If you send roughly 5,000 or more messages a day to consumer inboxes, Gmail, Yahoo, Microsoft, and Apple now require you to authenticate every message with SPF, DKIM, and DMARC, publish a one-click unsubscribe header on marketing mail, and keep your spam complaint rate well under 0.3%. These are no longer best practices. As of late 2025, Gmail and Microsoft return permanent SMTP rejections for non-compliant bulk mail instead of quietly filtering it. This guide is the current, provider-by-provider checklist so you can confirm your domain meets every requirement before your next send.
Reads public DNS only. Nothing is stored unless you save the domain to an account.
Who counts as a bulk sender
Gmail defines a bulk sender as any sender that transmits close to 5,000 messages or more to personal Gmail accounts (addresses ending in @gmail.com and @googlemail.com) within a 24-hour window. Messages from the same primary domain count together toward that threshold, so splitting traffic across subdomains does not reset the counter. Cross the line once and Google treats you as a bulk sender going forward.
Microsoft adopted the same 5,000-per-day trigger for Outlook, Hotmail, and Live consumer mailboxes. Yahoo does not publish a hard number but applies its requirements to any sender at meaningful volume. Apple iCloud Mail has not announced a numeric threshold either, yet it follows the same authentication expectations. The practical takeaway: if you run marketing campaigns, transactional flows, or newsletters at scale, assume every requirement below applies to you.
The core requirements at a glance
| Requirement | Gmail | Yahoo | Microsoft | Apple iCloud |
|---|---|---|---|---|
| SPF or DKIM (both recommended) | Required | Required | Required | Required |
| SPF and DKIM both, with DMARC alignment | Required | Required | Required | Recommended |
DMARC record (p=none minimum) | Required | Required | Required | Recommended |
| One-click unsubscribe (RFC 8058) | Required | Required | Recommended | Recommended |
| Spam rate under 0.3% (aim under 0.1%) | Required | Required | Monitored | Monitored |
| Valid forward-confirmed PTR (reverse DNS) | Required | Required | Required | Required |
| TLS for transmission | Required | Required | Required | Required |
| Format messages to RFC 5322 | Required | Required | Required | Required |
SPF, DKIM, and DMARC with alignment
Authentication is the foundation, and all four providers now demand it from bulk senders.
SPF publishes the IP addresses and hosts authorized to send for your domain as a DNS TXT record. Keep it under the hard limit of 10 DNS lookups; exceeding it produces a PermError that fails SPF entirely. If your record is bloated with include: mechanisms, see fixing too many SPF DNS lookups.
DKIM adds a cryptographic signature so receivers can verify the message was not altered in transit. Use a 2048-bit key where your provider supports it, and publish the public key as a TXT record at selector._domainkey.yourdomain.com, where selector is the label your sending platform stamps into the DKIM-Signature header.
DMARC ties the two together and tells receivers what to do on failure. The minimum accepted policy is p=none, which monitors without affecting delivery, but none only satisfies the letter of the rule. To actually stop spoofing you should progress to quarantine and then reject, and the tradeoffs are covered in none vs quarantine vs reject.
Alignment is the requirement senders most often miss. Passing SPF or DKIM is not enough on its own; the authenticated domain must match the domain in the visible From header. SPF aligns when the Return-Path domain matches; DKIM aligns when the d= signing domain matches. DMARC passes only when at least one of them aligns. A message can pass raw SPF and still fail DMARC because the Return-Path points at your email service provider rather than your own domain, so check alignment, not just the raw pass or fail.
One-click unsubscribe (RFC 8058)
Gmail and Yahoo require bulk marketing and promotional mail to support one-click unsubscribe as defined in RFC 8058. This means two headers working together:
List-Unsubscribecontaining an HTTPS URL (and optionally amailto:address).List-Unsubscribe-Post: List-Unsubscribe=One-Click.
When a recipient clicks unsubscribe in the mailbox UI, the client sends an HTTP POST to your HTTPS URL with the body List-Unsubscribe=One-Click. Your endpoint must accept the POST and process the opt-out within two days. The POST requirement exists so that link-scanning bots issuing GET requests do not accidentally unsubscribe people. You must still include a visible unsubscribe link in the message body. One-click unsubscribe applies to marketing mail, not to genuine transactional messages. For the header syntax and common mistakes, read the List-Unsubscribe header guide.
Spam complaint rate
Google Postmaster Tools reports your spam rate, calculated daily. Keep it below 0.3% and never let it reach or exceed that figure, because a sustained rate of 0.3% or higher triggers filtering and rejection. Gmail restores mitigation only once your rate stays below 0.3% for seven consecutive days, so a single bad campaign can cost you a week of deliverability. The real target is below 0.1%, which gives you headroom before a spike crosses the line. Set up monitoring through the Google Postmaster Tools guide. The most effective way to keep complaints low is honest list acquisition, prompt unsubscribe handling, and removing unengaged recipients before they mark you as spam.
Valid reverse DNS (PTR) and TLS
Every sending IP needs a valid PTR record that resolves back to a hostname, and that hostname must forward-resolve to the same IP. This is forward-confirmed reverse DNS, and Gmail lists it explicitly. Missing or generic PTR records are a common reason mail from self-hosted servers gets rejected; the details are in the PTR record guide. All four providers also require TLS for message transmission. If you use a reputable email service provider, both are handled for you; if you run your own mail server, verify them directly.
Enforcement timeline
The rules arrived in stages, and 2025 was the year they gained teeth.
| Date | Change |
|---|---|
| February 2024 | Gmail and Yahoo requirements take effect; failures start seeing temporary rejections and filtering. |
| June 1, 2024 | Google requires the RFC 8058 one-click unsubscribe headers on bulk marketing mail. |
| May 5, 2025 | Microsoft begins enforcing for high-volume senders to Outlook, Hotmail, and Live, initially junk-foldering non-compliant mail. |
| Late 2025 | Microsoft escalates from junking to outright rejection of unauthenticated bulk mail. |
| November 2025 | Gmail ramps enforcement so non-compliant traffic receives permanent 5xx rejections at the SMTP layer rather than spam-foldering. |
The shift from spam-foldering to permanent rejection is the important one. Previously a misconfigured domain still reached the spam folder, where a determined recipient might find it. Now the message bounces and never arrives.
Rejection codes you will see
When enforcement blocks your mail, the SMTP response tells you why. Learn to read these rather than guessing.
- Gmail unauthenticated mail:
550 5.7.26with the text "This message does not have authentication information or fails to pass authentication checks." It is covered in the 5.7.26 guide. - Gmail DMARC policy rejection:
550 5.7.1when your ownp=rejectorquarantineblocks a misaligned source. - Microsoft high-volume authentication failure:
550 5.7.515 Access denied, sending domain [domain] does not meet the required authentication level.
A 4xx code is a temporary deferral you can retry; a 5xx code is permanent and requires a fix before the mail will ever be accepted.
Verify before you send
Run through this checklist ahead of any large send:
- SPF
TXTrecord exists, uses-allor~all, and stays under 10 DNS lookups. - DKIM signs every message with a published 2048-bit key.
- DMARC record is published at
_dmarc.yourdomain.com, at leastp=none, ideally progressing towardreject. - SPF or DKIM aligns with your visible
Fromdomain. - Marketing mail carries both
List-UnsubscribeandList-Unsubscribe-Postheaders. - Sending IPs have forward-confirmed
PTRrecords and negotiate TLS. - Postmaster Tools spam rate sits below 0.1%.
Frequently asked questions
What is the exact daily threshold for bulk sender requirements?
Gmail and Microsoft define a bulk sender as one that sends close to 5,000 messages or more to their consumer mailboxes within 24 hours, counting all mail from the same primary domain together. Yahoo and Apple apply the requirements at meaningful volume without publishing a fixed number, so treat 5,000 as the universal trigger point.
Is DMARC p=none enough to comply?
Yes, p=none meets the published minimum for all four providers because it establishes a valid DMARC record while you monitor results. It does not protect your domain from spoofing, though, so treat none as a starting point and move to quarantine and then reject once your aggregate reports confirm every legitimate source aligns.
What happens if my spam complaint rate exceeds 0.3%?
A sustained rate at or above 0.3% causes Gmail to filter and, under current enforcement, reject your mail. Because the rate is calculated daily and mitigation returns only after seven consecutive days below the line, a single bad campaign can keep you blocked for a week, so aim to stay under 0.1% at all times.
Do transactional emails need one-click unsubscribe?
The RFC 8058 one-click unsubscribe requirement targets marketing and promotional bulk mail, not genuine transactional messages like receipts or password resets. Authentication with SPF, DKIM, DMARC, valid PTR, and TLS still applies to all bulk traffic regardless of message type.
For a deeper look at the two providers that started this shift, read the Google and Yahoo sender requirements guide. Verifying your own setup takes seconds: run a free SPFWise scan to confirm your SPF, DKIM, and DMARC records are published, aligned, and ready to meet the 2026 bulk sender requirements before your next campaign goes out.