In October 2023 Google and Yahoo jointly announced new requirements for bulk senders, effective February 1, 2024. Enforcement phased in through 2024 — first with tempfail responses, then with quarantine routing, then with outright rejection. We're now two years in, and the vast majority of "our mail stopped delivering" support tickets trace back to one of the seven requirements below. This is the compliance checklist.
If you send 5000+ messages per day to Gmail or Yahoo users, you must have: SPF and DKIM passing, DMARC published with alignment, one-click unsubscribe working, complaint rate under 0.3%, outbound TLS, and honored unsubscribe within 2 days. Non-compliance means throttling, spam-folder routing, and eventually 5.7.26-style rejections.
Who this applies to
The 5000-per-day threshold is aggregate — all your sending across all domains, all IPs, into a given receiver. Google and Yahoo both use "bulk sender" to mean "any entity sending 5000+ messages per day to their users". If you have 3 brands each sending 2000/day to Gmail, you cross the threshold.
Even if you're under 5000/day, comply anyway. Gmail has signalled these requirements will become universal — and the sub-5000 senders who comply already get better placement than those who don't.
Requirement 1: SPF and DKIM both authenticating
Pre-2024, Gmail would often accept mail with SPF OR DKIM passing. Post-2024, bulk senders need both passing. SPF alone or DKIM alone gets you rejected.
Verify with any message delivered to a Gmail inbox: open the message, click "Show original", look for the Authentication-Results header. You need to see both spf=pass and dkim=pass.
Authentication-Results: mx.google.com;
 dkim=pass header.i=@yourdomain.com header.s=default;
 spf=pass (google.com: domain of user@yourdomain.com designates 1.2.3.4);
 dmarc=pass (policy=none)
Requirement 2: DMARC published
DMARC must exist at _dmarc.yourdomain.com with a minimum policy of p=none and at least a rua= report address. You don't need to start at quarantine or reject — but you need a record, and it needs to validate.
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1; adkim=s; aspf=s
Google's long-term direction is stricter policies. If you're still on p=none two years after rollout, read your aggregate reports, fix misalignments, and move to p=quarantine at minimum. Both providers track how long you've been on p=none and factor it into reputation.
Requirement 3: Alignment
DMARC alignment is where a lot of senders fail without realising. Your SPF and DKIM can pass technically — but the domain that passed must align with the domain in the From header.
- SPF alignment: the envelope-from (Return-Path) domain must match the From header domain. If your From is sales@acme.com but your Return-Path is bounce@mailer.esp.com, SPF can pass but DMARC fails.
- DKIM alignment: the DKIM signing domain (d= in the signature) must match the From domain. Signing with the ESP's domain doesn't align; you need to sign with your own.
Fix: in your ESP settings, configure a custom return-path (CNAME to ESP) and custom DKIM (CNAME or DNS-hosted keys). Every major ESP supports this — Mailchimp, SendGrid, Postmark, Amazon SES, HubSpot — but it's usually not the default.
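The alignment check described above, as an added example that is not part of the original page. It reads a constructed message whose SPF and DKIM both pass for the ESP's domain and evaluates alignment against the From domain using the record's adkim/aspf modes. The function names, the sample message, the smtp.mailfrom property in the sample header and the two-label organizational-domain shortcut are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF and DKIM both pass, but for the ESP's domain, not the From domain.
RAW = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@mailer.esp.com header.s=default;
 spf=pass (google.com: domain of bounce@mailer.esp.com designates 1.2.3.4) smtp.mailfrom=bounce@mailer.esp.com;
 dmarc=fail (p=NONE) header.from=acme.com
From: Sales <sales@acme.com>
Subject: constructed example

body
"""
DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@acme.com; fo=1; adkim=s; aspf=s"

def org_domain(domain):
    # Assumption: naive "last two labels". Real code needs the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict: exact match only
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed (DMARC default)

def check(raw, dmarc_record):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Unfold the header and drop parenthesised comments before matching.
    ar = re.sub(r"\([^)]*\)", "", " ".join(msg["Authentication-Results"].split()))
    tags = dict(t.strip().split("=", 1) for t in dmarc_record.split(";") if "=" in t)
    result = {}
    # Gmail reports the DKIM identity as header.i; its domain is treated as d= here.
    for method, prop, tag in (("spf", "smtp.mailfrom", "aspf"), ("dkim", "header.i", "adkim")):
        hits = re.findall(rf"\b{method}=(\w+)[^;]*?{re.escape(prop)}=(?:\S*?@)?([\w.-]+)", ar)
        passing = [dom for res, dom in hits if res == "pass"]
        # A message may carry several signatures; one aligned pass is enough.
        result[method] = {"pass": bool(passing), "domains": passing,
                          "aligned": any(aligned(d, from_dom, tags.get(tag, "r")) for d in passing)}
    result["dmarc_pass"] = result["spf"]["aligned"] or result["dkim"]["aligned"]
    return result

if __name__ == "__main__":
    print(check(RAW, DMARC))
```

With adkim=s and aspf=s, as in the record shown earlier, a Return-Path on a subdomain such as bounce.acme.com does not align with a From of acme.com; under relaxed mode it would.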
Requirement 4: One-click unsubscribe
Bulk senders must include RFC 8058 one-click unsubscribe headers in every message. Two headers are required:
List-Unsubscribe: <mailto:unsub@yourdomain.com>, <https://yourdomain.com/unsub?t=TOKEN>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
The mailto: and https:// URLs must both work. Gmail/Yahoo clients use the HTTPS URL with a POST request containing the body List-Unsubscribe=One-Click. Your server must accept the POST and remove the recipient without any further click: no confirmation page, no captcha, no login.
A GET request to the same URL (from someone clicking the in-body unsubscribe link) should also work, with or without confirmation. But the one-click flow via POST is not optional.
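One way to implement the endpoint behind those headers, as an added example that is not code from the original page. Because the POST must work without a login, the TOKEN is what authorises the removal, so this sketch signs it with an HMAC. The function names, the token layout, the secret and the in-memory suppression set are assumptions, and GET is handled with the confirmation option.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

SECRET = b"constructed-demo-key"  # assumption: a per-deployment secret loaded from config
SUPPRESSED = set()                # stand-in for the real suppression list

def make_token(recipient, list_id):
    # Signed token: the endpoint needs no login, yet a token cannot be forged for someone else.
    payload = f"{recipient}|{list_id}".encode().hex()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def verify_token(token):
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    recipient, _, list_id = bytes.fromhex(payload).decode().rpartition("|")
    return recipient, list_id

def unsubscribe_headers(recipient, list_id):
    url = f"https://yourdomain.com/unsub?t={make_token(recipient, list_id)}"
    return {"List-Unsubscribe": f"<mailto:unsub@yourdomain.com>, <{url}>",
            "List-Unsubscribe-Post": "List-Unsubscribe=One-Click"}

def handle(method, query_string, body=b""):
    """Return (status, text) for a request to the HTTPS List-Unsubscribe URL."""
    who = verify_token(parse_qs(query_string).get("t", [""])[0])
    if who is None:
        return 400, "bad token"
    if method == "POST":
        # Only the urlencoded body is handled here; RFC 8058 also allows multipart/form-data.
        form = parse_qs(body.decode("ascii", "replace"))
        if form.get("List-Unsubscribe") != ["One-Click"]:
            return 400, "not a one-click request"
        SUPPRESSED.add(who)  # immediate removal: no confirmation page, captcha or login
        return 200, "unsubscribed"
    if method == "GET":
        # In-body link: show a confirmation page and change nothing, so that
        # link scanners and prefetchers following the URL do not unsubscribe anyone.
        return 200, "confirm page"
    return 405, "method not allowed"
```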
Requirement 5: Honour unsubscribe within 2 days
Once a recipient unsubscribes, you have two days to stop sending. Most ESPs do this automatically. Self-hosted senders often have processing delays of hours to days in unsubscribe pipelines — that used to be fine, it isn't now.
Fix: test your own unsubscribe flow quarterly. Subscribe with a test address, unsubscribe via both in-body link and one-click POST, confirm you're removed from all lists within 48 hours, not 72.
Requirement 6: Spam complaint rate under 0.3%
This is the hardest one to maintain and the easiest to miss. Complaint rate is complaints divided by delivered messages, as measured at the ISP. Gmail surfaces this in Postmaster Tools, Yahoo in its FBL reports.
- Under 0.1% — excellent. Headroom for mistakes.
- 0.1%–0.3% — acceptable but trending. Diagnose before it spirals.
- Above 0.3% — non-compliance. Expect throttling immediately, folder routing within days.
Complaint rate is mostly about list acquisition. Opt-in forms with confirmation, clean segmentation, and aggressive sunset policies (drop non-engagers after 60 days) keep you under 0.1%. Bought lists, purchased enrichment data, or re-activations of long-cold segments blow past 0.3% instantly.
Requirement 7: TLS encryption for outbound mail
All outbound mail to Gmail and Yahoo must be delivered over TLS. Opportunistic TLS (STARTTLS) is enough — both providers support it and your MTA almost certainly does by default.
Fix: confirm your sending server negotiates TLS when talking to gmail-smtp-in.l.google.com and mta{5,6,7}.am0.yahoodns.net. Check Postmaster Tools' "Encryption" metric — you want to be at 99%+. If your MTA has TLS disabled or restricted to specific cipher suites the providers don't support, you'll silently land in Spam.
Penalties for non-compliance
Enforcement is graduated and has been ratcheting up since the original rollout. The escalation ladder:
- Delayed delivery (temp-fail responses, 421-4.7.0). Your ESP retries, eventually delivers, but inbox placement suffers.
- Spam folder routing. Your messages are accepted (250 OK) but land in Spam regardless of content.
- Outright rejection. 550-5.7.26 Unauthenticated email from... or 550 5.7.1 Unsolicited mail. Mail never reaches the mailbox.
- IP or domain blocklisting at Google scale. Effectively untargetable for weeks.
How to verify you're compliant
A weekly verification routine:
- Google Postmaster Tools: check Authentication (99%+ SPF, DKIM, DMARC pass), Encryption (99%+), Spam rate (under 0.1% target).
- Yahoo Postmaster: check complaint rate and deliverability stats.
- Self-test: send a message to a Gmail test account and a Yahoo test account. Inspect Authentication-Results. Trigger one-click unsubscribe. Confirm removal.
- DMARC reports: read aggregate (rua) reports weekly. Fix any dmarc=fail sources before they become a pattern.
- Inbox placement test for per-provider folder visibility. Compliance is necessary but not sufficient; reputation still varies.
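For the aggregate-report step of that routine, an added example (not from the original page) that reads one rua report and lists the sources failing DMARC, along with any domains that authenticated without aligning. The report is a constructed sample trimmed to the fields used, the function name is an assumption, and real reports arrive compressed and sometimes carry an XML namespace, which this sketch does not handle.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report (RFC 7489 layout), trimmed to the fields used here.
REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>1.2.3.4</source_ip><count>950</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>mailer.esp.com</domain><result>pass</result></dkim>
      <spf><domain>mailer.esp.com</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def failing_sources(xml_text):
    """Return ({source_ip: details}, fail_rate) for rows where DMARC failed."""
    out = defaultdict(lambda: {"count": 0, "auth_domains": set()})
    total = 0
    # Reports come from third parties: parse with a hardened XML parser in production.
    for rec in ET.fromstring(xml_text).iter("record"):
        n = int(rec.findtext("row/count", "0"))
        total += n
        ev = rec.find("row/policy_evaluated")
        if ev is None or "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue  # policy_evaluated holds the aligned results; one pass is enough
        src = out[rec.findtext("row/source_ip")]
        src["count"] += n
        for res in rec.iterfind("auth_results/*"):
            if res.findtext("result") == "pass":
                # Authenticated, but for a domain that does not align with header_from.
                src["auth_domains"].add(f"{res.tag}:{res.findtext('domain')}")
    failed = sum(s["count"] for s in out.values())
    return dict(out), (failed / total if total else 0.0)

if __name__ == "__main__":
    print(failing_sources(REPORT))
```

A source that shows up with passing auth_domains belonging to an ESP is the alignment gap from Requirement 3; a source with none is either an unconfigured system of yours or someone else sending as your domain.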
Edge cases: what "bulk" means
Common edge cases and how they're handled:
- Shared ESP. Your volume counts as the ESP's in the aggregate, but your domain-level compliance (SPF/DKIM/DMARC on your domain) is still your responsibility.
- Multiple domains, under 5000 each. Google looks at the sending entity, not just the domain. If the domains are obviously the same operator, you're bulk.
- Transactional-only senders. One-click unsubscribe still applies to transactional mail if you're 5000+/day. The requirement doesn't care about your intent, only your volume and the presence of marketing-adjacent content.
- Mixed transactional + marketing. Separate subdomains. Apply bulk requirements to the marketing subdomain; keep transactional on a different subdomain without List-Unsubscribe (since it's below the threshold and recipients don't want to unsubscribe from password resets).
Gmail and Yahoo together cover 60%+ of most B2C lists and a growing share of B2B. Non-compliance doesn't mean "slightly worse deliverability" anymore — it means large chunks of your list become unreachable. The seven requirements above are the price of entry, not a bonus track.