security badges and locks depicting email authentication

Get Ready for New Bulk Sender Requirements from Gmail and Yahoo

Two of the biggest mailbox providers on the planet got together to find ways to make the inbox a better place for their users. Now, changes for 2024 could mean a little extra work for some bulk email senders, but they're changes that are worth the effort.

In early October 2023, Gmail and Yahoo announced new requirements for bulk senders looking to deliver mail to those using their services. While the strictest standards mainly impact those who send thousands of emails every day, even those with lower send volumes should consider updating their practices.

The new bulk sender requirements deal with the following areas:

  1. Implementing stronger email authentication practices.
  2. Providing an easy way to unsubscribe in one click.
  3. Monitoring spam complaint rates to keep them under specific thresholds.

Let's take a closer look at what you'll need to do to get delivered to Gmail and Yahoo.

Details of new bulk sender requirements

Starting in February 2024, Gmail and Yahoo say they'll be enforcing these new standards for bulk senders. There is no doubt that Gmail users make up a significant portion of your contact database, and Yahoo Mail has more than 227 million active users. So, if you want to keep reaching these people, it is important to review your current sending practices and make the necessary changes.

While there are some slight differences between Gmail and Yahoo's guidelines, they are mostly very similar. The table below outlines the strictest standards so you'll be compliant with both mailbox providers' requirements.

The requirement The details 
Use all three email authentication methods.Bulk senders must use both SPF and DKIM along with DMARC. The DMARC policy can be set to p=none. The domain in the sender's “From:” header should align with either the SPF domain or the DKIM domain. This is required to pass DMARC. 
Provide one-click unsubscribe functionality It must be easy to unsubscribe from all marketing emails. This requires specific headers and a visible link in the message body. Senders must follow through within two days. The requirement does not apply to purely transactional messages. 
Use ARC headers to authenticate email forwarding Bulk senders who regularly forward emails must implement ARC headers. This identifies the sender as the one forwarding the message. It also checks the previous authentication status before forwarding. 
Keep user-reported spam below thresholds.Senders should consistently keep spam rates below 0.1% (1 for every 1,000 emails). Temporary spikes in the spam complaint rate should not reach or exceed 0.3%. 

To implement some of these changes, or to check to see what your existing authentication methods are, email teams may need to work with the IT department, a DNS hosting provider, or their email service provider (ESP) for answers and assistance.

Why are these changes needed?

Most people prefer hearing from brands via emails. The problem is, the inbox can be an overcrowded and even dangerous place. Gmail and Yahoo want to protect their users from bad actors and shady senders.

Stronger authentication tops the list of new bulk sender requirements because that is how mailbox providers are able to stop email spoofing. This occurs when a malicious sender impersonates a recognizable brand in order to deceive a recipient, gaining access to credentials and/or scamming them out of money. Phishing, which was already a huge problem, saw a 1,265% increase since late 2022. That sharp increase is partly because bad actors are making use of generative AI to do their dirty deeds.

Beyond the dangers of malicious phishing emails, there are legitimate senders who may be overstepping their bounds. If someone is emailing contacts without obtaining consent, making it hard for people to opt out, or simply sending too many annoying emails recipients, Gmail and Yahoo want it to stop.

Making it easy to unsubscribe from marketing emails gives Gmail and Yahoo Mail users more control over who has permission to send them messages. Senders still can (and should) use email preference centers where subscribers can select the type and frequency of messages they want to receive.

The transparency around user reported spam complaints encourages senders to pay closer attention to their list building practices, subscriber engagement, and email list hygiene. People who signed up to hear from you and want your emails won't mark messages as spam.

More about email authentication requirements

green check mark for SPF between envelope and mail server

Email authentication can be somewhat technical, but it's extremely important to the inbox experience. Authentication protocols help mailbox providers like Gmail and Yahoo verify the identity of a sender by connecting the message to a specific sending domain or IP address. Here's a quick overview:

  • Sender Policy Framework (SPF): A list of sources approved to send mail on behalf of a domain. For example, you may need your ESP listed on your SPF record.
  • Domainkeys Identified Mail (DKIM): A pair of keys, one public and one private, which are used to connect a sender to a specific domain through an encrypted digital signature in the email header.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC): A specification that checks for SPF and DKIM alignment while providing a policy on how to handle authentication failures.

Until recently, many senders used some but not all three of these authentication protocols, but that won't be considered acceptable moving forward. Sinch Mailgun's report, The state of email deliverability 2023, found that there are significant gaps in use, or else senders are unclear about authentication.

  • SPF: Not using (12.8%), Unsure (31.8%) 
  • DKIM: Not using (11.1%), Unsure (30.4%) 
  • DMARC: Not using (18.7%), Unsure (38.8%) 

The future of DMARC requirements

The updated best practices on Yahoo's Sender Hub indicate DMARC implementation is only required for bulk senders. But all senders must start using both SPF and DKIM authentication in early 2024.

If you qualify as a bulk sender, passing DMARC is also required. However, Gmail and Yahoo are accepting a DMARC policy of p=none. This policy tells receiving mail servers not to do anything with messages that fail SPF or DKIM. There are also policies of p=reject and p=quarantine.

  • Reject: Means the policy recommends not accepting or blocking messages that fail authentication.
  • Quarantine: Means the policy recommends filtering authentication failures to the spam folder.
  • None: Tells mailbox providers not to take any specific action, and authentication failures may reach the inbox.

Here's where you shouldn't get confused about the DMARC policy. The requirement is not to use p=none. Consider that the minimum accepted policy. A stronger DMARC policy would be to use p=reject or p=quarantine, which is what mailbox providers really want.

In fact, email industry experts say it's very likely that accepting p=none is only a temporary move. First, Gmail and Yahoo want more senders to adopt DMARC. Then, they will probably start requiring senders to enforce policies of reject or quarantine.

Here's the good news...

While the bulk sender requirements are new, the ideas behind them are not. Responsible email senders have been pursuing effective authentication, ensuring they obtain consent from new contacts, and making it easy to opt-out when desired for years.

Even if you do have to make some changes to your email program to comply with Gmail and Yahoo's standards, it will benefit you in the long run.

As email marketers, we want our subscribers to trust the messages that land in their inboxes. We don't want them afraid to open emails from brands. We want subscribers who are anticipating what we send and eager to engage. We don't want people on our lists who don't want to be there. These changes push the email industry in the right direction.

As the Gmail announcement explained to its users, we're all in this together:

Gmail logo on background of code

"These changes are like a tune-up for the email world, and by fixing a few things under the hood, we can keep email running smoothly. But just like a tune-up, this is not a one-time exercise. Keeping email more secure, user friendly and spam-free requires constant collaboration and vigilance from the entire email community."

If achieving better inbox placement is a top priority, you need to check out the complete deliverability suite from Mailgun Optimize. Take advantage of useful features like Email Validation to keep your list clean and Inbox Placement Testing to see reports on where campaigns are likely to land.

As you update and improve your email authentication methods, you can access helpful features to make sure DMARC, DKIM, and SPF are passing. Plus, use a Google Postmaster Tools integration to monitor Gmail spam complaints and more with Reputation Monitoring.


Two of the biggest names in email want senders to make important changes that protect their users and your customers. Gmail and Yahoo are enforcing new requirements in 2024. That includes mandatory email authentication if you want your messages delivered. The Mailgun Optimize email deliverability suite has tools to help you stay on the right side of the inbox.

See What Mailgun Optimize Can Do