What is SPF and do I need it?

SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorised to send email for your domain. Without SPF, anyone can send email pretending to be you, and receiving servers are likely to mark your emails as spam. Every domain that sends email should have an SPF record.

DKIM (DomainKeys Identified Mail) adds a digital signature to every email you send. Receiving servers check this signature against a public key in your DNS to verify the email was not tampered with in transit. DKIM significantly improves deliverability and is required by Gmail and Yahoo for bulk senders.

What is DMARC and why does it matter?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy record in your DNS that tells receiving mail servers what to do when an email fails SPF or DKIM checks — either do nothing (none), quarantine to spam, or reject outright. Without DMARC, your domain is vulnerable to email spoofing and phishing attacks.

How do I check if my email deliverability is set up correctly?

Enter your domain into InboxShield and it will instantly check your SPF, DKIM, DMARC, BIMI, and MTA-STS records, flag any problems, and give you step-by-step instructions to fix them. The tool is free and requires no account.

BIMI (Brand Indicators for Message Identification) is a DNS record that displays your brand logo in the inbox of supporting email clients like Gmail and Apple Mail. It requires a valid DMARC policy and a verified logo file. BIMI increases brand recognition and email open rates.

← Blog·Compliance·March 1, 2026·6 min read

Gmail and Yahoo's 2024 Sender Requirements: Is Your Domain Compliant?

Q: Why are my emails going to spam?

Emails land in spam when your domain is missing or misconfigured email authentication records: SPF, DKIM, and DMARC. SPF tells receiving servers which IPs are allowed to send on your behalf, DKIM adds a cryptographic signature to prove authenticity, and DMARC tells servers what to do if either check fails. InboxShield checks all three instantly and shows you exactly what to fix.

In February 2024, Gmail and Yahoo began enforcing new rules for all email senders. If you send email from a custom domain — even just a few emails a day — these changes affect you, and ignoring them means your emails may already be failing silently.

What changed in February 2024?

Google and Yahoo announced these changes in October 2023, giving senders roughly four months to comply. Starting February 1, 2024, they began enforcing a set of requirements for anyone sending email to Gmail or Yahoo Mail addresses.

The stated goal was to reduce spam, phishing, and email-based scams. The practical effect was that many legitimate businesses — particularly small ones that had never configured email authentication — started seeing their emails fail delivery or land in spam.

Who does this affect?

Google describes two categories of senders: bulk senders (those sending 5,000 or more emails per day to Gmail addresses) and all other senders. Bulk senders face the strictest requirements, but the guidelines apply in some form to everyone.

If you send email from a custom domain — you@yourcompany.com rather than a free Gmail or Yahoo address — these requirements apply to you.

The three core requirements

1. Email authentication must be set up

All senders must have valid SPF or DKIM records. Bulk senders must have both. And since May 2024, a DMARC record is required for bulk senders sending to Gmail.

In practice, Google recommends all senders have SPF, DKIM, and DMARC configured — even if you're not a bulk sender — because the bar for "bulk" can be reached more easily than you'd think, and having proper authentication is simply table stakes for modern email.

2. The spam complaint rate must stay below 0.3%

Google uses feedback loop data from Gmail users. When someone clicks "Report spam" on your email, that's recorded against your domain. If your complaint rate rises above 0.10%, Google will start routing your mail to spam. Above 0.30%, delivery may stop entirely.

You can monitor your spam complaint rate using Google Postmaster Tools — a free tool that shows your domain reputation and spam rate. If you're not already using it, set it up now.

3. Bulk senders must support one-click unsubscribe

If you send marketing or newsletter emails to 5,000+ Gmail addresses per day, your emails must include a one-click unsubscribe mechanism — specifically, the List-Unsubscribe and List-Unsubscribe-Post headers. Gmail surfaces this as a visible "Unsubscribe" link next to your sender name in the inbox.

Most modern email marketing platforms (Mailchimp, Klaviyo, HubSpot, etc.) handle this automatically. If you're sending bulk email through a custom solution or a less common provider, check that these headers are being set.

What Yahoo requires

Yahoo's requirements closely mirror Google's:

SPF and DKIM must be set up for the sending domain
DMARC policy must be present (even p=none counts)
Valid forward and reverse DNS records for sending IPs
Low spam complaint rate (monitored via Yahoo's Complaint Feedback Loop)
One-click unsubscribe for bulk senders

The compliance checklist

Use this checklist to verify your domain meets the requirements:

SPF record exists and is configured with the right mail servers
DKIM is enabled in your email provider's admin panel with a valid DNS record
DMARC record exists (at minimum p=none with an rua= address)
Your domain has been verified in Google Postmaster Tools
Spam complaint rate is below 0.10% in Google Postmaster Tools
Marketing emails include one-click unsubscribe headers (if sending in bulk)

What happens if you ignore this?

If you're a bulk sender and not compliant, Google and Yahoo will temporarily reject your emails with a 5xx error. These errors show up as bounces and are visible in your email service provider's delivery reports.

For lower-volume senders, the consequences are less dramatic but still real: higher spam placement rates, lower open rates, and gradually eroding sender reputation.

The frustrating part is that these failures are often invisible. Your email client shows "Sent." The bounce may go to a no-reply address you don't monitor. The recipient never tells you they didn't receive your email. Weeks can pass before you realise there's a problem.

How to check your status right now

The fastest way to know whether your domain is compliant is to run a live DNS audit. InboxShield Mini checks your SPF, DKIM, DMARC, BIMI, and MTA-STS records in under 30 seconds — no account required — and tells you exactly which records are missing or misconfigured and what to do about it.

Find out if you're compliant

Enter your domain and get a compliance check in 30 seconds. The free scan shows which records pass and which need fixing. The full report gives you the exact DNS values to add.

Check my domain — free