Why the Rules Changed
To understand why Google, Yahoo, and Microsoft changed the rules, you need to understand a fundamental problem with email that has existed since the technology was invented in the 1970s. When email was created, there was no built-in way to verify who sent a message. Anyone could send an email claiming to be from any address — your bank, your solicitor, the CEO of your company, the Prime Minister — and the receiving system had no way to check whether it was genuine.
For the first few decades, this did not matter much. Email was used by a small number of people in universities and research institutions, and trust was assumed. But as email became the primary communication channel for billions of people and millions of businesses, the lack of verification became a catastrophic weakness.
Email fraud grew into a multi-billion-pound global problem. Criminals discovered they could send messages that appeared to come from legitimate companies — banks, delivery services, government agencies, trusted colleagues — and use those messages to steal money, harvest passwords, and install malicious software. These attacks are astonishingly effective. According to the UK's National Cyber Security Centre, phishing emails — fraudulent messages designed to trick recipients into revealing sensitive information — remain the single most common method used in cyber attacks against UK businesses.
The UK's Action Fraud service reported that email-enabled fraud cost UK individuals and businesses over 1.3 billion pounds in 2024. Phishing — where criminals impersonate legitimate senders — accounts for the majority of these losses. The ease with which email addresses can be forged is the root cause.
Over the years, the email industry developed three technical mechanisms to address this problem. Think of them as three layers of protection that, together, allow a recipient to verify whether an email is genuinely from who it claims to be. The problem was that adopting these mechanisms was voluntary. Many businesses never set them up, either because they did not know they existed, or because they seemed too technical, or because their email provider never mentioned them.
By 2023, the major email providers — Google (Gmail), Yahoo, and Microsoft (Outlook) — had seen enough. They collectively decided to stop making verification optional. Starting in 2024, they began requiring senders to prove their identity. If you cannot prove your emails are genuine, they will be filtered, delayed, or blocked entirely.
This was not a decision made to inconvenience small businesses. It was a response to a genuine crisis. But the consequence for businesses that have not kept up is very real: emails that used to arrive in inboxes are now landing in spam folders, being delayed for hours, or being rejected outright — and the business owner often has no idea why.
What Google and Yahoo Changed in February 2024
In October 2023, Google and Yahoo jointly announced new requirements for anyone sending email to their users. The changes took effect in February 2024, and enforcement has been progressively tightening since then. Here is what they require, in plain language.
The Basic Requirements (All Senders)
If you send even a single email to anyone with a @gmail.com, @googlemail.com, @yahoo.com, @yahoo.co.uk, or @aol.com address, you must have proper email authentication set up on your domain. This means three things:
- A guest list for your domain — A published record that tells the world which email servers are authorised to send messages on behalf of your domain. If an email arrives at Gmail claiming to be from your domain, but it was sent from a server that is not on your guest list, Gmail will treat it with suspicion. This is the technical mechanism known as SPF.
- A digital seal on every message — Every email you send should carry an invisible digital signature that proves two things: the message genuinely originated from your domain, and the content has not been altered since it was sent. Think of it like a wax seal on a letter — if the seal is intact, the recipient knows the letter is authentic and unopened. This is the mechanism known as DKIM.
- A published policy for handling fakes — A record that tells Gmail, Yahoo, and other receiving servers what to do when they receive an email from your domain that fails the guest list check or the digital seal check. Should they deliver it anyway? Quarantine it? Reject it? Without this policy, receiving servers make their own decisions — and those decisions are increasingly harsh. This is the mechanism known as DMARC.
These requirements are not optional, and there is no exemption for small businesses. Whether you send five emails a day or five thousand, if any of those emails go to a Gmail or Yahoo address, your domain must be authenticated. The only question is how strict the requirements are — and the answer depends on your sending volume.
Additional Requirements for High-Volume Senders
If your business sends more than 5,000 emails per day to Gmail or Yahoo addresses — which typically applies to companies with large mailing lists, marketing campaigns, or automated notifications — additional requirements apply:
- One-click unsubscribe — Every marketing or bulk email must include a working one-click unsubscribe mechanism. Recipients should be able to opt out with a single click, not by filling in forms or sending emails to obscure addresses.
- Spam complaint rate below 0.3% — If more than three in every thousand recipients mark your email as spam, Google will begin throttling or blocking your messages. This is a very low threshold, and it means your email content must be relevant and wanted.
- Strict alignment on authentication — For high-volume senders, it is not enough to simply have authentication records. The records must align properly — meaning the domain in the "from" address must match the domain in the authentication records. Mismatches that might have been tolerated before are now flagged.
What Happens If You Do Not Comply
The consequences are graduated but real. At the mildest end, your emails may be delivered more slowly — delayed by minutes or hours rather than arriving instantly. Next, emails may be routed to the spam folder, where the recipient is unlikely to see them. At the harshest end, your emails may be rejected outright — bounced back to you with an error message, never reaching the recipient at all.
The particularly frustrating aspect for business owners is that these consequences often happen silently. You send an email. Your outbox shows it as sent. You assume it arrived. But it is sitting in the recipient's spam folder, or it was rejected and the bounce notification went to an address nobody monitors. The first sign of a problem is often a phone call from a client asking why you have not replied to their email — when the truth is, you did reply, but your reply never arrived.
What Microsoft Changed in May 2025
Following Google and Yahoo's lead, Microsoft announced similar requirements in late 2024, with enforcement beginning in May 2025. The requirements apply to anyone sending email to @outlook.com, @hotmail.com, @live.com, and @msn.com addresses.
Microsoft's Requirements
Microsoft's requirements mirror Google and Yahoo's in their essentials:
- Email authentication is required — The same three layers of verification (guest list, digital seal, and published policy) must be configured for your domain. Microsoft checks all three when deciding whether to deliver your email, send it to junk, or reject it.
- Stricter enforcement for high-volume senders — Like Google, Microsoft applies additional scrutiny to domains that send large volumes of email. High-volume senders must demonstrate clean sending practices, low complaint rates, and proper list management.
- Non-compliant emails go to junk or are rejected — Microsoft's enforcement follows the same graduated approach: non-authenticated emails are increasingly likely to be filtered to junk mail or rejected entirely.
Between them, Gmail, Outlook/Hotmail, and Yahoo/AOL account for the vast majority of personal email addresses in the UK. If your business emails cannot reach these three providers reliably, you have a serious deliverability problem that affects nearly every client, customer, and contact you communicate with.
Why Microsoft Matters for UK Businesses
While Gmail often dominates the conversation about email deliverability, Microsoft's changes are arguably more significant for many UK businesses. Outlook.com and Hotmail remain extremely popular in the UK, particularly among older demographics and in certain industries. Many business contacts still use @hotmail.co.uk or @outlook.com for personal communication, and a surprising number of small businesses still use these free services as their primary email. If your emails cannot reach Outlook and Hotmail addresses, you are cut off from a substantial portion of the UK market.
Moreover, Microsoft 365 (formerly Office 365) is the dominant business email platform in the UK. While Microsoft's 2025 requirements technically apply to their consumer email services (Outlook.com, Hotmail, Live.com), the authentication checks they perform on incoming email apply across their entire platform. This means that even businesses sending to other businesses using Microsoft 365 are subject to increasingly strict authentication requirements.
What Email Authentication Means for Your Business
If you have read this far and feel slightly overwhelmed by terms like SPF, DKIM, and DMARC, you are not alone. These are technical names for mechanisms that were designed by engineers, and they sound intimidating. But the concepts behind them are straightforward, and you do not need to understand how they work technically — you just need to understand what they do and why they matter.
Three Layers of Protection
Think of your email domain — the part after the @ sign in your email address — as your business premises. Email authentication is the security system for those premises. It has three components:
Layer 1: The Guest List
Imagine you are hosting a private event at your office. You give security a list of names — only these people are allowed in. Anyone who turns up claiming to be a guest but is not on the list gets turned away.
The first layer of email authentication works the same way. It publishes a list of servers that are authorised to send email on behalf of your domain. When Gmail or Outlook receives an email claiming to be from your domain, it checks the list. If the email came from a server that is on the list, it passes the first check. If it came from a server that is not on the list, it is treated with suspicion. This mechanism is known as SPF — but the important thing is not the name; it is the concept: a guest list that says who is allowed to send for you.
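To make the guest-list idea concrete, here is an added Python example (not code from this page or from epost.plus) that evaluates a constructed SPF record for one sending IP address the way a receiving server does: mechanisms are tried left to right and the first match decides. Only the ip4, ip6 and all mechanisms are evaluated locally; include, a, mx and exists need DNS lookups and are reported as unresolved rather than silently skipped. The domain, record and addresses are constructed for illustration.

```python
import ipaddress

# Constructed SPF record for a hypothetical domain (not a real published record).
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ip4:198.51.100.7 -all"

# SPF qualifier prefixes and the result each one produces when its mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.

    Returns None when the record does not start with the v=spf1 version tag,
    which receivers treat as 'no SPF record published'.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if "=" in term:            # modifiers such as redirect= or exp=: not evaluated here
            continue
        qualifier = "+"            # a mechanism with no prefix means '+' (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_spf(record, sender_ip):
    """Evaluate the guest list for one sending IP address.

    Only ip4, ip6 and all are evaluated locally. include, a, mx and exists
    need DNS lookups, so the function returns 'unresolved' when it reaches one
    instead of pretending the check passed or failed.
    """
    terms = parse_spf(record)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in terms:
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"   # malformed record: receivers treat this as a hard error
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            return "unresolved"
    return "neutral"                 # nothing matched and no 'all' term: the RFC 7208 default


if __name__ == "__main__":
    for ip in ("203.0.113.45", "2001:db8:1::5", "192.0.2.1"):
        print(ip, "->", check_spf(EXAMPLE_SPF, ip))
```

The final term is what gives the list its teeth: `-all` turns away anyone not listed, `~all` only marks them as suspicious, and `+all` lets everybody in, which is the same as having no guest list at all.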
Layer 2: The Wax Seal
In centuries past, important letters were sealed with wax. The sender pressed their unique signet ring into the wax, creating a seal that served two purposes: it proved who sent the letter, and it proved the letter had not been opened or tampered with during delivery. If the seal was broken, the recipient knew something was wrong.
The second layer of email authentication is a digital version of this wax seal. Every email you send is stamped with an invisible digital signature that is unique to your domain. When Gmail or Outlook receives the email, it checks the signature. If the signature is valid, the email is genuine and unaltered. If the signature is missing or broken, the email may have been forged or tampered with. This mechanism is known as DKIM — but again, the concept is what matters: a wax seal that proves authenticity and integrity.
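As an added illustration of the tamper-detection half of the seal (example code, not the page's own and not any provider's), the Python below computes the DKIM body hash, the bh= tag of a DKIM-Signature header, using the "simple" body canonicalization from RFC 6376, and checks it against a constructed header. Any change to the body changes the hash and breaks the seal. Verifying the b= signature over the headers additionally needs the signer's public key published in DNS and is deliberately left out. The domain example.com, the selector and the message body are constructed.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body_simple(body):
    """'simple' body canonicalization (RFC 6376, section 3.4.3).

    Line endings become CRLF, every empty line at the end of the body is
    removed, and the result ends with exactly one CRLF; an empty body
    canonicalizes to a single CRLF.
    """
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body):
    """Base64 SHA-256 of the canonicalized body: the value a signer puts in bh=."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header into a dict.

    Folding whitespace inside values (common in the long b= and bh= tags)
    is removed, as the DKIM tag-list grammar requires.
    """
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature, body):
    """Return True when the body still matches the hash the signer committed to.

    This is the integrity half of a DKIM check. Checking the b= signature over
    the headers also needs the signer's public key from DNS and is not done here.
    """
    tags = parse_dkim_tags(dkim_signature)
    if tags.get("v") != "1" or "bh" not in tags:
        return False
    if tags.get("a") not in ("rsa-sha256", "ed25519-sha256"):
        return False                                      # both algorithms hash the body with SHA-256
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"  # c=header/body; body part defaults to simple
    if body_canon != "simple":
        return False                                      # relaxed body canonicalization not implemented
    return hmac.compare_digest(tags["bh"], body_hash(body))


# Constructed example: hypothetical domain and selector; the bh= value is computed
# with body_hash() above and the b= value is a placeholder that is never checked.
EXAMPLE_BODY = b"Dear client,\r\n\r\nPlease find the invoice attached.\r\n\r\n"
EXAMPLE_DKIM = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=selector1;\r\n"
    "\th=from:to:subject:date; bh=" + body_hash(EXAMPLE_BODY) + ";\r\n"
    "\tb=PLACEHOLDERSIGNATURENOTVERIFIEDHERE"
)

if __name__ == "__main__":
    print("intact body:", body_hash_matches(EXAMPLE_DKIM, EXAMPLE_BODY))
    print("edited body:", body_hash_matches(EXAMPLE_DKIM, EXAMPLE_BODY.replace(b"invoice", b"revised invoice")))
```

Note that canonicalization is why a message survives the small cosmetic changes mail servers make in transit (line-ending conversion, a trailing blank line added) while a change to the wording still breaks the seal.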
Layer 3: The Bouncer
You have a guest list and a wax seal. But what should happen when someone turns up who is not on the guest list, or presents a letter with a broken seal? You need a bouncer — someone at the door with clear instructions.
The third layer of email authentication is that bouncer. It is a published policy that tells receiving servers — Gmail, Outlook, Yahoo — what to do when an email from your domain fails the guest list check or the wax seal check. The policy can say one of three things:
- "Just make a note of it" — the email is delivered but the failure is logged. This is monitoring mode, useful when you are first setting up authentication and want to see what is happening without blocking any emails.
- "Quarantine it" — the email is sent to the recipient's spam or junk folder. They might find it, but probably will not.
- "Reject it" — the email is blocked entirely. It never reaches the recipient. This is the strictest and most protective setting.
This mechanism is known as DMARC, and it is the piece that ties the other two together. Without it, you have a guest list and a wax seal but no bouncer — and when fakes show up, nobody knows what to do with them.
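The following added Python example (not from this page and not epost.plus code) ties the three bouncer instructions above to the alignment rule mentioned under the high-volume requirements: it parses a constructed DMARC record, checks whether the SPF-checked domain or the DKIM signing domain aligns with the From domain in relaxed (r) or strict (s) mode, and reports which instruction applies when neither aligns. The organizational-domain lookup is a deliberate simplification (last two labels) and is an assumption; real receivers use the Public Suffix List so that domains such as example.co.uk are grouped correctly. All records and domains are constructed.

```python
# Plain-language meaning of each DMARC 'p=' value, as described above.
DISPOSITION = {
    "none": "deliver, but record the failure in reports",
    "quarantine": "send to the spam or junk folder",
    "reject": "block outright",
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict; returns None if it is not one.

    Alignment modes (adkim, aspf) default to relaxed ('r') when omitted.
    """
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    policy = tags.get("p", "").lower()
    if policy not in DISPOSITION:
        return None
    tags["p"] = policy
    tags["adkim"] = tags.get("adkim", "r").lower()
    tags["aspf"] = tags.get("aspf", "r").lower()
    return tags


def organizational_domain(domain):
    """ASSUMPTION: the last two labels stand in for the organizational domain.

    Real receivers consult the Public Suffix List so that, for example,
    shop.example.co.uk maps to example.co.uk rather than to co.uk.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, authenticated_domain, mode):
    """Relaxed ('r'): same organizational domain. Strict ('s'): identical domain."""
    if not authenticated_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = authenticated_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Decide what the bouncer does with one message.

    spf_domain is the domain the SPF check was run against (the envelope
    sender) and dkim_domain is the d= tag of a signature that verified.
    DMARC passes when at least one of the two both passed and aligns.
    """
    policy = parse_dmarc(record)
    if policy is None:
        return ("none", "no policy published: the receiver decides on its own")
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", DISPOSITION[policy["p"]])


# Constructed records for a hypothetical domain: the first relies on the default
# relaxed alignment, the second demands strict alignment for both checks.
EXAMPLE_DMARC_RELAXED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
EXAMPLE_DMARC_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # A legitimate message relayed via a subdomain passes relaxed but not strict alignment.
    for record in (EXAMPLE_DMARC_RELAXED, EXAMPLE_DMARC_STRICT):
        print(dmarc_disposition(record, "example.com", "pass", "mail.example.com", "none", None))
    # A forged message fails both checks and gets the published policy.
    print(dmarc_disposition(EXAMPLE_DMARC_RELAXED, "example.com", "fail", "attacker.example", "none", None))
```

The last case is the one that matters for the "fakes" discussed above: with `p=none` the forged message is still delivered and only reported, with `p=quarantine` it goes to junk, and only `p=reject` keeps it out of the inbox entirely.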
Every domain hosted on epost.plus is configured with all three layers of authentication from the moment it is set up. The policy is set to the strictest level — reject — meaning fake emails pretending to come from your domain are blocked outright, not just quarantined. You do not need to request this, configure it, or even know it exists. It simply works.
Am I Affected?
If you are wondering whether these changes apply to your business, here is a simple way to work it out.
Do you send email to anyone with a Gmail address? Almost certainly yes. Gmail has over 1.8 billion users worldwide and is the most popular personal email service in the UK. Even if your direct clients use business email, their employees, family members, and personal contacts use Gmail. You are affected.
Do you send email to anyone with an Outlook, Hotmail, or Live.com address? Almost certainly yes. These Microsoft email services are the second most popular personal email addresses in the UK, particularly among the over-40 demographic. You are affected.
Do you send email to anyone with a Yahoo or AOL address? Probably yes. While Yahoo and AOL are less popular than they once were, millions of UK users still have these addresses. You are affected.
Are you a "bulk sender" (5,000+ emails per day)? If yes, the stricter requirements around unsubscribe mechanisms and complaint rates apply to you in addition to the basic authentication requirements. If no, the basic authentication requirements still apply to you — there is no exemption for low-volume senders.
A common misconception is that these rules only affect businesses that send marketing emails or newsletters. That is not the case. The basic authentication requirements apply to all email — including one-to-one messages from your business email address to a client's personal Gmail or Outlook account. If you send a single invoice by email and the recipient has a Gmail address, these rules apply to that email.
The practical conclusion is straightforward: every UK business is affected. The only question is whether your email domain is already compliant or whether you need to take action.
How to Check If Your Domain Is Compliant
The good news is that checking your domain's compliance is free, takes about five minutes, and does not require any technical knowledge. Here are three methods, from simplest to most detailed.
Method 1: The Gmail Test
This is the quickest and most practical check. You need a personal Gmail account (if you do not have one, any colleague or family member with Gmail can help).
- Send an email from your business email address to a Gmail address.
- Open the email in Gmail.
- Click the three dots in the top right corner of the email.
- Select "Show original" from the menu.
- A new window opens showing the technical details of the email.
- Look for three lines near the top: SPF, DKIM, and DMARC.
- Each one should show PASS.
If all three show PASS, your domain is properly authenticated and meets the basic requirements. If any show FAIL, SOFTFAIL, or are missing entirely, your domain has a gap that needs addressing.
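To automate the same three-line check, here is an added Python example (not code from this page) that parses a constructed Authentication-Results header in the shape Gmail shows under "Show original" and lists any check that is missing or does not show pass. The sample headers, addresses and IP addresses are constructed, and the exact wording of the comments in parentheses may differ from what Gmail prints for your message.

```python
import re

# The three results the page says to look for, in the order they are listed.
METHODS = ("spf", "dkim", "dmarc")


def unfold(header_block):
    """Join folded continuation lines (those starting with whitespace) of raw headers."""
    lines = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_authentication_results(header_block):
    """Return {method: result} from the Authentication-Results header(s).

    Each header is 'authserv-id; method=result ...; method=result ...'. Only
    the spf, dkim and dmarc methods are kept; the first result seen for a
    method wins, matching how a reader scans the headers top to bottom.
    """
    results = {}
    for line in unfold(header_block):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authentication-results":
            continue
        for statement in value.split(";")[1:]:        # element 0 is the authserv-id (e.g. mx.google.com)
            match = re.match(r"\s*(spf|dkim|dmarc)=([a-z]+)", statement, re.IGNORECASE)
            if match:
                results.setdefault(match.group(1).lower(), match.group(2).lower())
    return results


def compliance_gaps(results):
    """List every check that is missing or not 'pass'; an empty list means all three pass."""
    gaps = []
    for method in METHODS:
        result = results.get(method)
        if result is None:
            gaps.append(f"{method}: missing")
        elif result != "pass":
            gaps.append(f"{method}: {result}")
    return gaps


# Constructed sample: a fully authenticated message as Gmail would report it.
PASSING_HEADERS = (
    "Delivered-To: recipient@gmail.com\n"
    "Authentication-Results: mx.google.com;\n"
    "       dkim=pass header.i=@example.com header.s=selector1 header.b=AbCdEf12;\n"
    "       spf=pass (google.com: domain of alice@example.com designates 203.0.113.10"
    " as permitted sender) smtp.mailfrom=alice@example.com;\n"
    "       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com\n"
    "Return-Path: <alice@example.com>\n"
)

# Constructed sample: SPF soft-fails, no DKIM signature at all, DMARC fails.
FAILING_HEADERS = (
    "Delivered-To: recipient@gmail.com\n"
    "Authentication-Results: mx.google.com;\n"
    "       spf=softfail (google.com: domain of transitioning bob@example.org does not"
    " designate 198.51.100.20 as permitted sender) smtp.mailfrom=bob@example.org;\n"
    "       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.org\n"
    "Return-Path: <bob@example.org>\n"
)

if __name__ == "__main__":
    for label, block in (("passing", PASSING_HEADERS), ("failing", FAILING_HEADERS)):
        print(label, compliance_gaps(parse_authentication_results(block)) or ["all three PASS"])
```

Paste the full header text from "Show original" into a file and feed it to `parse_authentication_results`; each item in the returned gap list is one of the three layers that needs attention.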
Method 2: Online Testing Tools
Free tools like MXToolbox and mail-tester.com provide detailed reports on your domain's email configuration. For MXToolbox, visit their website and enter your domain name — it will check your authentication records and highlight any issues. For mail-tester.com, send a test email to the address they provide and they will score your email on a scale of one to ten, with specific recommendations for improvement.
Method 3: Ask Your Email Provider
Contact your email provider and ask a simple question: "Is my domain fully authenticated with SPF, DKIM, and DMARC?" A good provider will be able to answer this immediately and, if there are gaps, will offer to fix them. If your provider does not know what these terms mean, or cannot give you a clear answer, that tells you something important about the level of service you are receiving.
What to Do If You Are Not Compliant
If your checks reveal that your domain is not fully authenticated, do not panic. This is fixable, and for most businesses it can be resolved within a few days. Here is the path forward.
Step 1: Contact Your Email Provider
Your first call should be to your current email provider. Explain that you need full email authentication configured for your domain — SPF, DKIM, and DMARC. Many providers can set this up for you, often as part of your existing service. Some providers configure authentication automatically when you set up a domain; if yours did not, ask them to do it now.
Step 2: Verify the Configuration
After your provider has made changes, run the checks again. Send another test email to Gmail and check for PASS on all three authentication mechanisms. Use MXToolbox to confirm the records are in place. Do not take your provider's word for it — verify independently.
Step 3: If Your Provider Cannot Help
If your current provider cannot or will not configure full email authentication, it may be time to consider switching. This is not as disruptive as it sounds — a good email provider can migrate your existing email accounts, contacts, and historical messages to their platform with minimal downtime. The key is choosing a provider that handles authentication automatically, so you never have to think about it again.
A common mistake is to configure only the first layer of authentication (the guest list) and assume the job is done. Many hosting companies and website builders set up a basic SPF record but leave DKIM and DMARC unconfigured. This is like putting up a guest list at your event but not checking anyone's invitation and not having a bouncer at the door. All three layers are needed for full compliance.
A Good Provider Handles This Automatically
The most important thing to understand is this: you should not need to become a DNS expert to send email. Email authentication is a technical requirement, but it is your email provider's job to handle it, not yours. A well-run email provider configures all three layers of authentication automatically when you set up your domain. You should never have to log into a DNS control panel, copy and paste cryptic text records, or troubleshoot why your DKIM signature is not aligning with your domain.
If your provider treats authentication as a DIY task that they document in a help article and leave you to figure out, that is a sign that they are not providing the level of service a business needs. A good provider does it for you, verifies it is working, and monitors it ongoing.
The Broader Trend: Where This Is Heading
The changes introduced by Google, Yahoo, and Microsoft in 2024 and 2025 are not the end of the story. They are the beginning of a permanent shift in how email works. Understanding where this is heading helps you make better decisions about your email infrastructure today.
Authentication Is Becoming Table Stakes
Five years ago, email authentication was a best practice — recommended but not required. Today, it is a requirement enforced by the three largest email providers in the world. Within the next few years, it will be as fundamental as having a valid email address in the first place. Domains without authentication will be treated the way websites without SSL certificates are treated today: with suspicion, warnings, and reduced trust.
Requirements Will Get Stricter
Google has publicly stated that their requirements will continue to tighten over time. The February 2024 changes were described as a "baseline" — the minimum acceptable standard. Future updates are likely to raise the bar further, potentially requiring stricter policies, additional encryption mechanisms, and more sophisticated sender verification. Businesses that meet only the current minimum may find themselves falling short of future requirements.
More Providers Will Follow
Google, Yahoo, and Microsoft were the first to enforce authentication requirements at scale, but they will not be the last. Corporate email platforms, government email systems, and regional email providers around the world are all moving in the same direction. The global consensus is clear: unauthenticated email is a security liability, and the era of "send whatever you want and hope it arrives" is ending.
The Reputational Dimension
Beyond deliverability, there is a growing reputational dimension to email authentication. Businesses that do not authenticate their email are, unwittingly, making it easier for criminals to impersonate them. If a fraudster sends a phishing email to your clients that appears to come from your domain, and your domain has no authentication in place, there is nothing to stop those fake emails from arriving. Your clients lose money or data, and your business's reputation suffers — even though you did nothing wrong. Proper authentication is not just about getting your own emails delivered; it is about protecting your brand from being used as a weapon.
epost.plus does not just meet the current requirements — it exceeds them. Beyond the three core authentication layers, epost.plus implements MTA-STS (which forces encrypted connections), DANE (which pins encryption to verified certificates), and DNSSEC (which protects your domain records from tampering). These are the mechanisms that future requirements are likely to mandate. By using epost.plus today, you are already ahead of where the industry is heading.
How epost.plus Handles Compliance Automatically
If reading this article has made you worried about your email setup, here is the reassuring part: complying with these requirements does not have to be complicated, stressful, or expensive. The right email provider handles everything for you, automatically, from day one.
epost.plus is built on the principle that email security and authentication should be automatic, not optional. Here is what happens when a business sets up email on epost.plus:
- Full authentication from day one — Every domain is configured with all three layers of authentication the moment it is set up. The guest list, the digital seal, and the policy are all in place before you send your first email. There is nothing to request, configure, or wait for.
- Strictest protection level by default — The authentication policy is set to the strictest level: emails that fail verification are rejected outright. Many providers default to the weakest setting (monitoring only) and leave it to you to tighten it gradually. epost.plus starts at the top and keeps you there.
- Ongoing monitoring — epost.plus monitors email authentication continuously using Mail Hardener, a specialist monitoring platform. If anything changes — a DNS record is accidentally deleted, a new sending service is not properly authorised — the monitoring catches it before it becomes a deliverability problem.
- Advanced protection layers — Beyond the three core mechanisms, epost.plus implements MTA-STS (forcing encrypted connections from other servers), DANE (pinning encryption to verified certificates), and DNSSEC (protecting domain records from tampering). These go well beyond what Google, Yahoo, and Microsoft currently require — and they position your domain for future requirements that have not been announced yet.
- No action required from you — This is the most important point. As a business owner, you should not have to understand DNS records, authentication mechanisms, or compliance thresholds. You should be able to set up your email, start sending messages, and know that everything is handled. That is exactly what epost.plus provides.
Email plans are available through smartxhosting.uk, with options ranging from individual business email accounts to dedicated email servers for organisations with larger requirements. Every plan includes the same complete authentication stack — there is no "basic" tier that leaves you unprotected.
If you are not sure whether your current email setup meets the new requirements, you are welcome to contact the support team for a free assessment. They can check your domain's authentication status and advise on any gaps.
You can also pair your email with the eM Client desktop application, which is included with epost.plus business email plans and provides a full-featured desktop email experience with calendar, contacts, and task management built in.
The epost.plus authentication stack — including DMARC at p=reject with strict alignment, MTA-STS in enforce mode, DANE certificate pinning, and DNSSEC — is the same level of protection used by government email systems and major financial institutions. Every epost.plus customer gets this by default, regardless of plan size.
Frequently Asked Questions
Does this affect me if I only send a few emails a day?
Yes. While the strictest requirements — such as mandatory one-click unsubscribe — apply specifically to high-volume senders who send more than 5,000 messages per day, the basic authentication requirements apply to everyone. Google, Yahoo and Microsoft now expect every sender to have proper email authentication configured, regardless of volume. If you send even a single email to a Gmail, Yahoo or Outlook address and your domain is not properly authenticated, that email is at risk of being filtered, delayed, or rejected. The volume thresholds only determine which additional requirements apply on top of the baseline.
What if I use Google Workspace — are my outgoing emails affected too?
If you use Google Workspace (the paid business version of Gmail) with your own domain, your outgoing emails are sent through Google's servers. Google automatically handles some authentication for emails sent through their platform, but they do not necessarily configure everything for your specific domain. You still need to ensure that your domain's authentication records are properly set up in your DNS settings. Many Google Workspace users assume everything is handled automatically, only to discover during a deliverability check that their domain's authentication is incomplete. The safest approach is to verify: send yourself a test email at a personal Gmail address, open it, click "Show original," and check that all three authentication checks show PASS.
Is there a deadline to comply?
Google and Yahoo began enforcing their requirements in February 2024, and enforcement has been gradually tightening since then. Microsoft's requirements for Outlook.com, Hotmail and Live.com addresses took effect in May 2025. There is no future deadline to wait for — the rules are already active. If your domain is not authenticated, your emails are already being affected. The impact may be subtle at first — slightly slower delivery, a few more messages landing in spam — but it will get worse over time as enforcement tightens. The sooner you check and fix any gaps, the less disruption your business will experience.
How do I check if my domain is compliant right now?
The simplest method is to send a test email from your business domain to a personal Gmail address. Open the email in Gmail, click the three dots in the top right corner, and select "Show original." This reveals the technical details of the email, including the results of three authentication checks. Look for the words PASS next to SPF, DKIM, and DMARC. If all three show PASS, your domain is properly authenticated. If any show FAIL or are missing entirely, your domain has a gap that needs fixing. You can also use free online tools such as MXToolbox or mail-tester.com — send a test email to the address they provide, and they will give you a detailed report on your domain's authentication status.
What does email authentication actually mean in simple terms?
Email authentication is a set of checks that prove your emails are genuinely from you and have not been tampered with. Think of it as three layers of verification. The first layer is like a guest list: it publishes a record saying which servers are authorised to send email on behalf of your domain. The second layer is like a wax seal on a letter: it adds an invisible digital signature to every email you send, proving the message has not been altered since it left your server. The third layer is like a bouncer: it tells receiving servers what to do when an email fails the first two checks — let it through, quarantine it, or reject it outright. Together, these three layers prevent criminals from sending fake emails that pretend to come from your domain.
Will my email provider fix this for me?
That depends entirely on your provider. Some providers configure full email authentication automatically when you set up your domain — you do not need to do anything because it is already done. Other providers require you to manually add DNS records, which means you need to understand what the records are, where to add them, and how to verify they are working. And some budget providers do not offer authentication configuration at all, leaving you completely on your own. The best approach is to contact your provider and ask directly: "Is my domain fully authenticated with SPF, DKIM, and DMARC?" If the answer is no, ask them to configure it. If they cannot or will not, it may be time to consider a provider that handles this automatically.