Will La Poste require SPF, DKIM and DMARC for all senders?

La Poste’s laposte.net is tightening email authentication: starting in September 2025, messages that lack proper SPF, DKIM and DMARC are likely to be routed to spam. This note explains what that means for senders and how to prepare.

Questions & Answers

What exactly is changing at laposte.net?

From September 2025, laposte.net will require senders to authenticate mail with SPF, DKIM and DMARC. Messages that present no authentication will be moved to the spam folder rather than delivered to the inbox. This applies to all senders — individual and corporate — and to transactional or marketing mail. The objective is to reduce phishing and impersonation that reach users. Senders who don’t act risk permanent deliverability issues.

Who announced the change?

The change was shared publicly by laposte.net’s postmaster, Simon Bressier. Below is the exact post he published on LinkedIn, which clarifies the timeline and intent:

Courant Septembre, laposte.net va commencer à durcir ses attentes en terme d'authentification email. Aujourd'hui des mails ne présentant aucuns protocoles d'authentification peuvent encore être livrés en boîte de réception, ce ne sera plus le cas courant Septembre. -> 100% des mails ne présentant ni SPF ni DKIM ni DMARC, se verront au mieux placés en dossier indésirable. LPN va attendre de la part des senders qu'ils authentifient et protègent leurs mails et domaines. SPF et DKIM et DMARC ne seront plus optionnels dans un avenir proche. D'autres annonces viendront prochainement pour détailler ce qui sera à suivre. Bonne rentrée à tous !

— Simon Bressier, postmaster, laposte.net (LinkedIn)

Which protocols are required and why?

SPF, DKIM and DMARC are required because they authenticate senders and protect recipients from spoofing. SPF declares the IPs allowed to send for a domain; DKIM signs messages so receivers can verify integrity; DMARC tells receivers how to treat messages that fail SPF/DKIM and provides reporting. Together they give mailbox providers confidence to deliver mail to the inbox. Without them, messages look anonymous and are treated as higher risk.

How will this affect deliverability for senders who haven’t implemented these protocols?

If your domain has no SPF, DKIM or DMARC, laposte.net will likely route your mail to spam. That means reduced visibility, missed messages, and potentially lost business. Even legitimate automated or transactional messages can be impacted, so the risk is not limited to marketing. Repairing reputation and restoring inbox placement can take time and careful monitoring. Start remediation now to avoid immediate delivery loss when enforcement begins.

What are the first steps an IT team should take?

Start by auditing every sending domain to confirm SPF, DKIM and DMARC are in place and correctly configured. Publish a valid SPF record listing all sending IPs, enable DKIM signing with keys aligned to your domain, and publish a DMARC record (p=none to start) to collect reports. Verify records with tools and test sending from all systems, including third-party services. Monitor DMARC reports to spot misconfigurations and shadow senders quickly.

Can third‑party senders or ESPs be used safely?

Yes — but they must be authorised in your SPF record or use DKIM alignment tied to your domain. If you send through an ESP, configure DKIM with your domain and ensure the ESP’s sending IPs are in SPF. Failing to align third‑party signatures can trigger DMARC failures even when a provider is legitimate. Work with vendors to add proper records and test thoroughly before September. Keep an inventory of all vendors that send mail on your behalf.

Should organisations move directly to DMARC enforcement (p=quarantine or p=reject)?

Start with p=none to collect data and identify legitimate senders; don’t jump straight to enforcement. Use the reporting to fix failures and verify all sending sources. Once you consistently see clean reports and few or no failures, progress to p=quarantine and later p=reject on a controlled timeline. Rushing to reject without full visibility risks losing legitimate mail. A staged approach preserves deliverability while improving security.

How should teams monitor results after making changes?

Collect and review DMARC aggregate (RUA) and forensic (RUF) reports to track which sources pass or fail authentication. Look for unexpected sources, repeated failures, and misaligned DKIM signatures. Keep dashboards or automated alerts for spikes in failures and maintain a runbook for common fixes. Regular review reduces the chance of delivery surprises after enforcement. Consider centralised DMARC management to simplify reporting and triage.

Are there France‑specific considerations?

Yes — if you operate in France, expect stricter enforcement and potential regulatory expectations for secure communications. French mailbox providers and major national services often coordinate to reduce phishing at scale. Local partners and vendors should be included in audits to avoid gaps. Also verify transactional mail (banking, healthcare, public services) which is high-impact and often targeted. Following national best practices keeps important messages flowing.

Where can teams get tools and help to comply?

Palisade offers tools and guidance for SPF, DKIM and DMARC setup, testing and ongoing monitoring. Use the Palisade SPF checker to validate records: SPF checker. For DKIM key creation and verification, see the Palisade DKIM tool: DKIM tool. To evaluate overall posture and DMARC readiness, try Palisade’s email security score: DMARC & email score. These resources help accelerate compliance before enforcement begins.

Quick Takeaways

• La Poste (laposte.net) will enforce SPF, DKIM and DMARC from September 2025.
• Messages with no authentication will be routed to spam, hurting deliverability.
• Audit all sending domains, including third‑party services, immediately.
• Begin with DMARC p=none, fix issues using reports, then progress to enforcement.
• Use Palisade tools to validate SPF, DKIM and DMARC and monitor results.

More FAQs

1. How quickly do I need to act?

Act now — enforcement begins in September 2025 and delays can cause immediate inbox loss. Inventory senders, test records, and collect DMARC reports over several weeks to gain confidence. The sooner you start, the smoother the transition will be.

2. Will private individuals be affected?

Yes — personal senders without authentication may see mail land in spam when sending to laposte.net addresses. Encourage personal account holders or small teams to use authenticated relay services or set up simple DKIM and SPF records.

3. What if I can’t change an external vendor’s configuration?

Work with the vendor to add your domain’s DKIM or ensure their sending IPs are in your SPF; if they can’t, route that mail through an authorised service or proxy. As a last resort, consider removing that vendor as a sender to laposte.net recipients until alignment is possible.

4. Does this mean DMARC is mandatory everywhere?

Not universally, but major providers are moving that way; laposte.net’s enforcement is a clear sign of the direction. Many mailbox providers increasingly prioritise authenticated mail to protect users. Expect more strictness across regions in the near term.

5. Who can I contact for help?

For hands‑on support, Palisade provides consulting, tools and managed services to implement and monitor SPF, DKIM and DMARC. Visit Palisade to learn more and get assistance tailored to your environment.