DMARC in 2026: Gmail/Yahoo Enforcement
Short answer. Since February 2024 Gmail and Yahoo require bulk senders (more than 5,000 emails per day) to set up SPF, DKIM and DMARC together. Without it, messages land in spam or get rejected. DMARC ties SPF and DKIM to the From-header domain and sets a policy for handling messages that fail authentication: p=none (monitoring), p=quarantine (to spam) or p=reject (reject). In 2026 the recommended goal is a gradual move to p=reject.
What Gmail and Yahoo require
The major mail providers' new requirements for bulk senders include three mandatory elements:
- SPF — declares which servers may send mail for your domain.
- DKIM — a cryptographic signature on messages confirming their integrity and origin.
- DMARC — a policy tying SPF/DKIM to the From domain and defining the action on failure.
One-click unsubscribe (List-Unsubscribe) and keeping the spam rate below a threshold are also required.
DMARC without SPF and DKIM is meaningless. First set up both authentication mechanisms, achieve their "alignment" with the From domain, and only then tighten the DMARC policy.
How alignment works
DMARC passes if SPF or DKIM not only validated but is also aligned by domain: the checked domain matches the domain in the visible From field. Alignment is what distinguishes DMARC from a plain SPF check — it defends against spoofing of your domain.
DMARC policies: the enforcement path
| Policy | Action | When to use |
|---|---|---|
| p=none | Do nothing, just collect reports | Start: audit your mail sources |
| p=quarantine | Place in spam | Once legitimate mail consistently passes |
| p=reject | Reject the message | Final goal: full domain protection |
Example DMARC DNS record
The record is published as a TXT entry at _dmarc.yourdomain. Start with monitoring and report collection:
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; fo=1; adkim=s; aspf=s"When reports confirm that legitimate mail passes, move to a strict policy:
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100; adkim=s; aspf=s"How to check records with dig
You can verify a published DMARC record with:
dig +short TXT _dmarc.example.com
# Also check SPF:
dig +short TXT example.com | grep spf1Step-by-step rollout plan
- Set up SPF: list all legitimate sending servers.
- Enable DKIM signing on your mail server and publish the public key.
- Publish DMARC with
p=noneand a reporting address (rua). - Analyze reports and identify all sources of your mail.
- Move the policy to
p=quarantine, then top=reject. - Set up monitoring to catch broken authentication early.
Common mistakes
Jumping straight to p=reject without monitoring — and legitimate mailings (CRM, billing, marketing) start getting rejected. Forgetting third-party sending services that aren't aligned with your domain. Not watching the expiry and correctness of DNS records — a single typo breaks all authentication.
FAQ
Who do the Gmail and Yahoo requirements apply to?
Primarily bulk senders — from 5,000 emails per day. But setting up SPF, DKIM and DMARC is worthwhile for any domain to protect against spoofing.
Which DMARC policy should I start with?
With p=none for monitoring. Collect reports, make sure legitimate mail passes, and only then tighten to quarantine and reject.
Does DMARC work without SPF and DKIM?
No. DMARC relies on SPF and DKIM results with domain alignment. Set up both first, then DMARC.
What is alignment in DMARC?
It's the match between the domain that passed SPF or DKIM and the domain in the visible From field. Without alignment, DMARC isn't considered passed.
Check your domain's SPF, DKIM and DMARC records with the diagnostic tools on enterno.io — the email header analyzer traces the message path and verifies authentication. The security scanner and the SSL checker are also useful for overall domain hygiene.