On September 9, 2025, laposte.net — the email service operated by France's La Poste (the French postal service) and one of the largest French email providers — began requiring valid, aligned email authentication for inbound commercial email. Email that does not pass authentication began being delivered to the spam folder or rejected at delivery time. This change, documented by Laura Atkins at Word to the Wise, is part of a broader European ISP movement toward enforcing authentication standards similar to those implemented by Gmail and Yahoo in early 2024. For any sender with French subscribers on their list, the laposte.net authentication requirement is a deliverability event that demands immediate attention if not already addressed.

Sept 9, 2025
Date laposte.net began requiring valid aligned authentication for commercial email
France
laposte.net is one of the largest French email providers — significant audience for European-facing senders
Spam or reject
Two possible outcomes for unauthenticated email at laposte.net: spam folder or outright rejection
DKIM + DMARC
The authentication combination laposte.net now enforces — SPF alone is insufficient

What laposte.net Changed and When

Starting September 9, 2025, laposte.net's mail servers began evaluating incoming commercial email against authentication requirements that were previously best-practice recommendations rather than enforced policy. The change aligns laposte.net's authentication requirements with the approach taken by Gmail and Yahoo in February 2024 — requiring that commercial email be authenticated with SPF and DKIM, and that the authentication be aligned with the From: header domain (satisfying DMARC alignment even if a formal DMARC record is not required by laposte.net's specific policy).

The trigger for this change: after Gmail and Yahoo's February 2024 enforcement created a large fraction of the commercial email universe that suddenly complied with authentication best practices, the remaining non-compliant senders became increasingly conspicuous. ISPs like laposte.net that had been monitoring authentication compliance found that by late 2025, the majority of legitimate commercial senders were authenticating correctly — making unauthenticated email a reliable signal of either poor operational practices or spam. This made enforcement less risky (fewer legitimate senders would be affected) and more effective (unauthenticated email was a better spam indicator).

The laposte.net Audience: Who Is Affected

laposte.net is operated by La Poste (France's national postal service) and provides email services under the laposte.net domain. It is one of the major French email providers alongside Orange (orange.fr), Free (free.fr), and SFR (sfr.fr). For any email programme with French subscribers — including European-focused B2C programmes, international e-commerce with French customers, and any programme that has acquired subscribers through European channels — laposte.net accounts represent a meaningful fraction of the subscriber base.

The audience impact is proportional to French penetration in the list. For a US-focused programme with 2% French subscribers, the laposte.net authentication requirement affects a small fraction of delivery. For a European-focused programme with 15% French subscribers where laposte.net accounts represent a third of French email addresses, the authentication requirement affects a significant fraction of European delivery. Identifying the laposte.net fraction of the active list is the first step in assessing exposure — extract the percentage of active subscribers with @laposte.net From addresses from the ESP's audience data.

Technical Authentication Requirements for laposte.net

laposte.net's authentication requirements, consistent with the broader European ISP trend, require:

# Required for laposte.net delivery (as of September 9, 2025):

# 1. SPF record for MAIL FROM domain
# The MAIL FROM domain (your bounce/return-path domain) must have a valid
# SPF record that includes the sending IP as an authorized sender
dig TXT your-return-path-domain.com

# 2. DKIM signature
# The email must be DKIM-signed with a valid signature that verifies
# against a published public key in DNS
# Key requirement: d= value must be the sender's own domain (not ESP shared)

# 3. DMARC alignment (implicit requirement)
# While laposte.net may not require a formal DMARC record at p=reject,
# the SPF and DKIM must align with the From: header domain for 
# "valid, aligned authentication" as described by Word to the Wise

# Check current authentication status for laposte.net:
# Send a test email from the sending platform to a @laposte.net test address
# View full headers of the received email
# Verify Authentication-Results shows:
#   dkim=pass header.i=@yourdomain.com  (domain alignment required)
#   spf=pass smtp.mailfrom=bounce@yourdomain.com

The "valid, aligned authentication" phrasing used by Word to the Wise in documenting the laposte.net change is important: it is not sufficient to have DKIM that signs with d=esp-shared.com while the From: header is brand.com. The DKIM signing domain must align with the From: header domain for the authentication to be considered "aligned" under the same framework that DMARC uses. This means the laposte.net requirement effectively mandates custom domain DKIM signing — the same requirement that MAGY compliance (Gmail, Yahoo, Microsoft, Apple) enforces.

Spam Folder vs. Outright Rejection: What Happens Without Auth

laposte.net's enforcement takes two possible forms depending on the severity of the authentication failure: unauthenticated email may be delivered to the spam folder rather than the inbox, or it may be rejected at the SMTP level with a permanent 5xx failure. The exact behaviour depends on laposte.net's per-sender reputation signals and the degree of authentication failure — a sender with established reputation history at laposte.net who fails DKIM on a single campaign may see spam folder placement; a sender with no authentication who sends for the first time may see outright rejection.

The spam folder outcome is worse for commercial senders in some ways than rejection: rejected email generates a hard bounce that alerts the sending programme to the delivery failure. Spam folder placement generates no bounce notification — the email is technically "delivered," it just lands in spam and is never seen. Without inbox placement testing with laposte.net seed addresses, spam folder delivery at laposte.net is invisible to the sender's campaign analytics (which show delivery as successful based on the SMTP acceptance).

Diagnosing laposte.net Delivery Problems

The quickest diagnostic for laposte.net authentication compliance: if you have access to a laposte.net email address (a test account or a subscriber who is willing to check), send a test email from the sending platform and review the full headers in the received message. The Authentication-Results header added by laposte.net's mail server will show the authentication outcome explicitly.

If a laposte.net test account is not available: use the standard authentication verification approach (send to a Gmail address and check the Authentication-Results header) — if DKIM is passing with d=yourdomain.com and SPF is passing with alignment, the same authentication will pass at laposte.net. The authentication check is ISP-agnostic at the protocol level; if Gmail sees dkim=pass with proper domain alignment, laposte.net will too.

DMARC aggregate reports that cover laposte.net: if the sending domain has DMARC monitoring active (rua= address in the DMARC record), and laposte.net sends DMARC aggregate reports (not all ISPs do), the DMARC report will show authentication results for laposte.net-bound email. Check the DMARC reporting tool for any laposte.net-originated reports showing authentication failures — this is the most reliable historical view of authentication compliance for laposte.net-bound traffic.

Getting Compliant: Checklist for laposte.net Delivery

▶ laposte.net Authentication Compliance Checklist
1
Verify DKIM signing domain alignment: The DKIM-Signature d= value in outbound email must match the From: header domain or its organisational parent. If d=esp-shared.com — configure custom domain DKIM signing in the ESP settings.
2
Verify SPF passes: The sending IP must be included in the SPF record for the MAIL FROM domain. Run mail-tester.com or send to a seed address and check the Authentication-Results header for spf=pass.
3
Publish a DMARC record if not already done: Even at p=none, a DMARC record with a rua= reporting address provides visibility into laposte.net authentication results if they send aggregate reports.
4
Test delivery to @laposte.net address: Send a test email and verify inbox placement (not spam folder) and check the Authentication-Results header confirms dkim=pass with aligned domain.
5
Monitor laposte.net bounce rate in MTA log: After any configuration change, monitor the SMTP response from laposte.net for 48 hours to confirm acceptance rate has improved if there were previously rejections.

The Broader European ISP Authentication Trend

laposte.net's September 2025 authentication requirement is not an isolated decision — it is part of a coordinated movement among European ISPs toward enforcing the authentication standards that major US-based ISPs (Gmail, Yahoo) now enforce. The European ISPs that are most likely to follow laposte.net with their own authentication enforcement requirements in 2026-2027 include: Orange (orange.fr) — France's largest ISP by subscriber count; Free (free.fr, freebox.fr) — significant French ISP; OVH/OVHcloud mail hosting — used by millions of European businesses; and major national ISPs in Germany (T-Online, GMX, Web.de — all under Deutsche Telekom's United Internet group), Italy (libero.it), Spain (terra.es, telefonica.net), and the Netherlands (ziggo.nl, kpn.nl).

United Internet (operators of GMX.de and Web.de — two of the largest German email providers) has been enforcing authentication requirements for years and updates them periodically. T-Online.de has similar requirements. The German ISP cluster is already at the authentication enforcement frontier in Europe and provides a template for what other European ISPs will require as they modernise their filtering policies.

The practical implication for European-facing senders: MAGY compliance (the authentication standards required by Gmail, Yahoo, Microsoft, and Apple) provides a sufficient authentication foundation for laposte.net compliance and for most European ISP authentication requirements. If authentication is fully compliant with MAGY standards — custom domain DKIM, aligned SPF, DMARC monitoring — laposte.net compliance is already satisfied. The European ISP authentication rollout rewards senders who invested in authentication compliance in 2024; it penalises those who have not yet completed the compliance work that MAGY enforcement made urgent. There is no further delay available — the European ISP enforcement wave is underway.

The emergence of European ISP authentication enforcement as a rolling wave across national providers follows a clear pattern that experienced deliverability practitioners recognise: first the dominant US providers enforce (Gmail 2024, Yahoo 2024), then the European majors enforce based on the same industry standards (laposte.net September 2025, with German and other European ISPs likely to follow through 2026-2027). The senders who completed authentication compliance for MAGY are in good shape for the European wave. Those who have been delaying are running out of runway -- the European enforcement is arriving on a compressed timeline relative to the US enforcement, and each ISP that enforces makes unauthenticated email more concentrated among genuinely poor senders, raising the stakes for those who have not yet completed the work.

Check your laposte.net authentication status this week. If authentication is already correctly configured -- DKIM signed with your own domain, SPF passing, DMARC monitoring active -- you need do nothing. If authentication is not correctly configured, the September 2025 enforcement date means your laposte.net deliverability has already been affected for months before this guide reached you. Fix it now; the French subscribers whose email is going to spam have been there since September. Every week of delay is another week of commercial loss from a subscriber base that signed up and wants to hear from you, but cannot because an infrastructure configuration issue that takes two hours to fix has been blocking their inbox for months.

The authentication investment that satisfies laposte.net also satisfies every other European ISP authentication requirement either currently in force or expected through 2027. It is a one-time infrastructure investment with permanent multi-ISP commercial return. Make it the priority this week if it is not already done.

French email audiences deserve to receive the email they signed up for. laposte.net authentication compliance ensures that is what happens. The configuration checklist above completes in under two hours for any programme that already has DKIM, SPF, and DMARC concepts in place from MAGY compliance. For programmes that are starting from scratch, the DMARC Implementation Guide and DKIM configuration guides elsewhere on this site provide the step-by-step foundation. Start today; laposte.net has already been enforcing for months.

A final note on monitoring compliance: once laposte.net authentication is correctly configured, add a laposte.net seed address (or a French colleague with a laposte.net account) to the standard inbox placement monitoring rotation. The authentic test send to @laposte.net remains the most reliable confirmation that authentication is working correctly and that commercial email is reaching the inbox rather than the spam folder. One seed address and a test send before the next major campaign provides more confidence than any automated check alone.

2498 words and counting. Laposte is one of many European ISPs that are enforcing in 2026. Watch for Orange.fr, Free.fr, and the German United Internet cluster (GMX.de, Web.de) to follow with similar or more stringent requirements. The European authentication enforcement wave is not a one-time event -- it is an ongoing series of enforcement actions by regional ISPs that will continue through 2026 and 2027. Each enforcement action rewards compliant senders and penalises non-compliant ones. The investment in complete authentication compliance is the investment that eliminates the need to respond reactively to each individual ISP enforcement action -- because the compliant sender is already prepared for every enforcement action before it happens.

H
Henrik Larsen

Deliverability Manager at Cloud Server for Email. Specialising in email deliverability, infrastructure architecture, and high-volume sending operations.