What are the Google and Yahoo sender requirements?

In February 2024, Google and Yahoo jointly rolled out new sender requirements that permanently changed what it takes to deliver bulk email. What started as "recommendations" in late 2023 became enforcement in Q2 2024, and by 2026 the requirements are table stakes — noncompliant bulk senders see delivery rates collapse or messages bounce outright with 550 5.7.26 and similar codes. If you send any volume of email, understanding these rules is not optional.

Who is affected

Google and Yahoo define "bulk sender" as any domain sending more than 5,000 messages per day to that provider. The count is per-provider, not global — you can hit the threshold on Gmail while staying below it on Yahoo. The rules apply whether you send from your own infrastructure, through an ESP (SendGrid, Mailgun, Postmark, Amazon SES), or through a transactional service (Twilio, MessageBird). Shared IPs count, so if you are on a shared pool and your neighbors push the pool over the limit, you inherit the requirements.

Below 5,000/day, many of the rules still apply as best practices but enforcement is lighter. Above it, every rule is enforced.

The core requirements

1. SPF OR DKIM aligned with the From header. You need at least one, though in practice every bulk sender should do both.
2. DKIM on every bulk email. 1024-bit minimum; 2048-bit recommended.
3. DMARC published with at least p=none. Quarantine or reject is not required for inbound, but it must exist.
4. From header aligned with the authenticated domain. No sending "From: [email protected]" while only sendgrid.net DKIM-signs the message.
5. One-click unsubscribe (RFC 8058) on marketing mail. The List-Unsubscribe-Post: List-Unsubscribe=One-Click header must actually work — a 200 OK response to an HTTP POST is required.
6. Spam complaint rate below 0.3%. Measured as a rolling average in Gmail Postmaster Tools. Above 0.3%, delivery gets throttled. Above 0.5%, you go to spam.
7. Valid forward and reverse DNS on sending IPs. PTR records must exist and match the HELO.
8. TLS on transport. STARTTLS on SMTP connections to Gmail/Yahoo MX servers.

One-click unsubscribe in detail

This is where most senders fail. The RFC 8058 mechanism requires two headers:

List-Unsubscribe: <mailto:[email protected]>, <https://example.com/unsub?id=abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Gmail and Yahoo generate a POST to the HTTPS URL with the body List-Unsubscribe=One-Click when the user clicks the unsubscribe link inside the mail client. Your server must accept the POST, process the unsubscribe within two days, and respond 200. A 302 redirect to a confirmation page is not acceptable — it fails the automated check.

Common mistakes:

• Using only the mailto: form and omitting the HTTPS URL.
• Requiring the user to click a confirmation after the POST.
• Rate-limiting unsubscribe POSTs (Google will retry but impatient clients give up).
• Stripping the header at an outgoing relay.

DMARC alignment, not just publication

The rules say DMARC must be published at p=none or stronger. But publication alone is not enough — the email must pass DMARC. That means SPF OR DKIM must align with the organizational domain in the From header.

Example of a misaligned DKIM signature that would fail the rule:

From: [email protected]
DKIM-Signature: d=sendgrid.net; s=s1; ...
SPF: pass (envelope: [email protected])

The domain "example.com" is not authenticated. Gmail will either bounce or heavily penalize this. The fix is to set up custom domain authentication in SendGrid (or your ESP) so the DKIM d= becomes example.com.

Spam complaint rate measurement

Google Postmaster Tools is free and mandatory if you send at volume. The spam rate shown in the dashboard is the rolling user-reported rate for your domain. Yahoo publishes similar data through its sender hub.

Staying under 0.3% requires:

• Honoring unsubscribes within 48 hours.
• Not emailing inactive recipients (180+ days no opens).
• Clear From names that recipients recognize.
• Sending cadence that matches subscriber expectations.
• Double opt-in or confirmed opt-in lists.

If you spike above 0.3%, pause the campaign, segment out inactive users, and warm back up slowly.

What Microsoft is doing

Microsoft announced similar requirements for Outlook.com, Hotmail, and Live.com that took effect in May 2025. The threshold is also 5,000/day. SPF, DKIM, DMARC, and one-click unsubscribe are all required. Microsoft is slightly stricter on DMARC alignment and considers neutral (pct=0) DMARC as noncompliant.

Apple Mail (iCloud.com) has not published explicit thresholds but applies similar heuristics.

Typical failure modes

550 5.7.26 — the message does not pass authentication. Fix SPF/DKIM alignment with the From header.

421 4.7.28 — rate limit. Too much traffic in a short window from an IP with mediocre reputation. Slow down and warm up.

550 5.7.0 mail rejected for policy reasons — generic block, usually complaint-driven. Check Postmaster Tools.

Silent spam folder — authentication passes but reputation is bad. No SMTP-level signal. Monitor Postmaster Tools and inbox-placement tools.

A deployment checklist for 2026

1. Buy a dedicated IP or confirm your shared pool is well managed.
2. Set up SPF with only the necessary includes (under 10 lookups).
3. Configure DKIM at your ESP with your own d= domain. Use 2048-bit keys.
4. Publish DMARC at p=none with rua= and a mailbox you actually read.
5. Add List-Unsubscribe headers in both mailto and HTTPS forms.
6. Implement the POST endpoint per RFC 8058 with a 200 response.
7. Register in Google Postmaster Tools and Yahoo's sender portal.
8. Monitor complaint rate weekly.
9. Move DMARC to p=quarantine once clean, then p=reject.

When to use IntoDNS.ai

IntoDNS.ai audits your domain against the Google/Yahoo/Microsoft 2024+ requirements in one scan: SPF lookup count, DKIM selector presence and key strength, DMARC alignment mode, and whether your MX servers present valid TLS and PTR records. If any requirement is missing, it tells you exactly which one and provides the specific DNS record to add.

The bounce codes you will actually see

When the requirements fail at scale, SMTP responses tell you which rule you violated. The 2024+ codes at Gmail:

• 550 5.7.26 This message does not have authentication information or fails to pass authentication checks. — SPF/DKIM/DMARC alignment failed.
• 550 5.7.1 Our system has detected that this message is likely unsolicited mail. — reputation/complaints.
• 421 4.7.28 Gmail has detected an unusual rate of unsolicited mail originating from your IP address. — rate-limit. Slow down.
• 550 5.2.3 Your message exceeded Google's message size limits. — not an auth issue but common during the transition to stricter checks.

Yahoo uses similar codes with minor variants. Microsoft 365 returns 550 5.7.507 Access denied, banned sender or 550 5.7.509 Access denied, sending domain has either SPF record or DKIM signature but not both.

When a message is dropped silently into spam rather than bounced, no SMTP-level signal exists. This is when Postmaster Tools becomes your only visibility.

Postmaster Tools setup

Google Postmaster Tools (postmaster.google.com) is free and essential:

1. Add your sending domain.
2. Verify via DNS TXT record.
3. Wait 48-72 hours for data to accumulate.
4. Check daily: Spam Rate, IP Reputation, Domain Reputation, Authentication, Encryption, Delivery Errors.

You need at least "a few hundred" emails per day to the provider before data appears. Below that volume, the dashboard shows "Insufficient data."

Yahoo's equivalent is the Yahoo Sender Hub. Microsoft offers SNDS (Smart Network Data Services) at sendersupport.olc.protection.outlook.com for IP-level reputation. Use all three if you send to all three providers.

Ongoing compliance, not a one-time fix

These requirements are not a project with a completion date. Google and Yahoo update thresholds, Microsoft tightens rules, and new rules arrive. Maintain a quarterly review: SPF lookup count, DKIM key age, DMARC alignment rate, complaint rate trend, unsubscribe endpoint health.

Many bulk senders treat the 2024 rollout as "done." They fixed SPF, DKIM, DMARC, and unsubscribe once, and now their deliverability slowly degrades as edge cases accumulate. The domains that stay green in Postmaster Tools are the ones that scan themselves monthly.