Gmail, Yahoo & Microsoft bulk sender requirements

TL;DR

Google, Yahoo, and Microsoft now treat anything above 5,000 messages a day to their addresses as a bulk send, with hard rules on authentication, complaint rate, and one-click unsubscribe. The 0.30% spam-complaint cap is the deadline most teams trip on, not DMARC. Run p=none with rua reporting first, then graduate to p=quarantine once the reports come back clean.

Most pages ranking for "gmail yahoo sender requirements" are ESP blogs reciting Google's original announcement. We do something different. We monitor the headers of every newsletter our customers track, and we report what real senders ship in production. This article uses that header corpus to show which parts of the bulk sender rules are universally adopted, which parts still trip teams up, and the order to fix them in.

What changed and who must comply

Google rolled out its bulk sender rules in February 2024. Yahoo matched them within weeks, and Microsoft published a near-identical Outlook.com policy a year later. By 2026 the three biggest inbox providers operate on the same playbook, with mild differences in how they measure and enforce it. The differences matter less than the shared framework, which is now table stakes if you want to land in the primary tab.

The threshold to know: 5,000 messages a day to Gmail addresses, counted on a rolling 24-hour window. Cross the line on any single day and your domain is treated as a bulk sender from that point on, even if you average less the rest of the week. Yahoo uses the same 5,000 figure. Microsoft has been less specific in public documentation but applies similar filtering in practice.

Who counts? Anyone running a marketing send through a shared IP, a transactional system that fans out to consumers, or a creator newsletter that has grown past roughly 30,000 active subscribers. Gmail Postmaster Tools is the system of record on the Google side. Yahoo Sender Hub mirrors it. Microsoft SNDS covers Outlook.com and Hotmail addresses, though its data is sparser. Senders under 5,000 a day still need SPF and DKIM to land in the primary inbox. Our guide to the Gmail primary tab covers the small-sender case in more depth.

The authentication trio: SPF, DKIM, DMARC

SPF and DKIM are table stakes. The hard call is DMARC. Bulk senders need a published DMARC record at the organisational domain, and at minimum a policy of p=none with aggregate (rua) reporting going somewhere a human reads. That would have been a low bar ten years ago, and it is a real one today, because it forces alignment between your envelope-from, your DKIM signing domain, and your visible From header. Our deep dive on SPF, DKIM, and DMARC walks through the records themselves.

A few specifics that bite teams in production. SPF should end in -all once you are confident, not ~all, because the soft-fail is treated as a yellow flag by some filters. DKIM keys should be 2048-bit and rotated at least yearly. We still see 1024-bit keys at well-known ESPs, particularly on older Mailchimp tenants that have never re-authenticated their sending domain. ARC sealing is required if you ever forward through a list manager or a Google Group, because without it the original DKIM signature breaks on relay.

Our position: start with p=none. Get the reports flowing, fix every alignment failure they expose, and only then move to p=quarantine. The cost of jumping to p=quarantine on day one is that legitimate mail starts dropping into spam before you can see why. Faster compliance is not the same as safer compliance.

Spam complaint rate thresholds

Two numbers matter and only two. The 0.10% complaint rate is the "stay below this" target. The 0.30% rate is the enforcement threshold, the point at which Gmail starts filtering you regardless of authentication. Hit 0.30% and you are filtered or blocked for the affected mail stream, often for days.

The denominator is where teams misread the rule. Gmail Postmaster Tools measures complaints against the count of messages that actually reached an inbox, not the count you sent. That sounds reasonable until you realise it means a bad day for deliverability quietly raises your complaint rate, because the same number of complaints is being divided by a smaller delivered base. List rot and complaint rate are the same problem in two costumes. Our unsubscribe rate benchmark shows how this plays out over time.

Microsoft uses SNDS complaint data, which is sparser but follows similar logic. Yahoo's signal is weaker. You mostly see Yahoo's verdict as "this domain is no longer landing in the primary tab", with no diagnostic page to confirm it.

One-click unsubscribe (RFC 8058)

RFC 8058 is the IETF specification the rule references. In practice it means two headers in your message. List-Unsubscribe carries both a mailto and an https URL. List-Unsubscribe-Post is set to the literal string List-Unsubscribe=One-Click. When the recipient clicks the unsubscribe link Gmail renders in the message header, Gmail posts to your URL silently. No landing page, no confirmation form, no "are you sure".

You have two business days to honour the request. Most ESPs honour it immediately, but if you run your own list or use a custom unsubscribe endpoint, you need a job that processes the inbound posts inside that window.

Default behaviour by ESP, as of our latest header sample: SendGrid, Mailchimp, Klaviyo, Beehiiv, and ConvertKit all ship both headers by default. Substack does too, with their own redirect domain in the URL. Iterable and Customer.io expose the header but require a tenant-level toggle, which a surprising number of teams forget to flip. Older HubSpot Marketing Hub portals (pre-2024) sometimes still ship only the legacy mailto variant. Check yours by sending to a Gmail seed and inspecting the raw headers.
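One way to run that raw-header check, as an added example (not Newsletrix code): a Python audit of the two headers described above. The DKIM coverage test comes from RFC 8058 itself, which requires a signature covering both headers; the function name and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy

def audit_one_click(raw: str) -> list:
    """Return the RFC 8058 problems found in a raw message's headers."""
    msg = message_from_string(raw, policy=policy.default)
    problems = []
    uris = re.findall(r"<\s*([^<>\s]+)\s*>", str(msg.get("List-Unsubscribe", "")))
    for scheme in ("https://", "mailto:"):
        if not any(u.lower().startswith(scheme) for u in uris):
            problems.append(f"List-Unsubscribe has no {scheme} URI")
    post = str(msg.get("List-Unsubscribe-Post", "")).strip()
    if post != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post is missing or not the literal value")
    # RFC 8058 also needs a DKIM signature whose h= tag covers both headers.
    covered = set()
    for sig in msg.get_all("DKIM-Signature", []):
        match = re.search(r"(?:^|;)h=([^;]+)", re.sub(r"\s+", "", str(sig)))
        if match:
            covered |= {name.lower() for name in match.group(1).split(":")}
    for name in ("list-unsubscribe", "list-unsubscribe-post"):
        if name not in covered:
            problems.append(f"{name} is not in any DKIM-Signature h= list")
    return problems

# Constructed sample: both headers present and signed (signature values are placeholders).
COMPLIANT = """\
From: News <news@example.com>
To: reader@example.net
Subject: Weekly issue
List-Unsubscribe: <mailto:unsub@example.com?subject=u-123>,
 <https://example.com/unsub/u-123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:to:subject:date:list-unsubscribe:list-unsubscribe-post;
 bh=PLACEHOLDER; b=PLACEHOLDER

Body
"""
# Constructed sample: the legacy mailto-only variant, unsigned.
LEGACY = "From: news@example.com\nList-Unsubscribe: <mailto:unsub@example.com>\n\nBody\n"

if __name__ == "__main__":
    for label, raw in (("compliant", COMPLIANT), ("legacy", LEGACY)):
        print(label, audit_one_click(raw))
```

The audit only inspects the h= list; it does not verify the signature, so a pass here still needs a dkim=pass result from the receiving side.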


TLS, PTR, and message formatting

TLS for transit, PTR records that resolve back to the sending hostname, and message bodies that conform to RFC 5322. None of this is new. What is new is that bulk senders who skip them are now binned, not warned. The rule moved these from "nice to have" to "required".

PTR catches teams that move from a managed ESP to a self-hosted MTA, because the new IP often has no reverse DNS yet. The fix is fifteen minutes with your hosting provider, but you discover the problem only when delivery rates fall off a cliff. Forward and reverse alignment matters too: the IP's PTR should resolve to the same hostname your HELO uses.

The format requirements catch the long tail. Missing Date headers, malformed Message-ID, eight-bit content in headers without proper MIME encoding. Most ESPs get this right, but anyone hand-rolling an outbound system trips on it. If you have ever sent through a bare Python smtplib script in production, you have likely shipped a few non-conformant messages already. Our breakdown of how spam filters score modern mail explains why each of these signals carries weight.
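The three header defects named above, as an added example (not from the original article): a small Python linter for raw messages, next to a builder that lets the standard email package supply Date and Message-ID and encode non-ASCII header text. The function names, the simplified Message-ID pattern and both samples are constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import formatdate, make_msgid, parsedate_to_datetime

MSGID_RE = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")  # simplified msg-id shape

def lint_headers(raw: bytes) -> list:
    """Flag missing/bad Date, bad Message-ID and raw 8-bit header bytes."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    problems = []
    if any(byte > 127 for byte in head):
        problems.append("raw 8-bit bytes in headers (use RFC 2047 encoded-words)")
    fields = {}
    for line in re.sub(rb"\n[ \t]+", b" ", head).split(b"\n"):  # unfold first
        name, _, value = line.partition(b":")
        fields.setdefault(name.strip().lower(), []).append(
            value.strip().decode("ascii", "replace"))
    dates = fields.get(b"date", [])
    if len(dates) != 1:
        problems.append(f"expected exactly one Date header, found {len(dates)}")
    else:
        try:
            parsedate_to_datetime(dates[0])
        except (TypeError, ValueError):
            problems.append("Date header does not parse")
    ids = fields.get(b"message-id", [])
    if len(ids) != 1 or not MSGID_RE.match(ids[0]):
        problems.append("Message-ID missing, duplicated or malformed")
    return problems

def build_message(sender: str, rcpt: str, subject: str, body: str) -> bytes:
    """Build a message with Date, Message-ID and encoded non-ASCII headers."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
    msg["Date"] = formatdate(localtime=False)
    msg["Message-ID"] = make_msgid(domain=sender.rsplit("@", 1)[-1])
    msg.set_content(body)
    return msg.as_bytes()

# Constructed samples: a hand-rolled message and a conformant equivalent.
BAD = "From: Café <news@example.com>\nSubject: Hi\nMessage-ID: 12345\n\nBody\n".encode()
GOOD = build_message("news@example.com", "reader@example.net", "Café news", "Body")

if __name__ == "__main__":
    print("bad :", lint_headers(BAD))
    print("good:", lint_headers(GOOD))
```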

What Newsletrix sees in real headers

We monitor the headers of every newsletter our users track. Across the senders we sampled this month, here is what production looks like. SPF pass rate is the highest at roughly 96%. DKIM follows at 93%. DMARC published is at 82%, but DMARC with a policy stricter than p=none drops to 41%. List-Unsubscribe-Post coverage sits at 78%, with the missing share concentrated in self-hosted sends, older CRMs, and a handful of B2B marketing automation tenants.

The most common failure pattern is not a missing record. It is misalignment. The From header uses example.com, the DKIM domain is mail.example.com, and the DMARC record refuses to consider them aligned because the policy is set to strict alignment. The sender thinks DMARC is passing because the reports they never open say "delivered". Fixing this is a five-minute change once you understand it. The hard part is knowing to look.
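The misalignment case above, worked through as an added example (not Newsletrix code): a Python evaluation of DMARC identifier alignment under strict and relaxed modes. The function names, the rua address and the bounce domain are constructed, and org_domain() is a simplified stand-in for the Public Suffix List lookup a real evaluator uses.

```python
def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; adkim=s' into a tag dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    """ASSUMPTION: last two labels. Wrong for suffixes such as co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') compares org domains."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)

def evaluate(record, from_domain, dkim_domain, dkim_pass, spf_domain, spf_pass):
    """DMARC passes when at least one of DKIM or SPF both passes and aligns."""
    tags = parse_dmarc(record)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc": "pass" if (dkim_ok or spf_ok) else "fail"}

# Constructed records and message identifiers matching the scenario above.
STRICT = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
RELAXED = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
MAIL = dict(from_domain="example.com",
            dkim_domain="mail.example.com", dkim_pass=True,
            spf_domain="bounces.esp-mail.example", spf_pass=True)

if __name__ == "__main__":
    print("strict :", evaluate(STRICT, **MAIL))
    print("relaxed:", evaluate(RELAXED, **MAIL))
```

SPF and DKIM both pass in the sample, yet the strict record still yields a DMARC fail; dropping adkim=s (relaxed is the default) is the five-minute change.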

Notable rollouts in our corpus: SendGrid tenants now ship 2048-bit DKIM by default. Mailchimp pushed authenticated domains to all paid accounts in 2024 and most of the long tail has caught up. Beehiiv ships clean out of the box. Substack writes its DMARC for you at the org domain when you connect a custom send domain. Klaviyo enforces a verified sending domain before letting you send commercial mail. Compare that to Mailcharts and the older newsletter tracking tools, which expose subject lines and creative but never the headers, and you can see why we invest in the protocol layer.

The compliance checklist

A short list. Each item is binary, not a slider. Walk down it once per sending domain and once per ESP tenant you operate.

  1. SPF record published with a final -all.
  2. DKIM signing with a 2048-bit key.
  3. DMARC record published at the organisational domain.
  4. DMARC policy at minimum p=none with rua reporting to a monitored address.
  5. From, DKIM, and SPF aligned (relaxed alignment is fine).
  6. ARC sealing in place if you route through a forwarder or group.
  7. List-Unsubscribe header present, both mailto and https variants.
  8. List-Unsubscribe-Post: List-Unsubscribe=One-Click set.
  9. Unsubscribe requests processed within two business days.
  10. TLS 1.2 or higher accepted on the receiving side.
  11. PTR record resolves to your sending hostname.
  12. Message format conforms to RFC 5322 with valid Date and Message-ID.

If you are below 5,000 sends a day, items 1 through 3 and 7 through 8 still matter. The rest is good hygiene that does not yet carry an enforcement consequence. Pair this list with our newsletter footer compliance checklist to cover both the protocol and the visible footer requirements in a single pass.

How to audit any competitor newsletter

This is where Newsletrix earns its keep. Paste a competitor's send domain into the ESP detector and you get back the sending platform, the IP range, and the header set we extracted from their last send to our seed accounts. You can see whether their SPF ends in -all, whether DKIM is 2048-bit, and whether they ship List-Unsubscribe-Post. If they are running their own MTA, you see the PTR and HELO names too.

We use this internally before we vet any newsletter-swap partner. If their headers look like a hand-rolled 2018 stack, that is a signal about the rest of their operation. Tradeoff worth being honest about: header inspection cannot tell you their complaint rate, because only the sender sees their own Postmaster Tools view. It tells you whether they have done the cheap, deterministic homework, and most senders haven't.

For a deeper teardown, our subject line analyzer scores the creative side of the same sends. Together they give you a fuller picture of a competitor's setup than any sender will publish.

Frequently asked questions

What is the 5,000 email per day Gmail rule?

Google treats any sender that delivers more than 5,000 messages a day to Gmail addresses as a bulk sender, measured on a rolling 24-hour window. Once you cross the line on any single day, the bulk sender rules apply from that point on. Yahoo uses the same 5,000-per-day figure, and Microsoft applies similar filtering against Outlook.com and Hotmail addresses.

What is the spam complaint rate threshold for Gmail?

Two numbers. Stay below 0.10% as your operating target, and never let your domain cross 0.30%, which is the enforcement threshold. Gmail measures complaints as a share of messages that landed in the inbox, not the total you sent. Crossing 0.30% gets you filtered or blocked for that mail stream.

Is DMARC p=none enough for bulk senders?

Yes, for now. The published rule only requires a DMARC record with rua reporting, and p=none is acceptable as long as the record exists and reports go to a monitored address. Stay there until your reports show zero alignment failures, then graduate to p=quarantine. Jumping to enforcement before reports are clean drops legitimate mail into spam.

Does Microsoft Outlook follow the same rules as Gmail and Yahoo?

In practice yes. Microsoft published an Outlook.com bulk sender policy that mirrors the Gmail and Yahoo framework: SPF, DKIM, DMARC, one-click unsubscribe, and low complaint rates. Their enforcement signal is weaker because Outlook.com and Hotmail share the SNDS dashboard, but the filtering effect is the same.

What is RFC 8058 one-click unsubscribe?

RFC 8058 is the IETF specification for one-click unsubscribe in email. It requires the message to carry a List-Unsubscribe header with both a mailto and an https URL, plus a List-Unsubscribe-Post: List-Unsubscribe=One-Click header. When the recipient clicks Gmail's native unsubscribe link, Gmail posts to your URL silently and expects removal within two business days.

Do these rules apply to senders below 5,000 per day?

Not the enforcement regime, but the underlying signals still matter. Inbox filters use SPF, DKIM, DMARC, and complaint rate as inputs regardless of volume. A 2,000-a-day creator newsletter still needs authentication to land in the Gmail primary tab.
