What Gmail, Yahoo and Microsoft now require from senders

In 2024 the big mailbox providers turned a decade of best practice into hard requirements. Microsoft followed in 2025. Here is the actual checklist, the dates enforcement kicked in, and the line between being compliant and being trusted.

For years, SPF, DKIM and DMARC were strong recommendations. You could skip them and still land mail, just less reliably. That era is over. Google and Yahoo made authentication and a few related rules mandatory for bulk senders in February 2024, and Microsoft brought Outlook.com and Hotmail into line in May 2025. The penalty for ignoring them is no longer a nudge toward spam but outright rejection: your mail bounces before it ever reaches an inbox.

Last updated June 2026. Enforcement of these rules keeps tightening, and the providers adjust thresholds over time. Treat the dates below as the milestones that have already landed, and re-check your authentication periodically rather than assuming a one-time setup holds forever.

Who has to comply

The rules target bulk senders, defined by Google, Yahoo and Microsoft as anyone sending roughly 5,000 or more messages per day to their users. The threshold is per day and measured across your domain, and crossing it even occasionally is enough for providers to hold you to the full standard. If you run cold outreach, newsletters, or any automated campaign at scale, assume you qualify. Lower-volume senders are still expected to authenticate; the enforcement is just gentler.

Rule one: authenticate everything

This is the non-negotiable core, and it is identical across all three providers. Three records, all required, all aligned:

  • SPF. A DNS record listing the servers allowed to send mail for your domain. Keep it within the 10-DNS-lookup limit; a record that exceeds it returns a permanent error, so SPF fails without any warning to you.
  • DKIM. A cryptographic signature on every message that proves it was not altered in transit and genuinely came from your domain.
  • DMARC. A published policy at minimum p=none, with alignment: your visible From domain has to match the domain that passes SPF or DKIM (at least one of the two). Alignment is the part most senders miss, because a record can exist and still not align.
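
To make the alignment point concrete, here is an added example (not code from the providers or from MailStrike) of how a receiver turns SPF and DKIM results into a DMARC pass or fail. The sample domains and results are constructed, and the organizational-domain rule is simplified to the last two labels instead of the Public Suffix List.

```python
def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels. Real
    # evaluators use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(record: str) -> dict:
    # "v=DMARC1; p=none; adkim=s" -> {"v": "DMARC1", "p": "none", "adkim": "s"}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":                          # strict: exact match only
        return a == b
    return org_domain(a) == org_domain(b)    # relaxed (the default)

def dmarc_result(from_domain, dmarc_record, spf, dkim):
    """spf = (result, MAIL FROM domain); dkim = list of (result, d= domain)."""
    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return {"dmarc": "none", "reason": "no valid DMARC policy"}
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(from_domain, d, tags.get("adkim", "r"))
                  for res, d in dkim)
    return {"dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}

# Constructed samples: the same mail sent through a hypothetical provider.
RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
# SPF and DKIM both pass, but for the provider's domains, not the From domain.
UNALIGNED = dmarc_result("example.com", RECORD,
                         spf=("pass", "bounce.esp-mail.example.net"),
                         dkim=[("pass", "esp-mail.example.net")])
# Same mail after adding a second DKIM signature with d=mail.example.com.
ALIGNED = dmarc_result("example.com", RECORD,
                       spf=("pass", "bounce.esp-mail.example.net"),
                       dkim=[("pass", "esp-mail.example.net"),
                             ("pass", "mail.example.com")])

if __name__ == "__main__":
    print("provider domains only:", UNALIGNED)
    print("with aligned DKIM:   ", ALIGNED)
```

The first case is the one the checklist warns about: every individual check reports pass, yet DMARC fails because neither authenticated domain matches the visible From domain.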

If you are not sure where you stand, run your domain through the free email auth checker to see all three records at once, and read SPF, DKIM & DMARC explained if you need to fix what it flags.

Rules two and three: unsubscribe and spam rate

Beyond authentication, bulk marketing mail has two more obligations:

  • One-click unsubscribe. Marketing and promotional mail must include the RFC 8058 List-Unsubscribe and List-Unsubscribe-Post headers, so a recipient can opt out in a single click without leaving their inbox, and you must process the request within two days. Google enforced this from June 2024.
  • Spam rate under 0.3 percent. Keep your reported spam complaint rate in Google Postmaster Tools below 0.10 percent, and never let it reach 0.30 percent. At 0.30 percent your domain reputation takes real damage and providers start treating you as a problem sender. This is the metric most directly tied to recipient sentiment, which is why it is the one warming and list hygiene exist to protect.
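
The one-click header requirement above can be checked on an outgoing message before it is sent. This added example (not part of the original guide) inspects a raw message for the two RFC 8058 headers and for a DKIM signature whose h= list covers them, which RFC 8058 expects. Both sample messages and their placeholder signature values are constructed.

```python
import re
from email import message_from_string

def one_click_problems(raw_message: str) -> list:
    """Return RFC 8058 problems found; an empty list means the headers look right."""
    msg = message_from_string(raw_message)
    problems = []
    # At least one HTTPS URI is needed; a mailto: target alone is not one-click.
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.strip().lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no https URI")
    # The Post header must carry exactly this key=value pair.
    if (msg.get("List-Unsubscribe-Post") or "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post missing or wrong value")
    # A DKIM signature should cover both headers so receivers can trust them.
    covered = set()
    for sig in msg.get_all("DKIM-Signature", []):
        match = re.search(r"(?:^|;)\s*h\s*=\s*([^;]+)", sig)
        if match:
            covered |= {h.strip().lower() for h in match.group(1).split(":")}
    for name in ("list-unsubscribe", "list-unsubscribe-post"):
        if name not in covered:
            problems.append(f"{name} not covered by DKIM h=")
    return problems

# Constructed samples; bh= and b= are placeholders, not real signature data.
GOOD = """\
From: News <news@example.com>
To: user@example.org
Subject: June update
List-Unsubscribe: <https://example.com/unsub?u=abc123>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post; bh=PLACEHOLDER; b=PLACEHOLDER

Hello
"""
BAD = """\
From: News <news@example.com>
To: user@example.org
Subject: June update
List-Unsubscribe: <mailto:unsub@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

Hello
"""

if __name__ == "__main__":
    print("good:", one_click_problems(GOOD))
    print("bad: ", one_click_problems(BAD))
```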

The enforcement timeline

These are the milestones that have already taken effect. Knowing the sequence matters, because enforcement was deliberately phased so that problems show up as a rising share of rejected mail rather than a single hard cutoff.

  • February 2024: Google and Yahoo requirements take effect. Non-compliant bulk mail starts receiving temporary errors on a portion of traffic.
  • April 2024: Google begins rejecting a percentage of non-compliant bulk traffic, increasing over time.
  • June 2024: The one-click unsubscribe header requirement becomes enforceable for bulk senders.
  • May 2025: Microsoft begins enforcing the same authentication standard on Outlook.com and Hotmail for high-volume senders. Non-compliant mail is routed to Junk, then rejected with a 550 5.7.515 Access denied error.

Compliance is the floor, not the goal

Here is the part the requirement checklists leave out. Meeting these rules does not get your mail into the inbox. It gets your mail accepted instead of rejected. Those are different things. Compliance is binary and one-time: your records either align or they do not, your unsubscribe header either exists or it does not. Once you pass, you pass.

Reputation is continuous and earned. After your compliant mail is accepted, the provider still has to decide between the primary inbox and the spam folder, and it makes that call on your sending history: how recipients have engaged with your mail over time, how steady your volume is, how low your complaints run. A perfectly compliant domain with no reputation still lands in spam. That gap is exactly what email warming closes.

The split in one line: compliance (auth, one-click unsubscribe, low complaints) is table stakes you configure and maintain. Reputation (the trust that decides inbox vs spam) is built through engagement over time. Warming is the reputation half, not the compliance half. You need both.

Where MailStrike fits

Once your domain is compliant, MailStrike builds the reputation layer on top. Persona-based warming generates the engagement history providers look for: opens, replies, link clicks, mark-as-important, and spam rescues from real mailboxes, varied per inbox so the footprint reads like a real team rather than a script. It also keeps that history alive at low volume after you go live, which protects the spam rate you are now required to keep under control. Run the auth checker first to clear compliance, then start warming to earn placement.

Frequently asked questions about sender requirements

Who counts as a bulk sender under the Gmail and Yahoo rules?

Google and Yahoo define a bulk sender as anyone sending roughly 5,000 or more messages per day to Gmail or Yahoo addresses. The count is per day, measured across a domain, and it does not have to be 5,000 every single day to matter: cross the threshold once and providers expect you to meet the full requirements. Microsoft applies the same 5,000-per-day threshold for its high-volume sender rules on Outlook.com and Hotmail. Below that volume you are still expected to authenticate, but enforcement is lighter.

What are the Gmail and Yahoo sender requirements?

Three groups. First, authentication: SPF and DKIM on your sending domain, plus a DMARC record at minimum p=none, with alignment between your visible From domain and at least one of SPF or DKIM. Second, one-click unsubscribe: bulk marketing mail must include the RFC 8058 List-Unsubscribe and List-Unsubscribe-Post headers so recipients can opt out in a single click, processed within two days. Third, spam complaints: keep your reported spam rate in Google Postmaster Tools below 0.10 percent and never let it reach 0.30 percent. These took effect in February 2024 with rejections phasing in from April 2024.

What are Microsoft's sender requirements for Outlook?

Microsoft extended similar rules to Outlook.com and Hotmail for high-volume senders (5,000+ per day). Starting 5 May 2025, mail from non-compliant domains was first routed to Junk and then rejected outright with a 550 5.7.515 'Access denied, sending domain does not meet the required authentication level' error. The requirements mirror Google and Yahoo: valid SPF, DKIM signing, and a DMARC record at minimum p=none aligned with SPF or DKIM, plus a functional unsubscribe path and a valid, reply-capable From address.

What is the spam rate threshold and how is it measured?

Google measures your spam complaint rate in Postmaster Tools as the percentage of your delivered mail that recipients mark as spam. The guidance is to stay below 0.10 percent and to never reach 0.30 percent, because hitting 0.30 percent damages your domain reputation and can get you flagged as a problematic bulk sender. Spam rate is a trailing indicator of how recipients feel about your mail, which is exactly what warming and good list hygiene are meant to protect.

Does email warming make me compliant with these rules?

No, and any tool that says it does is overstating things. Compliance is authentication, one-click unsubscribe, and keeping complaints low. Those are configuration and list-hygiene tasks you do once and maintain. Warming builds the separate thing the rules cannot give you: sender reputation, the accumulated trust that decides whether your compliant mail lands in the inbox or the spam folder. You need both. Compliance gets you through the door; reputation decides which room you end up in.

What happens if I do not meet the requirements?

Enforcement is gradual but real. Non-compliant bulk mail first gets temporary errors, then a growing percentage is rejected outright. On Gmail this rejection ramp began in April 2024; on Outlook, non-compliant high-volume mail has been rejected since May 2025 with a 550 5.7.515 error. Practically, that means campaigns silently failing or bouncing rather than landing in spam, which is harder to diagnose because the mail never arrives at all.

How do I check whether my domain meets the requirements?

Start by auditing your authentication. Run your domain through an SPF, DKIM, DMARC and MX check to confirm all three records exist, are valid, and align. Then confirm your bulk mail carries a working one-click unsubscribe header, and monitor your spam rate in Google Postmaster Tools. MailStrike's free email auth checker covers the authentication half in one pass, and the SPF, DKIM & DMARC explained guide shows how to fix anything it flags.
