Infrastructure guide
Google and Yahoo bulk sender requirements
The sender rules Gmail and Yahoo enforce: SPF, DKIM, and DMARC, one-click unsubscribe, the 0.3 percent spam-rate threshold, and the supporting checks like HTTPS and MTA-STS.
On this page
In February 2024, Google and Yahoo stopped treating email authentication as a best practice and started enforcing it. Senders who miss the requirements do not get a warning email. Their mail starts bouncing with policy error codes or quietly stops arriving. Two years on, these rules are the baseline every cold email operation is measured against. Here is what is required, what the thresholds are, and how to verify a domain before launch.
What the requirements are
Google’s rules apply in full to senders of 5,000 or more messages per day to Gmail accounts, with a lighter set for everyone else. Yahoo enforces an equivalent set. The bulk-sender list:
- SPF and DKIM must both pass. Small senders need one; bulk senders need both. See the SPF and DKIM guides for setup.
- DMARC must be published, at minimum
p=none, and the From domain must align with SPF or DKIM. Setup in the DMARC guide. - One-click unsubscribe (RFC 8058) in commercial mail, honored within 2 days.
- Spam complaint rate below 0.3 percent, ideally below 0.1 percent, measured by Google Postmaster Tools.
- Valid forward and reverse DNS on sending infrastructure, and TLS on the sending connection. Your inbox provider handles both when you send through Google Workspace or Microsoft 365.
- No From-header impersonation of gmail.com. Sending bulk mail with a gmail.com From address fails DMARC outright, since Gmail publishes
p=quarantineon it. Cold email must run on your own domain.
Cold email volumes per domain usually sit below 5,000 a day by design, but treating the bulk rules as the floor is the correct posture. Enforcement is pattern-based, thresholds move, and every requirement on the list is also just sound infrastructure.
Why it matters for a cold email launch
- Failure modes are hard, not soft. Non-compliant mail to Gmail gets rejected with
550 5.7.26class errors or filtered on arrival. This is not a ranking penalty; it is a gate. - The spam-rate threshold is unforgiving at cold email scale. 0.3 percent is 3 complaints per 1,000 messages. A poorly targeted 2,000-send week can cross it with 6 clicks on “report spam.” Above the threshold, filtering applies to the domain broadly, not just the offending campaign.
- The requirements interact. Unauthenticated mail cannot build the reputation that keeps complaint-driven filtering proportionate. A domain that fails DMARC and picks up complaints degrades much faster than either problem alone.
How to comply, step by step
Step 1: Authentication. Publish SPF, activate DKIM, publish DMARC at p=none or stricter. Verify all three with the auth checker:
yourdomain.com TXT "v=spf1 include:_spf.google.com ~all"
google._domainkey.... TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
Step 2: One-click unsubscribe. RFC 8058 means two headers on commercial mail:
List-Unsubscribe: <https://yourdomain.com/unsub?id=abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
The receiver POSTs to that URL when the user clicks Gmail’s unsubscribe button, and the opt-out must take effect within 2 days. Serious sending platforms add these headers when the feature is enabled; your job is confirming it is enabled, not building it. An unsubscribe link in the body is still good practice alongside the headers.
Step 3: Watch the spam rate. Set up Google Postmaster Tools for each sending domain. It is free, takes one DNS verification record, and is the same complaint data Google enforces against. Keep the rate under 0.1 percent so a bad day cannot reach 0.3.
Step 4: Keep bounces low. Bounce handling is why MX records matter here: bounce processing is what removes dead addresses, and dead addresses drive both bounce rate and trap hits. Verify lists before sending.
MTA-STS
MTA-STS (RFC 8461) lets a domain declare that inbound mail must arrive over verified TLS. It is a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt plus a DNS record:
_mta-sts.yourdomain.com TXT "v=STSv1; id=20260701"
Google publishes MTA-STS on gmail.com and recommends it, but it is not on the required list for bulk senders, and it protects mail coming to you rather than mail you send. For cold email domains it is a nice-to-have that signals a well-run domain. Set it up on the main brand domain first, sending domains later, and never at the expense of the required items above.
The root website and HTTPS
Not a line item in Google’s published rules, but a real input to how mail from a domain is judged: the sending domain’s root should resolve to a real website over valid HTTPS.
- Filters and link scanners resolve sender domains. A domain with no site, a parking page, or a certificate error resembles disposable spam infrastructure.
- Prospects check. The first thing a curious recipient does is visit the domain. A browser warning at that moment ends the thread.
- The certificate is the same class of failure as tracking-domain SSL: invisible from the sender’s side, fully visible to everyone else.
Give every sending domain at minimum a one-page site over HTTPS, ideally redirecting to the main brand site. OutboundQA checks root HTTPS on every sending domain for exactly this reason.
Common mistakes
- Assuming sub-5,000 volume means exemption. Authentication requirements apply to everyone; the bulk tier just adds more. Build to the bulk standard.
- DMARC published without alignment. A
p=nonerecord satisfies the checkbox while every message fails alignment through a misconfigured platform. Verify alignment on a real message, not just the DNS record. - One-click unsubscribe disabled at the platform level. The headers exist in the tool but the toggle is off for the workspace.
- No Postmaster Tools. Flying without the one dashboard that shows the enforced metric.
- Counting the spam rate across all traffic. The rate is measured per domain at Gmail. A small, badly received campaign on one domain crosses the line even when the account-wide average looks fine.
FAQ
Do these rules apply to cold email at all, since it is unsolicited? The rules apply to all bulk senders and Gmail does not carve out cold email. Complying is necessary, not sufficient: targeting and list quality still decide the complaint rate.
What happens at exactly 0.3 percent? Google describes 0.3 percent as the threshold above which enforcement applies, with 0.1 percent as the level to stay under. Treat 0.1 as the operating limit.
Is one-click unsubscribe required for B2B cold email? Gmail’s requirement covers commercial messages to personal Gmail accounts, but Workspace-hosted corporate mail runs the same filters. Include the headers everywhere; there is no downside.
Where does OutboundQA fit? Sender requirement checks (authentication, DMARC presence and alignment inputs, root HTTPS) are part of the 16 checks behind each Ready, Needs Fix, or Do Not Launch verdict.
Verify a domain against the authentication requirements with the auth checker, or run the full readiness pass with the email deliverability checker.
Check it now
Run the pre-flight check on your next outbound launch
Upload the domains and inboxes, get a verdict and the exact fixes, and a report you can share.