Google fundamentally changed its approach to bulk email in late 2023, announcing requirements that became the new industry standard. If you send email at scale, meeting these requirements is not optional. This guide covers everything you need to know about Gmail's current sender requirements.
Who Is a Bulk Sender?
Gmail defines bulk senders as anyone who sends approximately 5,000 or more messages to personal Gmail accounts (@gmail.com, @googlemail.com) within a 24-hour period.
Bulk Sender Status Is Permanent
Once you reach the 5,000 message threshold, Google permanently categorizes you as a bulk sender. You cannot lose this status by reducing volume. The requirements apply indefinitely.
Authentication Requirements
SPF (Required)
Publish an SPF record that authorizes all servers sending email as your domain. The Return-Path domain must pass SPF validation.
DKIM (Required)
Sign all outgoing messages with DKIM using at least a 1024-bit key (2048-bit recommended). The DKIM signature must validate successfully.
DMARC (Required)
Publish a DMARC record for your domain. The minimum acceptable policy is p=none. Either SPF or DKIM must pass with alignment to the From header domain. You can use DMARC reports to monitor authentication results across all your sending sources.
Alignment Requirement
DMARC alignment is mandatory. The domain in your visible From header must align with either your SPF domain (Return-Path) or your DKIM signing domain.
Spam Rate Requirements
Gmail monitors spam complaint rates through Google Postmaster Tools:
| Spam Rate | Status | Impact |
|---|---|---|
| Below 0.1% | Recommended | Good deliverability |
| 0.1% - 0.3% | Warning zone | Increased filtering possible |
| Above 0.3% | Non-compliant | Enforcement actions, rejection |
The 0.3% threshold is not a target. Stay below 0.1% for reliable inbox placement. Exceeding 0.3% triggers enforcement actions that affect all your email, not just marketing messages.
One-Click Unsubscribe
Marketing and promotional emails must support one-click unsubscribe per RFC 8058. Requirements:
- Include List-Unsubscribe header with HTTPS URL
- Include List-Unsubscribe-Post header with value
List-Unsubscribe=One-Click - Both headers must be covered by your DKIM signature
- Process unsubscribe requests within 48 hours
- No login or confirmation required for unsubscribe
Transactional emails (order confirmations, password resets, etc.) are exempt from this requirement.
Technical Infrastructure
Valid PTR Records
Every sending IP must have a valid reverse DNS (PTR) record. The PTR hostname must resolve back to the sending IP (forward-confirmed reverse DNS).
TLS Encryption
All connections must use TLS encryption. Unencrypted connections are rejected.
RFC 5322 Compliance
Messages must comply with the Internet Message Format standard. Malformed messages may be rejected.
Enforcement Timeline
- October 2023: Requirements announced
- February 2024: Soft enforcement began (warnings, temporary errors)
- June 2024: One-click unsubscribe requirement active
- November 2025: Full enforcement with message rejection
As of November 2025, non-compliant messages receive immediate rejection or temporary deferral rather than just spam folder placement.
Common Compliance Mistakes
Even organizations that believe they are compliant often fall short in ways that trigger enforcement. These are the most common mistakes we see among bulk senders:
- Not authenticating all sending sources: Many organizations set up SPF and DKIM for their primary ESP but forget about third-party CRMs, transactional email services, helpdesk platforms, and marketing automation tools that also send on their behalf. Every source must be authenticated.
- Using shared domains without proper DKIM signing: If you send through a shared IP or shared domain environment, you must ensure your messages carry a valid DKIM signature tied to your own domain. Relying on the ESP's default shared signing domain will cause DMARC alignment to fail.
- Setting DMARC to
p=noneand forgetting to progress: Whilep=nonesatisfies Gmail's minimum, it provides zero protection against domain spoofing. Organizations should plan a clear path fromp=nonetop=quarantineand ultimatelyp=reject, using DMARC reports to identify unauthorized senders before tightening the policy. - Exceeding the SPF 10-lookup limit: SPF records are limited to 10 DNS lookups. Adding too many
include:statements causes SPF validation to fail entirely, which in turn breaks DMARC alignment for the SPF path. Audit and flatten your SPF record regularly. - Not monitoring Google Postmaster Tools regularly: Postmaster Tools is the only authoritative source for how Gmail views your domain reputation and spam rates. Senders who do not check it weekly miss early warning signs before enforcement actions begin.
- Treating 0.3% as a target instead of 0.1%: The 0.3% spam complaint rate is the enforcement threshold, not the goal. Gmail's own documentation recommends staying below 0.1%. Senders who hover near 0.3% have no margin for error and risk crossing into enforcement at any time.
Gmail vs Yahoo vs Microsoft: How Requirements Compare
Gmail was the first major mailbox provider to announce bulk sender requirements, but Yahoo and Microsoft followed with their own policies. The table below compares the core requirements across all three providers.
| Requirement | Gmail | Yahoo | Microsoft |
|---|---|---|---|
| SPF | Required | Required | Required |
| DKIM | Required | Required | Required |
| DMARC | Required (p=none minimum) | Required (p=none minimum) | Required (p=none minimum) |
| Spam Rate Limit | Below 0.3% | Below 0.3% | Not publicly specified |
| One-Click Unsubscribe | Required (RFC 8058) | Required (RFC 8058) | Required |
| PTR Records | Required | Required | Recommended |
| TLS Required | Yes | Yes | Yes |
| Enforcement Date | February 2024 (full Nov 2025) | February 2024 (full Nov 2025) | May 2025 |
All three major mailbox providers now align on core authentication and sender hygiene requirements. If you comply with Gmail's rules, you will meet the vast majority of what Yahoo and Microsoft require as well. The practical implication is that compliance is no longer provider-specific; it is a universal standard for sending email at scale.
Step-by-Step Compliance Checklist
Use this checklist to verify that your sending infrastructure meets all of Gmail's bulk sender requirements. Complete each step in order, as later steps depend on earlier ones.
- Audit all sending sources: Identify every system that sends email using your domain, including your primary ESP, CRM, transactional email service, helpdesk software, and any marketing automation platforms.
- Publish SPF records for each sending domain: Create or update your SPF TXT record to include all authorized sending IPs and services. Ensure you stay within the 10-lookup limit.
- Configure DKIM signing for all sources (2048-bit keys): Set up DKIM with a 2048-bit RSA key for each sending service. Verify that the DKIM signing domain aligns with your From header domain.
- Publish a DMARC record (start
p=none, plan to progress): Add a DMARC TXT record at_dmarc.yourdomain.com. Begin withp=noneand a reporting address to collect DMARC aggregate reports. - Register for Google Postmaster Tools: Verify your sending domain in Postmaster Tools to access Gmail's data on your authentication rates, spam complaints, and domain reputation.
- Implement one-click unsubscribe (RFC 8058): Add both
List-UnsubscribeandList-Unsubscribe-Postheaders to all marketing and promotional messages. Test that unsubscribe requests are processed without login or confirmation. - Set up feedback loops for complaint monitoring: Register for available feedback loop programs and configure alerts when spam complaint rates exceed 0.1%.
- Verify PTR records for all sending IPs: Confirm that every IP address you send from has a valid PTR record that resolves forward to the same IP (forward-confirmed reverse DNS).
- Test authentication by sending to a Gmail account and checking headers: Send a test message, open it in Gmail, and select "Show original" to verify that SPF, DKIM, and DMARC all show
pass. - Monitor weekly and respond to issues within 24 hours: Check Postmaster Tools at least once per week. If spam rates spike or authentication failures appear, investigate and resolve the root cause within one business day.
Checking Your Compliance
- Register for Google Postmaster Tools: Monitor your domain and IP reputation, spam rates, and authentication success
- Verify authentication: Send test emails and check Authentication-Results headers for SPF, DKIM, and DMARC pass
- Monitor spam rates: Keep complaint rates well below 0.3%
- Audit unsubscribe: Confirm one-click unsubscribe works for marketing emails
Google Workspace Recipients
Gmail's bulk sender requirements apply specifically to personal Gmail accounts (@gmail.com). Messages to Google Workspace accounts (business email on Google) are subject to the recipient organization's policies, which may be more or less strict.
However, Google Workspace administrators often configure similar requirements, and authentication best practices should be followed regardless of recipient type.