Gmail and Yahoo sender requirements checklist
Check the Gmail and Yahoo bulk sender rules for SPF, DKIM, DMARC, one-click unsubscribe, complaint rate, TLS, PTR, and list quality before scaling.
Google and Yahoo began enforcing updated bulk-sender requirements in February 2024. Microsoft added SPF, DKIM, and DMARC requirements for domains sending more than 5,000 messages per day to Outlook.com consumer addresses in May 2025. The three policies overlap, but they are not identical. Use WillItInbox deliverability testing, bulk validation, and DMARC monitoring to verify each provider's current checklist before scaling volume.
The seven requirements
| Requirement | Gmail | Yahoo | Microsoft |
|---|---|---|---|
| SPF aligned with From | ✓ | ✓ | ✓ |
| DKIM signing with aligned d= | ✓ | ✓ | ✓ |
DMARC published (p=none minimum) | ✓ | ✓ | ✓ |
| One-click List-Unsubscribe | Required for marketing mail | Required; RFC 8058 POST highly recommended | Good practice, not part of the 2025 authentication mandate |
| Spam rate below 0.3% | ✓ | ✓ | ✓ |
| TLS on outbound connections | Required | Secure infrastructure expected | Verify current Outlook guidance |
| Valid PTR for sending IPs | Required | Required | Strong sender-hygiene expectation |
| Signal | Risk if broken | First fix |
|---|---|---|
| DMARC alignment | Authentication passes but policy still fails | Align SPF or DKIM with the visible From domain |
| One-click unsubscribe | Complaints rise because users cannot leave easily | Add RFC 8058 headers and a POST endpoint |
| Complaint rate | Provider reputation drops quickly | Pause low-engagement segments and suppress complaints |
| List quality | Bounces and traps poison the send | Validate stale imports before the campaign |
1. Authentication: SPF + DKIM + DMARC, all aligned
Just having the records isn't enough — the From-header domain must align with the SPF authenticated domain or the DKIM signing domain. Both providers want to see DMARC published even at p=none; without it, the entire p=none → reject ramp is impossible to start.
2. One-click List-Unsubscribe
RFC 8058 mandates a List-Unsubscribe-Post header that lets the mail client unsubscribe with a single click. Both headers are required together — List-Unsubscribe alone is not enough.
List-Unsubscribe: <https://example.com/unsubscribe?token=ABC123>, <mailto:[email protected]>
List-Unsubscribe-Post: List-Unsubscribe=One-Click- HTTPS URL must accept POST and unsubscribe immediately, no confirmation page.
- Mailto is a fallback but the URL is what Gmail/Yahoo render.
- Unsubscribe must process within 2 days to comply.
- Removing this header is a one-way ticket to the spam folder.
3. Keep spam rate below 0.3%
Spam complaint rate is the percentage of recipients who hit "Report Spam." Both providers publish 0.3% as the hard ceiling and 0.1% as the recommended target. The math is brutal: with 100,000 sends, 300 complaints crosses the line.
| Spam rate | Receiver behavior |
|---|---|
| Under 0.1% | Healthy — no penalty |
| 0.1% – 0.3% | Warning zone — placement starts shifting to spam |
| Over 0.3% | Active filtering — most mail goes to spam |
| Over 0.5% | Outright rejection or rate limiting |
4. Monitor with Postmaster Tools and SNDS
- Google Postmaster Tools — adds a TXT record to your domain, then exposes spam rate, IP reputation, domain reputation, auth pass rate, and encryption rate.
- Microsoft SNDS — IP-based dashboard. Shows complaint rate, trap hits, and reputation tiers.
- Yahoo Sender Hub — newer; check inbox placement and complaint metrics.
- Both Google and Microsoft are free. Treat them as required reading every Monday.
5. TLS and transport security
Google explicitly requires TLS for mail sent to Gmail accounts. Yahoo expects securely operated mail infrastructure, while Microsoft's high-volume announcement centers on authentication and alignment. In every case, verify that your provider negotiates modern TLS and does not silently downgrade. Inspect received headers and provider telemetry rather than assuming transport security is working.
6. Valid PTR for sending IPs
Google and Yahoo explicitly require valid forward and reverse DNS for sending IPs. For self-hosted mail, configure the PTR through the IP owner, ensure the hostname resolves forward to the same IP, and use a consistent EHLO identity. Managed ESPs usually operate this layer, but dedicated-IP customers should still verify it.
7. Sane From identity
- From address on a domain you control with valid SPF/DKIM/DMARC.
- Avoid display-name spoofing of well-known brands (
From: PayPal Support <noreply at yourdomain>). - Reply-To should be a real, monitored mailbox.
- Subject line should match the body's intent. "Re:" without prior thread is a trigger.
The pre-launch checklist
Verify before scaling
- 01
Audit authentication
Run a WillItInbox test from your production sending platform. Confirm SPF, DKIM, and DMARC all pass with alignment. No warnings.
- 02
Verify List-Unsubscribe
Send to a Gmail account you control. Open the message, click "Unsubscribe" in the header. The unsubscribe must complete in one click without a confirmation page.
- 03
Set up Postmaster Tools and SNDS
Both require domain or IP verification. Wait 48 hours for data to populate.
- 04
Establish a complaint-rate baseline
Send to a small segment first (10% of your list). Read complaint metrics for a week before scaling.
- 05
Add suppression handling
Bounces, complaints, and unsubscribes must funnel into a permanent suppression list. Re-send to a complainer and Gmail will route everything to spam.
Frequently asked questions
Last updated May 24, 2026.
Sources reviewed
- Email sender guidelines(official)
- Sender requirements and recommendations(official)
- Outlook high-volume sender requirements(official)
Factual review: June 13, 2026 by WillItInbox Editorial.
Keep reading