DMARC to be required at Gmail in 2024

If you dig into the newly published upcoming sender requirements from Google, you'll unearth three points that relate to DMARC. These are important enough that I wanted to highlight them specifically.

First, note that Gmail is moving to a "p=quarantine" policy for That means it is no longer safe to send mail as (anything) except when doing so via Gmail's infrastructure. This new policy update is Google telling the world to spam filter mail that says it's from a email address, but doesn't pass email authentication tests. This is a big deal. Gmail, Yahoo, and many other mailbox providers are going to filter unauthenticated messages much more harshly as a result.

My memory's a little fuzzy, but I remember a freemium SMB-focused ESP that had a free "newsletter service" that I think they've long since shut down. The platform let you send as yourself, so they served up an awful lot of mail with (somebody) as the from address, because Gmail is quite a popular home for email accounts. Even back then, sending "as" Gmail wasn't really a forward-looking best practice, and people asked me how XYZ platform could "get away with it." My theory at the time was that it was a combination of Google not publishing a DMARC policy for, plus, I rather suspected that Gmail was special casing that mail to help prevent deliverability issues. I never confirmed this, but there was a little bit of resentful questioning focused on "why can't I do it like they do?" Anyway, the point of my long and rambling story is that it is now clear that you can't do that any more. This was possibly the last loophole allowing you to theoretically, successfully, send mail using your freemail/webmail from address. This is the absolute end of that.

Next, Google is saying that if you send significant amounts of mail to Gmail subscribers, you'll need to implement a DMARC policy yourself. Right now, a policy of "p=none" is good enough. Don't expect that to be the case forever. It's time to learn about DMARC, publish your first DMARC policy, and set up monitoring so that you can start to see what DMARC reports tell you (usually best interpreted via a DMARC service dashbaord). This is going to be easy to get started, but it's going to get more complicated over time, so be prepared.

And finally, DMARC "alignment" is going to be necessary. Meaning you've got to sign the mail with DKIM for the domain used in the from address, or your return-path (SPF) header needs to be a domain that authenticates the send via SPF and matches the domain in your from address. If you implement DKIM properly, you're likely to be all set. But you'll need to test and make sure. And don't assume that your email sending platform (ESP or CRM) is going to magically take care of it for you. They'll often add a "third party" DKIM signature for all mail from their platform, or a specific return-path domain with an SPF record specific to their platform, but neither of these will pass DMARC alignment requirements.

Learn more about these DMARC-related Gmail requirements here.



  1. Re: "usually best interpreted via a DMARC service dashbaord" (sp) - can you recommend a good dashboard service, preferably free?


Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.