Gmail and Yahoo Sender Requirements: What Changed and What You Need to Do

Source: Google, Yahoo

What Happened

On October 3, 2023, Google and Yahoo jointly announced new authentication requirements for email senders, effective February 2024. This was the most significant change to email deliverability standards in over a decade. The requirements target bulk senders — defined as anyone sending 5,000 or more messages per day to Gmail addresses — but the practical implications affect every email marketer regardless of volume.

The announcement was not a surprise to industry veterans. SPF, DKIM, and DMARC have been best practices for years. What changed is that “best practice” became “requirement.” Emails that fail authentication now face rejection, not just spam folder placement.

The Requirements in Detail

For All Senders (Any Volume)

• SPF or DKIM authentication: Every sending domain must have at least one of these configured correctly. SPF tells receiving servers which IP addresses are authorized to send on your behalf. DKIM adds a cryptographic signature proving the email was not altered in transit.
• Valid forward and reverse DNS: Your sending IPs must have proper PTR records.
• TLS encryption: Emails must be transmitted over a TLS-encrypted connection.
• Spam rate below 0.3%: Google monitors spam complaint rates via Postmaster Tools. Exceeding 0.3% triggers deliverability penalties.

For Bulk Senders (5,000+ Messages/Day to Gmail)

Everything above, plus:

• SPF and DKIM authentication: Both are required, not just one.
• DMARC policy: Your domain must publish a DMARC record. At minimum, p=none is required, though Google has increasingly recommended p=quarantine or p=reject for better protection.
• DMARC alignment: The domain in the From header must align with either the SPF or DKIM domain.
• One-click unsubscribe (RFC 8058): Marketing emails must include both a List-Unsubscribe header and a List-Unsubscribe-Post header that supports one-click unsubscribe without requiring the user to log in or visit a confirmation page.
• Spam rate below 0.1% (target): While the hard threshold is 0.3%, Google recommends staying below 0.1%. Senders consistently between 0.1% and 0.3% may still experience throttling.

Yahoo’s Requirements

Yahoo’s requirements mirror Google’s almost exactly. The two companies coordinated their announcements and timelines. This means compliance with Gmail’s standards automatically covers Yahoo.

Enforcement Timeline

Google rolled out enforcement gradually:

• February 2024: Initial enforcement began. Non-compliant bulk senders received temporary errors (4xx codes) on a small percentage of messages — a warning shot.
• April 2024: Rejection of non-compliant messages began, starting with a small percentage and increasing over time.
• June 2024: One-click unsubscribe enforcement took effect for bulk senders of marketing and promotional messages.
• Throughout late 2024 and 2025: Enforcement tightened. Rejection rates for non-compliant messages increased, and Google’s Postmaster Tools began providing more detailed compliance feedback.
• 2026: Full enforcement is in effect. Non-compliant bulk senders can expect significant rejection rates. Google has also started recommending stricter DMARC policies (p=quarantine or p=reject) for better inbox placement.

What This Means If You Use an ESP

If you send email through a reputable email service provider — Mailchimp, GetResponse, MailerLite, Kit, ActiveCampaign, and others — most of the technical requirements are handled for you. These platforms sign emails with their own DKIM keys, manage SPF through their sending infrastructure, and include one-click unsubscribe headers automatically.

However, you are still responsible for:

1. Setting up a custom sending domain. Using your own domain (rather than your ESP’s shared domain) gives you control over your sender reputation and ensures DMARC alignment. Most ESPs walk you through this in their onboarding.
2. Publishing a DMARC record. Your ESP can handle SPF and DKIM, but DMARC is a DNS record on your domain that you must publish yourself. At minimum, add a TXT record: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com.
3. Monitoring your spam complaint rate. Register for Google Postmaster Tools (free) and monitor your domain’s complaint rate. If it exceeds 0.1%, investigate immediately — clean your list, improve targeting, or reduce frequency.
4. Maintaining list hygiene. Remove hard bounces promptly, honor unsubscribes immediately, and never send to purchased or scraped lists.

What This Means If You Send From Your Own Server

If you manage your own mail server or use a transactional email service (Postmark, SendGrid, Amazon SES), the burden falls on you:

• Configure SPF, DKIM, and DMARC records in your DNS
• Ensure your sending IPs have valid reverse DNS
• Implement RFC 8058 one-click unsubscribe headers in marketing messages
• Monitor Postmaster Tools and feedback loops from major ISPs

Actionable Steps Right Now

1. Check your authentication. Use a free tool like MXToolbox or Mail Tester to verify your SPF, DKIM, and DMARC records are correctly configured.
2. Register for Google Postmaster Tools. It is free, takes 10 minutes to set up, and gives you direct visibility into how Google views your sending domain.
3. Upgrade your DMARC policy. If you are still at p=none, consider moving to p=quarantine. This tells receiving servers to treat unauthenticated messages as suspicious, which protects your brand from spoofing and improves your reputation with inbox providers.
4. Audit your unsubscribe process. Make sure every marketing email has a visible unsubscribe link and that unsubscribe requests are processed within 48 hours (preferably instantly). If you are using an ESP, this should already be handled.
5. Clean your list. Remove subscribers who have not engaged in 6+ months. Re-engagement campaigns can help win back some, but dead weight on your list drives up complaint rates and hurts deliverability.

The Bigger Picture

Google and Yahoo’s 2024 requirements are part of a broader industry trend toward stricter sender accountability. Microsoft (Outlook, Hotmail) and Apple (iCloud Mail) have implemented similar filtering, even if they have not published formal requirements as explicitly as Google did.

The message is clear: authentication is no longer optional, list hygiene is non-negotiable, and making it easy to unsubscribe is a requirement, not a courtesy. Senders who were already following best practices barely noticed these changes. Senders who were cutting corners got a wake-up call.

For email marketers who play by the rules, this is a net positive. Higher standards for all senders mean less spam in the inbox, better engagement rates for legitimate messages, and a healthier email ecosystem overall.