[jeroenhd]

It looks like this started all the way back in the beginning of last year: https://www.mimecast.com/blog/guide-to-google-dmarc-setup/

This overview also shows other requirements you may have missed: https://www.proofpoint.com/us/blog/email-and-cloud-threats/g...

As for DMARC in the headers, I'm pretty sure Google has done that for years when DMARC is being checked (i.e. when it's being offered by the sending domain).

[zinekeller]

Canonical links to Google's advice: https://support.google.com/a/answer/81126 and https://support.google.com/a/answer/14229414

(and yes, this was supposed to be enforced last year)