Gmail and Yahoo Just Changed How They Judge Your Email — Is Your Klaviyo Account Compliant?
one brand's klaviyo score said "good." gmail spam-foldered 100%.
Hey,
In June, Google started saying something no dashboard has ever said out loud: "Users signal they don’t want to get your email messages." Plain English. Inside Postmaster Tools. Right next to a compliance checklist that was 100% green.
Read that again. Every authentication box checked — SPF passing, DKIM passing, DMARC passing — and Google, in a full sentence, telling the sender their mail isn’t wanted.
I’ve spent the last two years watching brands treat "all green" as the finish line. Set up the branded domain, tick the DMARC box in Klaviyo, walk away. Done. Compliant. Safe.
Two things changed between May and June 2026 that quietly moved the finish line, and almost no ecommerce newsletter has covered either one. DMARC became an official internet standard for the first time since 2015. And Google split its scoring into two separate dashboards — one that grades whether you’re set up correctly, and a brand-new one that grades whether real humans actually want your mail.
Here’s the part that should stop you: those two dashboards disagree with each other all the time. Compliance is the price of admission now. It is not the same thing as landing in the inbox.
Let me walk you through what changed, the anecdote that proves the stakes, and exactly what to check in your Klaviyo account this week.
Not sure if Gmail has quietly flagged you — or whether your DMARC record is even in the new format? We’ll pull up your Postmaster Tools status and audit your Klaviyo authentication setup and tell you exactly where you stand. Detailed report, 3-5 days.
DMARC Just Quietly Became an Official Internet Standard
For eleven years, DMARC wasn’t actually a standard. It was published in 2015 as RFC 7489 — an Informational RFC, which is internet-speak for "a widely-adopted convention nobody was formally required to follow." Everyone used it. It was never official.
In May 2026, the IETF finished a multi-year effort called DMARCbis and turned it into three real Proposed Standards: RFC 9989, 9990, and 9991. The old 2015 spec is now obsolete (Validity’s breakdown).
Here’s the good news, and I want to be clear about it because the RFC talk scares people: nothing you’ve already published breaks. Your existing DMARC record keeps working exactly as-is. You don’t have to touch anything to stay compliant.
But a few things are genuinely worth knowing (dmarcian’s tag-by-tag rundown):
Three tags got deprecated —
pct,rf,ri— because receivers implemented them inconsistently or ignored them entirely.Three new tags arrived. The two that matter for ecommerce:
t=y(a clean test mode that lets you trialp=rejectwith zero enforcement impact while still getting reports) andnp=(a policy specifically for non-existent subdomains — it closes a phishing hole where attackers spoof from fake addresses likeabc123.yourbrand.com).The messy old "Public Suffix List" that receivers used to figure out your domain got replaced with a structured DNS lookup, so policy discovery is finally consistent across providers.
That’s what a real DMARC record looks like in a DNS provider — pulled straight from Klaviyo’s own help docs. And here’s the thing most brands don’t realize: Klaviyo can add a starter DMARC record for you, but it cannot manage your policy. It drops in v=DMARC1; p=none; during branded-domain setup and that’s it. Everything after that — moving toward enforcement, adding np= or t=y — happens in your DNS, not in Klaviyo. More on that below.
Google Added a Dashboard That Grades Whether People Want Your Mail
This is the real story, and it’s the part nobody’s talking about.
Back on September 30, 2025, Google retired the old Postmaster Tools — the familiar High/Medium/Low/Bad reputation scores everyone used to check. The replacement, Postmaster Tools v2, swapped that fuzzy four-tier score for a binary Compliance Status dashboard: 11 named requirements, each one pass or fail. SPF, DKIM, DMARC policy, DMARC alignment, message formatting, TLS, one-click unsubscribe, spam rate, and so on.
Clean. Objective. You either pass or you don’t. Fine.
Then in May and June 2026, Google quietly layered a second dashboard on top called Deliverability Analysis — and this one doesn’t grade your setup at all. It renders a plain-English verdict about whether real people want your email.
Nobody announced it. Deliverability practitioners found it by comparing notes across client accounts and tracing it back to Google’s own API docs, where a DeliverabilityStatusVerdict object has been sitting since at least May 13, labeled a Developer Preview (the full story is here).
There are seven possible verdicts. The two you care about:
USER_FEEDBACK_POSITIVE— "Users signal they want to get your email messages." The one you want.USER_FEEDBACK_NEGATIVE— "Users signal they don’t want to get your email messages." The one that should scare you.
And here’s the finding that made me want to write this whole newsletter. A deliverability team documented a real domain where every single Compliance Status item was green — full marks, nothing flagged — while the Deliverability Analysis verdict simultaneously read "Users signal they don’t want to get your email messages" (postboxservices.com).
Their explanation is the sentence I’d tattoo on every marketer’s monitor: "SPF, DKIM, and DMARC passing tells Gmail you are who you claim to be. It says nothing about whether the people receiving your mail actually want it."
One more number, because it’s the sneakiest change of all. For years, every deliverability guide — Klaviyo’s included — trained you to keep your spam complaint rate under 0.3%. Google’s own API documentation shows the new automated SPAM_RATE_HIGH verdict fires at 0.1%. Three times stricter. If you’ve been managing to 0.29% "with a clear conscience," the new system can still flag you.
"Good" Klaviyo Score. 100% Gmail Spam.
If you need proof that your ESP’s dashboard can’t be trusted on this, here it is.
In June, CustomersAI (Larry Kim’s team) audited a DTC brand whose Klaviyo deliverability score read 70% — which Klaviyo itself labels "Good." Not amazing, not alarming. The kind of number that makes you close the tab.
An actual inbox-placement test told a different story: 41.3% of sends landed in spam overall, and Gmail plus Google Workspace hit 100% spam placement. All of it. Every message.
Why was the score so wrong? Because ESP deliverability scores — Klaviyo’s and everyone else’s — are built from engagement signals the platform can see: opens, clicks, bounces. Not from where the email actually landed. The audit found roughly two-thirds of the brand’s reported opens weren’t real humans, and about 11% of clicks came from bots and corporate security scanners pre-fetching links. Those phantom numbers were propping up a "Good" score while the inbox outcome was a catastrophe.
Kim’s line: "A ‘Good’ ESP deliverability score does not prove you are reaching the inbox. Sometimes it just means the spam folder is hiding the evidence."
This is exactly why Google Postmaster Tools — not just Klaviyo’s in-app score — has to be part of your monitoring. Klaviyo’s own docs say the same thing: Gmail doesn’t share spam complaints back to ESPs, so Klaviyo literally cannot see your real Gmail complaint rate. You have to go to the source.
What Actually Fixed It (Neither One Was a DNS Change)
Here’s what I find reassuring about this whole topic. When brands actually recover, the fix is almost never some exotic DMARC surgery. It’s list hygiene and segmentation — boring, repeatable work.
Two real examples.
A health and wellness supplement brand (Swanky Agency case study) migrated from HubSpot to Klaviyo, cleaned the database on the way over, and built an engaged-first sending strategy. In 90 days: deliverability score went from under 10 to 65. Open rate from under 10% to 46%. Click rate from 0.9% to 6.9%. One email tied to a Forbes feature drove 13.9% of the period’s revenue. (Fun counter-intuitive detail: emails without emojis beat the emoji versions by 8.9-10.8% for this audience.)
A luxury brand working with consultant Siim Pettai took its score from 49 to 86 in two months while growing monthly email revenue 9x (case study). The whole play: five exclusion segments (recent buyers, refunds, bounces, unsubscribes, and anyone unengaged for 90+ days) and only sending campaigns to people who’d received 3+ emails and opened at least one in the last 90 days.
Notice what neither of them did. Neither one touched a DNS record. A 2025 corpus analysis found fully authenticated mail — valid SPF, DKIM, and DMARC — still landed in spam more than 30% of the time, because mailbox providers weight engagement far more heavily than a passing auth check once your identity is established (digitalapplied’s 2026 playbook). Authentication gets you in the door. Engagement decides whether you get a seat.
What to Do in Your Klaviyo Account This Week
Concrete steps, in order.
1. Register for Google Postmaster Tools if you haven’t (postmaster.google.com). This is the single biggest gap I see — a huge share of small-to-mid brands have never once looked at either dashboard because Klaviyo doesn’t surface Gmail’s complaint data. Check both tabs: Compliance Status and Deliverability Analysis. Green on the first, negative verdict on the second is a real and common combination.
2. Confirm you have a branded sending domain. Klaviyo → account name (bottom left) → Settings → Domains → Add Domain. Choose Dynamic routing unless your DNS provider can’t do NS records. Each send type (Marketing / Transactional) builds its own reputation.
3. Toggle "Add DMARC record" during setup. Klaviyo generates v=DMARC1; p=none; — the minimum compliant, monitoring-only policy.
But p=none is where most brands stop, and it protects you from exactly nothing — it’s monitoring mode, not a defense. Only about 2.5% of domains actually enforce p=reject; a mere ~14.9% publish any DMARC record at all. If you want real spoofing protection, use the new t=y test tag to trial p=quarantine or p=reject safely, read the reports to confirm no legitimate mail would break, then flip the switch.
That’s what a real DMARC problem looks like in the dashboard — one row flagged while the rest stay green. Worth knowing that DMARC policy and DMARC alignment are tracked as two separate checks.
4. Align your From address. If your sending domain is send.yourbrand.com, your From address must be on yourbrand.com (like hello@yourbrand.com). This is the alignment check, and it’s separate from whether a DMARC record merely exists.
5. Add an rua= reporting tag so you actually receive aggregate reports (e.g., rua=mailto:dmarc-reports@yourbrand.com). The raw XML is unreadable, so route it through a DMARC vendor — dmarcian, EasyDMARC, and Valimail are Klaviyo’s own recommendations.
6. Build your exclusion segments and let them run every send. Recent purchasers, refunds, hard bounces, unsubscribes, and anyone unengaged for 90+ days. This is the boring work that did all the heavy lifting in both recovery stories above.
7. Monitor against 0.1%, not 0.3%. Use Klaviyo’s Deliverability Hub as a secondary signal, but treat Postmaster Tools as your source of truth for Gmail — because it’s the only place that sees the real number.
The Bottom Line
Green checkmarks used to feel like the finish line. They’re now the starting line. Compliance proves you are who you say you are. It says nothing about whether anyone wants your mail — and Google will now tell you the difference in a plain-English sentence.
Register for Postmaster Tools. Check both dashboards, not one. Fix your list hygiene before you touch a single DNS record. And if you’re still anchored on 0.3%, move your line to 0.1% today.
Green checkmarks don’t mean Gmail wants your email anymore — and now there’s a dashboard that says so out loud. If you haven’t checked your Deliverability Analysis verdict, don’t know how, or aren’t sure your DMARC record survived the RFC update, that’s exactly the kind of gap a full audit is built to catch. We’ll look at your Postmaster Tools status, your authentication, and your list health, and hand you a prioritized fix list. Detailed report, 3-5 days, no obligation.
👉 Request Your Free Klaviyo Audit
Talk soon,
Sahil




