Gmail has announced the next phase of its email authentication enforcement, scheduled for November 2025. This marks a significant milestone in Google’s ongoing effort to reduce spam, strengthen trust in the inbox, and encourage responsible sending practices across the industry.
This update follows the original Gmail and Yahoo authentication requirements revealed in October 2023, with phased enforcement beginning in February 2024. Since then, Gmail has gradually applied stricter controls on unauthenticated and non-compliant mail. The new phase will introduce stronger bounce handling and clearer rejection messages for senders who have not implemented core authentication standards.
So, what is changing? Gmail will begin applying more consistent delivery interruptions, including temporary rate-limiting and, where issues persist, permanent failures. Messages that lack authentication through SPF or DKIM, or that use domains without a DMARC record and enforcement policy, will face disruption.
Google has also updated its bounce messages to highlight the reason for non-delivery more clearly. For example:
421 | 4.7.26
This email has been rate-limited because it is unauthenticated. Gmail requires all senders to authenticate with SPF or DKIM.
421 | 4.7.40
Rate-limited because the sending domain does not have a DMARC policy. Gmail requires all bulk senders to publish a DMARC record with a policy.
These enhanced responses are designed to remove ambiguity and guide senders toward corrective action. The message is direct: proper authentication is no longer optional. SPF or DKIM alone is not enough, and DMARC must reflect a policy that protects recipients, not just reports activity.
Organisations should take this opportunity to review their DNS records, confirm alignment across sending domains, and ensure DMARC policies meet modern standards. Brands that take proactive steps now will safeguard deliverability and demonstrate respect for user trust and inbox integrity.
For additional context, revisit our earlier post on the Gmail and Yahoo requirements.
Gmail’s updated bounce code reference page can be found here.
What steps has your team taken to prepare for these changes, and do you need help reviewing your authentication strategy to ensure continued inbox success?
