Gmail & Yahoo bulk sender requirements: the working checklist

In February 2024, Gmail and Yahoo stopped treating email authentication as a best practice and started treating it as an entry requirement. Microsoft followed with equivalent rules for high-volume senders in 2025. The rules bind "bulk senders" — 5,000+ messages/day to Gmail — but the baseline items now affect everyone, and failing them produces 550 5.7.26 bounces at any volume.

Updated July 13, 2026

Requirements for every sender

  • SPF or DKIM passing (at least one; both strongly recommended) — verify with the SPF checker and DKIM checker.
  • Valid forward and reverse DNS (PTR) on sending IPs — handled by your provider unless you self-host.
  • TLS for message transmission — every major provider does this by default.
  • Spam rate kept under 0.3% in Google Postmaster Tools.

Additional requirements for bulk senders (5,000+/day)

  • Both SPF and DKIM passing.
  • A DMARC record — p=none satisfies the requirement, enforcement protects you.
  • DMARC alignment: the From domain must align with SPF or DKIM — see alignment explained.
  • One-click unsubscribe (RFC 8058 List-Unsubscribe-Post headers) on marketing/subscribed mail, honored within 2 days.
  • No impersonating Gmail From addresses (sending 'from' @gmail.com through your own infrastructure fails DMARC — Gmail enforces p=quarantine on gmail.com).

Checking yourself in one pass

Our compliance checker evaluates the DNS-verifiable requirements — SPF validity, DKIM presence, DMARC record and policy — against Google's, Yahoo's, and Microsoft's rulesets in one run. The parts DNS can't see (spam rate, unsubscribe headers on actual sends) need Postmaster Tools and a look at your ESP settings; HealthCheck Email monitors the observable set continuously and re-checks daily.

What happens if you don't comply

Enforcement is graduated: first a rising percentage of your mail gets rejected or spam-foldered, then — for persistent authentication failures — outright 550 blocks. The practical translation: these aren't guidelines you optimize for, they're the cost of entry. The good news is the checklist is finite, and most of it is a one-time DNS setup.

Common questions

How is the 5,000/day threshold counted?+

Messages to Gmail personal accounts (gmail.com and googlemail.com), counted per sending domain, on any day. Cross it once and Google treats the domain as a bulk sender from then on. Yahoo's threshold is similar in spirit without a hard published number.

Do these rules apply to transactional email?+

The authentication requirements apply to all mail. One-click unsubscribe applies to marketing and subscribed traffic — password resets and receipts don't need an unsubscribe header, though they must still authenticate.

Is p=none really enough for the DMARC requirement?+

For the letter of the requirement, yes — Gmail and Yahoo currently require a DMARC record with at least p=none. It won't stop spoofing, and the direction of travel is obvious: build toward enforcement now and the next ratchet won't touch you.

We're under 5,000/day — can we ignore all this?+

You escape the bulk-only items (mandatory DMARC, one-click unsubscribe), but the baseline still applies — and unauthenticated mail at any volume now bounces with 5.7.26. Doing the bulk checklist anyway is cheap insurance and better deliverability.