Gmail and Yahoo Sender Requirements: The Complete Guide (2026)
Published July 1, 2026
Since February 2024, Gmail and Yahoo require all senders to authenticate email with SPF and DKIM, and require anyone sending 5,000 or more messages a day to Gmail addresses to also publish a DMARC policy (at least p=none), pass DMARC alignment, support one-click unsubscribe, and keep spam complaint rates under 0.3%. These are enforced requirements, not recommendations: non-compliant mail gets rejected with SMTP errors like 550 5.7.26 or routed to spam. As of 2026 the rules are fully in force and other providers, including Microsoft, have followed with similar policies.
What changed in February 2024, and where it stands now
In October 2023, Google and Yahoo jointly announced that email authentication would stop being optional. Enforcement began in February 2024 and tightened through that year: first temporary failures for unauthenticated mail, then outright rejections, then enforcement of the unsubscribe requirement. The stated goal was blunt: Gmail's spam filters were carrying a burden that senders should have been carrying themselves.
As of 2026, this is settled infrastructure, not news. The requirements are fully enforced, Microsoft introduced closely matching rules for Outlook.com bulk senders in 2025, and the practical effect is that the requirements below function as the baseline for sending email to anyone. Treating them as a Gmail-and-Yahoo problem understates it: they are now simply how email works.
Every requirement, and who it applies to
The rules split senders into two tiers: everyone, and bulk senders, defined by Google as those sending 5,000 or more messages to Gmail addresses in a single day. Cross the threshold once and Google treats you as a bulk sender permanently. Yahoo uses a similar bulk-sender concept without publishing a precise number.
| Requirement | All senders | Bulk senders (5,000+/day) |
|---|---|---|
| SPF or DKIM authentication | Required | Both SPF and DKIM required |
| DMARC policy published (p=none minimum) | Not required | Required |
| DMARC alignment (From domain matches SPF or DKIM domain) | Not required | Required |
| One-click unsubscribe (RFC 8058) for marketing mail | Not required | Required |
| Spam complaint rate under 0.3% | Advisable | Required |
| TLS encryption for sending | Required | Required |
| Valid forward and reverse DNS (PTR) for sending IPs | Required | Required |
The authentication tier: SPF, DKIM, DMARC, alignment
For everyone, the floor is passing either SPF (Sender Policy Framework, the DNS list of servers allowed to send for your domain) or DKIM (DomainKeys Identified Mail, a cryptographic signature proving the message is genuine and unaltered). Mail passing neither is rejected or junked regardless of your volume. This is the requirement that ended the era of unauthenticated small senders.
Bulk senders must have both SPF and DKIM, plus a published DMARC (Domain-based Message Authentication, Reporting and Conformance) record. The minimum policy is p=none (monitoring mode), so this requirement is about visibility, not enforcement. But the companion requirement has teeth: the From domain must align with the domain that passed SPF or DKIM. A newsletter tool signing with its own domain while displaying yours fails this test, which is why the alignment requirement quietly forced thousands of businesses to complete their email tools' custom-domain setups.
One consequence worth knowing: because DMARC alignment can never work with a From address you don't control, sending bulk mail from an @gmail.com From address is effectively prohibited. Businesses that ran newsletters from a Gmail address needed their own domain.
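The alignment test from this section, as an added example (not part of the original guide and not any provider's code): it reads the receiver's Authentication-Results header from a constructed message and compares the From domain with the domains that passed SPF or DKIM. The two-entry suffix set is an assumed stand-in for the Public Suffix List, and all `.example` domains are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List, enough for this sample.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

def org_domain(domain):
    """Reduce a hostname to its organizational (registrable) domain."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def passing_domains(auth_results):
    """Domains that a receiver recorded as spf=pass or dkim=pass."""
    found = set()
    for clause in auth_results.split(";"):
        method = re.search(r"\b(spf|dkim)=pass\b", clause)
        if not method:
            continue
        prop = "smtp.mailfrom" if method.group(1) == "spf" else "header.d"
        value = re.search(re.escape(prop) + r"=(\S+)", clause)
        if value:
            found.add(value.group(1).rsplit("@", 1)[-1].lower())
    return found

def dmarc_aligned(raw_message, strict=False):
    """True when the From domain aligns with a domain that passed SPF or DKIM."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    norm = (lambda d: d) if strict else org_domain
    # Only trust Authentication-Results added by your own receiving server.
    results = ";".join(msg.get_all("Authentication-Results", []))
    return any(norm(d) == norm(from_domain) for d in passing_domains(results))

# Constructed sample: a newsletter tool signing with its own domain.
UNALIGNED = (
    "Authentication-Results: mx.receiver.example;\n"
    " spf=pass smtp.mailfrom=bounces.esp.example;\n"
    " dkim=pass header.d=esp.example\n"
    "From: Shop News <news@shop.example>\n"
    "Subject: Sale\n\nHello\n"
)
# Same message after the tool's custom-domain setup signs as the shop's domain.
ALIGNED = UNALIGNED.replace("header.d=esp.example", "header.d=mail.shop.example")

if __name__ == "__main__":
    print(dmarc_aligned(UNALIGNED), dmarc_aligned(ALIGNED))
```

With `strict=True` the second message also fails, because `mail.shop.example` matches `shop.example` only under relaxed alignment.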
One-click unsubscribe (RFC 8058)
Bulk senders of marketing and promotional mail must support one-click unsubscribe as defined by RFC 8058 (an RFC is a published internet standard). Concretely, messages must carry two hidden headers (List-Unsubscribe with an HTTPS address, and List-Unsubscribe-Post) that let the mailbox provider itself offer an unsubscribe button and honor a click with a single automated request. A link in the footer alone doesn't satisfy this; the headers are what Gmail's own unsubscribe button uses.
Unsubscribe requests must be honored within two days. If you send through any mainstream email service provider (Mailchimp, Klaviyo, Brevo, HubSpot and the rest), the headers are added automatically; this requirement mainly bites teams running their own sending infrastructure. Purely transactional mail (receipts, password resets) is exempt.
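For teams running their own sending infrastructure, a check of the two headers described above, written as an added example rather than code from the original guide. It also checks that a DKIM signature's `h=` tag lists both headers, which RFC 8058 requires. The messages, domain and `TOKEN`/`PLACEHOLDER` values are constructed.

```python
import re
from email import message_from_string

NEEDED = {"list-unsubscribe", "list-unsubscribe-post"}

def one_click_problems(raw_message):
    """Return RFC 8058 header problems; an empty list means none were found."""
    msg = message_from_string(raw_message)
    problems = []
    uris = re.findall(r"<([^>]*)>", msg.get("List-Unsubscribe", ""))
    if not any(u.strip().lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no HTTPS URI")
    if msg.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post must be List-Unsubscribe=One-Click")
    # RFC 8058 also wants a DKIM signature whose h= tag lists both headers.
    # This checks coverage only; it does not verify the signature itself.
    covered = False
    for sig in msg.get_all("DKIM-Signature", []):
        h_tag = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig)
        if h_tag:
            signed = {h.strip().lower() for h in h_tag.group(1).split(":")}
            covered = covered or NEEDED <= signed
    if not covered:
        problems.append("no DKIM signature covers both unsubscribe headers")
    return problems

# Constructed sample: headers present and listed in the signature's h= tag.
GOOD = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=shop.example; s=s1;\n"
    " h=from:subject:list-unsubscribe:list-unsubscribe-post;\n"
    " bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Shop News <news@shop.example>\n"
    "List-Unsubscribe: <mailto:unsub@shop.example>, <https://shop.example/u/TOKEN>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "Subject: Sale\n\nHello\n"
)
# Constructed sample: only a footer link, which does not satisfy the requirement.
FOOTER_ONLY = (
    "From: Shop News <news@shop.example>\n"
    "Subject: Sale\n\nUnsubscribe: https://shop.example/u/TOKEN\n"
)

if __name__ == "__main__":
    print(one_click_problems(GOOD), one_click_problems(FOOTER_ONLY))
```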
The spam-rate ceiling and encryption
Gmail requires senders to keep the user-reported spam rate (the fraction of your delivered mail that recipients mark as spam) below 0.3%, and recommends staying under 0.1%. You can watch your exact number in Google Postmaster Tools, Google's free dashboard for domain owners; Yahoo operates an equivalent through its sender hub. This is the requirement authentication can't save you from: perfectly authenticated mail that people don't want will still cross the threshold, and sustained breaches mean spam-foldering that takes weeks of good behavior to recover from.
Finally, all mail must be transmitted over TLS (Transport Layer Security, the same encryption technology behind the padlock in your browser). Every mainstream provider and ESP has used TLS by default for years, so this only affects genuinely ancient self-hosted setups, but it's a hard requirement.
What non-compliance actually looks like
Failures show up in two ways. The visible one is rejection: the receiving server refuses the message during delivery with an SMTP error, most famously 550 5.7.26: 'this mail has been blocked because the sender is unauthenticated'. Gmail also uses 5.7.25 for missing reverse DNS and temporary 4xx codes as warnings. Rejections at least produce bounce messages you can see.
The quieter failure is placement: mail that is accepted but routed to spam because authentication is weak or complaint rates are elevated. Nothing bounces, dashboards look normal, and open rates just sag, which is why the first symptom many businesses noticed in 2024 was simply 'customers say they aren't getting our emails'. Compliance is checkable in an afternoon: verify SPF and DKIM pass with alignment, publish a DMARC record with a rua reporting address, confirm your ESP sends RFC 8058 headers, and set up Postmaster Tools. DMARCPath's monitoring covers the authentication half continuously and flags drift before it becomes bouncing mail.
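The "publish a DMARC record with a rua reporting address" step can be checked offline once the TXT value at `_dmarc.<your domain>` has been retrieved. The following is an added example, not part of the original guide; the record strings and the `shop.example` address are constructed.

```python
def check_dmarc_record(txt):
    """Check one DMARC TXT record string; return (tags, problems)."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if any("=" not in p for p in parts):
        return {}, ["malformed tag (expected name=value)"]
    ordered = [tuple(s.strip() for s in p.split("=", 1)) for p in parts]
    tags = {name.lower(): value for name, value in ordered}
    problems = []
    # The version tag must come first and carry the exact value DMARC1.
    if not ordered or (ordered[0][0].lower(), ordered[0][1]) != ("v", "DMARC1"):
        problems.append("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        problems.append("no rua= address, so no aggregate reports will arrive")
    elif not all(u.lower().startswith("mailto:") for u in rua):
        problems.append("rua= entries should be mailto: URIs")
    return tags, problems

def enforcing(tags):
    """True when the policy asks receivers to act on failures (not p=none)."""
    return tags.get("p", "").lower() in ("quarantine", "reject")

# Constructed sample records.
MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc-reports@shop.example"
NO_REPORTS = "v=DMARC1; p=none"
WRONG_ORDER = "p=reject; v=DMARC1; rua=mailto:dmarc-reports@shop.example"

if __name__ == "__main__":
    for record in (MONITORING, NO_REPORTS, WRONG_ORDER):
        tags, problems = check_dmarc_record(record)
        print(record, "->", problems or "ok", "| enforcing:", enforcing(tags))
```

A record that passes with `enforcing()` returning `False` meets the published minimum but is still in monitoring mode.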
Frequently asked questions
- I send far fewer than 5,000 emails a day. Do these rules affect me?
- Yes. The SPF-or-DKIM authentication requirement, TLS, and valid reverse DNS apply to all senders regardless of volume. And the 5,000 threshold counts messages to Gmail addresses in a single day: one big announcement or invoice run can cross it. Setting up DMARC anyway costs little and improves deliverability for everyone.
- Does the 5,000 threshold reset if my volume drops?
- No. Google's guidance says that once a domain qualifies as a bulk sender, it's treated as one permanently, even if volume later falls below the line. Plan to meet the bulk-sender requirements before your first large send, not after.
- Is p=none really enough for compliance?
- For Gmail and Yahoo's published requirements, yes: any DMARC policy including p=none qualifies, as long as alignment passes. But p=none provides zero protection against spoofing, and enterprise customers and insurers increasingly expect enforcement. Treat p=none as the compliant starting point on the way to p=reject.