In February 2024, Gmail and Yahoo announced new requirements for bulk senders, defined as anyone sending more than 5,000 messages per day to a single provider. The rules have been in active enforcement for two years now. Here is what they actually look like in practice and the checklist for compliance.
The three rules
- SPF, DKIM, and DMARC must all pass. Authentication failures get demoted to spam.
- One-click unsubscribe must be present. Both the email header (
List-Unsubscribe-Post: List-Unsubscribe=One-Click) and a working unsubscribe URL. - Spam complaint rate must stay below 0.3%. Sustained above this triggers throttling and eventually blocking.
What changed since 2024 enforcement began
Authentication enforcement is strict
Gmail and Yahoo originally rolled out enforcement gradually. By mid-2024, mail without DKIM passing was being demoted aggressively. By 2026, missing DKIM essentially guarantees spam folder for bulk senders.
DMARC alignment is checked
Earlier guidance was "pass DMARC". Current guidance is "pass DMARC with alignment". This means the From domain must match the DKIM signing domain (or SPF return-path domain) exactly. A common gotcha: ESPs that sign with their own domain instead of yours.
List-Unsubscribe-Post is mandatory
The header must be present. Many ESPs added it by default in 2024. If you send through a custom system, confirm both headers are present.
Complaint rate threshold is non-negotiable
0.3% is a hard ceiling. The "ideal" is below 0.1%. Senders consistently between 0.1% and 0.3% get warnings via Postmaster Tools and degraded delivery. Above 0.3% sustained gets blocking.
The compliance checklist
- Confirm SPF passes by sending a test email and checking the Authentication-Results header.
- Confirm DKIM passes and is signed by your sending domain (not your ESP's).
- Confirm DMARC passes (the policy can be
p=nonefor monitoring or stronger). - Check List-Unsubscribe and List-Unsubscribe-Post headers are present.
- Click the one-click unsubscribe and confirm it works without further authentication.
- Pull Postmaster Tools data: complaint rate, IP reputation, domain reputation.
- If complaint rate is approaching 0.3%, audit your acquisition source and content.
What about smaller senders (under 5,000/day)?
The rules technically apply only to bulk senders, but mailbox providers apply the same standards loosely to everyone. If you authenticate properly, include unsubscribe, and keep complaints low, you land in inbox regardless of volume. If you do not, you land in spam regardless of volume.
Setting all of this up now, before you cross 5,000/day, avoids a panicked migration later.
FAQ
Where do I check authentication and complaint rate?
Gmail: Postmaster Tools. Yahoo: their Sender Hub. Use both. For broader visibility, services like Postmark DMARC Digests give you cross-provider aggregate reports.
Will list verification help with compliance?
Indirectly. Verification cuts bounce rate, which reduces the signals that drag down complaint rate (people complain about mail they did not expect, often because the address was scraped). Clean lists generate cleaner engagement.
Does this apply to transactional email?
Mostly no. Transactional (password resets, receipts) is held to different standards. The bulk rules target marketing.
Stay on the right side of the line
Authenticate, include unsubscribe, keep complaints low, verify your list. Run the verification step before your next campaign.