What changed in February 2024
For years, the guidance for reaching the inbox was a loose set of best practices. That changed on February 1, 2024, when Google and Yahoo began enforcing a common baseline for anyone sending large volumes of email. The two providers deliberately aligned their requirements so senders could follow one checklist instead of two. Enforcement started as temporary errors and rejections for a slice of non-compliant traffic, then ramped up over the following months, with Gmail tightening enforcement further from late 2025.
The rules fall into three buckets: authenticate your mail, make it easy to unsubscribe, and only send mail people want. None of them are exotic — they codify what good senders were already doing — but they are now the price of admission.
Who the rules apply to
Google defines a bulk sender as anyone who sends 5,000 or more messages a day to personal Gmail accounts. The count is per sending domain, and once you cross the threshold on any single day, Google treats you as a bulk sender from then on. Yahoo frames the same tier around high-volume senders. A few requirements — like publishing SPF or DKIM and keeping spam complaints low — apply to every sender regardless of volume, so smaller senders should not tune them out entirely.
Authenticate your mail: SPF, DKIM and DMARC
Authentication proves a message genuinely came from your domain. Bulk senders must set up all three standards:
- SPF lists the servers allowed to send mail for your domain, so receivers can reject spoofed sources.
- DKIM adds a cryptographic signature (Yahoo requires a key of at least 1024 bits) that lets receivers verify the message was not altered in transit.
- DMARC ties the two together and tells receivers what to do with mail that fails. A policy of
p=noneis the minimum you must publish, though moving toquarantineorrejectonce you are confident protects your domain from abuse.
There is one more subtlety: DMARC alignment. The domain in your visible From: address has to match the domain validated by SPF or DKIM. Plenty of senders pass SPF and DKIM in isolation yet still fail DMARC because nothing aligns with the From: header.
Offer one-click unsubscribe
Marketing and subscribed messages must include a working one-click unsubscribe built to RFC 8058. In practice that means two headers — List-Unsubscribe with an HTTPS URL and List-Unsubscribe-Post: List-Unsubscribe=One-Click — plus a clearly visible unsubscribe link in the body. Google also requires that you process unsubscribe requests within two days. A prominent, honored opt-out is one of the strongest signals that you are a sender worth delivering.
Keep spam complaints under 0.3%
This is the rule people trip over. Google and Yahoo both expect your user-reported spam complaint rate to stay below 0.3% — that is fewer than three spam reports per thousand delivered messages. Google is explicit that you should aim well under this ceiling, ideally below 0.1%, because brief spikes above 0.3% are enough to hurt delivery. You monitor this in Google Postmaster Tools and Yahoo's Complaint Feedback Loop. Clean lists, genuine opt-in, and an easy unsubscribe are what keep the number down.
The rest of the checklist
A handful of supporting requirements round things out: publish valid forward and reverse DNS (PTR) records for your sending IPs, format messages to the RFC 5322 standard, don't impersonate Gmail From: headers, and transmit over TLS. These are easy to get right once and forget.
How to check where you stand
You do not have to guess. Paste your newsletter or upload the raw .eml and the checker inspects authentication, your List-Unsubscribe headers, and CAN-SPAM basics, then tells you in plain English what would pass and what would trip these rules.