In early 2024, Gmail and Yahoo rolled out shared requirements for anyone sending more than roughly 5,000 messages a day to their users. The bar hasn't lowered since — if anything, enforcement has tightened. If you send at volume, treating these rules as optional is the fastest way to watch your open rates collapse.
The good news: the requirements are mostly things a well-run program should already be doing. The bad news: "mostly" is doing a lot of work in that sentence, and the details are where high-volume senders get burned. Let's walk through what actually matters.
1. Authenticate every message: SPF, DKIM, and DMARC
Authentication is how mailbox providers confirm a message genuinely came from your domain and wasn't spoofed. All three records now need to be in place for bulk senders:
- SPF (Sender Policy Framework) publishes which servers are allowed to send on behalf of your domain.
- DKIM (DomainKeys Identified Mail) cryptographically signs your messages so the receiver can verify they weren't altered in transit.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receivers what to do when a message fails SPF or DKIM, and gives you reporting on who's sending as your domain.
Gmail and Yahoo require a DMARC policy of at least p=none to start. That's the floor, not the goal — p=none only monitors. As you gain confidence that all legitimate mail is authenticating, you should move toward p=quarantine and eventually p=reject to actually protect your domain from spoofing.
A surprising share of "deliverability problems" we audit turn out to be a single misconfigured DKIM selector or an SPF record that quietly exceeded its DNS lookup limit. Authentication is unglamorous, and it's the first thing to check.
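The lookup-limit failure mentioned above can be checked statically. The following is an added example, not code from the original article: it counts the DNS-querying terms in an SPF record and its nested includes against the RFC 7208 limit of 10. All records in `SPF_ZONE`, including the hypothetical `lean.yourbrand.com` and the `.example` vendor domains, are constructed stand-ins for live DNS answers.

```python
# Constructed SPF records standing in for live DNS TXT answers (illustrative only).
SPF_ZONE = {
    "email.yourbrand.com": "v=spf1 include:_spf.esp.example include:_spf.crm.example "
                           "include:_spf.helpdesk.example mx ~all",
    "lean.yourbrand.com": "v=spf1 include:_spf.esp.example ip4:192.0.2.10 -all",
    "_spf.esp.example": "v=spf1 include:_a.esp.example include:_b.esp.example -all",
    "_a.esp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_b.esp.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.crm.example": "v=spf1 a mx include:_c.crm.example -all",
    "_c.crm.example": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.helpdesk.example": "v=spf1 exists:%{i}.rbl.helpdesk.example "
                             "a:mail.helpdesk.example ptr -all",
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # plus the redirect= modifier
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4; exceeding it yields permerror


def count_spf_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's SPF record."""
    if domain in path:  # include/redirect loop: stop instead of recursing forever
        return 0
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_spf_lookups(target, zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()  # "a/24" and "mx/24" still count
        if name in LOOKUP_TERMS:
            total += 1
            if name == "include" and target:
                total += count_spf_lookups(target, zone, path + (domain,))
    return total


def spf_report(domain, zone):
    lookups = count_spf_lookups(domain, zone)
    return {"domain": domain, "lookups": lookups,
            "over_limit": lookups > SPF_LOOKUP_LIMIT}
```

The count is conservative: a real evaluator stops at the first matching mechanism, so it may use fewer lookups for a given sending IP, but a record that stays at or under 10 here is safe for every IP.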
2. Align your domains
It's not enough for SPF and DKIM to pass — at least one of them has to align with the domain in your visible "From" address. If you send from news@yourbrand.com but your authentication points at an unrelated ESP domain, DMARC alignment fails even when the individual checks pass. Use a subdomain of your own brand (for example email.yourbrand.com) for sending, and authenticate it properly.
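The alignment rule above, as an added example that is not part of the original article: it reads a receiver-added Authentication-Results header and decides DMARC alignment in relaxed and strict modes. The sample messages and the `.example` ESP and receiver domains are constructed, and the two-label organizational-domain shortcut is an assumption noted in the code.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain):
    # Assumption: organizational domain = last two labels. Production code must
    # consult the Public Suffix List (this shortcut is wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(auth_domain, from_domain, strict):
    auth, frm = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return auth == frm if strict else org_domain(auth) == org_domain(frm)


def dmarc_alignment(raw_message, aspf="r", adkim="r"):
    """Evaluate alignment; aspf/adkim mirror the DMARC record tags (r or s)."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Only trust an Authentication-Results header added by your own receiver.
    results = msg["Authentication-Results"] or ""
    spf = re.search(
        r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", results)
    dkim = re.findall(r"dkim=pass\b[^;]*?header\.d=([^\s;]+)", results)
    spf_ok = bool(spf) and is_aligned(spf.group(1), from_domain, aspf == "s")
    dkim_ok = any(is_aligned(d, from_domain, adkim == "s") for d in dkim)
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


def build_sample(mail_from, dkim_d):
    # Constructed message; headers are illustrative, not captured traffic.
    return ("Authentication-Results: mx.receiver.example;\n"
            f" spf=pass smtp.mailfrom={mail_from};\n"
            f" dkim=pass header.d={dkim_d}\n"
            "From: Your Brand <news@yourbrand.com>\n"
            "Subject: Spring sale\n\nHello\n")


# SPF and DKIM both pass, but for the ESP's domain: DMARC fails.
ESP_DEFAULT = build_sample("bounce.esp-mail.example", "esp-mail.example")
# Branded sending subdomain: aligned in relaxed mode, not in strict mode.
BRANDED = build_sample("bounce.email.yourbrand.com", "email.yourbrand.com")
```

Calling `dmarc_alignment(BRANDED, aspf="s", adkim="s")` shows why strict mode needs the signing domain to equal the From domain exactly: the subdomain setup that passes relaxed alignment fails it.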
3. Make unsubscribing effortless: one-click list-unsubscribe
Bulk senders must support one-click unsubscribe (RFC 8058) — a header that lets recipients opt out directly from the inbox interface without loading a landing page or logging in. You also still need a visible unsubscribe link in the body. And the requirement has teeth: opt-outs must be honored within two days.
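A pre-send check for the one-click headers, added here as an example and not taken from the original article: it verifies that List-Unsubscribe carries an HTTPS URI, that List-Unsubscribe-Post has the RFC 8058 value, and that both headers are listed in a DKIM-Signature `h=` tag, as RFC 8058 requires. The sample messages, unsubscribe URLs, selector and signature values are constructed placeholders.

```python
import re
from email import message_from_string


def one_click_problems(raw_message):
    """Return RFC 8058 problems found in the headers; an empty list means none."""
    msg = message_from_string(raw_message)
    problems = []
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(uri.lower().startswith("https://") for uri in uris):
        problems.append("List-Unsubscribe has no https URI")
    post = (msg.get("List-Unsubscribe-Post") or "").strip()
    if post != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post missing or wrong value")
    # Collect header names covered by any DKIM signature's h= tag.
    # This checks coverage only; it does not verify the signature itself.
    signed = set()
    for sig in msg.get_all("DKIM-Signature", []):
        tag = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig)
        if tag:
            signed |= {name.strip().lower() for name in tag.group(1).split(":")}
    for needed in ("list-unsubscribe", "list-unsubscribe-post"):
        if needed not in signed:
            problems.append(f"{needed} not covered by DKIM h= tag")
    return problems


def build_message(list_unsub, post_header, signed_headers):
    # Constructed sample; bh= and b= are placeholders, not real signatures.
    lines = ["From: Your Brand <news@yourbrand.com>", "Subject: Spring sale",
             f"List-Unsubscribe: {list_unsub}"]
    if post_header:
        lines.append(f"List-Unsubscribe-Post: {post_header}")
    lines.append("DKIM-Signature: v=1; a=rsa-sha256; d=email.yourbrand.com; s=sel1;\n"
                 f" h={signed_headers}; bh=PLACEHOLDER; b=PLACEHOLDER")
    return "\n".join(lines) + "\n\nHello\n"


GOOD = build_message(
    "<https://email.yourbrand.com/u/TOKEN>, <mailto:unsub@email.yourbrand.com>",
    "List-Unsubscribe=One-Click",
    "from:subject:list-unsubscribe:list-unsubscribe-post")
# Landing-page link over http, no Post header, Post header not signed.
BAD = build_message(
    "<mailto:unsub@email.yourbrand.com>, <http://yourbrand.com/preferences>",
    None, "from:subject:list-unsubscribe")
```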
Counterintuitively, making it easier to leave protects your deliverability. When unsubscribing is hard, frustrated recipients hit "report spam" instead — and complaints hurt far more than a quiet opt-out ever could.
4. Keep spam complaints under control
This is the requirement that catches the most senders off guard. Gmail asks senders to keep their spam complaint rate below 0.3%, and to avoid ever spiking near it. For perspective, 0.3% is three complaints per thousand delivered messages. At a million sends, that's a ceiling of 3,000 complaints — and you want to live well under it, ideally below 0.1%.
Complaint rates are driven by three things: how you collected the address, how relevant your content is, and how often you send. The senders who stay clean tend to share habits:
- They use confirmed opt-in and never buy or scrape lists.
- They segment so the most engaged subscribers see the most mail, and dormant ones see less.
- They set expectations at signup about frequency and content — and keep them.
- They monitor complaint signals through Google Postmaster Tools and react before a spike becomes a reputation problem.
5. Send valid, well-formed mail
The remaining requirements are hygiene: format messages to the RFC 5322 standard, don't impersonate Gmail/Yahoo "From" headers, use a valid PTR record (forward and reverse DNS that match), and don't spike volume erratically. If you're warming a new IP or domain, ramp gradually rather than blasting your full list on day one.
The metric that ties it together: engagement
Underneath every rule is one idea — mailbox providers reward senders whose recipients want their mail. Authentication proves you are who you say you are; complaint thresholds and engagement signals prove people actually want to hear from you. Opens, clicks, replies, and the absence of complaints all feed your sender reputation. Clean lists, relevant content, and smart segmentation aren't just nice-to-haves; they're the deliverability strategy.
A quick self-audit
Run through this before your next big send:
- Do SPF, DKIM, and DMARC all pass, and does at least one align with your From domain?
- Is your DMARC policy at least p=none, with a plan to tighten it?
- Does every message include one-click unsubscribe, honored within two days?
- Is your Gmail Postmaster complaint rate consistently under 0.1%?
- Are you suppressing unengaged recipients instead of mailing everyone every time?
- Is new sending infrastructure being warmed gradually?
If any of those is a "no" — or a "not sure" — that's where your inbox placement is leaking.