The bulk sender requirements introduced by Gmail and Yahoo in February 2024, and extended by Microsoft in 2025, changed email forever: authentication and good sending hygiene are no longer best practice but enforced entry rules. If you send in volume and do not meet the bulk sender requirements, your mail is rate-limited, sent to spam, or rejected outright. This guide consolidates every rule from Gmail, Yahoo and Microsoft into one place — who the bulk sender requirements apply to, exactly what each provider demands, and a checklist to get compliant. It is part of our email deliverability hub.
What the bulk sender requirements are
The bulk sender requirements are a shared set of rules the major mailbox providers now enforce on anyone sending high volumes of email to their consumer users. They were designed to cut spam and spoofing by making authentication mandatory rather than optional. The common thread across all three providers is simple: prove who you are with SPF, DKIM and DMARC, make it easy to unsubscribe, and keep recipients happy enough that they do not mark you as spam. A “bulk sender” is generally defined by Google as anyone sending close to 5,000 messages or more to personal Gmail accounts within a 24-hour period; the count combines every subdomain under your primary domain, and once you cross the threshold the classification does not expire even if your volume later drops (Google’s email sender guidelines).
Crucially, the 5,000-a-day threshold counts mail to personal consumer mailboxes — Gmail.com, personal Yahoo and AOL, and Outlook.com/Hotmail/Live — not to business inboxes hosted on Google Workspace or Microsoft 365. But you should treat the bulk sender requirements as the baseline for all serious senders regardless of volume, because everything they mandate is what good deliverability looked like already.
Why the bulk sender requirements exist
For decades, authentication was something responsible senders did and spammers ignored, with little consequence either way — a forged From address sailed through as easily as a legitimate one. That asymmetry is exactly what phishing exploited: if a mailbox provider cannot tell a real bank from an impostor, neither can the recipient. The bulk sender requirements close that gap by making authentication the price of entry for high-volume mail, so that a message claiming to come from your domain can be checked against records only you control. The result is a quieter, safer inbox — and, for legitimate senders, a more level playing field, because the spammers who could never pass DMARC are now filtered out before they reach the inbox. Viewed that way, the bulk sender requirements are less a burden than a long-overdue baseline: every rule on the list is something a careful sender was doing anyway, now simply enforced. The senders who struggled with the 2024 deadline were generally those who had been cutting corners; those with clean authentication and engaged lists barely noticed the change.
Gmail and Yahoo bulk sender requirements (2024)
Google and Yahoo announced near-identical rules that took effect on 1 February 2024, with a one-click-unsubscribe compliance deadline of 1 June 2024. Both require, for senders above roughly 5,000 messages a day to their consumer users:
- SPF and DKIM — both must be set up and passing. For DMARC alignment, only one of the two needs to align with the From domain.
- A published DMARC record — a policy of at least
p=noneis the minimum, and DMARC must pass through SPF or DKIM alignment. - Valid forward and reverse DNS (PTR) on your sending IPs, so the IP resolves to a hostname and back again.
- One-click unsubscribe via RFC 8058 for marketing and subscribed mail, plus a visible unsubscribe link, with opt-outs honoured within two days.
- A spam complaint rate below 0.3% as reported in Google Postmaster Tools — and ideally kept under 0.1%, because crossing 0.3% makes you ineligible for delivery mitigation.
- TLS for the connection, and ARC if you forward mail or run a mailing list.
Enforcement ramped gradually through the first half of 2024, and in November 2025 Google escalated again — moving non-compliant traffic from temporary 4.7.x rate-limiting failures toward permanent 5.7.x rejections. The underlying numbers did not change; the enforcement simply grew teeth. Yahoo’s rules mirror Google’s almost exactly and are documented in its Sender Hub best practices, with a DKIM-based complaint feedback loop in place of Postmaster Tools.
Microsoft’s bulk sender requirements (2025)
In 2025 Microsoft brought Outlook.com, Hotmail and Live into line. From May 2025, senders of more than 5,000 emails a day to those consumer domains must pass SPF, DKIM and DMARC (DMARC at minimum p=none, aligned with SPF or DKIM). Non-compliant high-volume mail was first routed to the Junk folder during a grace period, with outright rejection — a 550 5.7.515 Access denied response — following for mail that stays unauthenticated.
Microsoft’s rules are narrower than Google and Yahoo’s in two ways: it focuses on authentication and does not mandate RFC 8058 one-click unsubscribe, nor does it publish a specific numeric spam-complaint ceiling. A functional, visible unsubscribe option is recommended as best practice rather than required. In short, if you already meet the Gmail and Yahoo bulk sender requirements, you almost certainly meet Microsoft’s too — authentication is the common core.
The bulk sender requirements compared
Here is how the three providers line up on the rules that matter:
| Requirement | Gmail & Yahoo (2024) | Microsoft (2025) |
|---|---|---|
| Volume threshold | ~5,000/day to consumer inboxes | ~5,000/day to Outlook/Hotmail/Live |
| SPF + DKIM | Both required | Both required |
| DMARC | Required, min p=none | Required, min p=none |
| Reverse DNS (PTR) | Required | Best practice, not enforced |
| One-click unsubscribe | Required (RFC 8058) | Recommended, not required |
| Spam complaint rate | Below 0.3% (aim <0.1%) | No published number |
One-click unsubscribe and the RFC 8058 rule
The one-click unsubscribe rule trips up more senders than any other part of the bulk sender requirements, because it is more than just a visible “unsubscribe” link. RFC 8058 requires two headers on marketing mail, both covered by your DKIM signature:
List-Unsubscribecontaining at least one HTTPS URL (and optionally amailto:).List-Unsubscribe-Post: List-Unsubscribe=One-Click.
When a recipient clicks unsubscribe, the mailbox provider sends an HTTPS POST to your URL and expects you to process the opt-out server-side, with no login, no confirmation page and no redirect. The most common one-click unsubscribe mistakes are forgetting to DKIM-sign both headers, using HTTP instead of HTTPS, returning a redirect, or building an endpoint that only accepts GET. Get any of those wrong and providers treat your one-click unsubscribe as invalid, even though the link looks fine to a human.
Meeting the bulk sender requirements: a checklist
Work through these in order to satisfy every provider’s bulk sender requirements:
- Publish SPF for every service that sends on your behalf — see our SPF record guide.
- Enable DKIM signing on your domain — our DKIM record guide walks through it.
- Publish DMARC at
p=nonewith aruareporting address, then move toward enforcement — see the DMARC record guide. - Set up valid reverse DNS (PTR) for your sending IPs.
- Add RFC 8058 one-click unsubscribe headers to all marketing mail and honour opt-outs within two days.
- Monitor your spam complaint rate in Google Postmaster Tools and keep it well under 0.1%.
Most senders who fail an audit fail on DMARC alignment or a broken one-click unsubscribe, not on the basics — so verify those two carefully. Once the records are in place, the spam complaint rate becomes the ongoing discipline: it is the one requirement you cannot set once and forget, because it depends on list quality and engagement that drift over time. Pair this guide with our inbox placement guide to keep complaints low after you are compliant.
Related reading
Bulk sender requirements FAQ
Who do the bulk sender requirements apply to?
Anyone sending roughly 5,000 or more messages a day to personal Gmail, Yahoo/AOL or Outlook/Hotmail/Live accounts. Google counts all subdomains of your primary domain together, and once you are classified as a bulk sender the status does not expire. The rules target consumer mailboxes, not business inboxes on Workspace or Microsoft 365 — but every serious sender should meet them regardless of volume.
What is the spam complaint rate limit?
Google and Yahoo require bulk senders to keep their spam complaint rate below 0.3% as measured in Google Postmaster Tools, and strongly recommend staying under 0.1%. Crossing 0.3% makes you ineligible for delivery mitigation. Microsoft has not published a numeric threshold, but a high complaint rate will hurt you at Outlook regardless.
Do Microsoft’s rules require one-click unsubscribe?
No. Microsoft’s 2025 requirements focus on SPF, DKIM and DMARC. A clear, functional unsubscribe option is recommended as best practice, but Microsoft does not mandate RFC 8058 one-click unsubscribe the way Gmail and Yahoo do. If you already comply with Google and Yahoo, you meet Microsoft’s authentication bar.
Is DMARC p=none enough to comply?
Technically yes — all three providers accept a published DMARC record at p=none as the minimum. But p=none only monitors; it does not stop anyone spoofing your domain. The bulk sender requirements are a floor, not a goal: once your legitimate mail passes cleanly, move your policy to p=quarantine and then p=reject for real protection.
What happens if I do not meet the bulk sender requirements?
Initially your mail is rate-limited with temporary failures or diverted to the spam folder. As enforcement has matured — notably Google’s November 2025 ramp and Microsoft’s move toward rejection — non-compliant high-volume mail is increasingly rejected outright with a 5.7.x error. In practice that means your campaigns simply stop reaching the inbox until you fix authentication.
How do I check whether I comply?
Start by confirming SPF, DKIM and DMARC resolve and align using our free email tools, then send a test message and inspect its headers for passing authentication and the RFC 8058 unsubscribe headers. Enrol in Google Postmaster Tools and Microsoft SNDS to watch your spam complaint rate and authentication pass rates over time. If all three authentication checks pass, your one-click unsubscribe works server-side, and your complaint rate stays under 0.1%, you meet the bulk sender requirements.
Do the bulk sender requirements apply below 5,000 emails a day?
The hard enforcement triggers around 5,000 messages a day to consumer mailboxes, but the rules describe good sending for everyone. Lower-volume senders are not exempt from the underlying signals — a small list with a high complaint rate or broken authentication still lands in spam. Treat the threshold as the point where the providers start actively rejecting non-compliant mail, not as permission to skip authentication below it. The cost of publishing SPF, DKIM and DMARC is the same whether you send 500 emails or 500,000, and the protection against spoofing is worth it at any scale.
Does the 5,000 limit count all my domains together?
Google counts every subdomain under your primary domain toward the same 5,000-a-day total — mail from news.example.com and billing.example.com is added together against example.com. Sending from a separate, unrelated domain is counted independently. This is why splitting marketing and transactional mail across subdomains is a reputation-isolation tactic rather than a way to dodge the threshold: the volume still aggregates, but the reputation does not.
Cite this article
Raj Kapoor. "Gmail, Yahoo & Microsoft Sender Requirements: The 2026 Compliance Guide." ToolTrusted, June 26, 2026, https://tooltrusted.com/sender-requirements-guide/.
Raj Kapoor. (2026). Gmail, Yahoo & Microsoft Sender Requirements: The 2026 Compliance Guide. ToolTrusted. https://tooltrusted.com/sender-requirements-guide/
Notice something outdated or incorrect in this review? Let us know below, and our team will update it within 24 hours.