
Learnings and Exciting News on Sender Requirements: Microsoft Joins the Initiative

At the CSA Email Summit in April, Yahoo shared their early experiences with the new sender requirements implementation, introduced last year in collaboration with Google. Both Yahoo and Google have since provided additional insights, highlighting why these requirements are crucial—not just to fulfill a requirement, but for protecting domains, brands and, ultimately, subscribers.

Key takeaways – Progress observed

While progress has been made in adoption, there is still room for improvement. It looks like many senders still don’t fully understand the reasons behind these requirements. These measures are intended to protect, not penalise. Proper email authentication—using SPF, DKIM, and DMARC—is fundamental for maintaining email integrity and ensuring that messages come from legitimate sources. Mailbox providers always prioritise user protection by aiming for clean inboxes and delivering messages from legitimate senders.

The reasons behind the new sender requirements

The primary objective of these new requirements is to shield both senders and recipients from threats and malicious activities. Senders should be more concerned about domain hijacking and its potential impact on their business and user trust than about emails being filtered or rejected. Recovering from a domain hijacking incident is far more challenging than dealing with filtered emails, and it can severely damage a company’s reputation.

Understanding DMARC and choosing the right enforcement policy

One area of confusion involves DMARC’s varying levels of protection through the policies. While a “p=none” policy meets the minimum requirement, it offers only very limited protection. This policy merely monitors email traffic without directing mailbox providers on how to handle unauthorised use of the domain. For effective protection, senders must implement “p=quarantine” or “p=reject” policies, which provide stronger safeguards with clear targeted instructions: “deliver into the spam folder” or “reject” the emails.
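The difference between monitoring and enforcement can be checked directly from a domain's published record. The following is an added example, not code from the original post: it grades DMARC TXT records by the policy levels described above and, going slightly beyond the text, also flags the RFC 7489 `sp` and `pct` tags when they weaken an enforcing policy. All sample records and domains are constructed.

```python
# Added example: grade DMARC TXT records by enforcement level.
# Tag names (v, p, sp, pct) are from RFC 7489; all records are constructed.
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return a tag->value dict, or None if txt is not a DMARC record."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    # v=DMARC1 must be the first tag, otherwise receivers ignore the record.
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for pair in pairs:
        name, sep, value = pair.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def assess(txt):
    """Return (level, findings) for one TXT record from _dmarc.<domain>."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc", ["no valid DMARC record published"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor-only", ["p=none: failures are reported, not acted on"]
    if policy not in ENFORCING:
        return "invalid", [f"missing or unknown p= value: {policy!r}"]
    findings = []
    sp = tags.get("sp", policy).lower()  # sp defaults to the value of p
    if sp not in ENFORCING:
        findings.append(f"sp={sp}: subdomains are left unenforced")
    pct = tags.get("pct", "100")         # pct defaults to 100
    if not pct.isdigit() or int(pct) > 100:
        findings.append(f"pct={pct}: not a valid percentage")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    return ("partially-enforced" if findings else "enforced"), findings

SAMPLES = {  # constructed records, as they would appear at _dmarc.<domain>
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=quarantine; pct=25",
    "example.org": "v=DMARC1; p=reject; sp=none",
    "example.edu": "v=DMARC1; p=reject",
    "example.invalid": "v=spf1 -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        level, findings = assess(record)
        print(f"{domain:16} {level:18} {'; '.join(findings) or 'ok'}")
```
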

Challenges faced by small senders

Small businesses often face difficulties with email authentication due to limited resources and expertise, as well as simply having other priorities. There is a significant overall lack of education about the fundamental role of email authentication, particularly regarding the importance of DMARC enforcement, irrespective of the business size. Securing communication channels and protecting domain and brand reputation through proper email authentication are crucial for effective email marketing. In navigating these requirements, Email Service Providers (ESPs) can, and need to, support small businesses in particular.

For more on DMARC and its implementation challenges, check out this blog post.

No excuse for larger enterprises and a joint effort

Larger enterprises should already have moved to at least “p=quarantine” or, preferably, “p=reject” policies. The risk of domain abuse is significant and affects sender reputation and many users. Yahoo and Google’s systems are designed to detect and protect against such abuse, but senders must also take proactive measures. Addressing domain abuse and email threats requires a collaborative effort from all stakeholders, not just mailbox providers.

Industry movement: Microsoft joins the initiative

Recently, Microsoft announced its intention to join Yahoo and Google in this initiative, highlighting the importance of these changes. Although specific details about Microsoft’s requirements and timeline are still forthcoming, their involvement highlights the industry’s shared recognition of the urgent need for improved protection measures. It’s likely that more organisations will join this effort in the future.

The path forward and the risk of staying behind

Mailbox providers are currently allowing a grace period by demanding a DMARC “p=none” policy, focusing on education rather than enforcement. However, stricter requirements are very likely to follow. The transition is not a matter of “if” but “when”. Senders should act now by adopting DMARC with “p=quarantine” or “p=reject” policies to stay ahead of potential threats. Domains with only a “p=none” policy are more vulnerable and could become prime targets for malicious attacks as more senders adopt stricter policies.

Conclusion

Now is the time to take action!

Insights from Yahoo, Google and Microsoft deliver a clear message: the new sender requirements are designed to enhance protection across the ecosystem and stricter requirements are very likely to come sooner or later. By better understanding and correctly implementing email authentication including DMARC, senders can establish a solid foundation to be seen as legitimate senders, thereby optimising reputation and deliverability. It is never too early to take a step further and protect domains with DMARC policies like “p=quarantine” or “p=reject” — for the benefit of all involved.

