Google, Yahoo, and Microsoft Sender Requirements

What the major mailbox providers now require. Email Posture.

Gmail, Yahoo, and Outlook have moved from "recommended" to "required" on email authentication. If you don't meet their rules, your mail isn't just sent to spam, it can be rejected outright at the server level and bounce. This guide lays out exactly what they expect and how to comply. The fastest way to see if you're already in good shape is to check your domain.

Who this applies to

The strict rules target bulk senders, defined as roughly 5,000 or more messages per day to a given provider's users (Gmail users, Yahoo users, Outlook users). If you run marketing campaigns, newsletters, or high-volume transactional mail, you're almost certainly in scope. But the authentication basics now apply to everyone: even low-volume senders need valid SPF and DKIM, and providers increasingly distrust unauthenticated mail at any volume.

The requirements checklist

• SPF published and passing, aligned with your sending domain. Fix SPF.
• DKIM signing on your outgoing mail. Set up DKIM.
• DMARC published, at minimum p=none, with SPF or DKIM aligned to your visible From domain. Set up DMARC.
• One-click unsubscribe for bulk and marketing mail, using the RFC 8058 List-Unsubscribe and List-Unsubscribe-Post headers. A visible link in the body is no longer enough on its own; the header is what lets Gmail show its native unsubscribe button.
• Spam complaint rate under 0.3%, and ideally well below 0.1%. Watch it in Google Postmaster Tools. Sustained high complaints will get you throttled or blocked.
• Valid forward and reverse DNS (PTR) on your sending IPs, and TLS for transmission.

Enforcement is already live

This is not a future deadline. Microsoft began rejecting non-compliant bulk mail to Outlook, Hotmail, and Live addresses on May 5, 2025. Google and Yahoo ramped enforcement through late 2025, moving from temporary failures to permanent rejection for senders who don't meet the bar. The practical consequence is blunt: fail these checks as a bulk sender and your messages bounce rather than land in spam.

How to get compliant

1. Authenticate. Get SPF passing, DKIM signing, and DMARC published with alignment. That's the bulk of the requirement, and our guides walk each step.
2. Add one-click unsubscribe to your marketing and bulk streams. Most reputable email platforms add the required headers automatically; confirm yours does.
3. Watch your complaint rate in Google Postmaster Tools and keep your list clean. Stop mailing people who never engage, and never buy lists.
4. Verify. Run your domain through the free checker to confirm SPF, DKIM, and DMARC are all passing before you rely on it.

The good news: meeting these rules is the same work as protecting your domain from spoofing. Authenticate properly and you satisfy the providers and shut the door on impersonation at the same time.

Related: SPF, DKIM, and DMARC Explained · Set Up DMARC · Emails Going to Spam?