Google, Yahoo & Microsoft Bulk Sender Requirements

Complete guide to email authentication requirements from Google, Yahoo, and Microsoft. Meet SPF, DKIM, and DMARC compliance to avoid email rejections.

Published December 19, 2025

In October 2023, Google and Yahoo announced new email authentication requirements that took effect in February 2024. Microsoft followed with similar requirements starting May 5, 2025. Together, these three providers handle approximately 90% of consumer email—if you’re sending bulk email, compliance isn’t optional.

This guide covers everything you need to know to meet these requirements and keep your emails reaching the inbox.

Quick Summary: What’s Required

Requirement | All Senders | Bulk Senders (5,000+/day)
SPF | Required | Required
DKIM | Required | Required
DMARC | Recommended | Required (minimum p=none)
DMARC Alignment | Recommended | Required (SPF or DKIM must align)
One-Click Unsubscribe | Recommended | Required (marketing emails)
Spam Rate | Below 0.3% | Below 0.1% (target)
Valid PTR Records | Required | Required
TLS Encryption | Required | Required

Timeline of Enforcement

Date | Milestone
October 3, 2023 | Google and Yahoo announce requirements
February 1, 2024 | Initial enforcement begins—temporary errors for non-compliance
April 2024 | Google begins rejecting percentage of non-compliant email
June 1, 2024 | One-click unsubscribe deadline for bulk senders
April 2, 2025 | Microsoft announces requirements
May 5, 2025 | Microsoft begins rejecting non-compliant email

Who Is a “Bulk Sender”?

Google’s Definition

Any domain that sends close to 5,000 messages or more to personal Gmail accounts in a 24-hour period. If you reach this threshold even once, you’re permanently classified as a bulk sender.

Important clarifications:

  • The count is per domain, not per email address
  • Internal Google Workspace emails may count toward the limit
  • Third-party sends (via ESPs like Mailchimp or SendGrid) using your domain count toward your total

Yahoo’s Definition

Yahoo hasn’t specified an exact threshold. They classify bulk senders based on “significant volume” to Yahoo addresses. Assume similar thresholds apply.

Microsoft’s Definition

Domains sending over 5,000 emails per day to Microsoft consumer domains:

  • outlook.com
  • hotmail.com
  • live.com
  • msn.com

Note: Microsoft 365 business addresses are not currently included in these requirements.

Requirement 1: Email Authentication (SPF, DKIM, DMARC)

SPF (Sender Policy Framework)

SPF specifies which servers can send email for your domain. All providers require SPF to pass.

What you need:

Type: TXT
Host: @
Value: v=spf1 include:_spf.google.com include:sendgrid.net -all

Key points:

  • Only one SPF record per domain (combine all includes)
  • Maximum 10 DNS lookups
  • End with -all (hard fail) for best protection
  • Include all legitimate sending sources

Verify your SPF:

dig +short TXT example.com | grep spf

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to verify email integrity and sender authenticity.

What you need:

  • DKIM signing enabled for all sending sources
  • Public key published in DNS
  • Signature domain should match your From address domain

Verify your DKIM:

dig +short TXT selector._domainkey.example.com

Replace selector with your actual DKIM selector (e.g., google, s1, k1).

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC is required for bulk senders. It ties SPF and DKIM together and tells receivers what to do with failing emails.

Minimum required record:

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]

Recommended record (with reporting):

v=DMARC1; p=none; rua=mailto:[email protected]; adkim=r; aspf=r; pct=100

DMARC policy values:

Policy | Meaning | When to Use
p=none | Monitor only | Starting out, meets minimum requirement
p=quarantine | Send failures to spam | After verifying legitimate sources
p=reject | Block failures entirely | Full enforcement (recommended goal)

DMARC Alignment (Critical for Bulk Senders)

This is where many senders fail. DMARC alignment means the domain in your From header must match the domain verified by SPF or DKIM.

SPF Alignment:

  • The Return-Path domain (envelope sender) must match your From domain
  • Many ESPs use their own Return-Path by default—you may need a custom Return-Path

DKIM Alignment:

  • The d= domain in the DKIM signature must match your From domain
  • Most ESPs support custom DKIM signing on your domain

You need at least one to align. Having both align is better.

Example of aligned vs. unaligned:

Scenario | From Header | DKIM d= | SPF Domain | Aligned?
Aligned (DKIM) | [email protected] | example.com | esp.com | ✅ Yes
Aligned (SPF) | [email protected] | esp.com | example.com | ✅ Yes
Not Aligned | [email protected] | esp.com | esp.com | ❌ No
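
The alignment decision above, written out as an added example (not code from this guide or from any provider). It goes one step beyond the table by covering relaxed versus strict mode (the aspf/adkim tags); the sample message, the function names and the four-entry public suffix set are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List; load the full list in real use.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

# Constructed sample message (addresses are illustrative, not from the page).
SAMPLE = (
    "From: Newsletter <news@mail.example.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def org_domain(domain):
    """Organizational domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is unknown

def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' (relaxed) compares organizational domains; 's' (strict) needs an exact match."""
    if not from_domain or not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_alignment(raw_message, spf_domain, dkim_domain, aspf="r", adkim="r"):
    """spf_domain: Return-Path domain that passed SPF; dkim_domain: d= of a passing signature."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf_ok = aligned(from_domain, spf_domain, aspf)
    dkim_ok = aligned(from_domain, dkim_domain, adkim)
    return {"from": from_domain, "spf": spf_ok, "dkim": dkim_ok, "pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    # The three rows of the table above, then the DKIM-aligned row under strict mode.
    for spf_d, dkim_d, mode in [("esp.com", "example.com", "r"), ("example.com", "esp.com", "r"),
                                ("esp.com", "esp.com", "r"), ("esp.com", "example.com", "s")]:
        print(spf_d, dkim_d, mode, dmarc_alignment(SAMPLE, spf_d, dkim_d, adkim=mode))
```

With a From address on a subdomain, a signature with d=example.com aligns in relaxed mode but not under adkim=s, which is a common surprise when tightening a record.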

Requirement 2: One-Click Unsubscribe

Bulk senders must include a one-click unsubscribe mechanism for marketing and promotional emails.

What’s Required

  1. List-Unsubscribe header with mailto: and/or HTTPS URL
  2. List-Unsubscribe-Post header for one-click functionality
  3. Process unsubscribe requests within 2 days

Example Headers

List-Unsubscribe: <mailto:[email protected]>, <https://example.com/unsubscribe?id=123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

What This Looks Like to Recipients

Gmail and other providers display an “Unsubscribe” link near the sender name:

From: Newsletter <[email protected]> Unsubscribe · to me

ESP Support

Most email service providers handle this automatically:

  • Mailchimp: Automatic for all campaigns
  • SendGrid: Automatic with subscription tracking enabled
  • HubSpot: Automatic for marketing emails
  • Klaviyo: Automatic for all sends

Check your ESP’s documentation if you’re not seeing these headers.

Transactional Exemption

One-click unsubscribe is not required for:

  • Order confirmations
  • Shipping notifications
  • Password resets
  • Account alerts
  • Other transactional messages

Requirement 3: Spam Rate Thresholds

The Thresholds

Provider | Target Rate | Maximum Rate
Google | Below 0.10% | Never exceed 0.30%
Yahoo | Below 0.30% | Not specified
Microsoft | Below 0.30% | Not specified

How Spam Rate Is Calculated

Spam rate = (Emails marked as spam) / (Emails delivered to inbox)

A rate of 0.10% means 1 spam complaint per 1,000 emails delivered.

Monitoring Your Spam Rate

Google Postmaster Tools (essential for Gmail senders):

  1. Go to Google Postmaster Tools
  2. Add and verify your domain
  3. Monitor spam rate, IP reputation, and authentication

Yahoo Complaint Feedback Loop:

  1. Register at Yahoo Postmaster
  2. Set up feedback loop to receive complaint notifications

Microsoft SNDS (Smart Network Data Services):

  1. Register at Microsoft SNDS
  2. Monitor IP reputation and complaint data

Reducing Spam Complaints

  • Clean your list regularly: Remove inactive subscribers
  • Honor unsubscribes immediately: Don’t wait the full 2 days
  • Set expectations: Be clear about email frequency at signup
  • Segment your sends: Don’t blast everyone with everything
  • Make unsubscribe easy: Don’t hide it or require login

Requirement 4: Technical Infrastructure

Valid PTR Records (Reverse DNS)

Your sending IP addresses must have valid PTR (reverse DNS) records that resolve back to your domain.

Check your PTR:

dig -x YOUR.IP.ADDRESS +short

The result should be a hostname that, when looked up, resolves back to the original IP.

Most ESPs handle this for you. If you’re sending from your own infrastructure, work with your hosting provider.

TLS Encryption

All email must be transmitted over TLS (Transport Layer Security). This is handled at the server level—most modern email infrastructure supports this by default.

Valid From Addresses

  • Use a real, monitored email address in your From field
  • The address should be able to receive replies
  • Don’t use noreply@ addresses for marketing emails (bad practice, though not explicitly banned)

Provider-Specific Details

Google Gmail

Documentation: Email Sender Guidelines

Key points:

  • Don’t impersonate Gmail From headers
  • Use ARC headers if forwarding email
  • Enforcement is gradual—percentage of non-compliant mail rejected increases over time

Error codes for non-compliance:

  • 421-4.7.28: Temporary failure, authentication issue
  • 550-5.7.26: Unauthenticated email not accepted

Yahoo Mail

Documentation: Yahoo Sender Best Practices

Key points:

  • Very similar to Google’s requirements
  • Spoofed emails count toward your enforcement metrics
  • Strong emphasis on user consent

Microsoft Outlook

Documentation: Outlook Sender Requirements

Key points:

  • Enforcement began May 5, 2025
  • Non-compliant emails are rejected, not just sent to junk
  • Error code: 550 5.7.515 Access denied, sending domain does not meet the required authentication level
  • Safe Sender lists do NOT bypass authentication requirements

Step-by-Step Compliance Checklist

For All Senders

  • SPF record published with all legitimate sending sources
  • DKIM enabled for all email streams
  • DMARC record published (at minimum p=none)
  • Valid PTR records for sending IPs
  • TLS enabled for email transmission
  • Valid From addresses that can receive replies

Additional for Bulk Senders (5,000+/day)

  • DMARC alignment achieved (SPF or DKIM aligns with From domain)
  • One-click unsubscribe implemented for marketing emails
  • Spam rate monitored via Postmaster Tools
  • Spam rate maintained below 0.10% (target) / 0.30% (max)
  • Unsubscribes processed within 2 days

Testing Your Compliance

1. Check DNS Records

Use online tools or command line:

# Check SPF
dig +short TXT example.com | grep spf

# Check DMARC
dig +short TXT _dmarc.example.com

# Check DKIM (replace 'selector' with your selector)
dig +short TXT selector._domainkey.example.com

2. Send Test Emails

Send test emails to Gmail, Yahoo, and Outlook addresses. Check the headers:

In Gmail:

  1. Open the email
  2. Click the three dots → “Show original”
  3. Look for Authentication-Results

You should see:

spf=pass
dkim=pass
dmarc=pass

3. Use Authentication Testing Tools

Common Compliance Issues

“DMARC is passing but emails still go to spam”

DMARC passing doesn’t guarantee inbox placement. Other factors matter:

  • Sender reputation
  • Content quality
  • Engagement rates
  • Spam complaints

“SPF is failing for my ESP”

Your ESP’s sending IPs might not be in your SPF record. Add their include statement:

ESP | SPF Include
SendGrid | include:sendgrid.net
Mailchimp | Not required (uses DKIM only)
Amazon SES | include:amazonses.com
Google Workspace | include:_spf.google.com
Microsoft 365 | include:spf.protection.outlook.com

“DKIM alignment is failing”

Your ESP might be signing with their domain, not yours. Enable custom DKIM:

  • Most ESPs support this via CNAME records
  • Check your ESP’s domain authentication settings
  • You may need to add 2-3 DNS records

“I exceeded the SPF lookup limit”

SPF allows a maximum of 10 DNS lookups. Solutions:

  • Use SPF flattening (convert includes to IPs)
  • Remove unused include statements
  • Use subdomains for different sending streams
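
How the 10-lookup limit adds up across nested includes, as an added example (not code from this guide). It counts the terms that RFC 7208 says trigger DNS queries (include, a, mx, ptr, exists and the redirect modifier) over a constructed set of records, so it runs offline; every domain and record in ZONE is made up, and the count is the worst case because a real evaluation stops at the first matching mechanism.

```python
# Constructed SPF records keyed by domain (not real DNS answers), so this runs offline.
ZONE = {
    "example.com": "v=spf1 include:_spf.a.test include:_spf.b.test include:_spf.c.test mx a -all",
    "_spf.a.test": "v=spf1 include:_n1.a.test include:_n2.a.test include:_n3.a.test ~all",
    "_n1.a.test": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_n2.a.test": "v=spf1 ip4:192.0.2.128/26 ~all",
    "_n3.a.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.b.test": "v=spf1 a mx include:_n1.b.test ~all",
    "_n1.b.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.c.test": "v=spf1 exists:%{i}.bl.c.test redirect=_r.c.test",
    "_r.c.test": "v=spf1 ip4:203.0.113.0/24 -all",
    # Illustrative flattened record: literal networks only, no DNS-querying terms.
    "flat.example.com": "v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/26 ip6:2001:db8::/32 "
                        "ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all",
}

LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")
MAX_LOOKUPS = 10

def count_lookups(domain, zone, _stack=()):
    """Worst-case number of DNS-querying terms reachable from domain's SPF record."""
    if domain in _stack:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for term in zone.get(domain, "").split()[1:]:   # skip the v=spf1 version tag
        term = term.lstrip("+-~?").lower()          # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[len("redirect="):], zone, _stack + (domain,))
            continue
        mech, _, target = term.partition(":")
        mech = mech.partition("/")[0]               # strip a CIDR suffix such as a/24
        if mech in LOOKUP_MECHS:
            total += 1
            if mech == "include":
                total += count_lookups(target, zone, _stack + (domain,))
    return total

def exceeds_limit(domain, zone):
    return count_lookups(domain, zone) > MAX_LOOKUPS

if __name__ == "__main__":
    for name in ("example.com", "flat.example.com"):
        print(name, count_lookups(name, ZONE), "over limit" if exceeds_limit(name, ZONE) else "ok")
```

The top-level record shows only five lookup terms, yet the nested includes bring the total to 13. A flattened record stays at zero but has to be regenerated whenever a provider changes its IP ranges.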

“I’m under 5,000 emails but still having issues”

Even non-bulk senders benefit from full authentication. Plus:

  • Yahoo doesn’t have a firm threshold
  • You might hit 5,000 during peak periods
  • Requirements may expand to all senders

What’s Next

Implement Full DMARC Enforcement

Don’t stop at p=none. The progression:

  1. p=none (Monitor): Collect reports, identify all legitimate sources
  2. p=quarantine (Test): Send failures to spam, verify no legitimate mail affected
  3. p=reject (Enforce): Block unauthorized email entirely

Monitor DMARC Reports

DMARC aggregate reports show:

  • Who’s sending email as your domain
  • Authentication pass/fail rates
  • Sources you may have forgotten about

Use a DMARC monitoring tool to parse these reports—they’re XML and hard to read manually.
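
What parsing one of these reports involves, as an added example (not code from this guide or from Verkh). The report below is constructed using the element names from RFC 7489 and assumes no XML namespace; the IPs, counts and function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report using RFC 7489 element names (values are illustrative).
REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>55</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>12</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize(report_xml):
    """Per source IP: total messages and how many failed DMARC (neither DKIM nor SPF aligned)."""
    # Reports arrive from third parties: in production use a hardened parser such as defusedxml.
    root = ET.fromstring(report_xml)
    stats = defaultdict(lambda: {"total": 0, "fail": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        stats[ip]["total"] += count
        if dkim != "pass" and spf != "pass":   # policy_evaluated holds the aligned results
            stats[ip]["fail"] += count
    return dict(stats)

def failing_sources(report_xml):
    """Source IPs with DMARC failures, largest failure volume first."""
    rows = [(ip, s["fail"], s["total"]) for ip, s in summarize(report_xml).items() if s["fail"]]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for ip, failed, total in failing_sources(REPORT):
        print(f"{ip}: {failed} of {total} messages failed DMARC")
```

A source that fails every message (203.0.113.99 here) is either a forgotten legitimate sender or someone else using the domain; a source that fails only a few is more often forwarding.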

Maintain Good Sending Practices

Authentication is the baseline. For best deliverability:

  • Send wanted email to engaged subscribers
  • Remove inactive addresses regularly
  • Monitor your sender reputation
  • Respond quickly to deliverability issues

Get Help with Compliance

Verkh monitors your DMARC, SPF, and DKIM configuration and alerts you when something breaks. See who’s sending as your domain, track your authentication rates, and get copy-paste DNS records to fix issues.


Last updated: December 2025. Requirements may change—check provider documentation for the latest information.
