In response to the ever-evolving challenges posed by spam, phishing, and email-based fraud, email service giants Google and Yahoo are set to implement significant changes for bulk senders (businesses that send 5,000+ emails a day) from February 1, 2024. 

These requirements will go into effect February 1, 2024, and feature many new mandates which can broadly be grouped into three categories: 

Authenticate your domain. Protect recipients from malicious messages and protect your organization from being impersonated.

Make it easy to stop receiving email. Give recipients an easy way to unsubscribe from your messages.

Don’t spam. Send messages people want to receive and only send them to people who signed up to get messages from you.

The driving force behind these new policies is a collective commitment to make inboxes safer and less spammy. Through their united stance, Google and Yahoo are signaling that email security is no longer a nice to have. And so, for bulk senders who rely on business email communications and can’t afford to have their deliverability severely impacted, the email security standards once deemed best practice will soon become a mandated reality. Those who fail to meet these requirements will see Google and Yahoo limiting sending rates or marking legitimate messages as spam.

Whether you’re a marketer, an IT professional, or a small business owner who sends more than or around 5,000 emails a day to Gmail and/or Yahoo inboxes, this guide will help you understand the requirements, their benefits, and how to prepare for them. 

Google has now extended its original timeline for enforcement from April to June 2024, giving senders more time to action the requirements and avoid their messages being blocked.

Introduction

The requirements cover three core areas. In the table below, we’ll break down each area and its specific requirements (including sub-requirements), starting with the meatiest, most time-consuming requirement – email authentication.

Please note that these requirements will need to be put in place for every sending service and/or platform you send mail from – more on that below. 

Bulk sender requirements

Common scenarios that could lead to failure

Here is an illustrative – not exhaustive – list of common scenarios that may lead to bulk senders failing the new Google and Yahoo requirements.

Help! Where are Google and Yahoo’s requirements configured?

In the table below, we break out which requirements are configured at the email service provider (ESP) level (Hubspot, MailChimp, etc) and/or at the domain level. This will help you figure out where you need to action each requirement. 

It is important to note that if your organization uses multiple ESPs, you will need to configure these items in each platform. The same is true for the use of multiple domains. 

*Though the inclusion of the RUA tag is currently only recommended and not mandated by Yahoo, we strongly agree with their stance. The RUA tag specifies where DMARC aggregate reports should be sent which provide a daily overview of a domain’s email traffic. These reports provide crucial insight into your SPF, DKIM, and DMARC authentication status as well as where your domain is being used, which makes it easy to find mail currently not meeting authentication requirements.

**While a low spam rate is under the control of the sender, the mail originates at the ESP level. If for example, you use Salesforce Marketing Cloud for marketing mail and SendGrid for transactional with Mailgun as a backup, your overall spam complaint rate regardless of the sending platform(s) needs to be below the 0.3% threshold.

As of Jan 3, 2024, Google’s Email Sender Guidelines state that the requirements apply to businesses sending emails to any personal Gmail inbox, so an “account that ends in @gmail.com or @googlemail.com”. They further clarify that “the requirements don’t apply to Google Workspace inbound and intra-domain messages.”

Yahoo’s ruling applies to “all domains and consumer email brands hosted by Yahoo Mail”. 

If you want an easy way to make sure your email-sending domains are ready come February 1, 2024, Red Sift makes it easy. 

In under a minute, our free Investigate tool checks how you stack up against Google and Yahoo’s requirements and provides a visual breakdown of exactly what you need to action. 

What are the requirements?

SMTP (Simple Mail Transfer Protocol) error codes are three-digit codes that are returned by mail servers to indicate the status of an email delivery attempt. These codes help in diagnosing email delivery issues by providing information about why a message was not delivered successfully.

If you’re not yet meeting the new bulk sender requirements, chances are you will have seen error codes and may be wondering what they mean. These error codes signal that your unauthenticated mail has been temporarily rejected and help you identify and remediate domain-related issues.

As of early May 2024, Google has updated its error codes to include the following:

ip-address The sending IP address for this message doesn’t have a PTR record, or the PTR record’s forward DNS entry doesn’t match the sending IP address. To protect users from spam, your email has been temporarily rate limited.

Your email has been rate limited because SPF authentication didn't pass for this message. Gmail requires all bulk email senders to authenticate their email with SPF. Authentication results: SPF domain-name with IP address: ip-address = Did not pass.

Your email has been rate limited because this message wasn’t sent over a TLS connection. Gmail requires all bulk email senders to use TLS/SSL for SMTP connections.

Your email has been rate limited because DKIM authentication didn't pass for this message. Gmail requires all email bulk senders to authenticate their email with DKIM. Authentication results: DKIM = Did not pass.

Your email has been rate limited because the sending domain doesn’t have a DMARC record, or the DMARC record doesn’t specify a DMARC policy. Gmail requires all bulk email senders to add a DMARC record to their sending domain.

Your email has been rate limited because the From: header (RFC5322) in this message isn’t aligned with either the authenticated SPF or DKIM organizational domain.


If you are seeing these messages, we recommend you look into remediating these errors as soon as possible to avoid your mail being blocked when requirements are enforced in June.

Google's new temporary error codes

The best tools for validating that you will pass Google and Yahoo’s new requirements for bulk senders

Most teams today have to use a variety of tools to make sure all sending domains and sending services will pass the new requirements. 

A friendly reminder that it is important to check your configuration for all domains and subdomains you send mail from and all the email services you send through. You can get more details on that here.

Red Sift Investigate is the only free tool on the market that can confirm your domain is authenticated and that you have the proper unsubscribe measures to pass Google and Yahoo’s new requirements. 

What makes Red Sift Investigate different is that through a test email, the tool can examine the readiness of each of your email-sending services. Send a test email from each one of your email-sending services and Red Sift Investigate can evaluate your email-sending and receiving infrastructure, parse the email headers, and evaluate the email message encryption status in real-time. 

By doing so users can understand if their email-sending service and sending domain meet the following criteria: 

A valid DMARC record with at least a policy of p=none

A TLS connection for transmitting email (new requirement as of December 2023)

One-click unsubscribe included in the message

All that is required to get going with Red Sift Investigate is for users to send an email to a test inbox.

Many free tools on the internet like MX Toolbox can look at your DNS records to see if you have a valid SPF and DMARC record. Since DMARC, SPF, and DKIM information is publicly available, these tools start with your domain and see if a valid DMARC record is published in the DNS. However, these tools won’t necessarily confirm you have the proper SPF record and alignment for each of your sending services. This can only be tested through manual sending.

These types of tools are helpful for those organizations that are only uncertain about their DMARC configuration. Since these tools only look at the DNS, they cannot provide information about SPF or DKIM alignment, FCrDNS, TLS connections or one-click unsubscribes.

For those well-versed in email security and the right permissions in an organization, understanding if you are ready for the new requirements may be doable through manual verification. 

This would require sending a test email from every email service to an inbox the individual has access to and examining the header for the corresponding information in the new requirements. For large enterprises, this would quickly become arduous given the sheer number of email-sending services the average company uses.


Spam rates are dependent on historical data and therefore cannot be captured through a real-time or static solution. That being said, Google and Yahoo both have great free tools for making sure that your spam rate never reaches a spam rate of .30% or higher. 

Google Postmaster Tools tracks data on large volumes of emails sent to make sure that your sending domain stays healthy. Postmaster Tools surfaces the spam rate as the percentages of emails marked as spam by users vs emails sent to the inbox for active users. This tool does require domain verification and can only show relevant data based on how long it’s been since you verified your domain. Here’s a trick on verification… if you verify the root-level domain you can also add any subdomain to your Google Postmaster Tools account without having to individually verify each subdomain with a DNS record.

In March 2024, Google released a Compliance Status dashboard within Google Postmaster. This view lets you check your domains against the bulk sender requirements.


With Yahoo’s Complaint Feedback Loop (CFL) mail senders will get forwarded complaints from Yahoo’s users that report messages to be spam. These reports allow organizations to suppress the recipient from future campaigns, and review targeting and frequency to reduce complaints in the future. This program does require that domains be verified with DKIM. 

In May 2024, Yahoo announced a new Sender Hub Dashboard, a place for "email senders to view and manage the Yahoo sender services linked to their brand". It can be accessed here. 

The clear next step for all organizations that rely on large volumes of email is action. Use one of the approaches outlined above and ensure your email-sending domains and services are ready come February 1, 2024. 

If you realize you need to make changes to be compliant, check out Red Sift OnDMARC – our award-winning DMARC tool that makes DMARC, SPF, and DKIM implementation and configuration easy and efficient.

The best tools for validating that you pass the bulk sender requirements

What marketers should know about Google and Yahoo’s requirements for bulk senders

If you’re a marketer aiming to ensure consistent delivery to personal Google and Yahoo inboxes, it’s important you understand the upcoming changes and promptly review your sending practices. In this article, we’ll break down the requirements, explain what they mean, and help you get real-time insight into how your email setup stacks up with our free Google & Yahoo Compliance Checker tool. 

Why are Google and Yahoo making these changes?

Google and Yahoo are introducing new email deliverability standards to enhance the email experience for users and help achieve safer, less spammy inboxes. The aim is to prevent inboxes from being overwhelmed by unwanted, potentially dangerous emails and to ensure that recipients only get the mail they want to read.

If you send newsletters, product update emails, or any promotional mail to over 5,000 Gmail or Yahoo addresses, the new requirements apply to you. 

B2C marketers should pay particular attention as the chances are your email database is predominantly made up of personal addresses, with a significant majority using gmail.com addresses. Gmail has an approximate 30% email client market share (which makes up almost a quarter of the world’s email-using population) so bulk-sending compliance is crucial if you rely on email communication for your operations. 

The bulk sender requirements center around three key pillars:

Make it easy for people to stop receiving your emails: Bulk senders will need to provide a visible unsubscribe link in their marketing/commercial emails and process unsubscription requests within two days. 

Don’t spam: A clear spam threshold of 0.3% will be set to keep unwanted mail out of inboxes.

Authenticate the domains you send mail from: Both Google and Yahoo will require best practice security standards including SPF, DKIM, and DMARC. Confused by the acronyms? We will cover it all below.

If you’d like a tabulated overview of the requirements, go to chapter 2 for the full breakdown.

To start with, let’s break down the more straightforward requirements – unsubscribe links and spam rates – and explain their benefits for marketers. 

One-click unsubscribe is a widely accepted practice in email marketing. It is required by CAN-SPAM, CASL and GDPR so it should come as no surprise that Google and Yahoo are following suit and mandating consent-based email marketing. 

Most email-sending platforms include one-click unsubscribe by default, including Hubspot, Mailchimp, and customer.io. Nevertheless, you should double-check all email-sending platforms you use to make sure you are compliant. 

Google is pioneering an industry first by mandating that reported spam rates must be kept below 0.10% and must never reach 0.30%. Yahoo has aligned with its stance. 

It’s important for marketers to remember that reporting a message as spam is easy for a user to do, which makes it all the more important to ensure your recipients are receiving valuable, engaging content that they have opted in to. You should also regularly clean, segment, and update email lists to help maintain a good sender reputation and see emails landing in the rather than the spam folder. 

Google and Yahoo have great free tools to help bulk senders regularly monitor their email performance – check out Google’s Postmaster Tools and Yahoo’s Complaint Feedback Loop (CFL) program. 

Authenticating your email-sending domains ensures bad actors cannot use them to send mail on your behalf. While we acknowledge that email authentication may seem daunting to a marketer, not implementing these standards has huge implications for both security and deliverability. Plus the expectation isn’t on the marketer to carry out the work – this is where your IT team comes in! More on that later.

In the table below, we’ve provided a quick overview of each requirement and its respective benefits.

We think it’s fair to say that upon seeing these benefits, any experienced email marketer will consider them a critical tool in their arsenal – regardless of whether they are being mandated or not!

For a more in-depth read on email authentication, take a look at our latest article: “Why successful email marketing relies on email authentication”.

The first step is to check whether your email-sending service is compliant with Google and Yahoo’s bulk sending requirements. 

Red Sift makes it easy for you – in under 60 seconds, our free Google & Yahoo Compliance tool, Red Sift Investigate, will determine if your email setup is set up for success.

All you need is to send a test email to a unique address that we provide, and we’ll analyze your setup dynamically and in real time. We’ll also send a copy of the results to your email so you have something to forward to your IT team when you ask for configuration assistance!

It’s possible for marketers to action at least a handful of the Google and Yahoo requirements. You can check your one-click unsubscribe setup in your email-sending platform(s) and keep your eye on spam rates using Google’s Postmaster Tools and Yahoo’s CFL program. TLS is done by about 90% of providers already but if it’s not set up, it has to be actioned by the email service provider (ESP) – like Hubspot or Mailchimp.

For the email authentication requirements, we recommend approaching your IT team for guidance. Check out the next chapter for step-by-step guidance on how to approach and work with your IT team to ensure Google & Yahoo bulk sending success. 

The table below will give you an idea of which requirements are configured at the ESP level and/or at the domain level. 

It is important to note that if your organization uses multiple ESPs, you will need to configure these items in each platform. The same is true for the use of multiple domains - for a handy matrix, check chapter 2 of this guide. 

Adapting to the new bulk-sending environment is going to be an ongoing process. You need to ensure your email content is valuable to your recipients so you avoid being marked as spam, make sure your email marketing is permission-based, and work hand-in-hand with your IT team to make sure any existing or future email sending sources are correctly authenticated. 

Though there have not yet been any formal announcements, it’s possible that the requirements could become stricter in 2024. The next potential step could be that DMARC enforcement is required, which is a significant step up from the current policy that is being mandated. We recommend bookmarking Google and Yahoo’s guidelines, keeping an eye on our blog to help you stay up to date with the latest industry trends and regulations, and making use of our free Google & Yahoo Compliance tool, Red Sift Investigate, to ensure compliance across all of your email-sending services.

How marketers can work with security to meet Google and Yahoo’s requirements

This chapter has been written by a marketer whose been lucky enough to have worked at multiple cybersecurity companies. From these roles, I have learned from some of the best in the business how to effectively partner with your security team on any initiative. 

Given the introduction of Google and Yahoo’s bulk sender requirements, it seemed like the perfect opportunity to share what I’ve learned so your business is ready. 

Step 1: Don’t think of security as the department of “no”

Before I worked in security, I always thought of it as the far away department that told me to stop using the software I liked.

I can confidently confirm that that is not true. 

I can promise that they are busy (security teams everywhere are facing major understaffing challenges), they have a bunch of priorities that are not related to your marketing efforts, and this is just one of the urgent asks they will receive this week. 

But, every security leader I have met is focused on doing what is best for the business. And if you can help your team understand this is a requirement for your business, and not just a nice to have, you will have an ally to help you achieve what you need.

Step 2: Get clear on what your business needs to do

The easiest way to see if you need any help from the security team is to use a tool to examine your current email security configuration and see if you meet the requirements. 

At Red Sift, we are biased towards Red Sift Investigate – the only free tool on the market that can see if your email-sending infrastructure meets the new requirements from Google and Yahoo. 

All you have to do is send a test email from your bulk sending tool (like Hubspot, Mailchimp, or Customer.io) to Red Sift Investigate. From there you will get results that you can share with your security team about what you need to do specific to Google and Yahoo compliance.

Your results will be shown with green check marks for things that are compliant and red x’s for things that will need to be addressed. 

If you are willing to get into the weeds a bit more, there are other tools. Check out chapter 4 for our tooling guide.

Step 3: Get specific in your ask to your security team

With your Red Sift Investigates results in hand, you are in the perfect position to get clear on what you need to do to authenticate your domain. 

If you are confused about the errors you are seeing – or just want to make it super clear for your security team – check out our matrix that gives you more details on why you might be seeing errors. 

From there you are well positioned to put forth an ask to your security team. 

For example, if your Red Sift Investigate results look like this:

And you see in the matrix that this means “A DMARC record is required.” 

You can go to your security team and show them both, and ask how you can work together to make sure you can get the proper record in place. 

📢Don’t forget – you need to test all of your email-sending services. Just because your Hubspot test email passes, doesn’t mean your Mailchimp email will.

Step 4: Tie your ask to business outcomes

Like I mentioned earlier, your security team has a long, long priority list. And this may not be at the top of the list right now. But, it’s important to communicate with your team why now is the time to start taking action. 

Some quick digging can help you build your case. 

How did I use email to drive revenue last year? 

How many of my net new opportunities or new customers had email as a last touch? 

What would the cost of poor deliverability be for my business? 

What percentage of my database would stop hearing from me if I didn’t meet these new requirements? 

If you can put your ask in the context of the business problems to be solved, your security team will have a clear idea of why it’s so critical to meet these requirements quickly.

It’s easy to try to ignore these new requirements from Yahoo and Google, but the repercussions for doing so will be significant. Take the first step today with Red Sift Investigate and reach out to your security team to get the conversation going. 

We are here to help, and you can always talk to a Red Sift expert to help begin your journey to Google and Yahoo bulk sender compliance.  

Microsoft set to join Google and Yahoo in adopting bulk sender standards

In early June 2024, experts from Yahoo, Google, Microsoft, Twilio, and Valimail came together to discuss the evolving email landscape since the introduction of bulk sender requirements in October 2023. The webinar, titled “Insider Insights: Mastering New Email Authentication Standards,” is available here.

Ross Adams, Principal PM Architect at Microsoft, expressed strong support for Google and Yahoo's trailblazing initiative. He stated, "You can expect - at some point in the future - Microsoft to adopt very similar standards.”

Adams further elaborated that Microsoft plans to "start with consumer mail flows and then move on to enterprise mail flows... but both will ultimately be subject to enforcement."

This announcement underscores the collaborative effort of major email providers to enhance global inbox security.

Bookmark this chapter for updates as soon as Microsoft announces its standards and/or a timeline for implementation!

“Providing clean inboxes, protecting customers' brands, and giving users a choice will help us drive better features and allow us to get better rates." 

Ross Adams, Principal PM Architect at Microsoft

Thanks for your request.

I have read and accepted the Terms and Conditions and Privacy Policy and consent to receive Red Sift communications.

Become a partner

Become a Partner

Job Title

Your job title

Read a

Read an

Watch a

OnINBOX

OnDOMAIN

Request a quote for

Red Sift

Talk to an Expert

2024 guide to mastering Google and Yahoo’s bulk email sender requirements

#E11010

In this guide, we help you understand Google and Yahoo's bulk sender requirements, their benefits, and how to prepare for them.