MAGY — Microsoft, Apple, Google, Yahoo — are the four mailbox providers that together process the email of approximately 77% of the world's email users. When these four providers aligned on a common set of bulk sender requirements in 2024 and 2025, they created the most significant shift in email compliance requirements since the CAN-SPAM Act of 2003. Understanding exactly what each provider requires, when enforcement began, and how to verify compliance is now foundational knowledge for any commercial email sender. This is the definitive 2026 guide to MAGY compliance — with provider-specific details, verification procedures, and enforcement consequences.
What MAGY Means and Why All Four Providers Now Enforce
The term MAGY (Microsoft, Apple, Google, Yahoo) describes the four dominant global mailbox providers that have aligned on common bulk sender requirements. The convergence of these providers around similar authentication, unsubscribe, and spam rate requirements creates a de facto global email compliance standard that commercial senders cannot ignore — the alternative is degraded deliverability at 77% of all email destinations simultaneously.
The MAGY alignment story: Google and Yahoo announced their bulk sender requirements in October 2023, effective February 2024. The requirements applied to senders sending 5,000+ messages per day to Gmail or Yahoo. Apple followed with similar requirements enforced through iCloud Mail filtering updates. Microsoft announced and began enforcing equivalent requirements starting May 5, 2025, completing the MAGY alignment. The industry shorthand shifted from "Gmail/Yahoo requirements" to "MAGY requirements" as Microsoft's enforcement crystallised the four-provider consensus.
Two years after the initial Gmail/Yahoo enforcement, the 2026 data reveals that approximately 30% of commercial senders are still at least partially non-compliant — particularly with the one-click unsubscribe requirement (the most frequently missing element even among senders who have implemented authentication). Non-compliance is most concentrated among smaller senders who were below the 5,000 message/day threshold at the original announcement but who have since grown above it.
Gmail/Google Requirements (Enforced February 2024)
Google's requirements apply to all senders sending 5,000 or more messages per day to Gmail addresses. The requirements:
1. Email authentication (all senders, not just bulk): SPF or DKIM must pass for every email sent to Gmail. This applies to all senders, not just bulk senders above the 5,000/day threshold. Gmail has been filtering unauthenticated email for years; the 2024 announcement formalised the requirement.
2. DMARC record (bulk senders above 5,000/day): The sending domain must have a published DMARC record. The policy level (p=none, p=quarantine, p=reject) does not matter for the initial requirement — any published DMARC record satisfies the base requirement. The sending domain's DMARC record must be at p=none or higher; no DMARC record at all is non-compliant for bulk senders.
3. From address alignment: The From: header domain must align with either the SPF-authenticated MAIL FROM domain or the DKIM signing domain. This is the DMARC alignment requirement — the From: header must match one of the authenticated domains, not be a different unrelated domain.
4. One-click unsubscribe (bulk senders above 5,000/day): Commercial email must include a one-click unsubscribe mechanism implemented per RFC 8058. This requires two specific email headers: List-Unsubscribe: <https://your-unsub-url> AND List-Unsubscribe-Post: List-Unsubscribe=One-Click. When Gmail receives a one-click unsubscribe action from a recipient, it sends an HTTP POST to the URL in the List-Unsubscribe header. The sender must process this POST and unsubscribe the recipient within 2 business days.
5. Spam complaint rate below 0.10%: Gmail Postmaster Tools spam rate must remain below 0.10%. Senders consistently above this threshold face increasingly aggressive filtering. The operational target is below 0.05% to maintain a safety margin.
# Gmail compliance verification — check outbound email headers: List-Unsubscribe: <https://unsub.brand.com/out?token=TOKEN> List-Unsubscribe-Post: List-Unsubscribe=One-Click # Both headers required — List-Unsubscribe-Post alone is insufficient # List-Unsubscribe without -Post allows mail clients to show unsub button # but Gmail's own one-click handling requires the -Post header # Verify DMARC record published: dig TXT _dmarc.yourdomain.com # Must return a valid DMARC record at any policy level # Verify SPF/DKIM pass in delivered email: # Check Authentication-Results header in a received Gmail message: # dkim=pass header.i=@yourdomain.com (DKIM aligned) # spf=pass (SPF passes) # dmarc=pass (DMARC alignment passes)
Yahoo Mail Requirements (Enforced February 2024)
Yahoo Mail requirements align closely with Gmail's, with enforcement beginning simultaneously in February 2024. Yahoo applies requirements to bulk senders above 5,000 messages/day:
Authentication: SPF and DKIM must both pass. Yahoo requires both — not SPF or DKIM, but both SPF and DKIM. This is slightly stricter than Gmail's "SPF or DKIM" requirement. The From: domain must align with either the SPF MAIL FROM domain or the DKIM signing domain.
DMARC: The sending domain must have a published DMARC record at p=none or higher. Yahoo also has specific handling for DMARC forensic reports (RUF) — Yahoo discontinued sending forensic reports to protect user privacy, but aggregate reports (RUA) continue.
One-click unsubscribe: Identical requirement to Gmail — List-Unsubscribe and List-Unsubscribe-Post headers required, processed within 2 business days.
Spam rate: Below 0.30% (Yahoo's threshold is higher than Gmail's 0.10%). However, maintaining below 0.10% satisfies both providers simultaneously — the more conservative Gmail threshold covers Yahoo compliance.
Yahoo Sender Hub: Yahoo's equivalent of Gmail Postmaster Tools. Register at senders.yahooinc.com. After registration and domain verification, the Insights dashboard shows per-sender delivery rates and complaint data. Unlike Postmaster Tools which is available to any sender, Yahoo Sender Hub requires active registration — passive monitoring is not available.
Yahoo FBL enrollment: Yahoo's Complaint Feedback Loop (CFL) provides per-message complaint reports for enrolled senders. Enrollment at senders.yahooinc.com/feedback-loop. FBL complaint reports must be processed to suppress complainers — Yahoo monitors whether senders are acting on FBL data.
Microsoft Requirements (Enforced May 2025)
Microsoft announced new sender requirements in April 2025 and began enforcement on May 5, 2025 — initially routing non-compliant bulk senders to the Junk folder, with the policy progressing toward rejection for persistent non-compliance. Microsoft's requirements apply to all commercial senders, not just those above a volume threshold:
SPF: The sending IP must be listed in the SPF record for the MAIL FROM domain. Microsoft enforces SPF alignment more strictly than some other providers — SPF softfail (~all) is not treated the same as SPF pass.
DKIM: Email must be DKIM signed, and the signing domain (d=) must match the From: header domain or its organisational parent. Microsoft specifically checks DKIM alignment against the From: domain — signing with a shared ESP domain while using a different From: domain fails Microsoft's alignment check.
DMARC: The From: domain must have a published DMARC record. Microsoft applies enforcement to both Outlook.com (consumer) and Microsoft 365 (enterprise/business) email.
One-click unsubscribe: Required per RFC 8058, same as Gmail and Yahoo.
Valid PTR record: Microsoft has historically required valid PTR (reverse DNS) records for sending IPs — this requirement predates the 2025 announcement and remains in force. The Google DMARC SMTP rejection data documented elsewhere on this site reveals PTR misconfiguration as a major source of Gmail rejections; the same applies at Microsoft.
SNDS enrollment: Microsoft's Smart Network Data Services (SNDS) provides reputation monitoring for sending IPs. Enrollment at postmaster.live.com. SNDS registration is required for full visibility into Microsoft-side reputation signals, including spam trap hit data and complaint rate per IP.
JMRP modernisation: Microsoft JMRP (Junk Mail Reporting Program) has been rebuilt on a new platform as of 2025-2026. Senders already enrolled in the old JMRP need to re-enroll in the new system to continue receiving complaint data. The new JMRP system provides complaint data through the SNDS interface.
Apple iCloud Mail Requirements (Enforcing 2025-2026)
Apple iCloud Mail has been progressively strengthening its sender requirements, with the most significant enforcement changes occurring through 2025-2026 as iOS 26 Apple Intelligence capabilities roll out. Apple has not published a formal "bulk sender requirements" document in the same format as Gmail and Yahoo, but the practical requirements for avoiding spam folder placement at iCloud Mail are consistent with the MAGY standard:
Authentication: SPF and DKIM are required. Apple's filtering places significant weight on DKIM authentication — DKIM failure at Apple Mail generates more aggressive filtering than at some other providers. The DKIM signing domain must align with the From: domain (the same DMARC alignment requirement that applies at Gmail and Yahoo).
DMARC: Apple references DMARC as a factor in its filtering decisions. Publishers and senders who have DMARC at p=quarantine or p=reject tend to receive better inbox placement at Apple Mail than those at p=none or without DMARC.
BIMI support: Apple Mail supports BIMI — both VMC (Verified Mark Certificate) and CMC (Common Mark Certificate) — for verified logo display in the inbox. While BIMI is not formally required, its presence is a positive trust signal at Apple Mail that correlates with better inbox placement.
Engagement signals: Apple's AI filtering (Apple Intelligence, iOS 18/26) evaluates content quality and engagement history. Authentication is necessary but not sufficient for Primary inbox placement at Apple Mail — engagement signals and content quality are increasingly important factors for avoiding the Promotions tab routing that iOS 18.2+ introduced.
One-click unsubscribe: Apple's client-side unsubscribe button in Apple Mail for iOS (introduced in iOS 16) reads the List-Unsubscribe header. The same RFC 8058 List-Unsubscribe-Post header that Gmail requires also enables Apple's one-click unsubscribe presentation.
Requirements That Apply to All Four Providers
The requirements that are consistent across all four MAGY providers, representing the complete minimum compliance standard for commercial email in 2026:
| Requirement | Gmail | Yahoo | Microsoft | Apple |
|---|---|---|---|---|
| SPF pass | Required | Required | Required | Required |
| DKIM pass, aligned with From: | Required | Required | Required | Required |
| DMARC record (any policy) | Required (bulk) | Required (bulk) | Required | Recommended |
| One-click unsubscribe (RFC 8058) | Required (bulk) | Required (bulk) | Required | Supported |
| Valid PTR record | Required | Required | Required | Required |
| Spam rate below 0.10% | Required | 0.30% threshold | Enforced | Enforced |
| TLS for SMTP | Required | Required | Required | Required |
Verifying Your Compliance: Provider-by-Provider Checklist
▶ MAGY Compliance Verification Checklist
dig TXT _dmarc.yourdomain.com. A valid DMARC record must be returned. Minimum: v=DMARC1; p=none; rua=mailto:reports@yourdomain.com. Any policy level satisfies the requirement; p=reject provides maximum protection.dig -x [IP]. The PTR record must return a hostname. Then run dig A [hostname] — the result must include the original IP. Both directions must match (FCrDNS validation).What Happens When You Fail: Enforcement Consequences
Each MAGY provider enforces non-compliance differently, with different severity and different remediation paths:
Gmail enforcement: Graduated. Authentication failure → increased spam filter scrutiny → spam folder placement → eventual rejection for repeated non-compliance. Spam rate violation → immediate spam folder placement → warning in Postmaster Tools → potential sending block for persistent violation. Google provided a grace period in Q1 2024 before full enforcement; as of 2026, full enforcement is in effect for all senders above the threshold.
Yahoo enforcement: More aggressive than Gmail for authentication failures. Missing DKIM for bulk senders → immediate spam folder routing. SPF failure → bulk rejection. Yahoo has less tolerance for authentication gaps than Gmail in practice, despite similar formal requirements.
Microsoft enforcement: As of May 5, 2025, non-compliant bulk senders were initially routed to Junk. Microsoft announced progression toward outright rejection for persistent non-compliance. The Microsoft 365 email platform additionally applies Copilot-driven filtering that creates further visibility challenges beyond the authentication compliance layer.
Apple iCloud: AI-driven filtering without formal binary enforcement. Non-authenticated email faces significantly higher spam probability scores. The enforcement is probabilistic and content-dependent rather than rule-based like Gmail's and Yahoo's — making it harder to diagnose but equally consequential for inbox placement.
MAGY compliance in 2026 is binary from a business perspective: compliant programmes deliver to 77% of the world's email users at full efficiency; non-compliant programmes face degraded delivery to 77% of the world's email users. The compliance requirements are not technically difficult — they are configuration tasks that most email operations teams can complete in a day or two. The only remaining non-compliance is failure to prioritise the configuration work. In 2026, that failure has measurable, ongoing commercial costs that compound every day compliance is delayed.