Email Deliverability News: Latest Updates and Changes
Stay up to date with the latest email deliverability news. Provider policy changes, authentication requirements, and industry developments that affect your inbox placement.
Email deliverability rules change constantly. Gmail tightens enforcement, Microsoft adds new requirements, Yahoo updates thresholds — and if you miss an update, your emails start bouncing.
This page tracks the changes that matter. Updated regularly with provider policy changes, authentication requirement updates, and industry developments that affect whether your emails reach the inbox.
Bookmark this page. When something breaks, check here first.
April 2026
Microsoft kills Basic Auth for SMTP on April 30
April 30, 2026 — Microsoft's deadline for removing Basic Authentication from Exchange Online SMTP AUTH. Since March 1, Microsoft has been rejecting an increasing percentage of Basic Auth SMTP submissions, ramping up to 100% rejection on April 30.
After this date, applications and devices using username/password authentication for SMTP will stop working entirely. App passwords cannot be regenerated. Organizations must migrate to OAuth 2.0, Microsoft's High Volume Email service, or Azure Communication Services Email.
This primarily affects automated systems — scanners, printers, legacy CRMs, and custom apps that send email through Microsoft 365 via SMTP. If your infrastructure sends transactional email through Exchange Online, verify your authentication method now.
DMARCbis standard nears publication
The successor to RFC 7489 — known as DMARCbis — is expected to land as a Proposed Standard in 2026. The most significant change: the pct tag is removed entirely. Most receivers only ever respected pct=0 or pct=100, ignoring intermediate values or applying them unpredictably.
In its place, a binary t (testing) flag:
- t=y — policy is in test mode, no enforcement
- t=n — full enforcement
Other removed tags include rf and ri. New tags include np (non-existent subdomain policy) and psd (public suffix domain). Records still use v=DMARC1 — this is not a breaking change, and there is no "DMARC2."
If you're currently using pct for gradual rollout, plan to switch to the t flag once DMARCbis is formally published. See our guide on DMARC policy progression.
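To see what the DMARCbis changes described above mean for an existing record, the following added example (not code from this page or from any provider) lints a DMARC TXT record for the removed pct, rf and ri tags and produces a migrated record. The function names, the sample record and the rule that any pct below 100 becomes t=y are assumptions made for illustration.

```python
# Added example: lint a DMARC TXT record against the DMARCbis changes listed above.
REMOVED_TAGS = {"pct", "rf", "ri"}        # tags the page lists as removed
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; ...' into a dict of tag -> value (order kept)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags

def lint(record):
    """Return (findings, migrated_record) for one DMARC record string."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitoring only, no enforcement")
    for name in sorted(tags.keys() & REMOVED_TAGS):
        findings.append(f"{name}= is removed in DMARCbis")
    migrated = {k: v for k, v in tags.items() if k not in REMOVED_TAGS}
    # Assumption: a partial rollout (pct below 100) is carried over as test mode.
    pct = tags.get("pct", "")
    if pct.isdigit() and int(pct) < 100 and "t" not in tags:
        migrated["t"] = "y"
        findings.append(f"pct={pct}: replaced with t=y (test mode)")
    return findings, "; ".join(f"{k}={v}" for k, v in migrated.items())

# Constructed sample record (example.com is a placeholder domain).
SAMPLE = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com; ri=86400"

if __name__ == "__main__":
    findings, migrated = lint(SAMPLE)
    for f in findings:
        print("-", f)
    print(migrated)
```

Records with pct=100 simply lose the tag, since full enforcement needs no testing flag.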
BIMI adoption still low despite growing support
Despite 72% email client support, only 8% of domains have a BIMI DNS record and less than 1% have a Verified Mark Certificate (VMC). The barrier remains cost — VMCs run $1,500+ annually — and the prerequisite of DMARC enforcement at p=quarantine or p=reject, which 36% of senders still haven't achieved.
That said, BIMI is increasingly tied to deliverability outcomes, not just branding. Strong DMARC enforcement combined with BIMI can reduce successful phishing attempts by approximately 60%, which providers factor into reputation scoring. Gmail and Yahoo have the most consistent BIMI support. If you're already at DMARC enforcement, setting up BIMI is worth the investment.
Inbox placement gap widens
Recent industry data shows a disconnect: despite a global deliverability health score of 86/100, only about 60–65% of emails actually reach a visible inbox location. The gap confirms what providers have signaled for years — technical authentication is necessary but not sufficient.
ISPs now layer behavioral signals (opens, clicks, replies, complaints) on top of authentication checks. Perfect SPF, DKIM, and DMARC with poor engagement still gets you filtered. The Asia-Pacific region shows the widest variation, with India at approximately 70% deliverability due to shared IP infrastructure and inconsistent authentication.
March 2026
Authentication is now table stakes everywhere
As of early 2026, SPF, DKIM, and DMARC are no longer optional for any sender at meaningful volume. Google, Yahoo, and Microsoft all enforce authentication requirements. The era of sending unauthenticated email to major providers is over.
If your domain doesn't have all three protocols configured and aligned, you're already losing mail. Use our free deliverability checker to test your setup.
May 2025
Microsoft enters the enforcement game
May 5, 2025 — Microsoft began enforcing bulk sender requirements for Outlook.com, Hotmail.com, and Live.com. Senders sending 5,000+ emails per day must now have:
- SPF configured with accurate authorized IP addresses
- DKIM signatures validating email integrity
- DMARC published at minimum p=none, aligned with SPF or DKIM
Non-compliant messages go to Junk first. If left unaddressed, Microsoft will block them outright with error code 550 5.7.515.
This matters because Microsoft had been the last major provider without formal bulk sender enforcement. With Google, Yahoo, and now Microsoft all requiring authentication, there's nowhere left to hide.
What to do: Check your SPF, test your DKIM, and verify your DMARC. If you're sending to corporate Outlook/365 addresses, be aware that enterprise filtering (Mimecast, Proofpoint, Barracuda) may apply additional rules beyond Microsoft's baseline.
Late 2024 — Early 2025
Gmail ramps up enforcement to rejections
November 2024 onwards — Google escalated enforcement of its bulk sender requirements from warnings to active rejections. Messages from non-compliant senders that previously landed in spam now bounce with permanent failures.
Key thresholds Google enforces:
- Spam complaint rate must stay below 0.3% (Google recommends below 0.1%)
- SPF, DKIM, and DMARC all required for 5,000+ daily senders
- One-click unsubscribe required in marketing emails
- TLS encryption expected for message transmission
If your bounce rates spiked in late 2024, Gmail enforcement is the likely cause. Check your DMARC alignment and ensure all sending services are properly authenticated.
Yahoo mirrors Google's requirements
Yahoo and AOL aligned their sender requirements with Google's, requiring the same SPF, DKIM, DMARC authentication and spam rate thresholds. The 0.3% complaint rate ceiling applies across both providers.
September 2024
Apple Mail Privacy Protection continues to reshape metrics
Apple Mail Privacy Protection (MPP), active since iOS 15, now affects the majority of Apple Mail users — over 95% adoption. With Apple Mail representing roughly half of all email opens globally, open rates are fundamentally unreliable as a deliverability metric.
What this means in practice:
- Open-based automations (re-engagement sequences, A/B tests on subject lines) produce misleading data
- Click-through rates and conversions are now the reliable engagement signals
- Sunset policies based on "last opened" dates will incorrectly suppress active subscribers on Apple devices
This isn't new, but many senders still haven't adapted their measurement. If you're still using open rates as your primary deliverability indicator, it's time to shift to clicks.
iOS 18 introduces AI-powered inbox changes
Apple's iOS 18 brought AI-generated email previews, new inbox categorization, branded sender icons, and digest-style views to Apple Mail. These changes affect how recipients interact with email — categorized inboxes mean your marketing emails compete for attention differently than before.
February 2024
Google and Yahoo announce bulk sender requirements
February 1, 2024 — Google and Yahoo's bulk sender requirements took effect, marking the biggest shift in email authentication enforcement in years. For the first time, major inbox providers formally required DMARC for high-volume senders.
The initial enforcement was soft — warnings and spam folder placement rather than outright rejection. This gave senders a runway to comply. That runway closed through 2024 and into 2025 as enforcement escalated.
The requirements that changed everything:
- SPF authentication required
- DKIM signing required
- DMARC policy at minimum p=none
- One-click unsubscribe for marketing email
- Spam complaint rate under 0.3%
If you're still running p=none and haven't planned your progression to p=quarantine or p=reject, see our guide on DMARC policy progression.
What to watch for the rest of 2026
- DMARCbis publication — The new standard will formalize removal of the pct tag and introduce the t testing flag. Plan your migration now
- p=none becoming a liability — Providers increasingly treat p=none as a weak signal. Move toward p=quarantine or p=reject before it affects your placement
- BIMI cost reduction — As adoption pressure grows, watch for more affordable VMC options and expanded provider support beyond Gmail and Yahoo
- ARC (Authenticated Received Chain) — Becoming more important as email forwarding and mailing list scenarios need authentication preservation
- MTA-STS adoption — More organizations requiring encrypted email transport via MTA-STS, preventing downgrade attacks
- Google Gmailify/POP shutdown — Google stopped new Gmailify signups in Q1 2026 and will shut down POP-based "Check mail from other accounts" later this year. Users relying on Gmail to aggregate external accounts need to migrate to IMAP-based solutions
This page is updated regularly. Last updated April 4, 2026.