Gmail Just Started Rejecting at SMTP Level: The November 2025 Hardening

Google updated their Bulk Sender Guidelines FAQ page on November 3, 2025 with a short but consequential addition: “Starting November 2025, Gmail is ramping up its enforcement on non-compliant traffic. Messages that fail to meet the email sender requirements will experience disruptions, including temporary and permanent rejections.”

The wording is bureaucratic. The operational impact is significant. The era of Gmail treating non-compliant mail as something to filter to spam folder is ending. The new era is SMTP-level rejection: non-compliant mail does not reach Gmail’s servers in any accessible form.

We have been monitoring across our customer base since November 3rd. The patterns of the first week are instructive about what Gmail is enforcing, how aggressively, and what the consequences are for senders who treated the February 2024 requirements as optional.

This post is what we observed in the first week of the November hardening, the specific error codes Gmail is using, and what senders need to do about it.

What Gmail actually changed

The published change is a single paragraph addition to Google’s FAQ. The text is short; the implication is substantial.

Before the update, Gmail’s enforcement of the February 2024 requirements was characterized as educational. Non-compliant mail was routed to spam folder, where recipients could theoretically find it. Warning indicators appeared in Postmaster Tools. The enforcement was visible but bounded.

After the update, enforcement is active. Non-compliant mail is rejected at the SMTP level. The sending server receives a permanent (5xx) or temporary (4xx) error response. The mail does not arrive in any folder.

The specific error codes Gmail is using:

• 550 5.7.26: authentication failure (SPF, DKIM, or DMARC issues)
• 550 5.7.25: missing or invalid PTR record (reverse DNS issues)
• 550 5.7.28: high spam complaint rate
• 550 5.7.29: missing TLS encryption
• 421 4.7.x: temporary rate limiting / throttling

Each error code identifies the specific compliance failure. Senders can investigate the specific cause from the error.

What we observed in the first week

Across our customer base, the November 3-10 period produced specific patterns.

Patterns for compliant senders

The customers we work with who have been doing the work since 2024 saw essentially no impact. Bounce rates remained at baseline. Postmaster Tools Compliance Status remained passing. Deliverability metrics continued steady.

This is the expected outcome. The customers who completed their compliance work do not face the new enforcement. The enforcement targets non-compliant traffic specifically.

Patterns for partially compliant senders

Customers with marginal authentication setup saw new bounce patterns starting November 3rd. The bounces showed 550 5.7.26 errors clearly identifying authentication failures.

The bounces were not surprises in the underlying issues; the bounces were new in their visibility. Marginal authentication that had been “good enough” to filter to spam was now insufficient to deliver at all.

The customers affected typically had:

• DMARC at p=none (compliant minimum but not strong)
• SPF or DKIM alignment that was technically passing but with edge cases
• Recently changed authentication that had not stabilized
• Mixed sending sources where some were properly authenticated and others were not

The remediation for these customers: identify the specific authentication issues, fix them, monitor the bounce rates returning to baseline. Most issues were fixable within 24-48 hours.

Patterns for non-compliant senders

Customers who had not implemented the February 2024 requirements at all saw immediate severe impact. Bounce rates for Gmail-bound mail jumped from 5-10% baseline to 30-60% post-November 3rd.

These customers were aware that they should have done the work earlier but had not prioritized it. The hardening forced the prioritization.

The remediation timeline for these customers is longer (3-6 weeks for full authentication setup including DMARC progression). During the remediation period, Gmail-bound traffic is significantly impaired.

Patterns for cold email operators

Cold email operators faced the most severe impact. The structural challenges of cold email (higher complaint rates, less engagement, weaker sender history) made the November hardening particularly punishing.

Cold email rejection rates went from 15-40% pre-November to 50-80% post-November. Some cold email operators are seeing essentially no delivery to Gmail recipients.

The structural responses available to these operators:

• Improve authentication if not already complete
• Reduce sending to Gmail recipients
• Improve recipient list quality dramatically
• Accept significant deliverability reduction
• Move to non-Gmail-receiver target focus

The cold email segment is facing existential pressure from this enforcement. Some operators will continue with reduced operations; others will pivot to different marketing approaches.

Patterns by mailing platform

We observed different patterns based on the customer’s underlying mailing infrastructure.

Mainstream ESP customers (those still using SendGrid, Mailgun, Postmark, etc.): patterns reflect the ESP’s overall compliance discipline. ESPs that maintain strong default compliance produced fewer customer impacts. ESPs with weaker defaults produced more impacts.

Self-hosted customers with managed services: minimal impact. Our customers with managed PowerMTA or Postal infrastructure saw their compliance setup working as designed. The hardening was a non-event for these customers.

Self-hosted customers without managed services: variable. Some customers had completed their authentication work and saw minimal impact. Some had been delaying authentication work and saw significant impact.

Specific error code analysis

The error codes Gmail uses for the new rejections provide diagnostic information.

550 5.7.26: Authentication failure

This is the most common error we observe. The cause is SPF, DKIM, or DMARC failure.

Investigation pattern:

• Check the DMARC aggregate reports for failing alignment
• Verify SPF record is current and authorizes all sending IPs
• Verify DKIM signatures are correctly configured
• Check for hostname mismatches in the From, Return-Path, and signing identity

The remediation typically takes 24-72 hours to deploy and verify.

550 5.7.25: Invalid PTR record

The error indicates the sending IP’s PTR record is missing, generic, or does not forward-confirm. The FCrDNS verification is failing.

Investigation:

• Verify PTR record exists for sending IP
• Confirm PTR points to a hostname under sender’s domain
• Verify forward DNS for that hostname resolves back to the same IP
• Check HELO/EHLO greeting matches PTR hostname

The remediation depends on whether the IP allows PTR customization (some providers do not). For IPs where customization is possible, the fix is bounded. For IPs without customization, alternative IPs are needed.

550 5.7.28: High spam complaint rate

The error indicates the sender’s spam complaint rate exceeds Gmail’s threshold. Gmail mentions 0.3% as the threshold but enforcement appears to begin at 0.1% based on what we observe.

Investigation:

• Review recent campaign data for complaint patterns
• Identify which sending domains or segments produce complaints
• Review list quality and engagement signals

The remediation is operational: tighten list quality, suppress complainers more aggressively, improve content relevance. The improvement takes 2-4 weeks to demonstrate in reputation.

550 5.7.29: Missing TLS

The error indicates the sender’s SMTP connection did not use TLS or had TLS configuration issues.

Investigation:

• Verify the SMTP service is configured for TLS
• Check that the TLS certificate is valid and chain-complete
• Verify the connection to Gmail’s MX uses TLS handshake

The remediation is configuration: ensure TLS is properly configured. Most operators have this already.

421 4.7.x: Temporary rate limiting

The error indicates Gmail is temporarily limiting delivery from the sender. The cause is typically borderline compliance combined with sending volume.

Investigation:

• Check overall compliance status in Postmaster Tools
• Review sending volume trends
• Identify any patterns triggering the rate limit

The remediation: address the underlying compliance issues. The rate limiting resolves once compliance improves.

What the customers we serve are doing

Based on the first week of observations:

Customers already in good shape

Continue normal operations. Monitor Postmaster Tools weekly. Watch for any new patterns that might indicate emerging issues.

This is the position we want all customers in. The November hardening is uneventful for these customers.

Customers with marginal compliance

Tighten authentication setup. Verify DMARC alignment is solid. Check SPF for completeness. Confirm DKIM signing is consistent.

The work is bounded but real. We’re spending more time with these customers in November than the baseline.

Customers with new bounces

Investigate the specific error patterns. Identify the cause. Implement remediation. Monitor the bounce rates returning to baseline.

The customers in this category are receiving more support attention from us during November. The support load is bounded but elevated.

Customers with cold email operations

Strategic conversations about whether the operation continues, pivots, or accepts the reduced deliverability. These are difficult conversations because the structural challenges of the segment do not have easy operational fixes.

Some cold email customers are migrating to non-cold approaches. Others are reducing volume. Others are accepting the reduced deliverability as cost of business model.

What is different from the February 2024 enforcement

The February 2024 enforcement and November 2025 hardening are related but distinct.

February 2024:

• Initial requirements for SPF, DKIM, DMARC
• Soft enforcement with non-compliant mail filtered to spam
• Bulk sender threshold (5,000 messages per day to Gmail)
• Educational warnings in Postmaster Tools
• Gradual ramping of consequences

November 2025:

• Same requirements (no new technical requirements)
• Hard enforcement with non-compliant mail rejected at SMTP
• Same bulk sender threshold
• Compliance Status replacing reputation graphs
• Active enforcement rather than progressive

The technical requirements have not changed. The enforcement model has. Senders who were compliant in February 2024 remain compliant in November 2025. Senders who were not compliant face new consequences.

What is similar to the Microsoft May 2025 enforcement

Microsoft moved to hard rejection of non-compliant mail in May 2025 (the 550 5.7.515 error). The November 2025 Gmail hardening brings Gmail to similar enforcement level.

The major mailbox providers (Gmail, Yahoo, Microsoft) are now operating at comparable enforcement intensity. Senders compliant with one are typically compliant with others. The receiver-specific differences are now smaller than they were a year ago.

The implication: investment in proper authentication infrastructure pays off across multiple major receivers. The work to comply with Gmail is essentially the same work that satisfies Microsoft and Yahoo. The compliance pattern transfers.

What Apple iCloud and others are doing

Apple iCloud has not announced specific enforcement events comparable to Gmail’s November 2025 hardening or Microsoft’s May 2025 enforcement. Apple’s filtering operates differently (their own anti-spam infrastructure) and produces less visible enforcement patterns.

We do observe that Apple’s filtering has tightened over 2025 in subtle ways. Non-compliant mail is more likely to land in spam at Apple than it was in 2024, but not yet rejected at SMTP level.

Smaller mailbox providers vary widely. Some have followed Gmail’s lead with their own enforcement. Others remain at less aggressive enforcement levels. The industry direction is toward tightening, but specific timing differs.

For senders, the practical advice: target Gmail/Microsoft/Yahoo-level compliance. This typically exceeds requirements at other receivers and positions for future tightening across the ecosystem.

What we recommend for senders in November 2025

For senders reading this in November 2025:

Check Postmaster Tools v2 Compliance Status today

The Compliance Status dashboard tells you directly whether you meet Gmail’s requirements. The check takes one minute. The result is binary.

If passing: continue current practices, monitor weekly.

If failing: investigate the specific failure category, remediate within days.

Verify authentication is fully working

SPF authorizing all sending IPs. DKIM signing all outbound mail with current 2048-bit keys. DMARC at p=quarantine or p=reject minimum (p=none is technically minimum but produces weaker reputation outcomes).

Test with online tools to confirm authentication is passing.

Review recent bounce logs

Look for 550 5.7.x errors that started in November. The error code identifies the specific issue. Investigate and remediate.

If no bounce log review process exists, set one up. Daily review of high-error-rate periods catches issues quickly.

Tighten spam complaint management

Even if complaint rate is below Gmail’s 0.3% threshold, tighten toward 0.1%. Lower complaint rates produce better reputation and reduce risk during enforcement.

Suppress complainers proactively. Improve list quality through engagement-based segmentation. Improve content relevance to reduce complaint triggers.

Audit sending domain consistency

The From domain, Return-Path domain, and DKIM signing identity should all align. Mismatches produce alignment failures even when individual authentication mechanisms pass.

The audit is bounded but important. Audit-discovered misalignments are often the cause of mysterious recent rejection patterns.

Document the resolution

Whatever fixes are required, document them. Future infrastructure changes need to maintain the fixes. Documentation prevents regression.

Plan for tighter future enforcement

The November hardening is unlikely to be the last enforcement tightening. Gmail (and other providers) will continue evolving requirements. Building operational practices that exceed current minimums positions for future requirements.

What we expect through year-end 2025

Predictions for the rest of 2025:

The first weeks of enforcement will produce the largest customer impact. Customers will discover specific issues and remediate them. The remediation phase will continue through November and December.

Gmail will likely refine the enforcement during this period. Specific issues that emerge in production may produce minor adjustments to thresholds, error messages, or remediation guidance.

Microsoft enforcement may tighten further. The May 2025 enforcement was the first phase; additional phases were mentioned but not specifically announced.

The industry conversation will accelerate. Email deliverability forums, vendor blogs, customer support channels will be heavily focused on the new enforcement throughout November-December.

Mainstream ESP customers will see ESP-level remediation efforts. The ESPs will work to ensure their customers don’t experience disproportionate impact. The remediation will be visible in ESP customer-facing communications.

Self-hosted operations will see more migration interest. Customers experiencing problems on mainstream ESPs will explore self-hosted alternatives. The migration patterns we have observed since the May 2025 Microsoft enforcement will continue.

The broader trajectory

Looking at the trajectory of email infrastructure over the past two years:

February 2024: initial Gmail/Yahoo bulk sender requirements with soft enforcement.

October 2024: Postmaster Tools v2 launches with Compliance Status dashboard.

April 2025: Microsoft announces bulk sender requirements.

May 2025: Microsoft enforces with 550 5.7.515 rejection.

September 2025: Postmaster Tools v1 retirement, reputation dashboards eliminated.

November 2025: Gmail hardens enforcement to SMTP-level rejection.

The trajectory is consistent and accelerating. Authentication continues to matter more. Compliance becomes binary rather than reputation-based. The major mailbox providers continue tightening together.

For senders, the path forward:

The work to comply is bounded but mandatory. Authentication, list hygiene, content quality, ongoing operational discipline.

The work to maintain compliance is ongoing rather than one-time. Receivers continue evolving requirements. Maintenance work continues.

The cost of non-compliance continues increasing. Each enforcement event makes the gap between compliant and non-compliant senders larger.

The benefits of self-hosted infrastructure with operational discipline continue growing. The mainstream ESP convenience comes with policy decisions outside customer control. Self-hosted independence allows customer-controlled compliance posture.

The honest assessment

The November 2025 hardening is the natural next step in Gmail’s enforcement evolution. The technical requirements have been clear since October 2023. The 25-month grace period was generous. Senders who had not completed compliance work in that time receive consequences now.

For the senders who completed the work, this enforcement is non-news. They continue operating normally.

For the senders who delayed the work, this enforcement is a forcing function. The remediation work that should have been done in 2024 must be done now under more time pressure.

For the email infrastructure ecosystem, this enforcement continues the trajectory toward higher compliance standards. The trajectory continues regardless of any specific event. Senders who treat email infrastructure as ongoing operational discipline continue to be the ones operating successfully at scale.

For our customers reading this in November 2025: the work to do is the same work we have been recommending for two years. Authentication. List hygiene. Content quality. Operational monitoring. Customer engagement focus. The trajectory is clear. The work is bounded. The benefits of doing it correctly continue compounding.

The next major enforcement event will come. The senders who prepare continuously rather than reactively will be the ones positioned well for whatever comes next. The dashboard interfaces change. The error codes evolve. The underlying discipline remains constant.

We continue working with customers through the November 2025 transition. The next major data point will be year-end when we have a month of enforcement experience to analyze. Until then, the work is investigation and remediation for affected customers and continued monitoring for everyone else. The enforcement is real. The remediation is bounded. The path forward is clear.