inboxes.
← Blog Compliance July 2026 · 11 min read

Gmail Sender Requirements 2026: the Google, Yahoo, and Microsoft Rules Compliance Checklist

Since February 2024, Google and Yahoo require every bulk sender (5,000+ messages per day to their users) to authenticate with both SPF and DKIM, publish a DMARC policy of at least p=none with alignment, offer RFC 8058 one-click unsubscribe honored within two days, and keep spam complaint rates under 0.10% sustained and never above 0.30%; Microsoft applied the same core rules to Outlook.com in May 2025, and Gmail began hard-rejecting non-compliant bulk mail at the SMTP level in November 2025. This page is the whole thing as one checklist: each requirement, the enforcement timeline, and how to verify every item.

Who counts as a bulk sender: the 5,000 per day threshold

Google defines a bulk sender as one that sends close to or more than 5,000 messages within a 24-hour period to personal Gmail accounts (addresses ending in @gmail.com or @googlemail.com). The details that trip people up:

  • It counts by primary sending domain, so mail from news.example.com and billing.example.com aggregates under example.com.
  • One crossing is enough. Hit the threshold once, on any day (a product launch, a Black Friday blast), and Google treats you as a bulk sender permanently thereafter.
  • Yahoo and Microsoft use materially the same threshold for their consumer domains (yahoo.com, aol.com; outlook.com, hotmail.com, live.com).

Practical advice: do not engineer around the threshold. Most requirements below (SPF, DKIM, DMARC, working unsubscribe, low complaints) measurably improve delivery for small senders too, and providers apply reputation logic to everyone. Treat the bulk-sender list as the modern baseline for any legitimate sender.

The email sender requirements checklist

1. SPF and DKIM: both, not either

Bulk senders must pass both SPF and DKIM. SPF authorizes the sending IPs for your return-path domain via a DNS TXT record; DKIM cryptographically signs each message with a key published in your DNS. One or the other was acceptable before 2024; it no longer is for bulk mail. Watch the classic failure modes: exceeding SPF's 10 DNS lookup limit, forgetting a new ESP in the SPF record, and DKIM signing with the ESP's default domain instead of yours.

2. DMARC: at least p=none, with alignment

You must publish a DMARC record on your From domain. The minimum policy is p=none, which enforces nothing by itself but is mandatory anyway, because DMARC is what ties authentication to the From address the recipient actually sees. That tie is alignment: the domain that passed SPF (the return-path) or DKIM (the d= signing domain) must match your From domain. Mail can pass SPF and DKIM in isolation and still fail DMARC because both passes belong to your ESP's domain rather than yours. Add a rua= tag so you receive aggregate reports; they are the only ground-truth view of who is sending as your domain, and parsing them is exactly what DMARC monitoring exists for.

3. One-click unsubscribe (RFC 8058), honored within 2 days

Marketing and subscription mail must include the List-Unsubscribe header with an HTTPS URI plus the List-Unsubscribe-Post: List-Unsubscribe=One-Click header, so mailbox providers can render an unsubscribe button that works with a single POST, no login, no survey, no "manage preferences" maze. Opt-outs must take effect within 2 days. Note this is the header-level mechanism, in addition to (not instead of) a visible unsubscribe link in the body.

4. Spam complaint rate: under 0.10%, never 0.30%

Google's stated thresholds, measured in Postmaster Tools: keep the user-reported spam rate below 0.10% as an operating target, and never let it reach 0.30%. That means fewer than 1 complaint per 1,000 delivered messages sustained, and 3 per 1,000 as the line where enforcement gets sharp and recovery gets slow. Complaint rate is a trailing indicator of list quality and expectation-setting; you manage it with consent, segmentation, and hygiene, not with header tricks.

5. Valid forward and reverse DNS (FCrDNS)

Every sending IP needs a PTR record (reverse DNS) that resolves to a hostname, and that hostname must resolve back to the same IP. Generic PTRs like 203-0-113-7.dynamic.isp.net fail the spirit of the rule. If you send through an ESP, this is their job; if you run your own MTA, it is yours.

6. TLS for transmission

Mail to Gmail must be transmitted over a TLS connection. Any maintained MTA and every mainstream ESP does STARTTLS by default; this item mostly catches ancient self-hosted servers and misconfigured relays.

7. Formatting and identity basics

Messages must comply with RFC 5322 formatting, must not impersonate Gmail From headers, and forwarders should use ARC to preserve authentication results. Marketing mail should come from your own domain, not from a gmail.com From address.

The enforcement timeline: February 2024 to November 2025

Date Milestone What actually happened
October 2023 Announcement Google and Yahoo jointly announced the bulk sender requirements, giving senders about four months of runway.
February 2024 Rollout begins Requirements took effect. Enforcement started gently: temporary errors and partial junking of non-compliant traffic rather than outright blocks, so senders could find and fix gaps.
June 2024 Unsubscribe enforcement The one-click unsubscribe requirement became fully enforced for bulk senders; non-compliant marketing mail began losing inbox placement.
May 2025 Microsoft joins Outlook.com (hotmail.com, live.com included) began requiring SPF, DKIM, and DMARC at p=none or stronger for senders over 5,000 messages per day, routing non-compliant mail to junk with rejection to follow.
November 2025 Gmail hard rejection Gmail moved to rejecting non-compliant bulk mail during the SMTP transaction with permanent 5xx errors, ending the grace-period era. Unauthenticated bulk mail now bounces instead of landing in spam.

The direction of travel is obvious and worth internalizing: each step converted a soft penalty into a hard one. There is no reason to expect the next steps (stricter DMARC policies, tighter thresholds) to reverse course. Senders still relying on tricks to compensate for missing fundamentals are on borrowed time, a dynamic we cover from another angle in our honest look at email warmup.

How to verify each requirement

Compliance you have not verified is a hope, not a state. Here is the check for every line item:

Requirement How to verify
SPF passes Run an SPF check on your return-path domain: record exists, includes all current sending services, stays within 10 DNS lookups. Then confirm spf=pass in the Authentication-Results header of a real delivered message.
DKIM passes Use a DKIM checker against your selector, and confirm dkim=pass with d=yourdomain.com (your domain, not the ESP's) in delivered headers.
DMARC published and aligned Check the record with a DMARC checker, confirm dmarc=pass in headers, and read your RUA aggregate reports for sources failing alignment.
One-click unsubscribe Send to a Gmail test account and confirm the unsubscribe button renders next to the sender name; inspect raw headers for both List-Unsubscribe and List-Unsubscribe-Post. Click it, then verify the address stops receiving within 2 days.
Spam rate under 0.10% Google Postmaster Tools, spam rate dashboard, checked weekly at minimum. Yahoo offers complaint feedback via its feedback loop; Microsoft via SNDS and JMRP.
Forward and reverse DNS dig -x YOUR_IP returns a hostname; dig A on that hostname returns the same IP. Repeat per sending IP.
TLS Delivered Gmail headers show the TLS version in the Received line; Postmaster Tools also reports the share of your mail sent over TLS.

Common questions about the bulk sender rules

Do transactional emails count? Yes, toward the 5,000-per-day threshold: receipts, password resets, and notifications all count as messages sent. The one-click unsubscribe requirement, however, applies to marketing and subscription mail, not to transactional messages a user needs regardless of preference. Authentication requirements apply to everything you send.

Does sending from a subdomain reset the count? No. Google aggregates volume at the organizational domain level, so mail.example.com and news.example.com both roll up to example.com. Subdomains are still worth using to separate reputation between streams; they just do not dodge the threshold.

What happens if I fall out of compliance after being compliant? Enforcement is continuous, not a one-time gate. Break your DKIM signing in a migration or let complaints cross 0.30% and the penalties apply to that traffic immediately: junk placement first, SMTP-level 550 rejections for authentication failures under the November 2025 regime. This is why compliance is a monitored state, not a completed project.

Is p=none really enough? It satisfies the letter of the requirement today. Both Google and Yahoo have signaled that stronger enforcement policies are the direction of travel, and p=none does nothing to stop spoofing of your domain. Treat it as the entry ticket and plan the move to quarantine or reject once your DMARC reports show clean alignment.

What compliance gets you, honestly

Here is the boundary worth stating plainly: this checklist is a floor, not a ceiling. Meeting every requirement means your mail is eligible for the inbox, not entitled to it. Placement still depends on your sending reputation, list quality, engagement history, and per-recipient filtering that no sender controls and no vendor can guarantee, us included. Distrust anyone who sells "guaranteed compliance = guaranteed inbox." Also note the reverse is true: these rules exist to protect recipients from unwanted mail, and being technically compliant does not make unsolicited bulk email legitimate. If people did not ask for your mail, perfect DKIM will not make them want it, and complaint rates will say so.

The efficient way to work this checklist is to test once, fix what fails, and keep watching. A seed placement test with Inboxes checks your authentication, alignment, headers, and blacklist status in the same pass that shows where your mail lands at Gmail, Outlook, Yahoo, iCloud, GMX, and Zoho, then ranks the gaps by impact. Run it before Gmail's SMTP rejections run it for you.