The Gmail and Yahoo bulk sender rules: a 2026 checklist

In February 2024, Google and Yahoo jointly introduced new requirements for senders pushing more than 5,000 messages per day to Gmail or Yahoo accounts. Microsoft followed with similar (slightly weaker) rules in 2025. Two years in, the rules are no longer optional and enforcement is real: spam-folder placement, rate limiting, and outright rejection are all on the table.

The seven requirements

1. Authentication: SPF + DKIM + DMARC, all aligned

Just having the records isn't enough — the From-header domain must align with the SPF authenticated domain or the DKIM signing domain. Both providers want to see DMARC published even at p=none; without it, the entire p=none → reject ramp is impossible to start.

2. One-click List-Unsubscribe

RFC 8058 mandates a List-Unsubscribe-Post header that lets the mail client unsubscribe with a single click. Both headers are required together — List-Unsubscribe alone is not enough.

List-Unsubscribe: <https://example.com/unsubscribe?token=ABC123>, <mailto:[email protected]>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

• HTTPS URL must accept POST and unsubscribe immediately, no confirmation page.
• Mailto is a fallback but the URL is what Gmail/Yahoo render.
• Unsubscribe must process within 2 days to comply.
• Removing this header is a one-way ticket to the spam folder.

3. Keep spam rate below 0.3%

Spam complaint rate is the percentage of recipients who hit "Report Spam." Both providers publish 0.3% as the hard ceiling and 0.1% as the recommended target. The math is brutal: with 100,000 sends, 300 complaints crosses the line.

4. Monitor with Postmaster Tools and SNDS

1. Google Postmaster Tools — adds a TXT record to your domain, then exposes spam rate, IP reputation, domain reputation, auth pass rate, and encryption rate.
2. Microsoft SNDS — IP-based dashboard. Shows complaint rate, trap hits, and reputation tiers.
3. Yahoo Sender Hub — newer; check inbox placement and complaint metrics.
4. Both Google and Microsoft are free. Treat them as required reading every Monday.

5. TLS on outbound

All three receivers require STARTTLS on the connection. Most modern MTAs default to opportunistic TLS; you only need to verify your provider isn't downgrading silently. Look at any random message header — Received: ... (TLSv1.3) is what you want.

6. Valid PTR for sending IPs

Every IP that connects to the receiver must have a reverse DNS (PTR) record that resolves back to a hostname matching the EHLO/HELO greeting. Self-hosting requires asking your hosting provider to add the PTR (most have a control panel for this). ESPs handle this for you.

7. Sane From identity

• From address on a domain you control with valid SPF/DKIM/DMARC.
• Avoid display-name spoofing of well-known brands (From: PayPal Support <[email protected]>).
• Reply-To should be a real, monitored mailbox.
• Subject line should match the body's intent. "Re:" without prior thread is a trigger.

The pre-launch checklist