Skip to content
The DDMARC Blog

Yahoo & Google Sender Requirements 2026: SPF, DKIM, DMARC

The 2026 Yahoo & Google bulk-sender rules — SPF, DKIM, DMARC alignment, one-click unsubscribe, and the 0.3% spam-rate limit — in one checklist to confirm you comply.

PlatOps Security TeamDeliverability4 min read

What changed

In February 2024, Google and Yahoo began enforcing a shared set of requirements for senders. They are no longer "best practices" — for bulk senders they are the price of admission to the inbox. Mail that doesn't meet them gets rate-limited, junked, or rejected outright.

The rules split into two tiers. Every sender must authenticate and keep their infrastructure clean. Bulk senders — anyone sending roughly 5,000 or more messages a day to Gmail accounts — face additional obligations around DMARC, unsubscribe, and spam complaints.

The 5,000/day threshold is per-sending-domain and, once you cross it, it's permanent. So if you ever send a large campaign, treat yourself as a bulk sender from then on.

Requirements at a glance

Requirement All senders Bulk senders (5,000+/day to Gmail)
SPF and DKIM pass Required Required
DMARC record (at least p=none) Required Required
Clean infrastructure — valid PTR/rDNS, TLS, no Gmail/Yahoo impersonation Required Required
DMARC alignment (authenticated domain matches From:) Required
One-click unsubscribe (RFC 8058) Required
Spam-complaint rate under 0.3% (aim under 0.1%) Required

Each item below has the exact record, header, or setting to check.

The bulk-sender checklist

Walk through each item and confirm it's true for every domain you send from — including subdomains and any third-party platforms sending on your behalf.

1. SPF and DKIM both pass

You need both, not either. SPF authorizes the sending IPs; DKIM cryptographically signs the message so it survives forwarding. Use a 2048-bit DKIM key where your provider supports it.

A common failure: marketing mail sent through a SaaS platform passes that platform's DKIM but not yours. Confirm the signing domain aligns with your From: address.

2. A DMARC record exists, at minimum p=none

Publish a DMARC policy at _dmarc.yourdomain.com. The minimum bar is monitoring mode:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

p=none satisfies the letter of the requirement, but it gives you no protection against spoofing. It is a starting point, not a destination — see the rollout playbook for moving to enforcement safely.

3. DMARC alignment

This is the part most teams miss. It isn't enough for SPF or DKIM to pass — the authenticated domain has to align with the domain in the visible From: header. At least one of:

  • SPF passes and the return-path domain matches your From: domain, or
  • DKIM passes and the d= signing domain matches your From: domain.

If you send from news.yourbrand.com but your platform signs with mail.vendor.com, you authenticate but you don't align — and DMARC fails.

4. One-click unsubscribe

Bulk marketing and promotional mail must include one-click unsubscribe via the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058). The link must work without forcing the recipient to log in, and you must honor it within two days.

5. Keep spam complaints under 0.3%

Register for Google Postmaster Tools and watch your user-reported spam rate. Google's guidance: stay below 0.1% and never hit 0.3%. Once you spike past 0.3%, deliverability degrades and is slow to recover.

6. Clean sending infrastructure

  • Valid forward- and reverse-DNS (PTR) records for your sending IPs.
  • TLS for transmission.
  • A From: header that doesn't impersonate Gmail or Yahoo.

How to verify

Don't assume — measure. Send a test message to a Gmail account and use Show original to read the authentication results: you want SPF: PASS, DKIM: PASS, and DMARC: PASS.

Then turn on DMARC aggregate reporting (the rua= tag above) so receivers send you daily XML summaries of who is sending as your domain and whether they pass. That data is the difference between hoping you're compliant and knowing it. We cover how to read those reports in Reading DMARC aggregate reports. You can also check your domain's current DMARC record to confirm everything is in place. If you're weighing a platform to monitor all of this continuously, see our comparison of DMARC tools and DDMARC's pricing.

The bottom line

Compliance is binary at the gate but continuous in practice. Authenticate every stream, publish DMARC, align your domains, make unsubscribe trivial, and keep complaints low. Then keep watching — the requirements don't change often, but your sending footprint does. Whether you run a single domain or manage email for many clients, continuous DMARC monitoring is what keeps you on the right side of the gate.

ShareX / TwitterLinkedIn
Free to start · 14-day trial · cancel anytime

From spoofed to enforced.

p=none
5 min
p=quarantine
Week 2
p=reject
Week 4–6

Billed when your 14-day trial ends · cancel anytime before then