Field notes
Gmail’s permanent rejections: the end of the deliverability grace period
In November 2025 Gmail moved from soft enforcement to outright SMTP rejection of non-compliant bulk mail. The requirements did not change — the consequence did. Here is what happened, and what to do about it.
For nearly two years, the bulk-sender requirements that Gmail and Yahoo announced in October 2023 came with a quiet escape hatch. Mail that failed them was usually filtered to the spam folder rather than refused, which meant a non-compliant sender could limp along on the recipients diligent enough to go fishing in junk. In November 2025 that hatch closed. Google began enforcing the rules at the connection itself, returning non-compliant bulk mail to the sender instead of tucking it out of sight. The requirements have not changed since 2023. What changed is what happens when you miss them.
The distinction matters more than it first sounds. A message in the spam folder has still arrived; a determined recipient can retrieve it, and a determined sender can argue their way back to the inbox over time. A rejected message never arrives at all. There is no folder to rescue it from, no second chance at engagement, nothing but a bounce in your logs and a customer who did not get their receipt. For senders who treated the 2024 guidance as advisory, the shift from filtering to refusal is the moment the advice acquired teeth.
What actually changed
On 3 November 2025, Google added a line to its Email sender guidelines FAQ — the document formerly called the Bulk sender guidelines — warning that from that month it was ramping up enforcement against non-compliant traffic, and that failing mail would face disruption up to and including temporary and permanent rejections. Deliverability watchers spotted the edit within days. Nothing about the underlying requirements was new; the FAQ simply confirmed that the long-promised enforcement had arrived in earnest.
In practice that turned a soft regime into a hard one. Through 2024 and most of 2025, enforcement had been characterised, in Google’s own framing, as light touch: a small share of non-compliant mail saw errors, the rest leaked through to spam folders. From November 2025 the posture is active. Mail that fails authentication or trips the policy thresholds is rate-limited and then rejected at the SMTP level, before it reaches any folder. The grace period that began when the rules were announced is, by Google’s own account, over.
Two kinds of failure: 4.7.x and 5.7.x
Enforcement now speaks in two registers, and the difference between them is the difference between a warning and a wall. Temporary failures use the 4.7.x series — a deferral that rate-limits your sending and asks you to try again, the SMTP equivalent of being told to slow down. A message rate-limited for being unauthenticated, for instance, comes back as 421 4.7.26. These are recoverable: fix the cause and the mail flows again.
Permanent failures use the 5.7.x series, and they are final for that message. A non-compliant message can be refused outright with a code such as 550 5.7.26, which Gmail uses for mail that is not properly authenticated, alongside the related codes the provider returns for policy failures. A 5.7.x rejection is a bounce; the message is gone, and only a corrected resend will reach the recipient. Google has described the rollout as gradual and progressive, escalating from deferrals to outright rejection as non-compliance persists, so a sender ignoring the 4.7.x deferrals is effectively opting into the 5.7.x rejections that follow.
The useful consequence is that the bounce tells you exactly what is wrong. Where a spam-folder placement was silent — you only learned of it through missing engagement — a rejection names the failure in its code. Reading those codes in your logs is now the fastest diagnosis you have.
How we got here
The November change is the end of a road that has been visible since 2023, and the timeline is worth holding in mind, because each step tightened the one before.
- October 2023 — Google and Yahoo jointly announce the sender requirements: authentication, alignment, easy unsubscribe, a spam-rate ceiling, RFC-valid headers.
- February 2024 — initial enforcement begins. A small percentage of non-compliant mail starts seeing temporary errors such as 5.7.26, a deliberate nudge rather than a block.
- April 2024 — Google begins rejecting a percentage of non-compliant mail, with the rejected share rising over time.
- 1 June 2024 — the one-click unsubscribe requirement becomes mandatory for bulk marketing mail.
- October 2025 — Google retires the legacy Postmaster Tools and launches Postmaster Tools v2, replacing reputation grades with a compliance view.
- November 2025 — enforcement ramps up to active rejection. The soft period ends.
Read together, the lesson is that “we handled this in 2024” is rarely the same as “we are compliant now.” Each phase assumed the previous one had been absorbed, and the November step assumes you have been authenticated and aligned for well over a year.
Postmaster Tools v2: from reputation to compliance
The quieter October 2025 change may matter as much as the November one. Google retired the old Postmaster Tools dashboard, with its familiar High, Medium, Low and Bad domain-reputation grades, and replaced it with Postmaster Tools v2 built around a binary Compliance Status. The shift in language is the shift in philosophy: for years a strong reputation could carry a sender through minor lapses, and the goal was to keep the gauge in the green. Under v2 the first question is not how good your reputation is but whether you meet the requirements, full stop.
That reframes the old reputation scores as necessary but no longer sufficient. A sender who once leaned on a high reputation to survive a sloppy authentication setup no longer has that cushion; compliance is checked first, and a domain that fails it does not get to fall back on its history. For anyone whose deliverability strategy was essentially “keep the Postmaster Tools reputation high,” v2 is a prompt to rebuild around the compliance checklist instead.
Who counts as a bulk sender now
The threshold remains five thousand messages a day, but two details are easy to get wrong. The count is per sending domain to a provider’s consumer inboxes, so volume split across subdomains rolls up to the parent rather than dividing neatly. And Google has narrowed the definition since the original announcement: where the 2023 wording covered mail to both free Gmail accounts and paid Google Workspace accounts, the current guidance applies the bulk-sender rules to mail sent to personal, free Gmail accounts. Workspace mail follows its own administrative controls.
The narrowing is not an exemption to relax into. The authentication, unsubscribe and complaint expectations now read as the baseline for any sender of consequence, bulk or not, because the filters favour authenticated, well-behaved mail for everyone. A sender just under the threshold who skips authentication is not safe; they are simply not yet being rejected for it.
Why a bounce is worse than the spam folder
It is worth being concrete about the cost, because teams that pictured the spam folder tend to underestimate it. A rejected transactional message is a password reset that never arrives, a receipt the customer never sees, an order confirmation that generates a support ticket. A rejected marketing message is a campaign that quietly fails to land, with the bounce buried in logs the marketing team may never read. In both cases the failure is invisible at the point of sending and expensive at the point of discovery, which is usually a confused customer or a metric that fell off a cliff. The spam folder at least kept the mail in the building; rejection does not.
What this does, and does not, change
It is important to separate two things that the November change tends to blur. Compliance is now a gate: fail authentication, alignment, unsubscribe or the spam-rate ceiling and your bulk mail is refused before anything else is considered. That gate is what acquired teeth. Above the gate, however, the older logic still governs whether accepted mail lands in the inbox or the spam folder, and that logic is reputation and engagement — whether recipients open, reply, and want your mail. Passing the compliance gate is not a promise of the inbox; it is permission to compete for it.
This is why the requirements themselves did not change in November while the stakes did. The four mandates — authenticate and align, publish and move toward DMARC enforcement, offer a one-click unsubscribe honoured within about two days, and keep the spam-complaint rate under control — have read the same since 2023. We cover them in full in the bulk sender compliance guide and the authentication guide. What changed is that missing any of them now costs you the message rather than the folder.
How to tell whether you are affected
Three signals tell you where you stand, and they are quick to check. The first is your bounce logs: a rise in 4.7.x deferrals or 5.7.x rejections from Gmail, each citing a reason, is the clearest evidence that enforcement has reached you. The second is Postmaster Tools v2, where the Compliance Status now states plainly whether your domain meets the requirements rather than leaving you to infer it from a reputation grade. The third is your own authentication: if SPF, DKIM and DMARC are not all present and aligned with your visible From domain, you are exposed regardless of what the logs show today, because the enforcement is progressive and your turn is coming.
What to do now
The remediation is the same checklist it has been since 2023, with the urgency the November change supplies.
- Authenticate and align. SPF, DKIM and DMARC all valid, and aligned with the From domain. Alignment, not mere presence, is what passes.
- Publish DMARC and progress it. A record is mandatory; a policy at p=none meets the letter while protecting nothing, so plan the move to quarantine and reject once your reports are clean.
- Honour unsubscribes fast. One-click unsubscribe on marketing mail, processed within about two days, and kept off transactional streams so no one opts out of a receipt.
- Hold complaints down. Keep the spam-complaint rate under 0.10% as a target; 0.30% is the line where providers act regardless of authentication.
- Validate the headers. RFC-compliant message structure, valid reverse DNS, and TLS on the connection.
- Watch Postmaster Tools v2. Treat its Compliance Status as the scoreboard, and read your bounce codes as the diagnosis when something slips.
Reading a Gmail bounce, line by line
Because the rejection names its own cause, a few minutes in the bounce logs now does what an afternoon of guesswork used to. The codes fall into a small set worth recognising on sight.
- 421 4.7.26 — a temporary deferral for unauthenticated mail. The connection is being rate-limited and the message will be retried; it is a warning shot, and the fix is to get SPF or DKIM aligned before the deferrals harden.
- 550 5.7.26 — a permanent rejection for mail that is not authenticated to Gmail’s satisfaction. The message is gone, and only an authenticated resend will reach the recipient.
- Other 5.7.x codes — related permanent failures for other breaches, from missing alignment to policy violations. The text alongside the code usually points at the specific rule.
The discipline is to treat any rise in 4.x deferrals as the last warning before 5.x rejections, rather than as noise to retry away. A queue that is being deferred is a queue that is about to be refused.
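One way to put that discipline into a log check, as an added example that is not part of the original article: it classifies SMTP replies into 4.7.x deferrals and 5.7.x rejections and reports the hours in which deferrals take a growing share of traffic. The log format, the reply text and the 20% threshold are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# SMTP reply code followed by an RFC 3463 enhanced status code, e.g.
# "421 4.7.26" or "550-5.7.26" (multi-line replies use a hyphen).
REPLY_RE = re.compile(r"\b([245]\d{2})[ -]([245])\.(\d{1,3})\.(\d{1,3})\b")

def classify(line):
    """Return (reply, enhanced, kind) for a log line, or None without a status."""
    m = REPLY_RE.search(line)
    if not m:
        return None
    reply, cls, subject, detail = m.groups()
    if cls == "2":
        kind = "accepted"
    elif subject == "7":
        # x.7.x is the security/policy subject: 4 = retry later, 5 = bounced.
        kind = "deferral" if cls == "4" else "rejection"
    else:
        kind = "other"
    return reply, f"{cls}.{subject}.{detail}", kind

def hourly_summary(lines):
    """Map each hour (ISO timestamp prefix) to a Counter of outcome kinds."""
    hours = defaultdict(Counter)
    for line in lines:
        result = classify(line)
        if result:
            hours[line[:13]][result[2]] += 1
    return dict(hours)

def escalation_warnings(lines, threshold=0.2):
    """Hours whose 4.7.x deferral share meets the threshold.

    The 20% threshold is an assumption for this example, not a Gmail figure.
    Returns (hour, deferral_share, rejection_count) tuples in time order.
    """
    warnings = []
    for hour, kinds in sorted(hourly_summary(lines).items()):
        share = kinds["deferral"] / sum(kinds.values())
        if share >= threshold:
            warnings.append((hour, round(share, 2), kinds["rejection"]))
    return warnings

# Constructed log lines; the format and reply text are made up for this example.
SAMPLE_LOG = [
    '2025-11-10T08:01:02Z rcpt=<redacted> reply="250 2.0.0 OK"',
    '2025-11-10T08:14:40Z rcpt=<redacted> reply="250 2.0.0 OK"',
    '2025-11-10T09:02:11Z rcpt=<redacted> reply="250 2.0.0 OK"',
    '2025-11-10T09:05:40Z rcpt=<redacted> reply="421 4.7.26 (constructed text)"',
    '2025-11-10T09:20:00Z rcpt=<redacted> reply="250 2.0.0 OK"',
    '2025-11-10T09:41:09Z rcpt=<redacted> reply="250 2.0.0 OK"',
    '2025-11-10T10:03:00Z rcpt=<redacted> reply="421-4.7.26 (constructed text)"',
    '2025-11-10T10:07:30Z rcpt=<redacted> reply="421 4.7.26 (constructed text)"',
    '2025-11-10T10:30:12Z rcpt=<redacted> reply="550 5.7.26 (constructed text)"',
    '2025-11-10T10:45:00Z rcpt=<redacted> reply="250 2.0.0 OK"',
]

if __name__ == "__main__":
    for warning in escalation_warnings(SAMPLE_LOG):
        print(warning)
```

In the sample, the deferral share doubles from the 09:00 hour to the 10:00 hour and the first 5.7.26 rejection appears alongside it, which is the pattern the paragraph above describes.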
Keep transactional mail off the same fate as marketing
The senders hurt worst by the change are usually the ones running transactional and marketing mail through the same domain and the same reputation. When a campaign drives complaints or trips authentication, the rejection does not politely confine itself to the campaign; it lands on the shared sending identity, and the password resets and receipts riding on it begin to bounce too. The fix is separation: send transactional mail from a distinct subdomain with its own authentication and its own clean reputation, insulated from whatever the marketing stream is doing. It is the single structural change that most reduces the blast radius of a compliance slip, and the November enforcement makes that case much harder to defer.
Why “we published a DMARC record” is not the finish line
A large share of the senders newly exposed in November did publish a DMARC record back in 2024 — at p=none — ticked the box and moved on. The requirement is technically met, which is exactly why it is a trap. A policy of none asks receivers to take no action on mail that fails the check, so it protects nothing against a spoofer using your domain. Postmaster Tools v2 will register the record; your customers’ security will not benefit from it. The honest position is that p=none is a monitoring stage, not a destination. The path forward is to read the aggregate reports long enough to see every legitimate source of your mail, fix the ones failing alignment, and then move the policy to quarantine and on to reject. Senders who never make that move are both unprotected and, as providers grow more skeptical of indefinite monitoring, increasingly conspicuous.
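The difference between a record that is present and mail that is aligned, as an added example that is not part of the original article: it parses a DMARC record, tests SPF and DKIM alignment against the visible From domain, and reports what the policy asks a receiver to do with a failure. The domains and records are constructed, and the organizational-domain helper is a simplifying assumption (last two labels) in place of the Public Suffix List that receivers use.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    # Assumption for this example: the organizational domain is the last two
    # labels. Receivers use the Public Suffix List, which this does not model.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """True when an authenticated domain aligns with the visible From domain."""
    if not auth_domain:
        return False
    if mode == "s":  # strict: exact match only
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed

def evaluate(record, from_domain, spf_domain=None, dkim_domain=None):
    """spf_domain / dkim_domain: domains that already PASSED SPF / DKIM, or None."""
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    notes = []
    if tags["p"].lower() == "none":
        notes.append("p=none: receivers are asked to take no action on failures")
    if "rua" not in tags:
        notes.append("no rua: no aggregate reports to find unaligned sources")
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "requested_action": None if passed else tags["p"].lower(),
        "notes": notes,
    }

# Constructed inputs: a shop sending through a third-party platform.
RECORD_2024 = "v=DMARC1; p=none"
RECORD_TARGET = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@shop.example; adkim=s"

if __name__ == "__main__":
    # SPF and DKIM both pass, but for the platform's domains, not the From domain.
    print(evaluate(RECORD_2024, "shop.example", "bounce.esp.example", "esp.example"))
    # The same mail once DKIM signs with the From domain itself.
    print(evaluate(RECORD_TARGET, "shop.example", "bounce.esp.example", "shop.example"))
    # Strict adkim: a signature from a subdomain no longer aligns.
    print(evaluate(RECORD_TARGET, "shop.example", None, "mail.shop.example"))
```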
If you run your own MTA
For senders operating their own PowerMTA or KumoMTA infrastructure rather than an ESP, the November change lands squarely in the part of the stack you control — which is both the risk and the advantage. Authentication and alignment are configured at the MTA and in DNS, not bought from a platform, so a misaligned DKIM signing domain or an SPF record that no longer covers your sending IPs is yours to find and fix. The deferral codes matter operationally too: a 4.7.x rate-limit is Gmail asking your MTA to back off, and an MTA that ignores it by hammering the same queue earns the harder treatment faster. Sensible traffic shaping — per-provider rates, measured retry intervals, and a genuine backoff posture when a receiver signals one — is now part of staying compliant, not only of sending quickly. This is the layer we work in, and it is where a self-hosted sender has the most direct control over the result.
Where compliant-looking senders still trip
Most of the rejections we are asked to explain come from senders who believe they are compliant, and the cause is usually one of a few ordinary gaps.
- A new marketing or sales tool began sending as the domain without being added to SPF or signed with DKIM.
- A DKIM key was rotated and one stream kept signing with the retired selector, or stopped signing entirely.
- A forwarder or mailing-list service broke the DKIM signature in transit, so authentication that passed at origin failed on arrival.
- A DNS cleanup altered the SPF record and quietly pushed it past the ten-lookup limit, failing it.
- A subdomain started sending without its own authentication, leaning on a parent record that does not cover it.
None of these announces itself until the bounces start, which is why “we set this up in 2024” is worth re-verifying against what is actually leaving your systems today.
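The SPF lookup-limit gap from the list above can be checked before a DNS change ships. This is an added example, not part of the original article: it walks include and redirect chains and counts the terms that RFC 7208 charges against the limit of ten. The zone dictionaries stand in for DNS and every domain in them is constructed.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4
MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS lookup
TERM_RE = re.compile(
    r"^[+\-~?]?(?P<name>[a-z][a-z0-9]*)(?:(?P<sep>[:=])(?P<arg>[^/\s]+))?", re.I
)

def count_lookups(domain, zone, path=()):
    """Count DNS-querying SPF terms for `domain`, following include/redirect.

    `zone` maps a domain to its SPF TXT record (a stand-in for DNS).
    Not modelled: macros, the separate per-mx/ptr limits, and void lookups.
    """
    if domain in path:
        raise ValueError("SPF loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            continue
        name, sep, arg = m["name"].lower(), m["sep"], m["arg"]
        is_redirect = name == "redirect" and sep == "="
        is_mechanism = name in MECHANISMS and sep != "="
        if not (is_redirect or is_mechanism):
            continue  # ip4, ip6, all, exp= and unknown modifiers cost nothing
        total += 1
        if arg and (is_redirect or name == "include"):
            total += count_lookups(arg.lower(), zone, path + (domain,))
    return total

def spf_status(domain, zone):
    """Return (lookup_count, verdict) for the domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, ("ok" if n <= LIMIT else "permerror: too many DNS lookups")

# Constructed zone: the record as it stood before a DNS cleanup.
ZONE_BEFORE = {
    "shop.example": "v=spf1 mx include:_spf.mailer.example include:_spf.crm.example ~all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example ip4:192.0.2.0/24 ~all",
    "_a.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailer.example": "v=spf1 a mx ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example include:_c.crm.example ~all",
    "_c.crm.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}
# Constructed zone: the cleanup adds one more vendor include.
ZONE_AFTER = dict(ZONE_BEFORE, **{
    "shop.example": ZONE_BEFORE["shop.example"].replace(
        "~all", "include:_spf.helpdesk.example ~all"),
    "_spf.helpdesk.example": "v=spf1 include:_d.helpdesk.example a ~all",
    "_d.helpdesk.example": "v=spf1 ip4:192.0.2.128/25 ~all",
})

if __name__ == "__main__":
    print(spf_status("shop.example", ZONE_BEFORE))
    print(spf_status("shop.example", ZONE_AFTER))
```

The top-level record gains a single include, but the nested lookups behind it take the total from nine to twelve, which is why the failure is easy to miss when only the visible record is reviewed.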
After a rejection: what recovery looks like
Fixing the compliance gap stops the new rejections quickly — once authentication and alignment are corrected, the deferrals and 5.7.x bounces ease within a sending cycle or two. Reputation is slower. A stretch of rejected, deferred or complained-about mail leaves a mark on how Gmail weighs your domain, and that mark outlasts the fix; the gate reopens before the inbox does. The way back is the discipline of a cold start rather than a switch you flip: drop volume, send first to the recipients most likely to open and reply, and rebuild the signal of wanted mail over days and weeks. Resuming full volume the morning after the records are corrected is how a sender who just recovered earns a fresh round of trouble. It helps to hold the two clocks separately — compliance, which you can fix this afternoon, and reputation, which you earn back over weeks — because conflating them is what turns a solved problem into a recurring one. Watch the Compliance Status in Postmaster Tools v2 through the recovery, not just the day you flip the fix on. And keep a close eye on the bounce rate as volume climbs back, because a second spike of deferrals during the ramp is the signal to slow down again rather than push through it.
What it means for cold outreach
Teams running cold or one-to-one outreach often assume the bulk rules are someone else’s problem, and the November change is an expensive way to learn otherwise. The five-thousand-a-day threshold counts all mail to a provider’s consumer inboxes, so an outreach program at any real scale crosses it sooner than its operators expect, and once across it is subject to the same gate as a marketing list. Authentication and alignment are not optional for outreach; an unsigned, unaligned cold campaign is now refused rather than quietly filtered, which at least fails loudly enough to notice. The honest framing is that a cold program large enough to matter is a bulk program for the purpose of these rules, whether or not it thinks of itself that way, and the cost of pretending otherwise rose sharply in November.
Gmail is not the only gate
Because the providers enforce on their own data and their own arithmetic, passing Gmail does not mean passing the others. Yahoo measures the spam-complaint rate against inbox-delivered mail only rather than all delivered mail, so the same complaints produce a higher rate there, and a sender comfortable at Gmail can breach Yahoo’s line with identical behaviour. Microsoft, enforcing since May 2025, leans harder on ARC, which preserves authentication results as mail passes through forwarders; a relay that breaks the DKIM signature without ARC in place reads to Microsoft as a failure even when the origin was correct. The practical implication is that each provider has to be watched on its own terms, and a clean authentication chain has to hold end to end, not just at the point of sending.
The one-click unsubscribe detail people miss
The unsubscribe requirement is more specific than “include a link.” Under RFC 8058 a bulk marketing message needs two headers working together, so the mailbox provider can unsubscribe the recipient with a single action and no round trip, and the request has to be honoured within about two days — a manual or weekly batch process no longer qualifies. The detail that trips people is the boundary: these headers belong on marketing and promotional mail and deliberately not on transactional messages, because a customer who accidentally one-click unsubscribes from a receipt or a security alert has opted out of mail they need. Getting the header onto the right streams, and off the wrong ones, is part of what compliance now means.
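A pre-send check for that boundary, as an added example that is not part of the original article. The two headers RFC 8058 pairs are List-Unsubscribe (carrying an HTTPS URI) and List-Unsubscribe-Post with the value List-Unsubscribe=One-Click, and the RFC also requires a DKIM signature covering both; the "marketing" and "transactional" stream labels and the sample messages are constructed for the example.

```python
import re
from email import message_from_string

ONE_CLICK = "list-unsubscribe=one-click"

def dkim_signed_headers(msg):
    """Lower-cased header names from the h= tag of every DKIM-Signature."""
    signed = set()
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig)
        if m:
            signed |= {h.strip().lower() for h in m.group(1).split(":")}
    return signed

def one_click_findings(raw_message, stream):
    """List problems with the RFC 8058 headers for one message.

    `stream` is this example's own label: "marketing" or "transactional".
    """
    msg = message_from_string(raw_message)
    unsub = msg.get("List-Unsubscribe", "")
    post = msg.get("List-Unsubscribe-Post", "")
    if stream == "transactional":
        # The boundary from the text: no one should opt out of a receipt.
        return ["one-click headers on transactional mail"] if (unsub or post) else []
    findings = []
    if not re.search(r"<https://[^>\s]+>", unsub, re.I):
        findings.append("List-Unsubscribe has no HTTPS URI")
    if post.strip().lower() != ONE_CLICK:
        findings.append("List-Unsubscribe-Post is not List-Unsubscribe=One-Click")
    signed = dkim_signed_headers(msg)
    for name in ("list-unsubscribe", "list-unsubscribe-post"):
        if name not in signed:
            findings.append(f"{name} not covered by a DKIM signature")
    return findings

# Constructed messages; signature values are placeholders, not real signatures.
MARKETING_OK = (
    "From: News <news@mail.shop.example>\n"
    "Subject: November offers\n"
    "List-Unsubscribe: <https://mail.shop.example/u/TOKEN>, <mailto:unsub@mail.shop.example>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=mail.shop.example; s=s1;\n"
    " h=from:subject:list-unsubscribe:list-unsubscribe-post; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "\nBody\n"
)
MARKETING_LEGACY = (
    "From: News <news@mail.shop.example>\n"
    "Subject: November offers\n"
    "List-Unsubscribe: <mailto:unsub@mail.shop.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=mail.shop.example; s=s1;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "\nBody\n"
)
RECEIPT = MARKETING_OK.replace("November offers", "Your receipt")

if __name__ == "__main__":
    print(one_click_findings(MARKETING_OK, "marketing"))
    print(one_click_findings(MARKETING_LEGACY, "marketing"))
    print(one_click_findings(RECEIPT, "transactional"))
```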
The bigger picture
Gmail is not acting alone, which is what makes November 2025 a milestone rather than a single provider’s policy. Yahoo enforced the same requirements from February 2024, and Microsoft began enforcing its own from May 2025, so a domain with weak authentication is now exposed across the providers that carry most consumer and business mail at once. A misconfigured DMARC record is no longer one inbox’s problem; it is a gap that several major providers will independently penalise. The convergence is the point: the industry has settled on a shared baseline, and the cost of ignoring it compounds with every provider that adopts it.
Our reading is unromantic. Compliance is now table stakes, not a competitive advantage — meeting it earns you the right to be considered, not a guaranteed inbox. The senders who will do well from here are the ones who treat authentication and hygiene as settled infrastructure and then spend their effort where placement is actually decided, on the reputation and engagement that live above the gate. If you are not certain which side of the gate you are on, the fastest way to find out is to look: read your Gmail bounce codes, check your Compliance Status, and confirm your alignment. If you would rather have it checked properly, our free 25-point audit does exactly that across your whole setup.
Sources: Google Workspace Email sender guidelines FAQ (updated 3 November 2025); Spam Resource; Valimail; PowerDMARC; GMass; industry reporting, November 2025. Error codes per Google’s published guidance.