Google, Yahoo & Microsoft Sender Requirements

In February 2024, Google and Yahoo began enforcing new requirements for anyone sending email to their users. Microsoft followed with matching rules for Outlook, Hotmail, and Live.com in May 2025, and enforcement has tightened since — Google moved from temporary delays to permanent rejections in late 2025. What started as “the 2024 rules” is now a three-provider, actively-enforced reality: for many organisations it turned DMARC from “good practice” into “required to reach the inbox.”

Do these rules apply to you?

The strict requirements target bulk senders — defined as anyone sending 5,000 or more messages per day to personal inboxes (@gmail.com, Yahoo-hosted domains, @outlook.com/@hotmail.com/@live.com). A few things worth knowing about that threshold:

• Messages from your subdomains roll up to the parent domain for counting.
• Once you cross 5,000/day, the classification tends to stick — providers don’t un-flag you the next quiet day.
• It applies based on where you’re sending, not what you use yourself: emailing 5,000 personal Gmail addresses from your business domain makes you a bulk sender regardless of your own mail provider. Mail between accounts inside the same Google Workspace or Microsoft 365 org doesn’t count.

Even below the threshold, the baseline still matters: Google expects at least SPF or DKIM, and Yahoo expects both — so authentication isn’t optional for anyone, it’s just enforced harder on bulk senders.

What bulk senders must have

The three providers’ requirements converge on the same short list:

• SPF and DKIM — both, properly set up for every service that sends as you.
• DMARC — a published DMARC record. The mandated minimum is p=none (monitoring); the providers don’t yet require enforcement, though reaching p=quarantine/p=reject is where the actual protection is.
• Alignment — your authenticated domain has to align with the domain in the visible From:. Passing SPF or DKIM for some other domain doesn’t satisfy DMARC.
• One-click unsubscribe — marketing and subscribed mail must include a working one-click unsubscribe (the List-Unsubscribe header, RFC 8058), honoured within a couple of days. Transactional mail (password resets, receipts, confirmations) is exempt.
• A low spam-complaint rate — keep complaints below 0.3%, and ideally under 0.1%. Cross those lines and deliverability suffers regardless of your authentication.

What failing looks like

Non-compliant bulk mail no longer just gets a deliverability nudge. Depending on the provider and the violation, messages are temporarily deferred with error codes, routed to spam, or — increasingly — rejected outright. The grace period that existed in early 2024 is gone; the enforcement is real and progressive.

The fix is the same work you’d do anyway

Every requirement here is satisfied by getting your authentication healthy and your DMARC published: SPF and DKIM aligned, a DMARC record in place, one-click unsubscribe on your marketing mail, and complaint rates kept low. None of it is special “bulk-sender” machinery — it’s standard email hygiene, now mandatory.

Start here

• What is DMARC? — the record all three providers now expect
• What is SPF? and What is DKIM? — the authentication they check for alignment
• DMARC Enforcement Guide — getting to a compliant, protected posture safely