
Understanding the Gmail and Yahoo sender requirements: Takeaways from our fireside chat with Gmail and Yahoo

What is the impact of Gmail and Yahoo’s new requirements on email deliverability? What actions do senders need to take? Why is this happening now? The industry has been buzzing around these requirements for months. We decided to sit down with reps from Google and Yahoo to get some clarity. So now we have a question for you, are you ready to yahoogle? Let’s go.

The inbox requirements for bulk senders announced by Google and Yahoo in October 2023 have shot through the community like panic up a spine. As with any big announcement it can be hard to wade through content and opinion to get to the truth. The truth is these requirements are more established and familiar than you may realize.

To break through the confusion, Sinch Mailgun’s VP of Deliverability, Kate Nowrouzi, sat down with Marcel Becker, Sr. Product Manager for Yahoo, and Anu Yamunan, Director of Product for Anti-Abuse & Safety at Google, to dispel the rumors surrounding the requirements and answer questions about what will change for bulk senders and why enforcement of these requirements is happening now.

What’s changing and why?

Google and Yahoo are both cracking down on enforcing requirements for bulk senders around authentication standards, spam rate thresholds, and one-click unsubscribe policies. We covered the requirements in depth when they were first announced in October 2023, and got some further insights from Yahoo featured in our Email’s Not Dead podcast. If we’ve learned anything from industry changes, it’s that sometimes there is never enough information straight from the source. That’s why we hosted a webinar and put both of these mailbox giants in the same room to set the record straight.

The requirements in a nutshell

Here’s a quick recap. Bulk senders will be held to three primary requirements designed to enforce a healthy and happy inbox experience. These requirements revolve primarily around preventing spammy behaviors by strengthening authentication, creating a uniform unsubscribe process, and managing overall spam rates.

  • Authentication: Bulk senders must implement SPF, DKIM, and DMARC authentication protocols.

  • One-click unsubscribe: One-click unsubscribe headers must be used in accordance with the RFC 8058 standard.

  • Spam rate 0.3%: Senders will need to maintain a spam complaint rate of 0.3% or below.

Your questions answered

Throughout the rest of this post, we’re going to feature some of the most-asked questions around each of these requirements from our recent Fireside Chat with Google and Yahoo, which you can watch on-demand here. To kick it off, we’re going to dive into an easy, albeit existential, question. Why now?

Why are these requirements being enforced now?

Like we said, these requirements may seem familiar and that’s because they’ve been around for a while. The goal is not to disrupt senders, it’s to make the inbox safer for users. Here’s what the experts had to say:

"These are new requirements for bulk senders based on policies and industry standards that have existed for 10+ years. They are designed to help improve the user experience when combating spam and fraud. This is an exciting opportunity for us as an industry to meaningfully upgrade the safety of the email ecosystem. We believe all users should be able to trust the messages that they are reading are from a trusted sender."

Anu Yamunan, Director of Product for Anti-Abuse & Safety at Google

"All of these requirements have been well documented best practices for years. A lot of senders have already implemented them. Authenticating your email traffic should be something that you're already doing if you care about the health of your email traffic as well as your infrastructure. Putting easy unsubscribe options into the header and making sure people can unsubscribe from your emails instead of marking them as spam, that should be a no brainer, that technology has been around. And if you're sending emails people want your spam rates should be well below 0.1%."

Marcel Becker, Senior Director of Product at Yahoo

Aside from why now, the next big question is who will these requirements affect?

Who do these changes impact?

The ultimate goal is to create a better and more secure experience for users. If you take away only one thing from this post it should be this: Users are shared customers between mailbox providers, ESPs and senders. Enforcing these requirements is about building a better email ecosystem that will benefit us all.

The requirements are specific to bulk senders. Much of the confusion surrounding these requirements has revolved around what that means. What send volume makes you a bulk sender?

"There is a very strong reason why we (Yahoo) didn't give a number. What does this number (5,000) mean? If you send a lot of the same emails to a lot of different people, you're a bulk sender. It doesn't really matter if it's 3,000 or 2,000, or 10,000. There's no limit we can share, if you are a bulk sender, you know you are a bulk sender, and you need to follow these guidelines."

Marcel Becker, Senior Director of Product at Yahoo

Google has placed a 5,000 daily send nametag on bulk senders – purely for the sake of documenting a ballpark for reference – but senders shouldn’t think they can skirt around the requirements by sending 4,999 messages. There is no magic number or final straw that breaks the camel’s back. These requirements are more about sending habits than they are about exact math.

What does one-click unsubscribe mean?

Now that we’ve covered who will be impacted, let’s dive into the actual requirements, starting with one-click unsubscribe. One-click unsubscribe has confused a lot of senders who already include unsubscribe links in the body of their emails. But this requirement isn’t about that, it’s about including unsubscribe headers defined by RFC 8058.

RFC 8058 defines the "Unsubscribe" header field for email messages. This header field provides a standardized way for email clients to display an unsubscribe option to users, allowing them to easily opt-out of receiving future emails from the sender directly from the UI of their mailbox. In other words, the "Unsubscribe" header field defined in RFC 8058 offers a standardized mechanism for facilitating unsubscribes in email messages.

"For one-click unsubscribe the RFC you need to follow is RFC 8058. From a sender benefits perspective, letting people opt out of messages can improve your open rates, click through rates, and your sending efficiency."

Anu Yamunan, Director of Product for Anti-Abuse & Safety at Google

According to Anu Yamunan, if you aren't compliant with the one-click unsubscribe requirement yet, you have until June 2024 before Gmail starts rejecting the traffic.

"We're just making sure we can put an easy link in front of our users which allows them to unsubscribe. What you as a sender unsubscribe them from is completely up to you. Just like you control it now with an unsubscribe link in the body."

"If you don't put the unsubscribe header in there people will just mark you as spam and that's worse because it will have a negative impact on your sender reputation. We've seen that senders who put a one-click unsubscribe affordance in their headers get 20-40% less spam votes and that's a noble goal for you as a sender to create a better user experience."

Marcel Becker, Senior Director of Product at Yahoo

What you’ll need

Same for Gmail and Yahoo: A single-click pathway for users to easily unsubscribe from your messages from within the mailbox provider’s UI using list-unsubscribe headers, and internal support to honor unsubscribe requests and remove addresses from relevant email lists within 2 days.

How to get there

Senders will need to put list-unsubscribe post headers into the header of their email as specified by RFC 8058.
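What a compliant header set looks like next to a message that only carries a body link, as an added example (not code from Mailgun, Gmail or Yahoo). It checks the three things RFC 8058 asks for: an HTTPS URI in List-Unsubscribe, the fixed List-Unsubscribe-Post value, and a DKIM signature whose h= tag lists both headers. The domain example.com, the token and the DKIM values are constructed placeholders, and the check reads the h= list only, it does not verify the signature.

```python
import re
from email import message_from_string

ONE_CLICK = "list-unsubscribe=one-click"

def one_click_problems(raw_message: str) -> list[str]:
    """Return the RFC 8058 problems in a raw message's headers ([] means OK)."""
    msg = message_from_string(raw_message)
    problems = []
    # List-Unsubscribe carries comma-separated <URI> entries; one-click needs HTTPS.
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.strip().lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no HTTPS URI")
    # RFC 8058 fixes the List-Unsubscribe-Post value to one key=value pair.
    post = "".join(msg.get("List-Unsubscribe-Post", "").split()).lower()
    if post != ONE_CLICK:
        problems.append("List-Unsubscribe-Post is not List-Unsubscribe=One-Click")
    # The DKIM signature must cover both headers (its h= tag lists signed fields).
    signed = set()
    for sig in msg.get_all("DKIM-Signature", []):
        h_tag = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig)
        if h_tag:
            signed |= {name.strip().lower() for name in h_tag.group(1).split(":")}
    unsigned = {"list-unsubscribe", "list-unsubscribe-post"} - signed
    if unsigned:
        problems.append("not covered by DKIM h=: " + ", ".join(sorted(unsigned)))
    return problems

# Constructed sample messages; every address, token and DKIM value is a placeholder.
COMPLIANT = """\
From: News <news@example.com>
To: user@example.net
Subject: Weekly update
List-Unsubscribe: <mailto:unsub@example.com>, <https://example.com/unsub?t=OPAQUE_TOKEN>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post; bh=PLACEHOLDER; b=PLACEHOLDER

Hello!
"""

BODY_LINK_ONLY = """\
From: News <news@example.com>
To: user@example.net
Subject: Weekly update

Click https://example.com/unsub to unsubscribe.
"""

if __name__ == "__main__":
    for name, raw in (("compliant", COMPLIANT), ("body link only", BODY_LINK_ONLY)):
        print(name, "->", one_click_problems(raw) or "OK")
```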

Why is a 0.3% spam rate threshold being enforced, and what happens if you go over the limit?

First off, a spam rate of 0.3% is generous. By many accounts, keeping your spam complaint rate below 0.1% – 1 email in 1,000 marked as spam – is the mark of a healthy sender.

One of the main goals of these requirements is to make the inbox less spammy. DMARC helps prevent bad actors from stealing and spoofing sender identities, the unsubscribe requirement gives users control to manage the messages they receive with the same ease as it takes to mark a message as spam (saving senders the pain of being marked as spam), and the low spam threshold is a way to identify and react to senders that employ spam tactics.

"Please keep your user in mind. If your users are reporting that a lot of messages coming from you are spam, it is going to impact your future deliverability."

Anu Yamunan, Director of Product for Anti-Abuse & Safety at Google

Remember when we said these requirements weren’t about exact math? Well, that applies to the spam rate requirement also. In our podcast Email’s Not Dead, we sat down with Marcel Becker and he broke down this spam rate requirement a bit more and left us with the mantra, more than a day, less than a year.

Senders who hit a higher spam rate on one campaign won’t automatically be punished for it. Mailbox providers are looking at your average spam complaint rate over an undisclosed period of time, somewhere between a day and a year. If your high spam rate becomes habitual it will impact you, but this requirement isn’t a one and done limit.

What you’ll need

Same for Gmail and Yahoo: The spam complaint threshold is 0.3%.

How to get there

Closely monitor your spam rate, as well as other engagement metrics, using resources like Google Postmaster Tools. Employ deliverability best practices like list management and sunset policies to optimize your email lists, ensuring you’re only sending messages to engaged recipients. Use deliverability tools like Email Verification and Inbox Placement Testing to stay on top of your overall deliverability and improve your inbox placement.

Why enforce a DMARC policy when requirements only dictate setting it to "none"?

You’ve got to start somewhere. With DMARC the requirement is about enforcing adoption…finally. When DMARC first emerged as an authentication standard, mailbox providers crossed their fingers and prayed to the deliverability gods that senders would catch on, but that didn’t happen.

DMARC adoption has been slow and according to Sinch Mailgun’s 2023 State of Email Deliverability report, among those using DMARC for authentication, 40% don’t know what their policy is. According to dmarc.org, most active DMARC policies (68.2% as of 2022) are p=none. If your DMARC policy is "p=none" mailbox providers take that as an indication you are focusing on the "R" in DMARC which stands for reporting, but this isn’t the end goal.

"The end goal is ideally a policy of p=reject. That's what DMARC is for. Ensuring that your domain cannot be spoofed and protecting our mutual customers from abuse."

Marcel Becker, Senior Director of Product at Yahoo

If your DMARC policy is "p=none" it indicates you as a sender are focused on the "R" in DMARC which stands for reporting, so ensure you also have the rua tag (rua=mailto:) configured which defines where mail receivers should send the aggregated reports. Kate Nowrouzi, VP of Deliverability for Sinch Mailgun predicts that p=reject will become the requirement in 2024. Learn more in our post: Email predictions for 2024.

What you’ll need

Gmail: Both SPF and DKIM are required by Gmail. Messages that don’t carry these protocols will be rejected from the inbox or marked as spam. DMARC is also required to prevent Gmail impersonation in FROM headers.

Yahoo: Will require strong authentication and for users to “leverage industry standards such as SPF, DKIM, and DMARC”.

How to get there

If you’re a Mailgun user, we’ve already got you covered on SPF and DKIM. But if you’re not, we’ve outlined the processes for obtaining these authentications in these posts: SPF basics and Understanding DKIM. For DMARC you will need to set at minimum a p=none policy.

Implementing DMARC takes a bit more time, as DMARC allows you to make choices regarding your policy based on your email program. Get started now by checking out our Implementing DMARC article.
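To see where a published DMARC record sits between the p=none minimum and the p=reject end goal, the added example below (not Mailgun's code) parses a record's tags and reports what is still missing, including the rua=mailto: reporting address. The records are constructed for the hypothetical domain example.com; in practice the input is the TXT record at _dmarc.<your domain>.

```python
def parse_dmarc(txt: str) -> dict[str, str]:
    """Split a DMARC TXT record into tag/value pairs, keeping tag order."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: str) -> list[str]:
    """Return findings for one record; [] means enforcing at p=reject with reporting."""
    tags = parse_dmarc(txt)
    # RFC 7489: v=DMARC1 must be the first tag, otherwise receivers ignore the record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["not a DMARC record: v=DMARC1 must come first"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= is missing or invalid")
    elif policy == "none":
        findings.append("p=none: minimum met, receivers take no action on failures")
    elif policy == "quarantine":
        findings.append("p=quarantine: enforcing, but short of the p=reject end goal")
    # With p=none the reports are the whole point, so rua needs a mailto: target.
    targets = [t.strip().lower() for t in tags.get("rua", "").split(",")]
    if not any(t.startswith("mailto:") and "@" in t for t in targets):
        findings.append("no rua=mailto: address, aggregate reports go nowhere")
    return findings

# Constructed records for the hypothetical domain example.com.
SAMPLES = [
    "v=DMARC1; p=none",
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "v=spf1 include:example.com ~all",  # an SPF record published in the wrong place
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", assess_dmarc(record) or "OK")
```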

Keep calm and Yoogle on

These sender requirements aren’t the end of the world. Not even a little bit. Ultimately, mailbox providers like Gmail and Yahoo are hopeful that implementing these requirements will benefit senders as well as users. But it can be complicated to break these requirements down, understand them, and then bring your unique email program into compliance.

If you want to dive deeper, check out the full-length Fireside Chat with Gmail and Yahoo, and visit our Yoogle resources page for more insights and answers.
