New Gmail Bulk Sender Compliance Updates - November 2025

Michael Ko
Co-founder & CEO, Suped
Published 4 Nov 2025
Well, the day we’ve all been talking about has finally arrived. For the better part of a year, we’ve been educating, preparing, and helping clients get ready for Gmail’s new sender requirements. It’s been a whirlwind of setting up SPF, DKIM, and DMARC records.
But as of this month, November 2025, the game has officially changed.
https://support.google.com/a/answer/14229414
I’ve been watching deliverability reports closely, and it’s clear: Google has flipped the switch from "education" to "active enforcement." The grace period is over.
What does this mean? Until now, many non-compliant messages were simply routed to the spam folder. That was bad, but this is worse. Gmail is now issuing temporary or even permanent rejection codes for email that doesn't meet their standards. Your messages aren't just being hidden; they're being blocked entirely.
This isn't a theoretical threat anymore. It's live. If you’ve been putting this off, now is the moment to stop.

What's Being Enforced? The Full Checklist

This whole initiative, which both Gmail and Yahoo announced back in late 2023, was always about one thing: trust. It’s about cleaning up the inbox, fighting spam, and making it harder for malicious actors to impersonate legitimate brands (like yours).
While the rules for "bulk senders" (those sending over 5,000 emails a day) are stricter, the truth is that these requirements represent the new baseline for everyone.
Here’s a breakdown of exactly what Gmail is now rejecting email for. I've grouped them into the three main areas I focus on with my clients: Authentication, Infrastructure, and User Experience.

Pillar 1: Authentication (The "Are You Who You Say You Are?" Test)

This is the big one. Gmail wants cryptographic proof that you are authorized to send email from your domain.
  • You must have both SPF and DKIM: This is no longer an "either/or" situation. Sender Policy Framework (SPF) says which servers can send for you, and DomainKeys Identified Mail (DKIM) adds a digital signature to prove the email came from you and wasn't tampered with. You need both.
  • You must have a DMARC record: This is the capstone. Domain-based Message Authentication, Reporting, and Conformance (DMARC) tells receivers what to do if an email fails SPF or DKIM. Gmail's minimum requirement is a p=none policy. While this is just "monitoring" mode and doesn't block anything itself, it’s a non-negotiable first step. It also unlocks the reporting that shows you who is sending on your behalf. If you're new to this, I wrote a post explaining the implications of a p=none policy that's a good place to start.
  • Your 'From:' header must align: This is the core of DMARC. It’s not enough to just pass SPF and DKIM. The domain in your visible "From:" address (what the user sees) must match the domain that SPF authenticated or the domain in your DKIM signature. This is what stops spoofing.
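
The alignment rule above is the one that catches senders whose SPF and DKIM both pass but still fail DMARC. The following is an added example, not code from Suped or Google: it reads the Authentication-Results header a receiver stamps on a message and goes slightly beyond the text by showing both relaxed and strict alignment. The messages and domains are constructed, and org_domain is a simplified stand-in for a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages: an ESP signing with its own domain, and a brand-signed one.
ESP_SIGNED = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=esp-mailer.example header.s=s1;
 spf=pass smtp.mailfrom=bounces@esp-mailer.example
From: Brand News <news@brand.example>
Subject: Hello

body
"""
BRAND_SIGNED = ESP_SIGNED.replace("header.d=esp-mailer.example",
                                  "header.d=mail.brand.example")

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A production check
    # needs the Public Suffix List (this shortcut is wrong for e.g. .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict=False):
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_alignment(raw_message, strict=False):
    """Evaluate DMARC alignment from From: and Authentication-Results."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    results = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]+@)?([^\s;]+)", results)
    dkims = re.findall(r"dkim=(\w+)[^;]*?header\.d=([^\s;]+)", results)
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(from_domain, spf.group(2), strict)
    dkim_ok = any(res == "pass" and aligned(from_domain, d, strict) for res, d in dkims)
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    print(dmarc_alignment(ESP_SIGNED))    # SPF and DKIM pass, neither aligns
    print(dmarc_alignment(BRAND_SIGNED))  # DKIM aligns in relaxed mode
```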

Pillar 2: Infrastructure (The "Is Your House in Order?" Test)

This part is a bit more technical, but it’s just as critical. It's about basic, professional sending hygiene.
  • Valid Forward and Reverse DNS: This is a classic mail server check. Your sending IP address must have a forward DNS record (a "hostname," like mail.yourdomain.com) that points to that IP, and a reverse DNS record (PTR) that points that IP back to the same hostname. It’s a way of proving your server isn't a random, hijacked computer on a home network.
  • Use a TLS Connection: Your emails must be sent over a secure, encrypted connection. Any modern Email Service Provider (ESP) does this by default, but if you're running your own mail servers, this is a must-check.
  • Format Messages Correctly (RFC 5322): This just means your email headers (the From:, To:, Subject:, etc.) follow the standard internet format. Again, any good ESP handles this, but it’s a reason rejections can happen.
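
For anyone running their own mail servers, the forward and reverse DNS requirement above can be checked as follows. This is an added example, not code from Suped or Google: fcrdns uses the system resolver by default, and the PTR and A tables are constructed records that let the check run offline.

```python
import ipaddress
import socket

def system_ptr(ip):
    # Reverse lookup through the system resolver.
    return [socket.gethostbyaddr(ip)[0]]

def system_addrs(host):
    # Forward lookup through the system resolver (A and AAAA).
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def fcrdns(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP."""
    ip = str(ipaddress.ip_address(ip))  # rejects malformed input, normalizes form
    try:
        names = ptr_lookup(ip)
    except OSError:
        return False, "no PTR record"
    for name in names:
        try:
            if ip in addr_lookup(name):
                return True, name.rstrip(".")
        except OSError:
            continue  # PTR points at a name with no forward record
    return False, "PTR name(s) do not resolve back to the IP: " + ", ".join(names)

# Constructed records (documentation address range, .example names).
PTR = {"192.0.2.25": ["mail.brand.example"],
       "192.0.2.99": ["host99.isp.example"]}
A = {"mail.brand.example": {"192.0.2.25"},
     "host99.isp.example": {"192.0.2.100"}}

def table_lookup(table):
    # Offline resolver over a dict, failing like the socket calls do.
    def lookup(key):
        if key not in table:
            raise OSError("no such record")
        return table[key]
    return lookup

if __name__ == "__main__":
    for addr in ("192.0.2.25", "192.0.2.99", "192.0.2.50"):
        print(addr, fcrdns(addr, table_lookup(PTR), table_lookup(A)))
```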

Pillar 3: User Experience (The "Do People Want Your Email?" Test)

This, to me, is the most important part for long-term success. Gmail is empowering users and holding you accountable for their reactions.
  • Keep Spam Rate Under 0.3%: This is the killer. Gmail doesn't want its users to complain about your mail. This spam rate is not based on how many of your emails land in the spam folder; it's based on how many users actively click the "Report Spam" button on your messages. If your rate creeps above 0.3%, you will face delivery problems and lose mitigation support. The only way to track this is to set up a free Google Postmaster Tools account. If you do nothing else today, do this.
  • One-Click Unsubscribe: For all marketing and promotional messages, you must include a clear, one-click unsubscribe link. This isn't just the link in the footer; it's also the List-Unsubscribe header that powers Gmail's "Unsubscribe" button at the top of the email.
  • Honor Unsubscribes within 48 Hours: When someone clicks that link, you have two days to remove them. Period. In practice, this should be instant. If your unsubscribe process is manual or runs on a weekly batch, you are no longer compliant.
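
The header side of one-click unsubscribe is defined in RFC 8058, and it can be checked on an outgoing message before it leaves your system. This is an added example, not code from Suped or Google; the messages, domains and DKIM values are constructed.

```python
import re
from email import message_from_string

# Constructed messages; the bh=/b= values are placeholders, not real signatures.
COMPLIANT = """\
DKIM-Signature: v=1; a=rsa-sha256; d=brand.example; s=s1;
 h=from:subject:list-unsubscribe:list-unsubscribe-post;
 bh=CONSTRUCTED; b=CONSTRUCTED
From: news@brand.example
Subject: November offers
List-Unsubscribe: <mailto:unsub@brand.example>, <https://brand.example/u/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

body
"""
MAILTO_ONLY = """\
DKIM-Signature: v=1; a=rsa-sha256; d=brand.example; s=s1; h=from:subject;
 bh=CONSTRUCTED; b=CONSTRUCTED
From: news@brand.example
Subject: November offers
List-Unsubscribe: <mailto:unsub@brand.example>

body
"""

def one_click_unsubscribe_issues(raw_message):
    """Return a list of problems; an empty list means the headers look compliant."""
    msg = message_from_string(raw_message)
    header = msg.get("List-Unsubscribe")
    if header is None:
        return ["missing List-Unsubscribe header"]
    issues = []
    uris = re.findall(r"<([^>]+)>", header)
    if not any(u.lower().startswith("https://") for u in uris):
        issues.append("no https:// URI in List-Unsubscribe (mailto alone is not one-click)")
    post = (msg.get("List-Unsubscribe-Post") or "").strip().lower()
    if post != "list-unsubscribe=one-click":
        issues.append("List-Unsubscribe-Post: List-Unsubscribe=One-Click is missing")
    # RFC 8058 expects both headers to be covered by a DKIM signature (h= tag).
    signed = set()
    for sig in msg.get_all("DKIM-Signature", []):
        tag = re.search(r"\bh=([^;]+)", sig)
        if tag:
            signed |= {h.strip().lower() for h in tag.group(1).split(":")}
    for name in ("list-unsubscribe", "list-unsubscribe-post"):
        if name not in signed:
            issues.append(name + " is not covered by a DKIM signature")
    return issues
```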

What You Need to Do Right Now

If you haven't completed this checklist, you are actively risking email rejection. The "it's only for bulk senders" excuse is gone. These are the new rules of the road.
  1. Check Your Records: Go to a site like MXToolbox and look up your domain. Do you have an SPF record? Do you have a DKIM record? Most importantly, do you have a DMARC record (even if it's p=none)?
  2. Sign Up for Google Postmaster Tools: You cannot manage what you cannot measure. You must know your spam complaint rate. This is the only way to see what Gmail sees.
  3. Test Your Unsubscribe Link: Go subscribe to your own newsletter. Click the unsubscribe link. Does it work in one click? Are you removed from the list immediately?
  4. Start Monitoring DMARC: That p=none record isn't just for show. It tells receivers to send you DMARC reports, which are XML files showing who is sending email from your domain and if it's passing authentication. These reports are unreadable on their own, which is exactly why DMARC monitoring platforms like Suped exist. We process those reports into a human-friendly dashboard so you can see if your marketing tool is failing DKIM or if a scammer is trying to spoof your domain.
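
To make step 4 concrete, here is what reading one of those XML aggregate reports involves. This is an added example, not Suped's code: the report is a constructed sample following the aggregate report layout in RFC 7489, with documentation IP ranges and .example domains.

```python
import xml.etree.ElementTree as ET

# Constructed sample report.
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_name>receiver.example</org_name></report_metadata>
 <policy_published><domain>brand.example</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>brand.example</header_from></identifiers>
  <auth_results><dkim><domain>brand.example</domain><result>pass</result></dkim>
   <spf><domain>esp-mailer.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>35</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>brand.example</header_from></identifiers>
  <auth_results><dkim><domain>esp-mailer.example</domain><result>pass</result></dkim>
   <spf><domain>esp-mailer.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.99</source_ip><count>4</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>brand.example</header_from></identifiers>
  <auth_results><spf><domain>unknown-host.example</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""

def summarize(report_xml):
    """Per record: source IP, message count, DMARC verdict, domains that authenticated."""
    # Reports are third-party input; a production parser should use a hardened
    # XML library (for example defusedxml) instead of the stdlib parser.
    root = ET.fromstring(report_xml)
    rows = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")  # alignment-aware results
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        auth = sorted({a.findtext("domain") for a in rec.find("auth_results")
                       if a.findtext("result") == "pass"})
        rows.append({"ip": rec.findtext("row/source_ip"),
                     "count": int(rec.findtext("row/count")),
                     "dmarc": "pass" if passed else "fail",
                     "authenticated_as": auth})
    return rows

def failing(report_xml):
    # Sources that would be affected once the policy moves past p=none.
    return [r for r in summarize(report_xml) if r["dmarc"] == "fail"]
```

In the sample, 198.51.100.7 authenticates only as esp-mailer.example, the pattern of a legitimate tool that has not been set up to sign as your domain, while 203.0.113.99 authenticates as nothing at all.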
This isn't a drill. Gmail has spent a year warning us, and now the enforcement is live. This is a good thing for the email ecosystem, but it means we all have to step up our game. Don't wait until your customers start missing invoices or your marketing emails fall into a black hole. The time to act is now.
For more details, you can always read Google's official (and very technical) guidelines right here: Google Email sender guidelines FAQ.