Google & Yahoo Bulk Sender Requirements
In October 2023, Google and Yahoo jointly announced new requirements for bulk email senders (those sending 5,000+ messages per day to Gmail or Yahoo addresses) that took effect in February 2024. These requirements mandate SPF or DKIM authentication (both recommended), DMARC at minimum p=none, one-click unsubscribe headers, and a spam complaint rate below 0.3%. These are not regulatory compliance requirements but rather deliverability requirements enforced by the two largest email providers. Non-compliant senders face throttling, spam folder placement, or outright rejection of their email.
| Protocol | Requirement | Details |
|---|---|---|
| SPF | Required | Google requires bulk senders to authenticate email with SPF or DKIM (both are strongly recommended). SPF records must be valid and include all authorized sending IPs. Google checks SPF alignment for DMARC validation. |
| DMARC | Required | Bulk senders must publish a DMARC record with at least p=none. While p=none is the minimum, Google and Yahoo recommend progressing to p=quarantine or p=reject. The DMARC record must be valid and include the "v" and "p" tags at minimum. |
| DKIM | Required | DKIM signing is required for bulk senders. Google requires either SPF or DKIM, but both are strongly recommended. Yahoo requires DKIM for all bulk senders. DKIM keys should be at least 1024-bit (2048-bit recommended). |
| SSL/TLS | Required | Google requires TLS connections for sending email. Gmail has supported TLS for all inbound and outbound connections since 2014. Sending servers must support STARTTLS. Messages sent without TLS may be rejected or marked as insecure. |
| Security Headers | Optional | Security headers are not part of the Google/Yahoo sender requirements. However, if you link to web pages in your emails, having proper security headers improves the trust signal of your sending domain. |
| DNSSEC | Optional | DNSSEC is not required by Google or Yahoo sender guidelines. However, DNSSEC-signed domains provide stronger DNS integrity, which can prevent DNS-based attacks that could affect email authentication record lookups. |
Publish a valid SPF record listing all IP addresses and services that send email on your behalf. Enable DKIM signing on all sending sources (your mail server, marketing platforms, transactional email services). Both SPF and DKIM must pass for at least some messages to satisfy requirements.
Create a DMARC record at _dmarc.yourdomain.com with at least p=none. Include an rua tag to receive aggregate reports so you can monitor authentication results. Plan a path to p=quarantine and eventually p=reject for full protection.
Verify that all mail servers sending to Gmail and Yahoo support STARTTLS. Most modern email services handle this automatically, but self-hosted mail servers may need explicit configuration. Google flags non-TLS connections in Gmail.
Add RFC 8058-compliant List-Unsubscribe and List-Unsubscribe-Post headers to all marketing and bulk emails. This is a hard requirement from Google for bulk senders. Unsubscribe requests must be processed within 2 days.
Register with Google Postmaster Tools (postmaster.google.com) to monitor your spam complaint rate. Google requires that spam rates stay below 0.3% and recommends keeping them below 0.1%. High spam rates will result in delivery throttling regardless of authentication.
Run a domain security scan to verify SPF, DKIM, DMARC, and TLS are correctly configured. Address any issues before sending bulk email. Ongoing monitoring ensures configurations remain valid as you add new sending sources or make DNS changes.
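The checks described in the steps above can be scripted before a campaign goes out. The following is an added example, not code from Google, Yahoo, or any scanner product: it validates a DMARC TXT record, the RFC 8058 one-click headers, and the complaint-rate thresholds stated on this page. The function names and the example.com sample values are constructed for illustration, and the record strings are passed in directly rather than fetched from DNS.

```python
import re

def parse_tags(txt):
    """Split a 'k=v; k=v' DMARC TXT record into a dict with lowercase keys."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_dmarc(txt):
    """Check a _dmarc TXT record: v must come first, p must be a valid policy."""
    if not re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", txt):
        return ["FAIL: record does not start with v=DMARC1"]
    tags = parse_tags(txt)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["FAIL: missing or invalid p tag"]
    findings = []
    if policy == "none":
        findings.append("WARN: p=none is monitoring only")
    if "rua" not in tags:
        findings.append("WARN: no rua tag, no aggregate reports")
    return findings or ["OK"]

def check_one_click(headers):
    """RFC 8058: an HTTPS URI in List-Unsubscribe plus the exact Post value."""
    uris = re.findall(r"<([^>]+)>", headers.get("List-Unsubscribe", ""))
    if not any(u.lower().startswith("https://") for u in uris):
        return "FAIL: List-Unsubscribe has no https URI"
    if headers.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        return "FAIL: List-Unsubscribe-Post must be List-Unsubscribe=One-Click"
    return "OK"

def check_spam_rate(complaints, delivered):
    """FAIL at 0.3% or above, WARN at 0.1% or above (integer math, no rounding)."""
    if complaints * 1000 >= 3 * delivered:
        return "FAIL"
    return "WARN" if complaints * 1000 >= delivered else "OK"

if __name__ == "__main__":
    # Constructed sample inputs for a hypothetical sender at example.com.
    print(check_dmarc("v=DMARC1; p=none"))
    print(check_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
    print(check_one_click({"List-Unsubscribe": "<mailto:unsub@example.com>"}))
    print(check_one_click({
        "List-Unsubscribe": "<mailto:unsub@example.com>, <https://example.com/u/abc>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click"}))
    print(check_spam_rate(15, 5000))
```

A mailto-only List-Unsubscribe header fails here because one-click unsubscribe under RFC 8058 needs an HTTPS endpoint that accepts the POST.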
Effective February 2024, bulk senders (5,000+ messages/day to Gmail or Yahoo) must: authenticate email with SPF and DKIM, publish a DMARC record (at least p=none), support TLS, include one-click unsubscribe in marketing emails, maintain a spam complaint rate below 0.3%, have valid forward and reverse DNS (PTR) records, and use a From: header domain that aligns with SPF or DKIM. Non-compliance results in email being throttled, sent to spam, or rejected.
The bulk sender threshold is 5,000+ messages per day to Gmail or Yahoo addresses. If your combined volume (marketing plus transactional) exceeds this threshold, all your email must comply. Even below the threshold, Google and Yahoo recommend implementing these authentication measures. Transactional email is exempt from the one-click unsubscribe requirement but not from authentication requirements.
Yes, p=none is the minimum DMARC policy required. However, p=none provides monitoring only and does not instruct receiving servers to take action on failing messages. Google and Yahoo recommend advancing to p=quarantine or p=reject for full protection. A p=none policy satisfies the requirement but leaves your domain vulnerable to spoofing. Use the monitoring phase to identify all legitimate sending sources, then advance your policy.