How to Setup DMARC to Meet Google’s New Requirements for Bulk Senders?

Google and Yahoo have unveiled a new email authentication policy that will be effective from February 1, 2024 . So, if you send **over 5,000 emails daily and haven’t aligned your email settings as per the new requirements, this guide is for you.

DMARC (RFC 7489) ties SPF and DKIM together by requiring alignment between the envelope sender and the visible From header. According to Google’s February 2024 bulk sender requirements, a DMARC policy of at least p=none is now mandatory for any domain sending 5,000+ messages per day to Gmail users.

Google’s February 2024 requirements were a turning point, says Brad Slavin, General Manager of DuoCircle. Before that, DMARC was a recommendation. Now it’s a gate - if your DMARC record is missing or set to p=none without a plan to enforce, your email deliverability to Gmail is at risk.

What are the New Requirements?

Bulk senders who dispatch more than 5,000 emails per day to Gmail users are subjected to authenticate their email-sending domains through SPF, DKIM, DMARC, and rDNS. Moreover, the **spam rate should be below 0.3% , and an **easy way to unsubscribe should exist. This practice would make users compliant with Google’s new policy and establish them as trusted senders with improved email deliverability and good domain reputation.

As of 2025, DMARC is mandatory under multiple compliance frameworks. CISA BOD 18-01 requires p=reject for US federal domains. PCI DSS v4.0 mandates DMARC for organizations processing payment card data as of March 2025. Google and Yahoo require DMARC for bulk senders (5,000+ messages/day) since February 2024, and Microsoft began rejecting non-compliant email in May 2025. The UK NCSC, Australia’s ASD, and Canada’s CCCS all mandate DMARC for government domains. Cyber insurers increasingly require DMARC enforcement as an underwriting condition.

This means that most of the emails will land in the primary inboxes, which would minimize the occurrences of false positives and increase the open and click-through rates.

How to Prepare for the New Requirements?

You can get in touch with experts or DIY the steps mentioned below-

STEP 1: Setup Email Authentication Protocols

To deploy DMARC for a domain that sends more than 5,000 emails daily, you first need to have SPF and DKIM in place.

To begin with SPF, create a **list of IP addresses that are authorized to send emails on behalf of your business and using your domain. Then, use an online SPF record generator to produce an SPF record; ensure that it begins with v=spf1 and ends with either ~all or -all mechanism. The ~all mechanism represents a softfail, which means receiving MTAs are instructed to place emails sent by unauthorized IP addresses in spam folders. The -all mechanism commands recipients’ MTAs to **reject the entry of illegitimate messages outrightly.

Next, generate DKIM keys using an **online DKIM record generator and publish the private key in your domain’s DNS. Then, finally, create DMARC record with a ‘quarantine’ or ‘reject’ policy. You can also implement the ‘none’ policy, but that is not at all effective against spoofing and phishing attacks.

Note: Bulk senders must ensure the domain in the “From” field in email account settings matches the domain authenticated in SPF or DKIM.

STEP 2: Maintain a Spam Complaint Rate of Lower than 0.3%

A spam complaint is registered when a recipient intentionally marks your email as spam._ The email spam rate refers to the percentage or proportion of unwanted, unsolicited, or irrelevant emails within a given set of emails._ It measures the **prevalence of spam messages compared to legitimate, desired emails in an email system or network.

A Domain owner needs to establish the following practices within their organization to maintain a spam complaint rate below 0.3%:

• Clean and update email lists by removing inactive or unsubscribed users.

• Craft **clear and relevant content to engage the audience while avoiding excessive use of capital letters, exclamation marks, or trigger words.

• Regularly monitor **email deliverability metrics like open and click-through rates to identify and address potential issues promptly.

• Implement a double opt-in process to confirm subscribers’ intentions and preferences, reducing the chances of unintentional sign-ups.

STEP 3: Don’t Impersonate Gmail Address in the ‘From’ Field

Specifically, refrain from setting a **Gmail address as the “From” address if it doesn’t belong to you. For instance, if you’re sending emails from a Yahoo account, then don’t display a Gmail address in the “From” field visible to recipients. Doing so could result in your emails being flagged as spam. Google takes a **strict stance on this, and starting in February, it will block senders engaging in such practices. So, **always use your business email address and ensure it matches the one set in your email account settings as the “From” address. This straightforward approach aligns with Google’s guidelines and enhances the chances of your emails reaching their intended recipients without being flagged as spam.

STEP 4: Make it Easy to Unsubscribe

Include a visible and **easy-to-use unsubscribe link in every email to respect users’ preferences promptly. If users find it challenging to unsubscribe, they may mark your emails as spam, which can negatively impact your email deliverability and sender reputation.

Summarizing Everything For You!

Google and Yahoo will implement a new email authentication policy starting February 1, 2024. This affects bulk senders dispatching over 5,000 daily emails to Gmail users. To comply, you must authenticate domains through SPF, DKIM, DMARC, and rDNS, maintain a spam rate below 0.3%, and ensure an easy unsubscribe option. Prepare by setting up email authentication protocols, maintaining a low spam complaint rate, avoiding Gmail impersonation in the ‘From’ field, and ensuring easy unsubscribes. Following these steps aligns with Google’s guidelines, minimizing false positives, enhancing open and click-through rates, and increasing overall email effectiveness.

Sources

• CISA Binding Operational Directive 18-01
• Microsoft Outlook DMARC Enforcement May 2025 (2025)
• PCI DSS v4.0 - DMARC Requirement (2025)
• RFC 7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC)