---
title: "Google, Yahoo & Microsoft DMARC Requirements"
description: "Google, Yahoo, and Microsoft now require DMARC for bulk senders — including Gmail's 2025 SMTP rejection escalation. See the full compliance checklist."
publishedAt: 2026-04-24
tags: ["dmarc", "compliance", "bulk-sender", "gmail", "yahoo", "microsoft", "email-authentication"]
faq:
  - question: "What does it mean to be DMARC compliant for Google, Yahoo, and Microsoft?"
    answer: "DMARC compliant means the domain in the From header is aligned with either SPF or DKIM (both, for Microsoft), the domain publishes a DMARC record of at least p=none, sending IPs have valid forward and reverse DNS, and — for bulk marketing mail — RFC 8058 one-click unsubscribe is in place. Compliance with these three providers is a deliverability floor, not a security posture."
  - question: "How do I comply with DMARC?"
    answer: "Publish SPF under the 10-DNS-lookup limit, add DKIM with 2048-bit keys per sending service, and publish a DMARC record with at minimum v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. Align the From header with SPF or DKIM, enforce TLS on SMTP, and add one-click unsubscribe headers on marketing mail. Verify with a DMARC checker before you send at scale."
  - question: "Does p=none satisfy Google, Yahoo, and Microsoft's bulk sender requirements?"
    answer: "Yes, today. All three providers accept p=none as the minimum policy level, as long as DMARC alignment passes and a valid record is present. Google has stated that alignment with both SPF and DKIM will likely become a requirement in the future, so p=quarantine is the direction the industry is moving."
  - question: "What is Gmail's 5,000-emails-per-day threshold?"
    answer: "Gmail classifies any sender that sends close to 5,000 messages or more to personal Gmail accounts within a 24-hour rolling window as a bulk sender. The count is per primary organizational domain and subdomains roll up. Bulk status is permanent once triggered, and domains that hadn't crossed 5,000/day to Gmail since January 1, 2024 are fast-tracked through enforcement."
  - question: "What does SMTP error 550 5.7.26 mean after November 2025?"
    answer: "550 5.7.26 is Gmail's permanent rejection for unauthenticated mail. There are three documented variants: the sender is not authenticated (neither SPF nor DKIM passes), SPF hit a hard -all fail, or the sender domain's DMARC policy rejected the message. After Gmail's November 2025 escalation, these are hard rejections, not spam-folder placements."
  - question: "How is Microsoft's May 2025 enforcement different from Google's?"
    answer: "Microsoft requires both SPF and DKIM to pass individually and then align via DMARC — stricter than Gmail, which accepts either SPF or DKIM alignment. Microsoft also skipped the 4xx-deferral phase and went straight to permanent 5xx rejections on May 5, 2025 with code 550 5.7.515. The scope is Outlook.com consumer domains only; Exchange Online tenants are out of scope for this specific rule."
---
# Google, Yahoo, and Microsoft DMARC Requirements: The 2026 Bulk Sender Compliance Guide

30.4% of the 5.49 million domains we scanned publish a DMARC record, but only
6.0% enforce at `p=reject`. That compliance gap is why Google, Yahoo, and
Microsoft's bulk-sender rules are now biting — and why Gmail started returning
SMTP-level rejections in November 2025.

This post walks through the Google, Yahoo, and Microsoft DMARC requirements as
they stand in April 2026: the Gmail November 2025 enforcement ramp, Yahoo's
Sender Hub posture after the Insights launch, Microsoft's May 2025 hard
cutover, and a side-by-side comparison table so you can see the three
providers' bars next to each other. You will also get a practitioner-level
view of what "compliant" actually tests, two real failure modes ESPs have
documented, and a copy-paste 2026 checklist.

The three providers now share one playbook:
[DMARC](/learn/dmarc/) on the From-header domain, SPF
([RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208)) and DKIM
([RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)) both published,
and hygiene on PTR, TLS, and unsubscribe. The gap between "record published"
and "record actually protecting delivery" is where most senders get stuck.

<Figure
  src="/images/blog/google-yahoo-dmarc-requirements/google-yahoo-dmarc-requirements_hero.svg"
  alt="Google, Yahoo, and Microsoft DMARC bulk-sender requirements 2026 — three-provider compliance overview"
  caption="Google, Yahoo, and Microsoft now enforce the same DMARC floor through three different surfaces."
/>

## Why the bulk-sender compliance gap matters

DMARC is defined in [RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489).
The protocol has been stable since 2015. What changed is enforcement. In our
most recent scan of 5,499,028 domains from the Tranco list, 1,670,975 (30.4%)
publish a DMARC record, 702,000 (12.8%) enforce at `p=quarantine` or
`p=reject`, and only 327,959 (6.0%) reach `p=reject`. Source:
[DMARCguard State of Email Authentication 2026](/research/email-authentication-2026/).

That 30.4% headline number hides the real operational risk. A domain at
`p=none` technically satisfies the letter of Google, Yahoo, and Microsoft's
bulk-sender rules, but it offers zero protection against spoofing and, as of
2026, zero margin for DNS drift. A single unaligned DKIM selector on one
sending service, or an SPF record that quietly pushes past the 10-DNS-lookup
limit, now triggers a 5xx at Gmail rather than a spam-folder placement.

We deliberately avoid the "DMARC compliance interest is up 200% quarter over
quarter" framing you may have seen elsewhere. The honest 90-day trend is
roughly +57% quarter over quarter on that search term, and the December 2025
spike was news-reactive to Gmail's escalation, not a durable shift. The story
worth telling is the gap itself: ~58% of domains that publish DMARC are parked
at `p=none`, and the three big providers have now set enforcement thresholds
that punish any configuration drift on top of that.

## What Gmail's November 2025 change actually did

Google's November 2025 move was an inline update to the Email Sender
Guidelines FAQ, not a standalone blog post. The new line reads: "Starting
November 2025, Gmail is ramping up its enforcement on non-compliant traffic.
Messages that fail to meet the email sender requirements will experience
disruptions, including temporary and permanent rejections." Source:
[Google Workspace Admin Help — Email sender guidelines FAQ](https://support.google.com/a/answer/14229414).

The underlying rules did not change. SPF, DKIM, DMARC alignment, one-click
unsubscribe, a spam rate below 0.3%, valid PTR records, TLS on SMTP, and RFC
5322 header compliance have all been in force since February 2024. What
changed is the share of non-compliant mail that gets hard-rejected versus
quietly spam-foldered.

### The 4.7.x-to-5.7.x transition is the real escalation

Before November 2025, most authentication failures earned a 4.7.x temporary
deferral. After the ramp, senders are now seeing the permanent 5.7.x
counterparts in their SMTP logs. These are the codes documented on the Gmail
SMTP errors reference page:

<DataTable caption="Gmail SMTP error codes after the November 2025 enforcement ramp">

| SMTP code    | Meaning                                                        |
| ------------ | -------------------------------------------------------------- |
| `421 4.7.26` | Rate-limited: unauthenticated (SPF and DKIM both missing/fail) |
| `550 5.7.26` | Permanent reject: unauthenticated, or SPF hard-fail, or DMARC  |
| `421 4.7.32` | Rate-limited: From-header not aligned with SPF or DKIM         |
| `550 5.7.25` | Permanent reject: missing PTR / rDNS                           |
| `550 5.7.27` | Permanent reject: SPF permanent fail                           |
| `550 5.7.29` | Permanent reject: message not sent over TLS                    |
| `550 5.7.30` | Permanent reject: DKIM permanent fail                          |
| `550 5.7.40` | Permanent reject: bulk sender has no DMARC record              |

</DataTable>

The widely-seen `550 5.7.26` has three documented variants on the Gmail SMTP
errors page — unauthenticated, SPF hard-fail, and DMARC policy. When you see
it in a bounce log, the remediation depends on which variant your bounce
string contains, so read the full message rather than the code alone.

### The 5,000/day threshold is permanent

Gmail defines a bulk sender as any domain that sends close to 5,000 messages
or more to personal Gmail accounts within a rolling 24-hour window. The
threshold is per primary organizational domain, subdomains roll up to the
parent, and bulk status is permanent once triggered — it does not expire if
your volume drops back below the line.

A second clause matters for any domain you spin up in 2026. Google defines a
"new domain" as any domain that hadn't crossed 5,000/day to personal Gmail
since January 1, 2024, and fast-tracks new domains through the enforcement
progression. A fresh sending subdomain inherits none of the 2024 grace period.

### Postmaster Tools v2 is a binary compliance verdict

In October 2025, Google retired the legacy Postmaster Tools web interface and
the Domain and IP Reputation dashboards that went with it. In their place
sits Postmaster Tools v2 with a Compliance status dashboard that uses a
binary Pass/Fail model. Every requirement is either "Compliant" or "Needs
work." There is no middle reading, no yellow-light reputation bar, and no
protective moat from historical reputation.

Google splits the dashboard into two tiers: all-senders checks (SPF or DKIM,
DNS records, message formatting, encryption, user-reported spam rate) and
bulk-only checks (DMARC, one-click unsubscribe, honor-unsubscribe). Compliance
status changes take up to 7 days to reflect in the dashboard after you fix
the underlying issue, and the spam-rate target is `<0.1%` with a hard ceiling
at 0.3%. Senders who breach 0.3% lose access to mitigation support until
their rate stays below 0.3% for seven consecutive days.

## Yahoo's 2026 posture

Yahoo has not re-versioned its Sender Requirements page for 2026 — the body
still reads "2024 Email Sender Requirements" with a 2026 copyright footer.
The operational changes happened around the pages, not in them: the Insights
dashboard launched in October 2025, and AT&T-family domains (att.net,
sbcglobal.net, bellsouth.net, and ten others) were consolidated into Yahoo
routing in June 2025.

### Yahoo does not publish a volume threshold

Unlike Gmail's 5,000/day line, Yahoo explicitly refuses to publish a numeric
threshold: "a 'bulk' sender is classified as an email sender sending a
significant volume of mail. We will not specify a volume threshold." Source:
[Yahoo Sender Hub FAQs](https://senders.yahooinc.com/faqs/). Classification
happens at the domain and content level.

### Bulk requirements: both SPF and DKIM, DMARC p=none floor

Yahoo's bulk-sender rules require both SPF and DKIM (not "either"), a DMARC
record of at least `p=none` that passes, and From-header alignment with either
the SPF or DKIM domain. Relaxed alignment is accepted. DKIM keys must be at
least 1024 bits, with 2048 bits recommended. RFC 8058 one-click unsubscribe
is "highly recommended" with `mailto:` acceptable, plus a visible body link
honored within 2 days. Source:
[Yahoo Sender Hub — Sender Requirements](https://senders.yahooinc.com/best-practices/).

One Yahoo-specific edge: multi-signature DKIM. If a message has multiple
DMARC-aligned signatures, all of them must pass, or Yahoo will not guarantee
DMARC alignment. Senders using forwarding tools that re-sign in transit need
to verify all signatures resolve.

### Insights exposes 0.1% warning, 0.3% enforcement

Yahoo's Insights dashboard launched on October 27, 2025. It surfaces Spam
Complaint Rate and Delivered Messages per verified DKIM domain. The threshold
math: 0.1% is the warning line, 0.3% is the enforcement line, and the
denominator is inbox-delivered messages only — not ESP-total sends. If you
compute complaint rate against total sends, your number will read lower than
Yahoo's.

Yahoo still spam-folders or defers more often than it hard-rejects. There is
no published Yahoo equivalent to Gmail's November 2025 SMTP escalation. The
enforcement string senders see most often is `421 4.7.0 [TSS04]` for volume
or complaint-rate deferrals, with `554` or `550 5.7.9` for permanent
authentication rejections.

## Microsoft's May 5, 2025 posture and aftermath

Microsoft announced the Outlook.com consumer bulk-sender rules in April 2025
and enforced them starting May 5, 2025. The scope is narrower than Gmail's:
this rule applies only to the consumer domains outlook.com, hotmail.com,
live.com, and msn.com. Exchange Online business tenants are out of scope for
the 5.7.515 rule — they face separate TERRL/ERR outbound caps. Source:
[Microsoft Tech Community blog](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/strengthening-email-ecosystem-outlooks-new-requirements-for-highvolume-senders/4399730).

### The 550 5.7.515 reject code

The enforcement string is `550 5.7.515 Access denied, sending domain [X]
does not meet the required authentication level`. Microsoft skipped a
4xx-deferral phase entirely. Day one, May 5, 2025, was a hard 5xx cutover.
Microsoft Support's remediation article accepts `p=reject`, `p=quarantine`,
or `p=none` as valid DMARC policies, and adding a sender to the Safe Senders
list does not bypass enforcement. Source:
[Microsoft Support — Fix NDR 550 5.7.515](https://support.microsoft.com/en-us/topic/fix-ndr-error-550-5-7-515-in-outlook-com-34cfe8f8-6fbf-457e-9e8b-9e4dbaf4e0ef).

There is a separate code, `550 5.7.509`, for messages that fail DMARC
because the sender's policy is `p=reject`. If your bounce reads 5.7.509, the
fix is on the sender side (alignment); if it reads 5.7.515, the fix is
authenticating to the Outlook.com bulk-sender floor.

### Microsoft is stricter than Gmail on alignment

Microsoft requires SPF "Must Pass" AND DKIM "Must Pass" individually, then
DMARC alignment. Gmail, by contrast, accepts SPF or DKIM alignment — only one
of the two needs to line up with the From header. In practice, senders have
reported `Spf=Fail, Dkim=Pass, DMARC=Pass` results still getting rejected at
Microsoft because Microsoft evaluates both mechanisms as standalone pass/fail
rather than "one of two." If you have been coasting on DKIM alignment alone
to pass DMARC, Microsoft will surface the SPF weakness as a 5.7.515.
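
The difference between the two tests, as an added example (not code from Google, Microsoft, or DMARCguard): it parses constructed `Authentication-Results` headers and applies the Gmail and Microsoft rules as this page describes them. The sample headers, the function names, and the two-label `org_domain` shortcut are assumptions; real evaluators derive the organizational domain from the Public Suffix List.

```python
import re

# Constructed Authentication-Results headers (placeholder domains).
SAMPLES = {
    "dkim_only": ("example.com",
        "mx.example.org; dkim=pass header.d=example.com header.s=s1; "
        "spf=fail (sender IP not listed) smtp.mailfrom=bounce@example.com; "
        "dmarc=pass header.from=example.com"),
    "esp_defaults": ("example.com",
        "mx.example.org; dkim=pass header.d=esp.example.net header.s=k1; "
        "spf=pass smtp.mailfrom=bounce@esp.example.net; "
        "dmarc=fail header.from=example.com"),
    "both_aligned": ("example.com",
        "mx.example.org; dkim=pass header.i=@mail.example.com header.s=s2; "
        "spf=pass smtp.mailfrom=bounce@news.example.com; "
        "dmarc=pass header.from=example.com"),
}


def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # Suffixes such as "co.uk" need the Public Suffix List instead.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def parse_auth_results(header):
    """Return {'spf': [(result, domain)], 'dkim': [(result, domain)]}."""
    header = re.sub(r"\([^)]*\)", "", header.lower())   # drop comments
    found = {"spf": [], "dkim": []}
    for clause in header.split(";")[1:]:                # [0] is the authserv-id
        m = re.match(r"\s*(spf|dkim)\s*=\s*(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        props = dict(re.findall(r"([\w.]+)=(\S+)", clause))
        if method == "spf":
            raw = props.get("smtp.mailfrom", "")
        else:
            raw = props.get("header.d") or props.get("header.i", "")
        found[method].append((result, raw.rsplit("@", 1)[-1]))
    return found


def evaluate(from_domain, header):
    """Apply the Gmail and Microsoft alignment rules described on this page."""
    auth = parse_auth_results(header)
    want = org_domain(from_domain)

    def passed(method):
        return any(r == "pass" for r, _ in auth[method])

    def aligned(method):
        # Relaxed alignment: a passing result whose domain shares the
        # organizational domain of the From header.
        return any(r == "pass" and d and org_domain(d) == want
                   for r, d in auth[method])

    dmarc_aligned = aligned("spf") or aligned("dkim")
    return {
        "spf_pass": passed("spf"),
        "dkim_pass": passed("dkim"),
        "spf_aligned": aligned("spf"),
        "dkim_aligned": aligned("dkim"),
        # Gmail: one aligned mechanism is enough.
        "gmail": dmarc_aligned,
        # Microsoft: SPF and DKIM must each pass, then DMARC must align.
        "microsoft": passed("spf") and passed("dkim") and dmarc_aligned,
    }


if __name__ == "__main__":
    for name, (from_domain, header) in SAMPLES.items():
        verdict = evaluate(from_domain, header)
        print(f"{name:13} gmail={verdict['gmail']} microsoft={verdict['microsoft']}")
```

The `dkim_only` sample is the `Spf=Fail, Dkim=Pass, DMARC=Pass` case: it clears the Gmail rule and fails the Microsoft one. The `esp_defaults` sample shows the opposite trap, where both mechanisms pass but neither aligns with the From domain.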

Microsoft's other unique clause is the Compliant P2 Sender Address
requirement: the `From` or `Reply-To` must be valid, reflect the true sending
domain, and be able to receive replies. Gmail and Yahoo do not publish an
equivalent rule. For the tenant-level DNS walkthrough and Exchange admin
center steps, see our
[Microsoft DMARC enforcement deep-dive](/blog/microsoft-dmarc-enforcement/).

## Google vs Yahoo vs Microsoft side-by-side

Reading the three providers' rules in parallel makes the deltas obvious.
Microsoft is strictest on alignment; Yahoo is loosest on volume threshold;
Gmail has published the most detailed SMTP error taxonomy.

<Figure
  src="/images/blog/google-yahoo-dmarc-requirements/google-yahoo-dmarc-requirements_3-provider-compliance_table.svg"
  alt="Side-by-side comparison of Google, Yahoo, and Microsoft DMARC bulk-sender requirements across 12 rows — bulk threshold, SPF, DKIM, DMARC policy, alignment, TLS, PTR, unsubscribe, spam rate, primary reject code, enforcement surface, and announcement cadence"
  caption="Three providers, one shared baseline. Alignment is where Microsoft parts ways from Google and Yahoo."
/>

<DataTable caption="Google, Yahoo, and Microsoft DMARC bulk-sender requirements compared (April 2026)">

| Requirement                      | Google (Gmail consumer)            | Yahoo (consumer + AT&T)              | Microsoft (Outlook.com consumer)              |
| -------------------------------- | ---------------------------------- | ------------------------------------ | --------------------------------------------- |
| Bulk threshold                   | 5,000/day, 24h rolling, per domain | "Significant volume," not numeric    | 5,000/day per `5322.From` domain              |
| SPF required                     | Yes (bulk: and DKIM)               | Yes (bulk: both SPF and DKIM)        | Yes — must pass                               |
| DKIM required                    | Yes (bulk); 1024-bit min           | Yes; 1024-bit min, 2048 recommended  | Yes — must pass                               |
| DMARC minimum policy             | `p=none`                           | `p=none`                             | `p=none` (accepts `p=none/quarantine/reject`) |
| Alignment                        | SPF OR DKIM aligned                | SPF OR DKIM aligned (relaxed OK)     | SPF AND DKIM each pass, then aligned          |
| TLS on SMTP                      | Required                           | Not a standalone bullet (unverified) | Implied via infrastructure                    |
| PTR / rDNS                       | Required                           | Required                             | Not called out standalone                     |
| One-click unsubscribe (RFC 8058) | Required (bulk marketing)          | Required (Post preferred, mailto OK) | "Functional" link — RFC 8058 not mandated     |
| Spam-rate ceiling                | 0.10% target, 0.30% hard ceiling   | 0.3% (inbox-delivered denominator)   | No published numeric threshold                |
| Primary 2025–2026 reject code    | `550 5.7.26`, `550 5.7.40`, etc.   | `554` / `421 4.7.0 [TSS04]` defer    | `550 5.7.515`                                 |
| Enforcement surface              | Postmaster Tools v2 Compliance     | Sender Hub Insights (Oct 2025)       | SNDS + NDR bounce                             |
| Announcement cadence             | Phased ramp, Nov 2025 escalation   | No Nov-2025 equivalent               | Hard cutover May 5, 2025                      |

</DataTable>

The row that trips senders most often is alignment. Passing DMARC at Gmail via
DKIM alignment alone is not sufficient at Microsoft, even though both
providers accept `p=none`. The second row that causes surprises is the
spam-rate denominator — Yahoo's inbox-only math consistently reads higher than
your ESP's total-sends math, so tune your alerts to Yahoo's number.

[Check your domain against all three providers — free, no signup required](/tools/dmarc-checker/).

## What "compliant" actually tests

Four things break authentication for bulk senders more often than anything
else.

**1. Authenticated From alignment.** For Gmail and Yahoo, SPF or DKIM must
pass, and the domain that passed must share an organizational domain with the
`5322.From` address. For Microsoft, both SPF and DKIM must pass standalone,
then align. Relaxed alignment (subdomains count) is accepted at all three.

**2. Valid forward and reverse DNS (PTR).** Generic cloud PTRs — the
`ec2-54-123-45-6.compute-1.amazonaws.com` style default — get penalized at
Yahoo and rejected at Gmail with `550 5.7.25`. Every dedicated sending IP
needs a PTR that reflects your sending domain.

**3. A valid DMARC record with an active RUA.** `p=none` without a RUA tag
technically satisfies Google, Yahoo, and Microsoft's letter, but you have zero
visibility into what is happening to your mail. Spam Resource's Al Iverson
calls this "good enough to comply with the current set of requirements, but
no visibility and no protection means no fun when something bad happens."
Publish a RUA and monitor the reports.

**4. A DMARC record that actually exists.** `550 5.7.40` at Gmail
specifically flags the "bulk sender with no DMARC record at all" case. Run
through a DMARC lookup before you cross the 5,000/day threshold.

Three quick supporting checks belong on the same short list: SPF must stay
under the 10-DNS-lookup limit (2.7% of SPF-publishing domains in our own
5.49M-domain scan — 148,655 domains — already breach it), DKIM keys should be
2048 bits, and TLS must be enforced on SMTP. Gmail dropped 3DES cipher
support on May 30, 2025, so modern TLS is now the floor at Gmail.

## Two real-world failures

**Outlook.com at 40% bounce from a legitimate M365 tenant.** An M365-hosted
notification sender with valid SPF, DKIM, and DMARC saw over 40% bounce to
hotmail.com, msn.com, live.com, and outlook.com in the days after May 5,
2025. Microsoft Support confirmed the domain was hit by a known issue and
allowlisted it via `olcsupport.office.com`. The fix required Microsoft-side
intervention; nothing was broken in the sender's DNS. If you are seeing
`550 5.7.515` with passing alignment on every message header, open a support
ticket.

**20,000–25,000/day transactional sender with unfixable legacy DKIM.** A
mid-sized notification service saw roughly 25% bounce on Outlook.com once
May 5, 2025 landed. Root cause was a DKIM key their legacy MTA could not
rotate. The fix was architectural, not a DNS tweak: split transactional and
marketing streams onto a dedicated subdomain with a fresh DKIM selector that
the modern MTA could sign. Mixed-content single-domain senders have been
among the biggest losers of the 2025 enforcement wave; stream separation is
the remediation pattern that keeps showing up.

## Your 2026 bulk-sender compliance checklist

Each item maps to a DNS record or a tool check. Use the ordering below — SPF
and DKIM before DMARC, DMARC before policy tightening, unsubscribe last.

1. Publish SPF under the 10-DNS-lookup limit. End with `-all` (strict) or
   `~all` (soft-fail) rather than `?all`. Example for
   `example.com`: `v=spf1 include:_spf.google.com ~all`.
2. Publish DKIM with 2048-bit keys, one custom selector per sending service,
   and make sure the `d=` value is your organizational domain (not the
   ESP's).
3. Publish a DMARC record with at minimum
   `v=DMARC1; p=none; rua=mailto:dmarc@example.com`. `p=none` is the floor;
   `p=quarantine` is the direction all three providers are steering. To lay
   out a clean record from scratch with Google/Yahoo/Microsoft presets,
   [open the DMARC generator](/tools/dmarc-generator/).
4. Confirm PTR/rDNS on every sending IP you control. Generic cloud PTRs fail
   at Gmail and Yahoo.
5. Enforce TLS on SMTP. Gmail dropped 3DES on May 30, 2025; MTA-STS is not
   required but is strongly recommended.
6. For marketing mail: add RFC 8058 one-click unsubscribe via
   `List-Unsubscribe-Post: List-Unsubscribe=One-Click` plus an HTTPS URL in
   `List-Unsubscribe`. Honor unsubscribe requests within 48 hours (Gmail)
   or 2 days (Yahoo).
7. Separate transactional, marketing, and sales streams if you cross
   5,000/day to any single provider. Yahoo's domain-centric reputation model
   makes this especially important; mixed streams collapse to the worst
   behaviour on the domain.
8. For forwarders and mailing lists, add ARC headers. Gmail, Microsoft, and
   Yahoo all honor ARC from trusted intermediaries.
9. Monitor Postmaster Tools v2 Compliance status weekly, check Yahoo Sender
   Hub Insights, and register for Microsoft SNDS if you run dedicated IPs.
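
A preflight for items 1 and 3, as an added example (not DMARCguard's code): it counts SPF DNS lookups recursively through `include:` and `redirect=`, checks the terminal `all` qualifier, and checks the DMARC floor plus `rua`. The `ZONE` dictionary is constructed TXT data standing in for live DNS, and every name in it is a placeholder. DKIM key size, PTR, and TLS are out of scope here, and only `_dmarc.<domain>` itself is checked, with no fallback to a parent domain's record.

```python
import re

# Constructed TXT data standing in for live DNS (all names are placeholders).
ZONE = {
    "good.example": ["v=spf1 include:_spf.esp.example ~all"],
    "_dmarc.good.example": ["v=DMARC1; p=none; rua=mailto:dmarc@good.example"],
    "_spf.esp.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "drift.example": ["v=spf1 a mx include:_n1.esp.example "
                      "include:_n2.esp.example include:_n3.esp.example ?all"],
    "_dmarc.drift.example": ["v=DMARC1; p=none"],
    "_n1.esp.example": ["v=spf1 a mx include:_spf.esp.example -all"],
    "_n2.esp.example": ["v=spf1 a mx include:_spf.esp.example -all"],
    "_n3.esp.example": ["v=spf1 a mx include:_spf.esp.example -all"],
}

# SPF terms that cost a DNS query under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def txt(zone, name, prefix):
    """Return the first TXT string at `name` starting with `prefix`, or None."""
    return next((t for t in zone.get(name, [])
                 if t.lower().startswith(prefix)), None)


def spf_terms(record):
    """Yield (qualifier, name, argument) for each term after v=spf1."""
    for term in record.split()[1:]:
        m = re.match(r"([+\-~?]?)([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
        if m:
            yield m.group(1) or "+", m.group(2), m.group(3)


def spf_lookups(zone, domain, path=()):
    """Count DNS-querying terms, following include: and redirect= targets."""
    record = txt(zone, domain, "v=spf1")
    if record is None or domain in path:      # missing record or include loop
        return 0
    total = 0
    for _, name, arg in spf_terms(record):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and arg:
            total += spf_lookups(zone, arg, path + (domain,))
    return total


def preflight(zone, domain):
    """Return a list of findings; an empty list means the floor is met."""
    findings = []
    spf = txt(zone, domain, "v=spf1")
    if spf is None:
        findings.append("spf: no record")
    else:
        count = spf_lookups(zone, domain)
        if count > 10:
            findings.append(f"spf: {count} DNS lookups, limit is 10")
        terms = list(spf_terms(spf))
        final = [q for q, name, _ in terms if name == "all"]
        has_redirect = any(name == "redirect" for _, name, _ in terms)
        if not has_redirect and (not final or final[-1] not in ("-", "~")):
            findings.append("spf: record does not end in -all or ~all")

    dmarc = txt(zone, "_dmarc." + domain, "v=dmarc1")
    if dmarc is None:
        findings.append("dmarc: no record")
        return findings
    tags = {}
    for part in dmarc.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        findings.append("dmarc: missing or invalid p= tag")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        findings.append("dmarc: no rua, so no aggregate reports")
    return findings


if __name__ == "__main__":
    for name in ("good.example", "drift.example", "absent.example"):
        print(name, preflight(ZONE, name) or "ok")
```

To run it against real data, populate the dictionary from your resolver's TXT answers for the domain, its `_dmarc` label, and every `include:` target.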

## How DMARCguard helps

DMARCguard checks your domain against the three providers' public
requirement surfaces in one pass and then points at exactly which record
needs to change. The DMARC record generator ships Google, Yahoo, and
Microsoft bulk-sender presets so you can publish a compliant record without
re-reading three vendor pages.

Continuous monitoring surfaces named sender identification (you see
"Mailchimp" not "52.24.128.5") so you can find the misconfigured sender
before the 4.7.26 starts landing in your logs. We cannot make Gmail, Yahoo,
or Microsoft reverse a permanent bulk-sender classification — nobody can.
What we do is help you not trip the rules in the first place, and give you
the diff the moment your setup drifts.

<CTA
  title="Start monitoring your DMARC reports — free plan, no credit card."
  href="https://app.dmarcguard.io/signup"
  label="Start free"
/>

## FAQ

### What does it mean to be DMARC compliant for Google, Yahoo, and Microsoft?

DMARC compliant means the domain in your `From` header aligns with either SPF
or DKIM (both, for Microsoft), your domain publishes a DMARC record at
`p=none` or stricter, your sending IPs have valid forward and reverse DNS,
and bulk marketing mail carries an RFC 8058 one-click unsubscribe header.
Treat the three providers' rules as a deliverability floor, not a security
posture — `p=none` passes their check but does nothing to stop spoofing.

### How do I comply with DMARC?

Publish SPF under the 10-DNS-lookup limit, add DKIM with 2048-bit keys for
every service that sends on your behalf, and publish a DMARC record of at
least `v=DMARC1; p=none; rua=mailto:dmarc@example.com`. Align the From header
with either SPF or DKIM, enforce TLS on SMTP, and add one-click unsubscribe
headers on marketing mail. Verify the record with a DMARC checker before you
send at scale.

### Does p=none satisfy Google, Yahoo, and Microsoft's bulk sender requirements?

Yes, today. Google, Yahoo, and Microsoft all explicitly accept `p=none` as
sufficient, provided the record is valid and DMARC alignment passes. Google's
FAQ notes that "it's likely that DMARC alignment with both SPF and DKIM will
eventually be a sender requirement," so the direction of travel is toward
stricter posture. Moving to `p=quarantine` once you have confirmed all
legitimate senders align is the next step most organizations take.

### What is Gmail's 5,000-emails-per-day threshold?

Gmail classifies any sender that sends close to 5,000 messages or more to
personal Gmail accounts within a rolling 24-hour window as a bulk sender.
The count is per primary organizational domain, subdomains roll up, and bulk
status is permanent once triggered. Domains that had not crossed 5,000/day
to personal Gmail since January 1, 2024 are fast-tracked through the
enforcement progression, so newly-spun-up sending subdomains inherit none of
the 2024 grace window.

### What does SMTP error 550 5.7.26 mean after November 2025?

`550 5.7.26` is Gmail's permanent rejection for unauthenticated mail. Gmail's
SMTP errors page documents three variants: the sender is not authenticated
(neither SPF nor DKIM passes), SPF hit a hard `-all` fail, or the From
domain's DMARC policy rejected the message. Read the full bounce string to
tell which variant you hit — the remediation differs for each. After the
November 2025 escalation, these are hard rejections, not spam-folder placements.

### How is Microsoft's May 2025 enforcement different from Google's?

Microsoft requires both SPF and DKIM to pass individually and then align via
DMARC. Gmail, by contrast, accepts either SPF or DKIM alignment on its own.
Microsoft also skipped the 4xx-deferral phase entirely — May 5, 2025 was a
hard 5xx cutover with code `550 5.7.515`. The scope is Outlook.com consumer
domains only (outlook.com, hotmail.com, live.com, msn.com); Exchange Online
tenants are out of scope for this specific rule.

## Conclusion

The gap is the story. 30.4% of domains publish DMARC, 12.8% enforce, 6.0%
reach `p=reject`. Google, Yahoo, and Microsoft have all priced in that gap
with enforcement machinery that now hard-rejects rather than spam-folders.
All three providers are converging on the same floor: both SPF and DKIM
published, aligned with the `5322.From` organizational domain, DMARC at
least `p=none`, valid PTR, TLS on SMTP, and — for bulk marketing — one-click
unsubscribe.

Gmail's November 2025 ramp, Yahoo's October 2025 Insights launch, and
Microsoft's May 2025 hard cutover are three different surfaces enforcing one
shared baseline. The domain that meets it on all three providers today is the
one that keeps its transactional mail landing tomorrow.