Why your email suddenly stopped arriving — and what Google, Microsoft and Yahoo now expect from you
For twenty years, sending email was something a business set up once and forgot. That era ended in 2024. The world’s largest mailbox providers — Google, Yahoo, and as of May 2025, Microsoft — now enforce technical requirements on senders. If your domain doesn’t meet them, your messages don’t go to the spam folder as a worst case. Increasingly, they are rejected outright.
If quotes, invoices or booking confirmations from your company have started disappearing, this is one of the first places to look.
What changed
In February 2024, Google and Yahoo introduced mandatory authentication requirements for anyone sending bulk volumes to their users. Microsoft followed in May 2025 for Outlook.com, Hotmail and Live addresses — and Microsoft went further: messages that fail authentication are now rejected with a permanent error (550 5.7.515), not quietly filtered.
The headline thresholds mention “5,000 messages per day”, which leads many small businesses to assume the rules don’t apply to them. That’s a misreading, for two reasons. First, the providers apply the same signals to all senders when scoring reputation — the threshold only determines when rejection is guaranteed rather than probabilistic. Second, your newsletter tool, your invoicing system and your booking platform send on your domain’s behalf, and their aggregate volume counts towards your domain’s reputation whether you track it or not.
The three records that decide your fate
The requirements come down to three DNS-level standards:
SPF (Sender Policy Framework) lists which servers are allowed to send email for your domain. Every SaaS tool you’ve connected — CRM, accounting software, marketing platform — needs to be authorised here, and the record has hard technical limits (a maximum of 10 DNS lookups) that are easy to break as tools accumulate.
DKIM (DomainKeys Identified Mail) is a cryptographic signature proving a message wasn’t altered in transit and genuinely comes from your domain. Each sending service needs its own key, published in your DNS.
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties the two together. It tells receiving servers what to do with mail that fails authentication — and, critically, it tells you what’s happening, through aggregate reports that receivers send back to an address you specify.
All three providers now require at minimum a published DMARC record. A policy of p=none technically satisfies the requirement, but it offers no protection against impersonation — and providers are increasingly sceptical of domains that stay there indefinitely.
Why this is harder than it sounds
The individual records are short text strings. The difficulty is that they describe a moving system. A typical small business sends email through five to ten different services without realising it: the mail platform itself, an invoicing tool, a support desk, a newsletter service, an e-commerce platform, a calendar tool. Each one must be aligned in SPF or DKIM. Miss one, and that tool’s mail silently fails authentication. Add a new tool without updating DNS, and the same thing happens.
This is also why the common pattern — pay a consultant once, fix the records, move on — works for about six months. The records were correct on the day they were written. The business kept changing around them.
What to do this week
- Check where you stand. Run your domain through a checker and look at SPF, DKIM and DMARC status specifically — a free Merula account covers one domain and runs its first checks within minutes of signup.
- Inventory your senders. List every service that sends email with your domain in the From address. Ask each department — marketing tools are the most commonly forgotten.
- Publish DMARC with reporting enabled. Even at
p=none, the aggregate reports show you exactly who is sending as your domain — legitimate tools you forgot, and impersonators you didn’t know about. - Move towards enforcement. Once reports confirm all legitimate senders authenticate correctly, tighten the policy to
p=quarantineand thenp=reject. That’s the point at which spoofed mail in your name actually gets blocked.
The businesses that handle this well treat it like bookkeeping: not a one-time project, but a small, continuous discipline. The ones that don’t tend to find out from a customer asking why the invoice never arrived.
Merula watches your domain’s email authentication continuously and tells you when something needs attention — before your customers notice. Merula is in development and launches after summer 2026.