2025 MAGY Sender Compliance Guide


Here it is, the 2025 Spam Resource MAGY (Microsoft, Apple, Google, Yahoo) Bulk Sender Compliance Guide. This contains almost everything you need to know (I think? I hope?) about how to comply with modern email bulk sender requirements as mandated by the largest consumer mailbox providers. If you want to know how to maximize deliverability and inbox placement for your email newsletters and/or email marketing, then this is the guide for you.

Read on to learn more, but know that it boils down to a handful of things that were previously best practice recommendations for deliverability excellence, which are now requirements that these mailbox providers say senders must implement. Senders that don’t implement these requirements risk being blocked and unable to get their mail delivered to the inbox.

This guide breaks down the requirements defined by the top four consumer mailbox providers, aka MAGY – Microsoft (Outlook.com), Apple (iCloud), Google (Gmail), and Yahoo (Yahoo Mail, AOL, and others).

Go Straight to the Source

Don't just take my word for it! Each of these mailbox providers has published documentation laying out the specific requirements for email senders wishing to deliver mail successfully to their users.

Here’s where you can go to find that information directly from each:
Below you'll find my overview and recommendations: what you need to do to ensure compliance with the latest sender requirements.

Domain and Email Authentication Requirements

Send as yourself (only): Don't send mail as a domain you don't own. Go buy a domain name, if you don't already have one. The days of sending newsletter emails with a Gmail from address are over, unfortunately. This was a common configuration in the past, but the rise of email authentication, and DMARC domain protection, have fully eliminated this ability.

Some providers will rewrite your from address as needed, if you use a domain that is not compliant with these requirements. While that helps you out in a pinch, it isn’t great for long term deliverability success. You want mailbox providers to recognize you as YOU, not as a part of a large blob of clients from sending platform XYZ.

DKIM Required: You MUST configure DomainKeys Identified Mail (DKIM) email authentication for your domain when sending from an ESP, email marketing or newsletter platform. The defaults -- which sometimes include default DKIM authentication -- are not good enough. The mailbox providers are saying that "alignment" is required, meaning that an authenticated domain (DKIM or SPF domain) must match your from domain. Mailbox provider defaults don't comply and if you don't fully authenticate your sending domain, you're going to have deliverability trouble.
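
To see what "alignment" means in practice, the following added example (not code from the original guide or from any mailbox provider) reads the Authentication-Results header that a receiving server stamps on a delivered message and checks whether a passing DKIM or SPF domain matches the From domain. The domains brand.example and esp.example are constructed, and the two-label organizational-domain shortcut is an assumption; real DMARC evaluation uses the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real mail). "esp.example" stands in for a
# sending platform's default signing domain; "brand.example" is the sender.
DEFAULT_SIGNED = """\
From: News <news@brand.example>
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=esp.example header.s=s1;
 spf=pass smtp.mailfrom=bounce.esp.example

body
"""
# Same message after the sender sets up DKIM for their own domain.
CUSTOM_SIGNED = DEFAULT_SIGNED.replace("header.d=esp.example",
                                       "header.d=mail.brand.example")

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain.
    # This is wrong for suffixes such as co.uk; use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def alignment(raw):
    """Return the From domain and whether a passing DKIM/SPF domain aligns."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Only trust Authentication-Results added by your own receiving server.
    results = " ".join(msg.get_all("Authentication-Results", []))
    results = re.sub(r"\s+", " ", results)  # unfold continuation lines
    dkim = re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results)
    spf = re.findall(
        r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", results)
    target = org_domain(from_dom)
    return {
        "from": from_dom,
        "dkim_aligned": any(org_domain(d) == target for d in dkim),
        "spf_aligned": any(org_domain(d) == target for d in spf),
    }

def dmarc_pass(raw):
    # DMARC needs at least one passing mechanism whose domain aligns.
    r = alignment(raw)
    return r["dkim_aligned"] or r["spf_aligned"]

if __name__ == "__main__":
    for name, raw in (("default", DEFAULT_SIGNED), ("custom", CUSTOM_SIGNED)):
        print(name, alignment(raw), "DMARC pass:", dmarc_pass(raw))
```

In the first message both DKIM and SPF pass, yet neither domain matches the From domain, which is why platform-default authentication does not satisfy the requirement.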

You also need to implement DKIM email authentication for every platform you send mail from, including Google Workspace, GoDaddy, Microsoft 365 or anywhere else you may be hosting your individual user mailboxes.

DKIM email authentication helps make it easier for mailbox providers like Gmail and Yahoo to know that mail you send is legitimately authorized by you. Making it easier to identify your good mail makes it easier for them to identify (and block) bad mail and protect from threats from bad guys.

Follow those instructions for any and all platforms you use. Meaning, if you send business email (one-to-one) from Microsoft O365, and you use Constant Contact to send newsletters, set up DKIM for both.

Here are some helpful DKIM configuration links:
SPF Required: Implement Sender Policy Framework (SPF) authentication for your corporate/business/domain mail (Google Workspace or Microsoft 365). If your domain is not new, and you previously purchased an email service or help with setup (GoDaddy, Microsoft 365, Google Workspace), SPF may already be configured for your domain (check here). Don’t worry about SPF for your ESP or newsletter mail, unless your email sending platform explicitly says otherwise. Even then, you might want to ask their support team for guidance.

Here's how to configure SPF for your domain, when you host your mailboxes at either of the top two providers:
DMARC Required: All four of these mailbox providers (Microsoft, Apple, Yahoo and Google) mandate that you publish a DMARC record for your domain.

DMARC is an email authentication protocol that lets you monitor your domain for phishing and spoofing, and protect against them, by giving you the ability to tell mailbox providers (like MAGY) to reject mail if it supposedly comes from your domain but does not pass email authentication checks.

DMARC is security-oriented, but the MAGY providers (and others) mandate it because making sure that your mail is fully authenticated and protected helps them better tell good mail apart from bad mail. The providers allow for a minimum DMARC policy of p=none, but this doesn’t fully protect your email domain against phishing and spoofing. Consider signing up for a DMARC service, so that you can better understand what DMARC is and how it can help you protect domains by moving to a p=quarantine or p=reject policy in the future.

To learn more about DMARC policies and getting started with DMARC, read my article DMARC, the quick and dirty way (and read the postscript update there as well).

Permission and List Management Requirements

Send wanted mail. The goal is to keep spam complaint rates very low. Google’s asking you to keep spam complaint rates under .1% and warning that regularly exceeding .3% could lead to your email being rejected. Microsoft specifically instructs you to use accurate subject lines, avoid deceptive headers, and ensure that recipients have consented to receive your email messages. 

Don’t buy lists or get email addresses from third parties. Purchased lists or third party lists will have higher complaint rates, which put you at risk of running afoul of the new “keep spam complaints low” requirements mentioned above. Beyond that, engagement – the amount of interactions your email will receive from subscribers – will be below average. Gmail and Yahoo (and others) will notice this. This will make it more likely for your mail to go to the spam folder, not the inbox. And avoid cold leads.

Make it easy to unsubscribe. Obvious, clear link, nothing silly like using a white-on-white unsubscribe link. If you’ve read Yahoo and Google’s requirements, they talk about "RFC 8058" and "one click unsubscribe" or "list unsubscribe" handling. Ignore it. You don’t implement this – your email sending platform does. It is configured in hidden email headers by your ESP/newsletter sending platform. This has nothing to do with the body of your email messages -- not those links, and not the usual profile or subscription center that you might be linking to in those messages.
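
To confirm that your sending platform is adding those hidden headers, you can inspect the raw source of a message it delivered. The following is an added example, not code from the original guide or from any platform: it checks the three things RFC 8058 asks for (an HTTPS URI in List-Unsubscribe, the List-Unsubscribe-Post header, and a DKIM signature that covers both). The sample message, brand.example and the signature values are constructed.

```python
import re
from email import message_from_string

# Constructed sample message; bh= and b= values are placeholders.
SAMPLE = """\
From: News <news@brand.example>
List-Unsubscribe: <mailto:unsub@brand.example>, <https://brand.example/u/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=brand.example; s=s1;
 h=from:subject:list-unsubscribe:list-unsubscribe-post;
 bh=CONSTRUCTED; b=CONSTRUCTED

Hello
"""
# Same message with the POST header stripped, as a failing case.
BROKEN = SAMPLE.replace("List-Unsubscribe-Post: List-Unsubscribe=One-Click\n", "")

def signed_headers(msg):
    """Collect header names listed in the h= tag of every DKIM-Signature."""
    names = set()
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in sig.split(";"):
            key, _, value = tag.partition("=")
            if key.strip().lower() == "h":
                names |= {h.strip().lower() for h in value.split(":")}
    return names

def one_click_status(raw):
    msg = message_from_string(raw)
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    status = {
        # RFC 8058 requires an HTTPS URI; mailto alone is not one-click.
        "https_uri": any(u.lower().startswith("https://") for u in uris),
        "post_header": post == "list-unsubscribe=one-click",
        # Both headers must be covered by a DKIM signature's h= list.
        "dkim_covers": {"list-unsubscribe", "list-unsubscribe-post"}
                       <= signed_headers(msg),
    }
    status["compliant"] = all(status.values())
    return status

if __name__ == "__main__":
    print("sample:", one_click_status(SAMPLE))
    print("broken:", one_click_status(BROKEN))
```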

Process bounces properly. This will affect you everywhere, but Microsoft specifically warns that senders must process bounces and suppress invalid addresses. This means, after you receive a "user unknown," "mailbox full," or other rejection in response to an email campaign, you can't just keep attempting to send more mail to it in the future, forever. There's often some strategy around when to suppress or retire bouncing addresses, but at the end of the day, somebody who continues to attempt mail to addresses that don't accept mail will have a very strong chance of being labeled as a bad sender (and blocked) eventually.

How to Test and Monitor

Testing and monitoring for compliance can be tricky and confusing. No methodology will be perfect, but here’s where you should start.

Google Postmaster Tools. Sign up for GPT, a domain reputation portal, where Google provides you feedback based on what they’re able to tell from your email sends to Gmail users. This is going to be a very important tool to identify your domain’s sending reputation. While the data is specific only to Gmail, if you employ best practices across the board, what works at Gmail is likely to work elsewhere. Thus, use Gmail as your north star to guide your sending practices across the board.

Google has been adding updated compliance measures to GPT throughout 2024 and 2025, and they continue to improve these features over time. Some bits are something of a work in progress and may occasionally be buggy – keep that in mind, but even with occasional limitations, GPT is extremely useful to email senders.

Aboutmy.Email: Familiarize yourself with this free testing tool for email senders created by Steve Atkins of Word to the Wise. The testing process starts by having you send an email to a unique address, and then their system generates a report for you showing results for a number of very useful tests, including compliance with these requirements.

SNDS: Microsoft has a reputation portal called Smart Network Data Services (SNDS), but I only recommend signing up for this if you are a dedicated IP address sender. As of this writing, its focus is on IP reputation, and it does not provide any domain-related feedback, nor any feedback related to compliance with these requirements. In my days as director of deliverability for a large email marketing platform, I found SNDS very useful for dedicated IP senders, so YMMV, depending on how much mail you send and what kind of platform you utilize to send that mail.

Other Frequently Asked Questions

What is the actual timeline for enforcement? In April 2025, Microsoft announced that enforcement begins on May 5, 2025, and that they’ll initially route mail from non-compliant senders to the Junk (spam) folder. They suggest that they’re likely to block non-compliant mail in the future.

Google and Yahoo announced their requirements back in October 2023, and implemented compliance measures starting at various points in 2024.

It is safe to say that compliance is actively taking place today (across all of MAGY, if you read this after May 5, 2025).

I only send 100 emails a day, do I have to comply? Microsoft and Google define a bulk sender as an email sender who sends 5,000 or more email messages to a given mailbox provider in a day. Yahoo mentions bulk sender as well, but does not specify a specific threshold. Apple does not mention any sort of volume distinction. To comply as broadly as possible and to maximize inbox reach, if you send any significant amount of mail, consider yourself a bulk sender and comply with these requirements. TL;DR? Yes, comply.

What about TLS? Google did mention TLS as a sender requirement, yes? TLS refers to “Transport Layer Security” which helps ensure that emails are transmitted over the internet – handed off between mail servers – using encrypted connections between those servers. This is stuff that your email platform handles. You don’t have to put any special code in your email message to ensure TLS compliance. Gmail has effectively required TLS for years.

What about subdomains? If I wanted to send mail as newsletter@email.spamresource.com, that would be me setting up a subdomain called “email.” It is indeed possible to configure DKIM and DMARC for subdomains (though it isn’t strictly necessary for DMARC – you can set that at the top level (main level) of your domain and that covers subdomains). All doable, but outside of scope for this FAQ. Click here to learn more about subdomains in email.

What about other mailbox providers? It's not just about MAGY! Many other mailbox providers have similar requirements and as I have said many times before, these new written requirements are simply a codified version of well known best practices for email sending going back for a number of years. Meet this mandate across the board and you’ll be in good shape for deliverability success.

I implemented DKIM and DMARC but I’m still going to the spam folder. What gives? Keep in mind that you can have all the technical bits right but still, your mail lands in the spam folder. Why? Bad sending reputation. Unwanted mail. Low engagement. Too many complaints. DMARC does not prevent spam folder delivery. DKIM does not prevent spam folder delivery. Consult your friendly neighborhood deliverability consultant for further assistance.

Can I have multiple DMARC or SPF records for the top level of my domain? No. Sometimes people get confused when it comes to configuring DMARC or SPF and accidentally implement it twice, usually based on conflicting guidance. Read here for more guidance on why double DMARC records don’t work. Same goes with SPF – you should only see one SPF record when performing an SPF record lookup for your domain name.
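
The duplicate-record problem, and the p=none caveat from the DMARC section earlier, can both be caught by auditing the TXT records you get back from a DNS lookup. The following is an added example, not code from the original guide: it takes the TXT strings found at the domain and at _dmarc.<domain> and flags missing or doubled SPF and DMARC records and a monitoring-only policy. The record sets and the finding labels are constructed for illustration.

```python
import re

# Constructed TXT record sets: (TXT at the domain, TXT at _dmarc.<domain>).
SINGLE = (["v=spf1 include:_spf.mailhost.example ~all",
           "site-verification=constructed"],
          ["v=DMARC1; p=none; rua=mailto:dmarc@brand.example"])
DOUBLED = (["v=spf1 include:_spf.mailhost.example ~all",
            "v=spf1 include:spf.esp.example -all"],
           ["v=DMARC1; p=none", "v=DMARC1; p=reject"])

def dmarc_tags(record):
    """Split 'k=v; k=v' into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(apex_txt, dmarc_txt):
    # An SPF record is a TXT string whose first term is exactly "v=spf1".
    spf = [t for t in apex_txt if t.lower().split()[:1] == ["v=spf1"]]
    # A DMARC record must begin with the v=DMARC1 tag.
    dmarc = [t for t in dmarc_txt if re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", t)]
    findings, policy = [], None
    if not spf:
        findings.append("spf-missing")
    elif len(spf) > 1:
        findings.append("spf-multiple")    # receivers treat this as an error
    if not dmarc:
        findings.append("dmarc-missing")
    elif len(dmarc) > 1:
        findings.append("dmarc-multiple")  # receivers apply no policy at all
    else:
        policy = dmarc_tags(dmarc[0]).get("p", "").lower() or None
        if policy == "none":
            findings.append("dmarc-p-none")  # monitoring only, no protection
    return {"spf_count": len(spf), "dmarc_count": len(dmarc),
            "policy": policy, "findings": findings}

if __name__ == "__main__":
    print("single :", audit(*SINGLE))
    print("doubled:", audit(*DOUBLED))
```

Note that in the doubled case no policy is reported even though one of the two records says p=reject: with two DMARC records published, neither one takes effect.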

What about multiple DKIM records? You can configure DKIM for multiple providers (sending platforms), so yes, you can and should implement the multiple DKIM records necessary to support those providers. Some providers (ESP/newsletter platforms) will even ask you to implement two or three DKIM DNS records, for reasons of flexibility and security. Do as they recommend. For some of my domains, I have DKIM DNS records in place for Constant Contact, AWeber, Mailchimp AND Google Workspace (Gmail). This does not pose any issues other than showing me a long list of DNS records when I look up my domain settings.

Does DKIM email authentication really matter? Yes, even before all of the scrambling to help senders toward compliance with this as a requirement, it was already a best practice. I have long said that configuring DKIM authentication is that "one weird trick" most likely to help a newsletter or marketing sender (large or small) improve their chances of getting mail delivered to the inbox. There are caveats and complications, but I still stand by that statement.

I need more setup help for a specific email platform! Look here for a directory of email service provider platforms and Yahoo/Google compliance guidance and setup instructions for each. Most of these were published before Microsoft “joined the party,” but since the guidance from all four providers is very similar, these guides remain a good place to start.

I've got more questions. Well, you could always drop me a line, but before you do that, be sure to read the FAQ included in the Microsoft announcement, and see Google's FAQ on the topic of email sender compliance, too.

Comments

  1. Hi Al, This was a fantastic read! Thank you for sharing your expertise. Your articles have been really helpful (guiding) in implementing / testing our email campaigns.
