PowerMTA Experts

Deliverability service

Compliant with the rules that now decide whether your mail arrives.

Bulk sender compliance means meeting the requirements Gmail, Yahoo and Microsoft place on any domain sending 5,000 or more messages a day to their users: SPF, DKIM and DMARC with alignment, a low spam complaint rate, one-click unsubscribe, valid reverse DNS and TLS. Miss them and mail is bounced, not filed to spam.

Bulk sender compliance means meeting the requirements Gmail, Yahoo and Microsoft place on any domain sending 5,000 or more messages a day to their consumer inboxes — a count made per provider, not in total. The mandates are: authenticate with SPF, DKIM and DMARC aligned to the visible From domain; add a one-click unsubscribe (RFC 8058) to marketing mail; keep the spam complaint rate under 0.30% (Gmail targets 0.10%); and publish valid reverse DNS and TLS. Gmail and Yahoo have enforced since February 2024 and Microsoft since 5 May 2025, with Gmail moving to permanent rejections in November 2025. Mail that fails is bounced at the SMTP level with a specific code — Gmail 550 5.7.26, Yahoo 550 5.7.9, Microsoft 550 5.7.515 — not quietly filed to spam, so a missed requirement stops invoices and receipts, not just marketing.

In short

  • The 5,000-a-day threshold is counted per provider and subdomains roll up to the parent, so a sender splitting volume across Gmail and Outlook can be a bulk sender at each without feeling like one, and the classification does not expire if volume later drops.
  • Having SPF, DKIM and DMARC is not compliance: the records only count when SPF or DKIM aligns with the visible From domain, so all three can be present and DMARC still fail.
  • The providers diverge in the arithmetic — Yahoo measures the complaint rate against inbox-delivered mail only, so identical sending can pass at Gmail and breach at Yahoo — which is why each is monitored separately.
  • One-click unsubscribe (RFC 8058) is required on marketing mail and a mistake on transactional mail, where it would let a recipient opt out of the password resets and receipts they need.
  • Failure is a bounce, not a spam folder: mail is refused at the SMTP level with a code (Gmail 550 5.7.26, Yahoo 550 5.7.9, Microsoft 550 5.7.515), and since November 2025 Gmail rejects non-compliant bulk mail permanently rather than deferring it.

For most of email’s history these were best practices — advisable, widely ignored, rarely punished. That ended between 2024 and 2026. Gmail and Yahoo turned the requirements on together in February 2024, Microsoft enforced its own from 5 May 2025, and in November 2025 Gmail escalated from temporary deferrals to permanent rejections. The grace period is over at all three. A domain that crosses the bulk threshold and misses a requirement no longer suffers a soft penalty; its mail is refused at the door with a code that names the failure.

The requirements themselves are not complicated, and they overlap heavily across the three providers. What makes compliance harder than it looks is that the overlap is incomplete: the thresholds are calculated differently, the enforcement dates and codes differ, and a setup that satisfies one provider can fail another with no change in your sending. This page lays the three side by side, then covers what each mandate means and the places the differences bite.

What does each provider require, side by side?

The table is the reference the rest of this column points back to. The principles rhyme across Gmail, Yahoo and Microsoft; the specifics, which are what get senders bounced, do not.

| Requirement | Gmail | Yahoo / AOL | Microsoft |
| Bulk threshold | 5,000/day to gmail.com & googlemail.com | 5,000/day to Yahoo-hosted inboxes | 5,000/day to Outlook, Hotmail, Live |
| Authentication | SPF, DKIM and DMARC, with alignment | SPF, DKIM and DMARC, with alignment | SPF, DKIM and DMARC, p=none alignment minimum |
| Spam complaint line | Below 0.10% target, 0.30% hard limit | Below 0.30%, measured on inbox-delivered only | No public per-domain figure; IP reputation |
| One-click unsubscribe | RFC 8058, honoured within ~2 days | RFC 8058 required | Functional unsubscribe expected |
| Also required | Valid PTR (reverse DNS) and TLS | Valid PTR and TLS | PTR, TLS, and clean ARC on forwarded mail |
| Enforced since | Feb 2024; permanent rejections Nov 2025 | Feb 2024 | 5 May 2025 |
| Rejection code | 550 5.7.26 / 550 5.7.350 | 550 5.7.9 | 550 5.7.515 |
| Where to watch | Postmaster Tools v2 | Complaint Feedback Loop | Smart Network Data Services (SNDS) |

Requirements as published by Google, Yahoo and Microsoft and confirmed against current provider guidance. Microsoft publishes no per-domain complaint threshold and judges reputation at the IP level.

The four mandates that gate a bulk sender, all required at once
[Figure: trigger and mandates]
Trigger: 5,000 / day, counted per provider
  1 · Authentication: SPF + DKIM + DMARC, aligned
  2 · One-click unsub: RFC 8058, marketing only
  3 · Complaint rate: under 0.30% (0.10% target)
  4 · PTR + TLS: valid reverse DNS, TLS
All four hold = inbox eligible: delivered, not bounced.
Three of four is not partial credit: a missed mandate is a bounce at the SMTP level, not a spam-folder slip. Codes: Gmail 550 5.7.26 · Yahoo 550 5.7.9 · Microsoft 550 5.7.515. Each provider enforces independently.

The four mandates are not a menu to pick from — they gate delivery together, and meeting three of them still bounces the mail. The trigger above them, 5,000 messages a day counted per provider, is what turns a recommendation into a rule, and once a domain crosses it at any one of the three, that provider enforces all four independently. The arithmetic differs per provider underneath this diagram, which is why a setup that clears Gmail can still bounce at Yahoo on the same send, with no change to the mail you sent.

What counts as a bulk sender?

The threshold is 5,000 messages a day to consumer inboxes, and three details about it trip up senders who skim the rule. It is counted per provider, not across your whole program, so a sender doing 4,000 a day to Gmail and 4,000 to Outlook sits under each line while feeling busy. Subdomains roll up to the parent domain for the count, so splitting volume across mail.example.com and news.example.com does not divide your total. And once a domain is classified as a bulk sender, the label does not lapse if volume later falls. Below the threshold the hard enforcement does not apply, but the filtering algorithms favour authenticated mail for every sender, so the work is worth doing whatever your volume.

Checking the four mandates the way a provider does
compliance check — DNS & headers, read-only
# Mandate 1: is DMARC published and moving past p=none?
$ dig +short TXT _dmarc.example.com
"v=DMARC1; p=none; rua=mailto:[email protected]"
# present, but p=none — meets the letter, protects nothing

# Mandate 2: is the one-click unsubscribe header on marketing mail?
$ grep -i list-unsubscribe sample-marketing.eml
List-Unsubscribe-Post: List-Unsubscribe=One-Click   # RFC 8058, correct

# Mandate 4: valid PTR on the sending IP?
$ dig +short -x 203.0.113.45
mail.example.com.    # FCrDNS resolves both ways — good

Three quick read-only checks cover three of the four mandates from the outside. Here the one-click unsubscribe header is correctly formed and the reverse DNS resolves cleanly both ways, but the DMARC record sits at p=none — which meets today’s letter while protecting nothing and drawing growing scrutiny from Microsoft and Yahoo. The fourth mandate, the complaint rate, cannot be read from DNS at all; it lives in Postmaster Tools, the Yahoo feedback loop and SNDS, which is why a full check is part query and part dashboard.

Run this compliance check today

Before any work, it is worth knowing where you stand. The following is the quick version of the check we run formally, and a team can walk most of it in an afternoon.

  1. Confirm SPF, DKIM and DMARC all resolve, and that SPF or DKIM aligns with your visible From domain — alignment, not mere presence.
  2. Read your DMARC policy. If it sits at p=none, you meet the letter of the rule while protecting nothing against spoofing.
  3. Send a test marketing message to a Gmail and a Yahoo account and confirm the native one-click unsubscribe button appears.
  4. Confirm that one-click unsubscribe is absent from your transactional mail, so no one opts out of a receipt or a reset.
  5. Verify reverse DNS (PTR) resolves for every sending IP and that connections negotiate TLS.
  6. Open Google Postmaster Tools and Microsoft SNDS and read your spam rate and reputation against each provider.
  7. Account for your subdomains, since their volume rolls up to the parent domain for the threshold.
  8. Scan your bounce logs for any 550 5.7.x codes, which mean a requirement is already failing.

What are the four mandates, in plain terms?

Strip away the provider-specific wording and the requirements reduce to four things, each of which has to be true and stay true.

  1. Authenticate, and align. SPF, DKIM and DMARC all present, valid, and — the part that is missed most — aligned with the visible From domain, alongside valid reverse DNS and TLS on the connection. Authentication that passes on the wrong domain does not count.
  2. Publish DMARC, and mean it. A DMARC record is mandatory. A policy at p=none meets the requirement while protecting nothing, and the providers increasingly expect movement toward quarantine and reject rather than an indefinite stay at monitoring.
  3. Make leaving easy. One-click unsubscribe under RFC 8058 on marketing and promotional mail, honoured within roughly two days, and deliberately absent from transactional messages so a customer cannot accidentally opt out of a receipt or a password reset.
  4. Keep complaints low. A spam complaint rate held under 0.10% as a working target, and never at or above the 0.30% line where enforcement begins. At three complaints per thousand, a provider will act regardless of how clean your authentication is.
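
The alignment point in mandate 1, as an added example that is not part of the original page: it recomputes DMARC identifier alignment (RFC 7489, section 3.1) from a received message's From header and the Authentication-Results header stamped by your own receiver, and shows SPF and DKIM both passing while DMARC still fails. The messages, the authserv-id mx.receiver.example and the small suffix set standing in for the Public Suffix List are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; a real check loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def is_aligned(auth_domain, from_domain, strict):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if strict:
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def passing_identifiers(header_value, authserv_id):
    """(method, domain) for each spf/dkim pass stamped by our own receiver."""
    parts = header_value.split(";")
    first = parts[0].split()
    if not first or first[0].lower() != authserv_id:
        return []  # stamped by another host (possibly forged): do not trust it
    found = []
    for clause in parts[1:]:
        method = re.match(r"\s*(spf|dkim)=pass\b", clause, re.I)
        ident = re.search(r"(?:smtp\.mailfrom|header\.d)=([^\s;]+)", clause, re.I)
        if method and ident:
            domain = ident.group(1).rpartition("@")[2].lower()
            found.append((method.group(1).lower(), domain))
    return found


def dmarc_alignment(raw_message, authserv_id, aspf="r", adkim="r"):
    """Recompute alignment from From and trusted Authentication-Results headers."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = {"from_domain": from_domain, "spf": False, "dkim": False}
    for value in msg.get_all("Authentication-Results", []):
        for method, domain in passing_identifiers(value, authserv_id):
            strict = (aspf if method == "spf" else adkim) == "s"
            if is_aligned(domain, from_domain, strict):
                report[method] = True
    # DMARC passes when at least one passing identifier is aligned.
    report["dmarc_pass"] = report["spf"] or report["dkim"]
    return report


# Constructed sample: ESP defaults, SPF and DKIM both pass on the ESP's own domain.
ESP_DEFAULT = """\
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bounce@esp.example.net;
 dkim=pass header.d=esp.example.net; dmarc=fail header.from=example.com
From: Example News <news@example.com>
Subject: April offers

body
"""
# Constructed sample: the same mail once DKIM signs with a d= under the From domain.
CUSTOM_DKIM = (ESP_DEFAULT.replace("header.d=esp.example.net", "header.d=mail.example.com")
               .replace("dmarc=fail", "dmarc=pass"))

if __name__ == "__main__":
    for name, raw in (("ESP default", ESP_DEFAULT), ("custom DKIM", CUSTOM_DKIM)):
        print(name, dmarc_alignment(raw, "mx.receiver.example"))
```

The custom DKIM message passes under relaxed alignment only; with adkim="s" the subdomain signature no longer aligns with example.com.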

One-click unsubscribe, done correctly

The requirement is more specific than “have an unsubscribe link.” Under RFC 8058 a bulk marketing message needs two headers working together: List-Unsubscribe, carrying the unsubscribe target, and List-Unsubscribe-Post, which tells the mailbox provider it may unsubscribe the user with a single POST request and no further clicks. Gmail and Yahoo render that as a native button beside the sender name, giving recipients an alternative to the Report Spam button — which matters, because a spam report damages reputation in ways an unsubscribe does not. Two rules govern it. The request has to be honoured quickly, within about two days, so someone who unsubscribes on Monday is not mailed again on Wednesday. And the headers belong only on marketing and promotional mail; placing them on transactional messages risks a customer accidentally opting out of the alerts they depend on. We make sure the headers are correct on the streams that need them and absent from the ones that do not.
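
One way to audit the two headers per stream, as an added example that is not part of the original page: it checks that marketing mail carries an HTTPS List-Unsubscribe target, the exact List-Unsubscribe-Post value, and a DKIM h= list covering both headers (RFC 8058 asks for a valid signature over them), and that transactional mail carries neither. The stream labels and the sample messages are constructed assumptions, and signature validity itself is not verified here.

```python
import re
from email import message_from_string

ONE_CLICK = "List-Unsubscribe=One-Click"


def signed_headers(msg):
    """Lower-cased header names listed in the h= tag of any DKIM-Signature."""
    names = set()
    for sig in msg.get_all("DKIM-Signature", []):
        h = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig)
        if h:
            names.update(n.strip().lower() for n in h.group(1).split(":"))
    return names


def check_one_click(raw_message, stream):
    """Return a list of problems; an empty list means the stream is set up correctly."""
    msg = message_from_string(raw_message)
    unsub = msg.get("List-Unsubscribe")
    post = msg.get("List-Unsubscribe-Post")
    if stream == "transactional":
        # Receipts and resets must not be unsubscribable in one click.
        if unsub or post:
            return ["one-click headers present on transactional mail"]
        return []
    problems = []
    uris = re.findall(r"<([^>]+)>", unsub or "")
    if not any(u.lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no https:// URI for the POST")
    if (post or "").strip() != ONE_CLICK:
        problems.append("List-Unsubscribe-Post is missing or not exactly " + ONE_CLICK)
    missing = {"list-unsubscribe", "list-unsubscribe-post"} - signed_headers(msg)
    if missing:
        problems.append("DKIM h= does not cover: " + ", ".join(sorted(missing)))
    return problems


# Constructed samples; bh= and b= are placeholders, not real signature data.
GOOD = """\
From: Example News <news@example.com>
List-Unsubscribe: <https://example.com/u/TOKEN>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:subject:list-unsubscribe:list-unsubscribe-post; bh=PLACEHOLDER; b=PLACEHOLDER
Subject: April offers

body
"""
MAILTO_ONLY = """\
From: Example News <news@example.com>
List-Unsubscribe: <mailto:unsub@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
Subject: April offers

body
"""
RECEIPT = """\
From: Example Billing <billing@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
Subject: Your receipt

body
"""

if __name__ == "__main__":
    print(check_one_click(GOOD, "marketing"))
    print(check_one_click(MAILTO_ONLY, "marketing"))
    print(check_one_click(GOOD, "transactional"))
```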

The spam complaint rate, in detail

Of the four mandates, the complaint rate is the one that overrides the others: a provider acts on a high rate regardless of how clean your authentication is. It measures the share of your delivered mail that recipients mark as spam, and the working numbers are a target below 0.10% and a hard line at 0.30% — three complaints per thousand messages. The rate is driven by the things authentication cannot touch: how the list was built, how relevant the mail is, and how recently the recipient agreed to hear from you. A single heavy send to a stale segment can push a healthy domain over the line in a week. Because Google and Yahoo measure it on different denominators and Microsoft judges reputation at the IP level with no public figure, the only safe approach is to watch each provider on its own and treat 0.10% as the ceiling rather than 0.30%.

Where do the providers diverge?

Treating the three as one rulebook is the error that produces the most surprises, because the gaps between them are exactly where compliant-looking mail fails. Three differences matter more than the rest.

Yahoo measures the spam complaint rate against a smaller denominator. Where Google calculates complaints as a share of all delivered mail, Yahoo counts only inbox-delivered mail, excluding anything that already landed in spam. The same complaints produce a higher rate at Yahoo, so a sender sitting safely under the line at Google can breach it at Yahoo with identical behaviour. The two have to be watched on their own dashboards, because one number does not stand in for the other.

Microsoft leans harder on ARC. As mail passes through forwarders and mailing-list managers, the original DKIM signature is often broken, and ARC is the protocol that carries the original authentication result through that break. Microsoft has expanded its use of it, which means your authentication chain has to be clean end to end: a relay that breaks DKIM without ARC in place reads to Microsoft as a failure even when your origin was correct. The forgotten forwarding service is a frequent cause of mail that should pass and does not.

And the enforcement is staggered in time and expression. Gmail moved to permanent rejections in November 2025; Microsoft bounces immediately on its own code; Yahoo enforces on its own complaint data independent of Google’s. A program that went compliant against the February 2024 rules and was never revisited is already behind on the changes that followed.

Cold email and individualized outreach

Senders who run cold or one-to-one outreach often assume the rules are someone else’s problem, and the threshold is lower than they expect. The 5,000-a-day line counts all mail to a provider’s consumer inboxes, so an outreach program at any scale crosses it sooner than its operators think. The one-click unsubscribe mandate targets bulk marketing rather than genuinely individualized mail, but the spam filters read unsubscribe friction and complaint rates as negative signals for any sender, cold or not. The honest position is that authentication is non-negotiable for everyone, and that a cold program large enough to matter is a bulk program for the purpose of these rules whether or not it thinks of itself that way.

Why the big three set the baseline

Gmail, Yahoo and Microsoft are not the only inboxes, but between them they account for the large majority of consumer and business mail, which makes their shared requirements the de facto standard for the whole industry. A program that satisfies all three is in good shape for most of any list. The smaller and regional providers — Apple’s iCloud Mail, national providers across Latin America and Europe — have largely converged on the same authentication expectations rather than inventing their own, so the work done for the big three carries over. The exception worth naming is that business-heavy lists skew toward Microsoft 365, so a B2B sender cannot treat Microsoft as the afterthought a consumer sender sometimes does.

How the rules arrived

The sequence is worth holding in mind, because a setup tuned to one stage is often behind at the next. Google and Yahoo announced the requirements together in October 2023. Enforcement began in February 2024 and ramped through the following months, up to and including message rejection. Microsoft announced its own in April 2025 and began enforcing on 5 May 2025. Then, in November 2025, Google escalated Gmail from temporary deferrals to permanent rejections for non-compliant bulk mail. Each step tightened what came before, so “we handled this in 2024” is rarely the same as “we are compliant now.”

What does non-compliance actually cost?

The penalty is the part senders most often underestimate, because they picture the spam folder rather than a bounce. Non-compliant bulk mail is refused at the SMTP level and returned, each provider with its own code: Gmail’s 550 5.7.26 and 550 5.7.350, Yahoo’s 550 5.7.9, Microsoft’s 550 5.7.515. There is no review, no folder to be rescued from, and since late 2025 no temporary reprieve at Gmail. For a transactional program that means receipts and resets failing; for a marketing one it means a campaign that simply does not land. Reading those codes in your logs is usually how a compliance gap announces itself, after the fact.
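
Reading those codes out of a delivery log, as an added example that is not part of the original page: it counts 5.7.x rejections per provider and flags the codes this page names, and it goes one step beyond the text by also counting 4.7.x deferrals, which are the earlier warning. The key=value log format, the reply texts and the abbreviated provider domain list are constructed assumptions, not any MTA's real format; providers are identified by recipient domain rather than by code.

```python
import re
from collections import Counter

# Rejection codes named on this page.
PAGE_CODES = {"5.7.26", "5.7.350", "5.7.9", "5.7.515"}
# Recipient domains grouped by provider (assumed, abbreviated list).
PROVIDERS = {
    "gmail.com": "Gmail", "googlemail.com": "Gmail",
    "yahoo.com": "Yahoo", "aol.com": "Yahoo",
    "outlook.com": "Microsoft", "hotmail.com": "Microsoft", "live.com": "Microsoft",
}

# Basic SMTP code followed by an x.7.x (security or policy) enhanced status code.
REPLY = re.compile(r"\b([45]\d\d)[ -]([45]\.7\.\d{1,3})\b")
RCPT = re.compile(r"to=<[^@>\s]+@([^>\s]+)>")


def classify(lines):
    """Count policy replies keyed by (provider, kind, enhanced code)."""
    counts = Counter()
    for line in lines:
        reply = REPLY.search(line)
        if not reply:
            continue  # delivered, or a bounce unrelated to policy (e.g. 5.1.1)
        enhanced = reply.group(2)
        rcpt = RCPT.search(line)
        provider = PROVIDERS.get(rcpt.group(1).lower(), "other") if rcpt else "other"
        kind = "rejected" if enhanced.startswith("5") else "deferred"
        counts[(provider, kind, enhanced)] += 1
    return counts


def failing_providers(counts):
    """Providers with a permanent rejection carrying a code named on this page."""
    return sorted({provider for (provider, kind, code) in counts
                   if kind == "rejected" and code in PAGE_CODES})


# Constructed log lines; reply texts are invented for the sample.
SAMPLE_LOG = [
    '2026-01-12T09:14:03Z to=<a@gmail.com> reply="550 5.7.26 unauthenticated (constructed)"',
    '2026-01-12T09:14:04Z to=<b@gmail.com> reply="550 5.7.26 unauthenticated (constructed)"',
    '2026-01-12T09:14:05Z to=<c@gmail.com> reply="421 4.7.0 try again later (constructed)"',
    '2026-01-12T09:14:06Z to=<d@yahoo.com> reply="550 5.7.9 policy (constructed)"',
    '2026-01-12T09:14:07Z to=<e@hotmail.com> reply="550 5.7.515 access denied (constructed)"',
    '2026-01-12T09:14:08Z to=<f@gmail.com> reply="250 2.0.0 OK"',
    '2026-01-12T09:14:09Z to=<g@example.org> reply="550 5.1.1 user unknown"',
]

if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for key, n in sorted(result.items()):
        print(n, *key)
    print("requirement already failing at:", failing_providers(result))
```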

Compliance is a state, not a setup

The most expensive misunderstanding is that compliance is a project with an end. It is a condition you hold, and a long list of ordinary events can break it without notice: a new marketing tool sending as your domain without authentication, a DNS edit that breaks alignment, a complaint rate that drifts up after one tired send to a stale segment, a provider tightening a threshold. None of these triggers a warning. You learn about them through a bounce, by which point the mail is already failing. Holding compliance is the same continuous monitoring and hygiene that holds deliverability in general, which is why the two are really one job.

How does a compliant sender fall out?

Most of the senders we are called in to help were compliant once. Compliance slipped through one of a few ordinary doors.

  • A new marketing or sales tool started sending as the domain without being added to SPF or signed with DKIM.
  • A DNS cleanup removed or altered a record and broke alignment, with no test afterwards to catch it.
  • A complaint rate drifted up over months of mailing a slowly staling list, then crossed the line on one larger send.
  • A DKIM key was rotated and a stream was left signing with the old selector, or unsigned entirely.
  • A provider tightened a threshold or changed a calculation, and a setup that cleared the old bar no longer cleared the new one.

None of these announces itself. Each surfaces as a bounce or a placement drop, which is why the only reliable defence is watching the metrics rather than trusting that a past pass still holds.

How we bring you compliant and keep you there

This page is the capstone of the work the rest of this column describes, because bulk sender compliance is not a separate task — it is the sum of authentication, reputation, list hygiene and infrastructure done well enough to satisfy three providers at once. We approach it in that order. We establish where you stand against each provider’s current rules, close the gaps in priority of how much mail they are costing, and then watch the metrics that decide whether you stay compliant as your sending and the rules both change.

The advantage we bring is that the work lives at the infrastructure level where most of it actually sits. Alignment across your own MTA and your ESP, reverse DNS and TLS on the sending hosts, ARC on the forwarding paths, the throttling and warm-up that keep complaint rates down — these are operations problems, and running PowerMTA and KumoMTA at volume is what we do. We work independently, with no platform to sell you, and in Spanish and Portuguese as readily as in English, which matters for senders whose compliance problem spans markets. The free 25-point audit is the natural first step: it measures your standing against the 2026 requirements, provider by provider, and shows exactly which of the four mandates needs the work.

FAQ

Compliance questions

Do these rules actually apply to us?

If your domain sends 5,000 or more messages a day to consumer inboxes at any one of Gmail, Yahoo or Microsoft, yes. Three details catch people out. The count is per provider, so 4,000 a day to Gmail and another 4,000 to Outlook leaves you under each line while feeling like a high-volume sender. Subdomains roll up to the parent domain for the count. And the classification does not expire if your volume later drops. Even below the threshold the rules are worth meeting, because the filters favour authenticated mail for everyone, bulk or not.

We have SPF, DKIM and DMARC. Are we compliant?

Not necessarily, and this is the most common false sense of security. Authentication only counts when SPF or DKIM aligns with the visible From domain, so all three records can be present and DMARC still fail. Beyond authentication you also need a spam complaint rate under the line, a working one-click unsubscribe on marketing mail, valid reverse DNS and TLS, and you need all of it to hold at each provider independently. Having the records is the start of compliance, not the proof of it.

We pass at Gmail but get flagged at Yahoo with the same sending. How?

Because Yahoo calculates the spam complaint rate differently. Where Google measures complaints against all delivered mail, Yahoo measures them against inbox-delivered mail only, excluding anything that landed in spam. The same number of complaints therefore produces a higher rate at Yahoo, so a sender sitting comfortably under the line at Google can breach it at Yahoo with identical behaviour. The providers look similar on paper and diverge in the arithmetic, which is why we monitor each one separately rather than assuming one dashboard speaks for all.

Does one-click unsubscribe apply to our transactional mail?

No, and adding it there is a mistake. The requirement covers marketing and promotional mail; transactional messages — password resets, receipts, shipping notices, account alerts — are exempt. Putting a one-click unsubscribe header on those risks a customer accidentally opting out of the very notifications they need. The providers separate the two categories by content and recipient behaviour rather than by your label, so the practical work is making sure the header is present on the right streams and absent from the wrong ones.

What actually happens if we fail?

Your mail is bounced, not filtered to spam. A failing message is refused at the SMTP level with a specific code — Gmail returns 550 5.7.26 or 5.7.350, Yahoo 550 5.7.9, Microsoft 550 5.7.515 — and returned to your server. Since November 2025 Gmail moved from temporary deferrals to permanent rejections for non-compliant bulk mail, and Microsoft bounces immediately. The cost is not a quiet dip in placement; it is invoices, receipts and campaigns that never arrive, with a bounce code naming the requirement you missed.

We send through a forwarder or relay. Does that matter?

It matters most for Microsoft, which has expanded its use of ARC — the protocol that preserves authentication results as mail passes through intermediaries. If your mail goes through a forwarding service or mailing-list manager that breaks the DKIM signature, Microsoft sees a failed authentication even when your original setup was correct. The practical requirement is a clean authentication chain end to end, with ARC handling the legitimate breaks. We check the whole path rather than just the origin, since a relay you forgot about is a common reason compliant-looking mail still fails.

Is a DMARC record at p=none enough?

It satisfies the letter of the requirement — you have a DMARC record — and protects nothing against spoofing. The providers have noticed: Microsoft and Yahoo are increasingly skeptical of domains that sit on p=none for years without moving toward enforcement. Compliance today is met at p=none, but the direction of travel is clearly toward quarantine and reject, and a domain that never progresses is both unprotected and increasingly conspicuous. We treat p=none as a starting line rather than a destination.

How do we stay compliant once we are?

Compliance is a state you hold, not a box you tick. A new sending tool, a DNS edit, a complaint rate creeping up after a tired campaign, or a provider tightening a rule can each quietly break it, and you find out through a bounce rather than a warning. Staying compliant is the ongoing monitoring, hygiene and per-provider watching that our managed deliverability service runs. The free 25-point audit establishes where you stand today; keeping you there is the steady-state work.

Start with the audit.

Twenty-five points across authentication, reputation, infrastructure and compliance — a written assessment, no charge and no obligation. It tells both of us exactly what we are working with.