What changed
In February 2024, Google and Yahoo began enforcing a shared set of requirements for senders. They are no longer "best practices" — for bulk senders they are the price of admission to the inbox. Mail that doesn't meet them gets rate-limited, junked, or rejected outright.
The rules split into two tiers. Every sender must authenticate and keep their infrastructure clean. Bulk senders — anyone sending roughly 5,000 or more messages a day to Gmail accounts — face additional obligations around DMARC, unsubscribe, and spam complaints.
The 5,000/day threshold is per-sending-domain and, once you cross it, it's permanent. So if you ever send a large campaign, treat yourself as a bulk sender from then on.
The bulk-sender checklist
Walk through each item and confirm it's true for every domain you send from — including subdomains and any third-party platforms sending on your behalf.
1. SPF and DKIM both pass
You need both, not either. SPF authorizes the sending IPs; DKIM cryptographically signs the message so it survives forwarding. Use a 2048-bit DKIM key where your provider supports it.
A common failure: marketing mail sent through a SaaS platform passes that platform's DKIM but not yours. Confirm the signing domain aligns with your From: address.
2. A DMARC record exists, at minimum p=none
Publish a DMARC policy at _dmarc.yourdomain.com. The minimum bar is monitoring mode:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
p=none satisfies the letter of the requirement, but it gives you no protection against spoofing. It is a starting point, not a destination — see the rollout playbook for moving to enforcement safely.
3. DMARC alignment
This is the part most teams miss. It isn't enough for SPF or DKIM to pass — the authenticated domain has to align with the domain in the visible From: header. At least one of:
- SPF passes and the return-path domain matches your From: domain, or
- DKIM passes and the d= signing domain matches your From: domain.
If you send from news.yourbrand.com but your platform signs with mail.vendor.com, you authenticate but you don't align — and DMARC fails.
4. One-click unsubscribe
Bulk marketing and promotional mail must include one-click unsubscribe via the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058). The link must work without forcing the recipient to log in, and you must honor it within two days.
5. Keep spam complaints under 0.3%
Register for Google Postmaster Tools and watch your user-reported spam rate. Google's guidance: stay below 0.1% and never hit 0.3%. Once you spike past 0.3%, deliverability degrades and is slow to recover.
6. Clean sending infrastructure
- Valid forward- and reverse-DNS (PTR) records for your sending IPs.
- TLS for transmission.
- A From: header that doesn't impersonate Gmail or Yahoo.
How to verify
Don't assume — measure. Send a test message to a Gmail account and use Show original to read the authentication results: you want SPF: PASS, DKIM: PASS, and DMARC: PASS.
Then turn on DMARC aggregate reporting (the rua= tag above) so receivers send you daily XML summaries of who is sending as your domain and whether they pass. That data is the difference between hoping you're compliant and knowing it. We cover how to read those reports in Reading DMARC aggregate reports.
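As an added example (not part of the original article), the Python below reads a DMARC aggregate report and flags sources that authenticate but do not align, the failure described in item 3. The report is a constructed sample in the RFC 7489 aggregate format, and `summarize` and its output keys are illustrative names.

```python
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 aggregate format (all values invented).
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>news.yourbrand.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>news.yourbrand.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.vendor.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>news.yourbrand.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mail.vendor.com</domain><result>pass</result></dkim>
      <spf><domain>mail.vendor.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def summarize(report_xml):
    """Return one dict per record: DMARC verdict plus domains that passed but did not align."""
    # Reports come from outside parties; prefer defusedxml when parsing real ones.
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes if either is "pass".
        aligned = {m: evaluated.findtext(m) == "pass" for m in ("dkim", "spf")}
        # auth_results holds the raw results, whatever domain was authenticated.
        unaligned = sorted(
            f"{a.tag}:{a.findtext('domain')}"
            for a in rec.find("auth_results")
            if a.findtext("result") == "pass" and not aligned.get(a.tag, False)
        )
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dmarc_pass": any(aligned.values()),
            "passed_but_unaligned": unaligned,
        })
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(row)
```

A row with `dmarc_pass` false and a non-empty `passed_but_unaligned` list is the case from item 3: the mail authenticated, but as a domain other than the one in From:.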
The bottom line
Compliance is binary at the gate but continuous in practice. Authenticate every stream, publish DMARC, align your domains, make unsubscribe trivial, and keep complaints low. Then keep watching — the requirements don't change often, but your sending footprint does.