What’s next after Gmail/Yahoo’s policy updates?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Gmail and Yahoo's 2024 policy updates were a turning point, not a finish line. The real question isn't "what did they require?" but "what comes next, and are you ready for it?" The short answer is that the standards will keep moving, and the gap between prepared senders and unprepared ones will keep widening.
Here's where things are heading, and what you should actually do about it.
DMARC enforcement will get stricter. Right now, many senders scraped by with a DMARC policy of p=none, which monitors but doesn't block anything. That was the floor for 2024. The direction of travel is toward p=quarantine and then p=reject, which actually stop unauthenticated mail. If you're still sitting at p=none, you're living on borrowed time. Move to quarantine, watch your DMARC reports for a few weeks, then tighten to reject when you're confident nothing legitimate is failing.
BIMI is becoming a real signal, not just a nice-to-have. BIMI (Brand Indicators for Message Identification) lets your verified logo appear in the inbox next to your sender name. It requires DMARC at enforcement level to work, which is another reason to tighten your DMARC policy now. As more senders adopt it, inboxes that show logos will start feeling "off" when they don't. It's a trust signal recipients will start expecting.
More providers will align with these standards. Outlook and Microsoft 365 have their own enforcement direction, and Apple, Fastmail, and regional providers tend to follow when major inboxes prove a standard is workable. Designing your authentication stack around Gmail and Yahoo Mail's current requirements is a reasonable proxy for where the rest of the industry is headed.
Sender certification programs may fill gaps. Some providers are exploring formal certification paths where senders can demonstrate compliance and earn better inbox treatment in return. Nothing is standardized yet, but keeping your SPF, DKIM, and DMARC clean now puts you in a strong position if that changes.
Here's your priority order right now:
- Make sure SPF and DKIM are correctly configured and aligned with your sending domain (not just your ESP's defaults).
- Move your DMARC policy off
p=nonetowardp=quarantineorp=reject. - Make sure your one-click unsubscribe is working correctly and your complaint rate sits well below 0.1%.
- Consider BIMI once you're at DMARC enforcement. It's not urgent, but it's a natural next step once the foundation is solid.
The senders who treat these updates as a checklist to pass once will keep scrambling every time the rules shift. The ones who build the underlying habits, clean lists, proper authentication, low complaint rates, will barely notice the next update. (Of course, that's easier said than done when you're managing a real sending program.)
But you can check your current DMARC setup in seconds with our free DMARC Parser, or use the DMARC Generator if you need to build a record from scratch. If you're not sure where you actually stand, our SOS hotline is free and we'll walk through it with you ;)
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.