expect senders to prove that their emails are authenticated, aligned, easy to unsubscribe from, and not generating high spam complaints. For normal business email, this means your domain should have proper SPF or DKIM. For bulk senders, the bar is higher: SPF, DKIM, DMARC, alignment, TLS, and unsubscribe requirements all matter. Google and Yahoo both list DMARC and authentication as core sender requirements for bulk email.
If your domain is missing one of these records, your emails may still send — but they are more likely to land in spam, be delayed, or be rejected.
Who must comply?
These requirements matter for almost every organization that sends email from its own domain, but they are especially important for:
- SaaS companies sending product or onboarding emails
- Ecommerce stores sending order and marketing emails
- Newsletters and mailing lists
- Google Workspace and Microsoft 365 users
- Mailchimp, Klaviyo, Brevo, HubSpot, or CRM senders
- Transactional senders using services like Mandrill, SendGrid, Postmark, or Amazon SES
- Any domain sending high-volume email to Gmail, Yahoo, AOL, or Outlook users
Google defines bulk senders as domains sending large daily volumes to personal Gmail accounts. Yahoo also separates normal senders from bulk senders and requires stronger authentication for bulk email.
The 3 DNS records every sender should understand
Email authentication mainly depends on three DNS records:
1. SPF
SPF tells receiving mail servers which servers are allowed to send email for your domain.
Example:
v=spf1 include:_spf.google.com include:sendgrid.net -all
SPF helps verify the sending server, but it has limits. If email is forwarded, SPF can break. That is why DKIM is also important.
2. DKIM
DKIM adds a cryptographic signature to your email. It proves that the message was authorized by your domain and was not modified in transit.
Most email providers give you one or more DKIM DNS records to add.
Example selector record:
google._domainkey.example.com
DKIM is one of the most important records for Gmail and Yahoo deliverability because it survives forwarding better than SPF.
3. DMARC
DMARC tells receiving servers what to do when email fails SPF or DKIM authentication.
Example starter DMARC record:
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Google says DMARC tells receiving servers whether to deliver, quarantine, or reject messages that fail authentication.
DMARC policy: p=none vs quarantine vs reject
Your DMARC policy controls how strict your domain protection is.
p=none
v=DMARC1; p=none; rua=mailto:dmarc@example.com
This is monitoring mode. Failed messages are not blocked by your policy.
Best for:
- First DMARC setup
- Auditing all email sources
- Finding forgotten senders
- Avoiding accidental email disruption
p=quarantine
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
This tells receivers to treat failed messages as suspicious. They may go to spam or quarantine.
Best for:
- Domains that already know their legitimate senders
- Gradual enforcement
- Reducing spoofing risk
p=reject
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
This tells receivers to reject messages that fail DMARC.
Best for:
- Mature domains with clean SPF/DKIM alignment
- Brands at risk of phishing
- Domains that have completed DMARC monitoring
Start with p=none, monitor reports, fix all senders, then move to quarantine, and finally reject when confident.
What is DMARC alignment?
DMARC does not only check whether SPF or DKIM passes. It also checks whether the authenticated domain matches the visible “From” domain.
Example visible From address:
From: billing@example.com
For DMARC to pass, either:
- SPF must pass using a domain aligned with example.com, or
- DKIM must pass using a domain aligned with example.com
Yahoo states that relaxed alignment is acceptable and that the From header domain must align with either the SPF or DKIM domain. Google also recommends full alignment for reliable authentication.
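The alignment rule above, as an added example (not code from the original page, Google, or Yahoo): it evaluates relaxed and strict alignment for mail whose visible From domain is example.com. The sample domains and the short PUBLIC_SUFFIXES set are constructed assumptions; real receivers use the full Public Suffix List to find the organizational domain.

```python
# Added example: DMARC identifier alignment (relaxed vs strict).
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Return the organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # fallback: suffix not in the sample set

def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf and dkim are (result, authenticated_domain) tuples.
    DMARC passes when at least one mechanism both passes and aligns."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed cases for a message with From: billing@example.com
CASES = {
    # SPF passes, but for the sending platform's bounce domain: not aligned.
    "spf_pass_other_domain": (("pass", "bounces.example.net"), ("none", "")),
    # DKIM signed with a subdomain of the From domain: aligned in relaxed mode.
    "dkim_subdomain": (("pass", "bounces.example.net"), ("pass", "mail.example.com")),
}

if __name__ == "__main__":
    for name, (spf, dkim) in CASES.items():
        print(name, dmarc_result("example.com", spf, dkim))
    # The same DKIM signature under strict alignment (adkim=s) no longer aligns.
    print("strict", dmarc_result("example.com", *CASES["dkim_subdomain"], adkim="s"))
```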
Google & Yahoo sender checklist
Use this checklist before sending serious volume.
Required or strongly recommended DNS setup
- SPF record exists
- SPF includes all sending platforms
- DKIM is enabled for every sender
- DMARC record exists
- DMARC has a valid policy: p=none, p=quarantine, or p=reject
- The From domain aligns with SPF or DKIM
- No duplicate SPF records
- DNS records are valid and not broken
- Mail is sent over TLS
- Reverse DNS is configured for dedicated sending IPs
Bulk sender requirements
Bulk senders should also check:
- SPF and DKIM both pass
- DMARC passes
- Spam complaint rate stays below 0.3%
- Marketing emails include unsubscribe
- One-click unsubscribe is supported where required
- Unsubscribe requests are honored quickly
- Messages follow RFC email formatting standards
Yahoo lists easy unsubscribe and low spam complaints as bulk-sender requirements, including keeping spam complaints below 0.3%.
Example DNS setup by platform
Google Workspace
Typical SPF:
v=spf1 include:_spf.google.com ~all
DKIM: Enable DKIM inside Google Workspace Admin, then publish the DKIM TXT record Google provides.
DMARC starter:
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Microsoft 365
Typical SPF:
v=spf1 include:spf.protection.outlook.com ~all
DKIM: Enable DKIM in Microsoft 365 Defender or Exchange admin center, then add the CNAME records Microsoft provides.
DMARC starter:
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Mailchimp
Mailchimp usually requires domain authentication using DKIM CNAME records and sometimes SPF-related configuration.
Example DMARC:
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Common mistakes that cause Gmail or Yahoo delivery problems
Multiple SPF records
A domain should have only one SPF record. This is wrong:
v=spf1 include:_spf.google.com ~all
v=spf1 include:sendgrid.net ~all
Correct version:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
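A small record linter for the duplicate-SPF mistake above and the "valid DMARC policy" item in the checklist, as an added example rather than code from the original page or from MXScan. The function names and the sample TXT list are constructed; the input is the set of TXT strings you would get from a DNS lookup.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def lint_spf(txt_records):
    """Check the TXT records at a domain apex; return (findings, merged_record)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"], None
    findings, mechanisms, all_terms = [], [], []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records found; SPF evaluation fails with permerror")
    for record in spf:
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                all_terms.append(term)
            elif term not in mechanisms:      # keep each mechanism once, in order
                mechanisms.append(term)
    if not all_terms:
        findings.append("no terminating 'all' mechanism")
    elif len(set(all_terms)) > 1:
        findings.append("records disagree on the 'all' qualifier; merged record keeps the first")
    merged = " ".join(["v=spf1", *mechanisms, *all_terms[:1]])
    return findings, merged

def lint_dmarc(record):
    """Parse a DMARC TXT record (published at _dmarc.<domain>) and return findings."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("missing v=DMARC1 version tag")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"invalid or missing policy p={policy!r}")
    elif policy == "none":
        findings.append("p=none is monitoring only; failing mail is not blocked")
    if "rua" not in tags:
        findings.append("no rua address; aggregate reports will not be delivered")
    return findings

# Constructed sample input: the duplicate-SPF mistake shown above.
SAMPLE_TXT = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:sendgrid.net ~all",
    "google-site-verification=constructed-placeholder",
]

if __name__ == "__main__":
    print(lint_spf(SAMPLE_TXT))
    print(lint_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```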
Missing DKIM for marketing tools
You may have DKIM enabled for Google Workspace but not for Mailchimp, Klaviyo, HubSpot, SendGrid, or another sender. Each sender needs to be authenticated.
DMARC exists but does not pass
Having a DMARC record is not enough. Your messages must also pass SPF or DKIM with alignment.
Using a strict DMARC policy too early
Moving directly to p=reject can break legitimate email if all sending services are not aligned.
Forgotten senders
Old CRMs, invoice systems, support desks, and newsletter tools often send from your domain but are not included in SPF or DKIM.
One-click domain check
Before changing DNS, scan your domain first.
Check your email authentication
Use MXScan to check SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI, and other email security records in one place.
Enter your domain and see what is missing before Gmail or Yahoo rejects your emails.
Recommended rollout plan
Step 1: Audit your current records
Check:
- SPF
- DKIM
- DMARC
- MX records
- MTA-STS
- TLS-RPT
- BIMI
- Blacklist status
- Mail server TLS
Step 2: List all sending services
Create a list of every platform that sends email from your domain. Examples:
- Google Workspace
- Microsoft 365
- Mailchimp
- Klaviyo
- SendGrid
- Postmark
- Mandrill
- HubSpot
- Zendesk
- Stripe
- Shopify
- CRM or custom SMTP server
Step 3: Fix SPF and DKIM
Make sure every sender is authenticated.
Step 4: Add DMARC in monitoring mode
Start with:
v=DMARC1; p=none; rua=mailto:dmarc@example.com
Step 5: Review DMARC reports
Find unknown or failing senders.
Step 6: Move toward enforcement
After everything is aligned, move to:
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
Then later:
v=DMARC1; p=reject; rua=mailto:dmarc@example.com
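For Step 5, an added example (not from the original page or from MXScan) that reads a DMARC aggregate report and lists the source IPs still failing, which is the evidence you need before Step 6. The report below is constructed, uses documentation IP ranges, and is trimmed to the fields the code reads; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate (rua) report, trimmed to the fields used below.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>14</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.25</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize(report_xml):
    """Group message counts by source IP and DMARC outcome."""
    root = ET.fromstring(report_xml)
    sources = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        # policy_evaluated holds the aligned results; DMARC passes if either is 'pass'.
        outcome = "pass" if "pass" in (dkim, spf) else "fail"
        sources[ip][outcome] += count
    return dict(sources)

def failing_sources(summary):
    """Source IPs that sent at least one message failing DMARC."""
    return sorted(ip for ip, c in summary.items() if c["fail"] > 0)

def fail_rate(summary):
    """Share of reported messages that failed DMARC."""
    total = sum(c["pass"] + c["fail"] for c in summary.values())
    failed = sum(c["fail"] for c in summary.values())
    return failed / total if total else 0.0

if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print("failing sources:", failing_sources(summary))
    print(f"fail rate: {fail_rate(summary):.1%}")
```

Real reports arrive as gzip or zip attachments, so decompress them before passing the XML in. Each failing IP is either a forgotten sender to authenticate or spoofed traffic that enforcement will block.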
Final checklist
Before sending high-volume email, confirm:
- Your SPF record is valid
- DKIM is enabled for all senders
- DMARC exists
- DMARC alignment passes
- You are not using duplicate SPF records
- Marketing emails have unsubscribe links
- One-click unsubscribe is supported where needed
- Complaint rates are low
- Your mail servers support TLS
- Your domain is not blacklisted
Test your domain now
MXScan helps you find missing or broken email security records before they damage your deliverability.
Run a free email security scan and check your SPF, DKIM, DMARC, MTA-STS, TLS-RPT, and BIMI setup.
FAQ
Do I need DMARC if I only send normal business email?
Yes, it is strongly recommended. Even small domains can be spoofed. DMARC helps protect your domain and gives receiving servers more confidence.
Is p=none enough?
For monitoring, yes. For long-term protection, no. p=none does not block spoofed email. It is best used as a starting point before moving to quarantine or reject.
Do I need both SPF and DKIM?
For bulk sending, yes. For normal sending, at least one may be enough in some cases, but using both is much safer.
Why does DMARC fail even when SPF passes?
Usually because SPF passed for a different domain, not the visible From domain. That means SPF passed technically, but DMARC alignment failed.
Can I use Google Workspace and Mailchimp together?
Yes, but your SPF/DKIM setup must include both. Google Workspace authentication does not automatically authenticate Mailchimp or other third-party senders.
Will DMARC guarantee inbox placement?
No. DMARC helps authentication and trust, but inbox placement also depends on reputation, spam complaints, content quality, engagement, and sending behavior.
Stay compliant with Google & Yahoo in 2026
Create a free account to monitor DMARC reports, track alignment, and catch broken records.