The world is not ready for Google & Yahoo’s bulk sending requirements: Now is the time to take action

In October 2023, Google and Yahoo jointly announced new requirements to help deliver “a safer, less spammy inbox” for users. 

The requirements will go into place on February 1, 2024 and are specific to bulk senders – those that send over 5,000 emails daily. 

What are the new Google and Yahoo requirements for bulk senders?

The new requirements for bulk senders cover three core tenants: 

  1. Authenticate the domains you send from
  2. Make it easy for people to stop receiving your emails
  3. Don’t spam

Sounds straightforward enough. But, the requirements for domain authentication are the most complex of the three, as there are multiple sub-requirements for users, including:

  1. Publishing a DMARC policy for each domain that sends mail with at least a policy of “none”.
  2. Setting up SPF and DKIM for each domain that sends mail. Note that both SPF and DKIM are required, unlike with DMARC which only requires one or the other.
  3. Aligning the domain in the sender’s `From:` header with either the SPF domain or the DKIM domain (for direct mail only).
  4. Ensuring that sending domains or IPs have valid forward and reverse DNS records using a Forward Confirmed DNS (FcrDNS). You can read more about FCrDNS here.

See more on the new requirements in Google’s support article.

Assessing readiness on a global scale with BIMI Radar

At Red Sift, we have been following the world’s readiness for DMARC for many years using our BIMI Radar. This tool looks at over 70,000,000 domains around the world to better understand trends in the adoption of DMARC and Brand Indicators for Message Identification (BIMI) across the Internet.

BIMI was introduced in 2021 and allows businesses to show their brand logo in the avatar slot of emails they send. BIMI can only be implemented and honored for organizations that have a DMARC enforcement policy of quarantine or reject at the root level and for all subdomains.

DMARC is a protocol that allows domain owners to obtain visibility to email services that are sending on their behalf, and also to block unauthorized senders. DMARC is the only protocol that can prevent illegitimate services from sending on behalf of a domain once that domain is at a policy of quarantine or reject.

For Google and Yahoo’s bulk sending requirements, BIMI Radar provides an interesting vantage point. Since it is only looking at static DNS records, it does not give complete visibility into which domains would fully pass Google and Yahoo’s requirements. But, it does give us an idea of who has not published DMARC records and therefore will definitely fail come February 2024. 

In examining this question of who in the world is not ready for Google and Yahoo’s new requirements, interesting trends start to emerge.

Please note all data points referenced in this article are from December 2023. 

91.38% of domains globally fail new requirements

At the highest level, the world does not look ready for the new bulk-sending requirements. 

When examining all 70,000,000 domains globally, 91.38% of email-sending domains have no DMARC record and therefore would fail the new Google and Yahoo requirements! 

But, given the variety of organizations and domains that are surfaced in BIMI Radar, and that not all domains included are email sending domains, it is important to go a layer deeper to try to identify those most likely to be impacted by the bulk sending requirements.

33% of global enterprises have no DMARC record

If we use publically traded companies as a proxy for large enterprises most likely to be bulk senders, a different picture begins to emerge.

Looking at the 2,380 corresponding domains we see around the globe, 33% have no DMARC record in place. 

If we investigate this on a per-country basis, a more optimistic picture starts to emerge. In the US, France and the UK for example, only 10-14% of organizations will definitively fail the new requirements.

Conversely, in Korea and Japan, 50% of large enterprises will fail. 

Country% that will fail Google and Yahoo Requirements
United States6.52%
United Kingdom14.58%

To see other countries, visit BIMI Radar.

40% of global enterprises likely pass new requirements

Checking which sending domains pass the requirements fully requires capturing an email in real-time to ensure that  FCrDNS is configured correctly, that there is DKIM or SPF alignment, and that the DKIM key is valid. More involved checks are also required for spam rates. Therefore on a global scale, it is impossible to get true readiness statistics for all senders that will definitively pass. 

But, we can use those that have previously deployed or could deploy BIMI as an approximation of those that are likely to pass the new requirements. This is because BIMI requires DMARC enforcement, SPF and DKIM configuration, and SPF or DKIM alignment. While this does not account for FCrDNS, it is reasonable to assume those that are BIMI ready have sending domains and IPs that have valid forward and reverse DNS records.

Therefore, using BIMI readiness as a proxy, we can see where in the world large enterprises are most likely to be ready for Google and Yahoo’s new requirements. 

Globally 39.87% of large enterprises would likely pass the new requirements. We see India and the Netherlands rising in overall readiness from this view, while Korea has a surprisingly low 2.02% of companies likely passing the new requirements.

Country% that would likely pass Google and Yahoo Requirements
United States75%
United Kingdom58.33%

To see other countries, visit BIMI Radar.

Using market indices to assess readiness

We can also get a proxy for readiness by examining different market indexes. This data provides interesting insight into the preparedness of the largest enterprises in different markets around the world.

We continue to see enterprises in the US and France being the most prepared. The larger indices in Europe and the UK represent those companies least prepared. 

Index% that will fail Google and Yahoo Requirements
CAC 40 (France)7.50%
S&P 500 (US)8.8%
Fortune 500 (US)9.22%
DAX (Germany)10.00%
FTSE 100 (UK)15.00%
Euronext 15018.92%
FTSE 250 (UK)21.31%

Where do we go from here?

Given that at the time of this blog’s publishing, we are just under a month away from the Google and Yahoo regulations for bulk senders going live, the most important takeaway from our findings is action. 

Businesses that send over 5,000 emails a day (or so) need to not only ensure that they have DMARC record in place, but that they SPF and DKIM in place, that there is SPF and DKIM alignment and that FcrDNS is configured correctly for every domain they send mail from. 

While BIMI Radar and other static tools are a great first step to make sure that DMARC records are in place, organizations should be using dynamic tools like Red Sift’s Investigate to make sure that the other criteria are met. 

With Red Sift Investigate, you can see if your email-sending domain will meet the new requirements in under a minute.

Check your readiness now

At Red Sift, we foresee these requirements from Google and Yahoo to be just the first step in ensuring that domains are fully authenticated. We foresee DMARC enforcement being the next logical step to the February 2024 requirements as those that meet the new requirements are essentially ready for DMARC enforcement. 

If you are looking to reach DMARC enforcement make sure to check out the award-winning Red Sift OnDMARC.


Rahul Powar

10 Jan. 2024



Recent Posts


Your guide to the SubdoMailing campaign

Billy McDiarmid

A significant number of well-known organizations have been attacked as part of what’s being called the SubdoMailing (Subdo) campaign that has been going on since at least 2022, research by Guardio Labs has revealed.   The scale of execution of this attack is staggering, and the impact is hugely damaging, but the goal is simple…

Read more

A confident deployment guide for TLS and PKI

Ivan Ristic

Our journey to better network transport security has been quite the ride, filled with ups and downs. Back in the ’90s, when SSL and the Netscape browser were just taking off, things were pretty hard. We were dealing with weak encryption, export restrictions on cryptography, and computers that couldn’t keep up. But over the…

Read more

Red Sift OnDMARC: The best Agari alternative for DMARC

Francesca Runger-Field

Looking for an alternative to Agari DMARC Protection that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place.  Here is your definitive comparison guide for Agari and Red Sift OnDMARC – one of the most popular Agari alternatives on the market.  Red Sift OnDMARC overview Red…

Read more

Red Sift OnDMARC: The best Valimail alternative for DMARC

Francesca Runger-Field

Looking for an alternative to Valimail that helps you safely and efficiently stop unauthorized use of your email-sending domains? You’re in the right place.  Here is your definitive comparison guide for Valimail and Red Sift OnDMARC – one of the most popular Valimai alternatives on the market.  Red Sift OnDMARC overview Red Sift OnDMARC…

Read more