Since May 5, 2025, Microsoft has enforced authentication requirements on anyone sending more than 5,000 emails a day to Outlook.com, Hotmail, and Live.com. Fail them and your mail lands in Junk; leave it unfixed and you eventually get the hard bounce:
550; 5.7.515 Access denied, sending domain [yourdomain]
does not meet the required authentication level.
Microsoft was the last of the big three to do this. Gmail and Yahoo drew the same line in February 2024. So the standard is now unanimous across the mailbox providers that matter: authenticate, or don't bother sending at scale.
A year in, here's the pattern I keep seeing — a team gets the 550s, scrambles to fix SPF, DKIM, and DMARC, watches delivery recover, and declares victory. Then three months later the campaigns are back in spam and nobody understands why. Because they solved the wrong problem.
Authentication is the ticket, not the destination
Passing SPF, DKIM, and DMARC proves your mail is really from you. That's it. It gets you past the bouncer at the door. It says nothing about whether anyone inside wants you there.
Here's the baseline every high-volume sender now needs, and it's genuinely non-negotiable:
- SPF published in DNS, listing every service that sends on your behalf, and passing.
- DKIM signing your mail with a key published in DNS, and passing.
- DMARC with a policy of at least
p=none, and — this is the part people miss — alignment. The domain that passes SPF or DKIM has to match the domain in your visibleFrom:address. Plenty of senders "have DMARC" and still fail because nothing aligns.
If you use Klaviyo, Mailchimp, SendGrid, or any ESP sending under your domain, this applies to them too. Their mail has to align with your domain, not theirs.
Get this wrong and nothing else matters. Get it right and you've earned the right to compete on the thing that actually decides placement.
The thing that actually decides placement
Reputation and engagement. Full stop.
Google is explicit about it: keep your spam complaint rate below 0.10%, and never let it hit 0.30%. Cross that line and no amount of perfect DNS will save you — you become ineligible for the mitigations that would otherwise help. Microsoft and Yahoo watch the same signal.
What moves that number is not your SPF record. It's whether people open, reply, and want your mail — or delete it unread and hit "report spam." Mailbox providers infer "do humans value this sender" from behavior, and they weight it far more heavily than authentication, which by now they simply assume you have.
Authentication is table stakes you can finish in an afternoon. Reputation is a balance you either build or burn over months. The senders who confuse the two are the ones who "fixed deliverability" and then quietly lost the inbox again.
The one-click unsubscribe rule people underestimate
Both Google and Yahoo also require one-click unsubscribe (RFC 8058) for marketing mail, with requests honored within two days. Two headers do it:
List-Unsubscribe: <https://example.com/u/UNIQUE_TOKEN>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Your endpoint has to accept the POST, unsubscribe the person immediately with no login or confirmation step, and return a success code. And your DKIM signature has to cover both headers.
Counterintuitively, making it easy to leave protects you. Someone who can unsubscribe in one tap does that instead of clicking "report spam" — and a clean unsubscribe costs you nothing, while a spam complaint bleeds your reputation with every mailbox provider at once. Friction on the exit is a false economy.
A short deliverability checklist
If you send at any real volume, walk this list:
- Authenticate and align. SPF, DKIM, and DMARC passing, with
From:alignment — including every ESP and tool that sends as you. - Watch the complaint rate. Wire up Google Postmaster Tools and keep spam complaints under 0.1%. Treat 0.3% as a fire.
- Ship real one-click unsubscribe. Both headers, an endpoint that actually processes the POST, requests honored within 48 hours.
- Practice list hygiene. Prune unengaged addresses, suppress hard bounces, and never buy a list. Sending to people who don't want it is the fastest way to torch a reputation.
- Warm up new domains and IPs. Ramp volume gradually. A cold domain blasting 50,000 messages on day one looks exactly like a spammer.
- Segment by engagement. Send more to people who open and click, less to those who don't. Engagement is the signal; feed it.
Bottom line
The mailbox providers finished standardizing the entry requirements. That's the easy, one-time part, and if you're still getting 5.7.515 bounces a year later, fix your DNS today.
But authentication was never the game. It's the cover charge. The inbox goes to senders people actually want to hear from, and there's no DNS record for that. If your deliverability keeps slipping after you "fixed the auth," that's the tell: you passed the bouncer and still can't hold the room.
- deliverability
- DMARC
- SPF
- DKIM
- sender reputation



