Why DMARC Compliance Is No Longer Optional


Email authentication has shifted from a “best practice” to a hard requirement, and the latest announcements from Google, Microsoft, and other email providers make it clear:
DMARC compliance is now expected from every organisation, regardless of email volume.

In 2024, Google’s policies applied mainly to bulk senders sending more than 5,000 messages per day. In November 2025, however, Google confirmed that stricter authentication enforcement will apply more broadly, a clear signal from the major providers that unauthenticated email is no longer acceptable.

Microsoft is moving in the same direction, and because the major mailbox providers tend to align their policies, we’re now entering a global shift in which DMARC is no longer a “nice to have” but essential infrastructure.

Below, we break down the new rules, what they mean, and the practical steps you need to take now.

What is DMARC?

DMARC is an open email authentication protocol designed to give domain owners control over how unauthenticated messages are handled. By building on the foundations of SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), DMARC enables domain owners to specify how emails failing authentication should be treated—whether they are quarantined, rejected, or allowed through. Critically, DMARC also provides reporting, giving organisations visibility into who is sending email on their behalf and whether those messages pass authentication. 

How DMARC Works

  • SPF validates that an email message was sent from a server the domain owner has authorised in DNS.
  • DKIM attaches a cryptographic signature so the receiver can verify that the signing domain vouches for the message and that it was not altered in transit.
  • DMARC ties these technologies together: it requires the SPF or DKIM identity to align with the visible From domain, instructs receiving servers what to do if a message fails, and provides feedback via reports.
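As an added illustration of the alignment step (example code written for this article, not part of the original or of any Sendmarc product), the following evaluates a message the way a receiver does once SPF and DKIM have already run: it parses the domain’s DMARC record, checks whether the authenticated SPF or DKIM domain aligns with the From domain under the strict or relaxed mode, and returns the disposition the published policy requests. The organisational-domain helper is a deliberate simplification (last two labels) and is labelled as an assumption in the code.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Simplified organisational domain: the last two labels. Assumption for this
    # example only; a real validator consults the Public Suffix List (example.co.uk).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    # Identifier alignment: strict ('s') needs an exact match with the visible
    # From domain; relaxed ('r') accepts any subdomain of the same organisation.
    a, b = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def parse_dmarc_record(txt: str) -> dict:
    # Turns a DMARC TXT record ('v=DMARC1; p=none; rua=mailto:...') into its tags.
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

@dataclass
class AuthResults:
    header_from: str                 # RFC5322.From domain, the one recipients see
    spf_domain: str = ""             # RFC5321.MailFrom domain that SPF checked
    spf_pass: bool = False
    dkim_domains: list = field(default_factory=list)  # d= of signatures that verified

def dmarc_evaluate(res: AuthResults, policy: dict) -> dict:
    # A message passes DMARC if SPF or DKIM passed AND that identifier aligns
    # with the From domain; otherwise the published p= disposition applies.
    spf_ok = res.spf_pass and aligned(res.header_from, res.spf_domain, policy.get("aspf", "r"))
    dkim_ok = any(aligned(res.header_from, d, policy.get("adkim", "r")) for d in res.dkim_domains)
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": passed,
            "disposition": "none" if passed else policy.get("p", "none")}

if __name__ == "__main__":
    policy = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com")
    # Constructed case: a bulk-mail vendor signs with its own domain, so raw SPF and
    # DKIM both pass, yet nothing aligns with example.com and p=reject applies.
    vendor = AuthResults("example.com", "bounce.vendor.example", True, ["vendor.example"])
    print(dmarc_evaluate(vendor, policy))
```

The vendor case is the one that catches most organisations: SPF and DKIM each pass for the vendor’s own domain, but neither identifier aligns with yours, so DMARC fails.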

Why DMARC is Important

Highlighting the importance of DMARC, the UK’s National Cyber Security Centre (NCSC) states, “Implementing DMARC is an essential measure to protect your organisation’s email domain from being misused by attackers for phishing or fraud.”  

Email-based attacks are among the most pervasive threats facing organisations today. Phishing campaigns can lead to financial losses, data breaches, and reputational damage. Spoofed emails impersonating executives or trusted brands can deceive even vigilant recipients. DMARC helps prevent these threats by making it far more difficult for attackers to send fraudulent email from domains you own.

Benefits of DMARC: 

  • Prevents unauthorised use of your domain in email communications 
  • Protects customers, partners, and staff from phishing 
  • Preserves brand integrity and trust 
  • Provides actionable reporting for ongoing improvement 
  • Supports regulatory compliance and due diligence 

DMARC is no longer just an option; it’s a necessity for protecting your organisation’s reputation and ensuring email communications remain secure and trusted — Sendmarc 

Why This Is Happening Now

Phishing, spoofing, and email-based impersonation continue to rise sharply. Attackers no longer “spray and pray”; they impersonate charities, SMEs, suppliers, schools, finance teams, NHS trusts, and even local councils.

Email providers have finally reached the point where strong authentication has become a gatekeeper requirement, not optional guidance.

Google, Yahoo, and Microsoft are tightening enforcement because:

  • Too many domains still send unauthenticated email
  • Spoofing and brand impersonation are at all-time highs
  • AI is making phishing campaigns more convincing
  • Providers want to protect users and maintain inbox trust

As a result, the providers are turning the screw – something the industry has predicted for years. And this time, there are no “light-touch” exceptions.

Google’s New Requirements (November 2025)

Google has now announced that all senders, not just traditional bulk senders, should meet strict authentication standards if they expect their email to reach inboxes reliably.

This includes:

  • Mandatory SPF and DKIM
  • DMARC required for the sending domain
  • Alignment between SPF, DKIM and DMARC
  • Lower spam tolerance
  • Stricter identity checks
  • The potential for rejecting messages outright when requirements are not met

These changes move Google beyond the softer approach used in 2024, signaling a more assertive stance on email identity and trust.

Does Google’s November 2025 Enforcement Apply to Everyone?

This part is important and often misunderstood:

Google’s strict November 2025 enforcement phase still applies specifically to bulk senders: those sending 5,000+ messages per day to Gmail personal accounts.

Google has confirmed:

  • The 5,000-per-day threshold remains the formal definition of a bulk sender
  • Only bulk senders fall under the full enforcement actions taking effect in November 2025
  • Non-compliant bulk senders may have email deferred, blocked, or rejected at SMTP level
  • Smaller-volume senders are encouraged – but not yet forced – to meet all requirements

This means the harshest enforcement applies only once your domain crosses the 5,000-messages-per-day threshold.

However:

  • Google still expects SPF, DKIM, and DMARC from everyone
  • Lack of authentication can still impact inbox placement, even for low-volume domains
  • As enforcement tightens year by year, all senders should assume these requirements will eventually become universal

So, while November 2025 focuses on bulk senders, the industry trend makes it clear: universal authentication is the new norm.

Microsoft Will Follow Suit

Microsoft has already tightened its own sender requirements and, throughout 2025, continues to align with Google’s direction:

  • Rejecting non-authenticated messages
  • Enforcing DMARC and DKIM alignment
  • Strengthening spam filtering
  • Increasing scrutiny of sending domains
  • Preparing similar enforcement across consumer and business mailboxes

Microsoft historically mirrors Google’s changes, so organisations should expect similar policies affecting everyone – not just bulk senders – in the near future.

It’s No Longer Just About 5,000+ Emails a Day

While Google’s stricter November 2025 enforcement applies to bulk senders, the expectation of authentication now applies to everyone.

Any organisation sending email to Gmail, Outlook, Hotmail, Yahoo, or iCloud should assume that:

  • Non-authenticated email may be deprioritised
  • Deliverability may steadily decline
  • Reputation scores will be impacted
  • Providers will tighten criteria year after year

You don’t need to be a major sender anymore; simply using a domain for email puts you in scope.

This applies to:

  • Charities communicating with donors
  • Retailers and ecommerce businesses
  • SMEs emailing customers and suppliers
  • Schools, councils, and public sector bodies
  • Professional services
  • Any organisation sending transactional or operational email

Why You Must Act Now

Nearly all email and marketing platforms (Mailchimp, HubSpot, Campaign Monitor, SendGrid, etc.) have issued their own warnings. Many already refuse to send from non-authenticated domains.

This gradual tightening, followed by enforcement, is exactly what the industry anticipated.

If you wait until rejection notices appear, the damage will already be done:

  • Emails fail to deliver
  • Invoices and confirmations don’t arrive
  • Customer and donor communication breaks
  • Internal operations are disrupted
  • Reputation and trust take a hit

2025 is the year to get ahead of these requirements, not react to them.

What Your Organisation Should Do Next

  1. Deploy SPF, DKIM, and DMARC (correctly): Correct alignment is crucial.
  2. Start with “p=none” but work towards “quarantine” or “reject”: This protects your domain and aligns with future enforcement.
  3. Monitor DMARC reports: This provides visibility into who is sending email on your behalf.
  4. Identify all systems that send email from your domain: This includes:
     • CRM platforms
     • Donor systems
     • Marketing tools
     • Invoicing / accounting services
     • Booking and ticketing systems
     • Website contact forms
     • Cloud apps and third-party systems
  5. Partner with experts: Misconfigurations are common – and often the reason organisations fail authentication checks.
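Steps 3 and 4 above are done from the DMARC aggregate (rua) reports that mailbox providers send once a record is published. As an added example (written for this article, not code from the original or from any vendor), the script below parses a constructed report in the RFC 7489 Appendix C format and lists each sending IP with its message count, whether it passed DMARC (an aligned SPF or DKIM pass), and the domains that SPF and DKIM actually authenticated; the IPs and domains in the sample are documentation values, not real senders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 Appendix C aggregate-report format
# (not a real report): one aligned source, one unaligned third party, one spoof.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.com</domain><p>none</p><adkim>r</adkim><aspf>r</aspf></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
 <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
 <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>35</count>
 <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
 <spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.99</source_ip><count>8</count>
 <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def summarise_report(xml_text: str) -> dict:
    # Per source IP: message count, whether every row passed DMARC (an aligned SPF
    # or DKIM pass), and the domains SPF/DKIM actually authenticated. Raw passes for
    # a vendor's own domain show up here as "aligned_pass": False.
    root = ET.fromstring(xml_text)   # use defusedxml for reports from untrusted senders
    sources = {}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        pe = rec.find("row/policy_evaluated")
        row_pass = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        src = sources.setdefault(ip, {"count": 0, "aligned_pass": True, "dkim": set(), "spf": set()})
        src["count"] += int(rec.findtext("row/count", "0"))
        src["aligned_pass"] = src["aligned_pass"] and row_pass
        src["dkim"].update(d.findtext("domain") for d in rec.findall("auth_results/dkim"))
        src["spf"].update(s.findtext("domain") for s in rec.findall("auth_results/spf"))
    return sources

def failing_sources(sources: dict) -> list:
    # IPs to investigate: authorise them (SPF include / DKIM key) or treat as spoofing.
    return [ip for ip, s in sources.items() if not s["aligned_pass"]]

def published_policy(xml_text: str) -> str:
    # 'none' means monitor-only: failing sources above were still delivered.
    return ET.fromstring(xml_text).findtext("policy_published/p", "none")
```

In the sample, 198.51.100.7 is the classic CRM-vendor case: it authenticates for its own domain but not yours, so it needs an SPF include or a DKIM key for your domain before you move from p=none to quarantine or reject; 203.0.113.99 authenticates for nothing and is the traffic a stricter policy will stop.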

How Virtue UK Can Support You

Virtue UK helps organisations:

  • Achieve and maintain full DMARC, SPF, and DKIM compliance
  • Monitor alignment and detect issues
  • Identify and validate every sending source
  • Resolve misconfigurations quickly
  • Protect domains from spoofing and impersonation
  • Ensure ongoing compliance with Google and Microsoft’s 2025 requirements

With the major providers tightening rules and enforcement becoming more aggressive, now is the time to modernise your email authentication.
