The Google and Yahoo bulk sender rules: what changed in 2024

In February 2024, Google and Yahoo began enforcing new requirements for anyone sending bulk email to their users. The rules had been announced in October 2023, giving senders a four-month runway. Many senders missed the deadline anyway. The result: legitimate marketing and transactional email started bouncing or landing in spam at a scale most deliverability teams had not seen before.

If you send email at any meaningful volume, these rules apply to you. Here is exactly what changed, what the Google Yahoo bulk sender requirements mean in practice, and how to verify your domain is compliant.

Who counts as a bulk sender

Google defines a bulk sender as any domain that sends 5,000 or more messages to Gmail addresses within a 24-hour period. Yahoo applies similar thresholds without publishing a specific number. Once you cross the line, the full set of requirements kicks in.

A few details that catch people off guard:

• The count is per domain, not per service. If your marketing platform sends 3,000 and your transactional system sends 2,500, you are a bulk sender.
• It is cumulative across subdomains. Messages from mail.example.com and notify.example.com can contribute to the parent domain's total, depending on how Google measures it.
• Once you qualify, you stay qualified. Google does not reset the classification daily. If you hit 5,000 once, expect continued scrutiny.

Even if you send fewer than 5,000 per day, most of these requirements are still good practice. Google recommends them for all senders. The 5,000 threshold is where enforcement becomes strict, not where relevance begins.

The three pillars: authentication, unsubscribe, spam rates

The 2024 changes boil down to three categories. Each one is independently enforced.

1. Email authentication (SPF, DKIM, and DMARC)

Before February 2024, Google recommended email authentication. Now it is required.

SPF (Sender Policy Framework): Your domain must publish an SPF record that authorizes every IP address sending mail on your behalf. This was already standard practice, but the new rules make it a hard requirement rather than a best-practice suggestion.

DKIM (DomainKeys Identified Mail): Every message must carry a valid DKIM signature. The signing domain (the d= tag in the DKIM header) should match your From domain or your organization's domain. DKIM provides cryptographic proof that the message was not altered in transit.

DMARC (Domain-based Message Authentication, Reporting, and Conformance): Bulk senders must publish a DMARC record. The minimum acceptable policy is p=none, which is monitoring-only. Google does not yet require p=quarantine or p=reject for compliance, but a none policy still means you are collecting reports without blocking spoofed mail. Moving toward enforcement is strongly recommended.

The critical detail: DMARC requires alignment. At least one of SPF or DKIM must both pass and align with the domain in the visible From header. SPF passing alone, without alignment, does not satisfy DMARC. This is the single most common compliance failure.

2. One-click unsubscribe

Bulk senders must support RFC 8058 one-click unsubscribe. This means including two specific headers in every commercial message:

List-Unsubscribe: <https://example.com/unsubscribe/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

The List-Unsubscribe-Post header is the key addition. It tells the mail client that a POST request to the unsubscribe URL is sufficient to remove the recipient. No confirmation page, no login, no extra steps. Gmail renders this as a prominent "Unsubscribe" link next to the sender name.

Google began enforcing this requirement in June 2024, a few months after the initial authentication deadline. If your email service provider handles unsubscribe headers automatically, verify the headers are present by inspecting the raw message source. If you manage your own sending infrastructure, you need to implement the POST endpoint yourself.

Transactional messages (order confirmations, password resets, account alerts) are generally exempt from the unsubscribe requirement. But the line between transactional and commercial is blurrier than most senders assume. When in doubt, include the header.

3. Spam complaint rate

Google now publishes a clear threshold: keep your spam complaint rate below 0.3%. The recommended target is below 0.1%.

The complaint rate is measured by Google Postmaster Tools and counts the percentage of delivered messages that recipients manually mark as spam. At 0.3% or above, you will see deliverability degrade. Stay above that threshold persistently, and Google may start rejecting your messages outright.

Yahoo tracks similar metrics but is less transparent about exact thresholds.

Practical steps to stay under the line:

• Send only to people who opted in. Purchased lists and scraped addresses generate complaints fast.
• Honor unsubscribes immediately. Processing delays lead to complaints from people who already tried to opt out.
• Segment by engagement. Stop sending to recipients who have not opened in 90 days. Unengaged recipients are the most likely to complain.
• Monitor Google Postmaster Tools weekly. Complaint rate spikes often correlate with specific campaigns or list segments. Catch them early.

Additional technical requirements

Beyond the three pillars, Google specifies several infrastructure requirements:

• Valid PTR records. Every IP address you send from must have a reverse DNS (PTR) record that resolves to a hostname matching your sending domain. Most hosted email providers handle this automatically. If you run your own mail server, verify it.
• TLS encryption. Messages must be transmitted over a TLS-encrypted connection. This has been standard for years, but it is now explicitly required.
• RFC 5322 compliance. Messages must conform to the Internet Message Format standard. Malformed headers or non-standard formatting can trigger rejection.
• No Gmail impersonation. Do not set a Gmail address in the From header unless you are actually sending from Gmail infrastructure. This was always a bad practice, and now it is an enforced policy.

What happens when you fail to comply

Google rolled out enforcement gradually:

• February 2024: Temporary errors (4xx codes) for non-compliant messages. These are warnings, not hard rejections.
• April 2024: Permanent rejections (5xx codes) began for senders without SPF, DKIM, and DMARC.
• June 2024: One-click unsubscribe enforcement started. Messages without the required headers face increased spam classification.

Yahoo followed a similar timeline. Non-compliant messages either bounce with an error code or silently route to spam. Neither provider sends detailed notifications to the sender, so you may not realize you have a problem until open rates drop or recipients tell you they never received the message.

How to check your compliance

Start with authentication. Query your domain's DNS records and verify that SPF, DKIM, and DMARC are all present, valid, and aligned.

For SPF, confirm your record authorizes every service that sends on your behalf and stays within the 10-lookup limit defined by RFC 7208. For DKIM, verify that a signed message passes verification and that the d= domain aligns with your From address. For DMARC, check that your record exists, that the policy is at least p=none, and that you have rua= and ruf= addresses configured to receive aggregate and forensic reports.

The AcuityScan SPF Record Generator and DMARC Record Generator can help you build or fix both records from scratch. If you already have records in place and want to validate the full authentication chain, run a scan at acuityscan.com. The email module checks SPF syntax, DMARC enforcement policy, probes 16 common DKIM selectors, and scans your domain against 77 verified active email blacklists.

TL;DR

• Google and Yahoo began enforcing bulk sender requirements in February 2024. The rules apply to any domain sending 5,000+ messages per day to Gmail.
• Three core requirements: email authentication (SPF + DKIM + DMARC with alignment), one-click unsubscribe headers (RFC 8058), and spam complaint rates below 0.3%.
• DMARC alignment is the most common failure point. SPF passing alone is not enough if the Return-Path domain does not match the From header.
• Non-compliant messages are rejected or routed to spam. Neither Google nor Yahoo notifies the sender directly.
• Verify your records now. Check SPF, DKIM, and DMARC alignment before your next campaign, not after deliverability drops.