Google, Yahoo and Microsoft Bulk-Sender Rules
Updated June 17, 2026
In February 2024, Google and Yahoo began requiring bulk senders to authenticate with SPF, DKIM, and DMARC, keep spam complaint rates under 0.3 percent, and provide one-click unsubscribe. Microsoft began enforcing the same baseline for high-volume senders to Outlook and Hotmail in 2025. Failing any requirement routes your mail to spam or blocks it outright.
Email authentication used to be a best practice you could get away with skipping. In early 2024 that ended. Google and Yahoo turned the recommendations into hard requirements for bulk senders, and Microsoft followed for its consumer inboxes — the rules now have teeth, and ignoring them sends your mail to spam.
The requirements are not complicated, and a properly built cold email setup already meets most of them. But the thresholds — especially the spam-complaint rate — are strict enough that they shape how you have to run cold outreach. This is what each provider requires and how to stay inside the lines.
What the rules actually require
The three core requirements are shared across providers. First, full authentication: SPF and DKIM on all mail, plus a DMARC policy published for the domain. Second, a spam complaint rate kept reliably under 0.3 percent — Google's stated threshold — measured by recipients marking your mail as spam. Third, one-click unsubscribe in bulk messages, so a recipient can opt out with a single action.
Google and Yahoo defined a bulk sender as roughly 5,000 or more messages a day to their respective domains, but the safe assumption is that the bar applies to anyone doing cold outreach at volume. Microsoft extended the same authentication and complaint expectations to high-volume senders into Outlook and Hotmail in 2025.
| Requirement | Yahoo | Microsoft | |
|---|---|---|---|
| SPF + DKIM | Required | Required | Required |
| DMARC policy | Required | Required | Required |
| Spam rate under 0.3% | Required | Required | Enforced |
| One-click unsubscribe | Required | Required | Expected |
Bulk-sender requirements by provider
The spam-complaint threshold is the hard part
Authentication and unsubscribe are one-time setup. The 0.3 percent spam-complaint rate is an ongoing operational constraint, and it is strict: three complaints per thousand delivered messages is the ceiling, and Google advises staying well under it, closer to 0.1 percent. A handful of irritated recipients on a small send can blow past that ratio.
This is why list targeting and relevance matter beyond politeness — they are now compliance. Sending to people with no plausible reason to hear from you generates complaints that breach the threshold and get the domain filtered. Tight targeting, a genuine reason for the outreach, and an easy opt-out keep the complaint rate inside the limit.
What compliance looks like in practice
A compliant cold email operation authenticates every sending domain with SPF, DKIM, and DMARC; includes a working unsubscribe in every message; targets tightly enough to keep complaints rare; and monitors complaint and bounce rates so a problem surfaces before it burns a domain. None of this conflicts with good cold outreach — it is good cold outreach.
Where it gets operationally heavy is at scale: maintaining authentication across many domains, honoring unsubscribes across all of them, and watching complaint rates per domain in real time. BILT handles that compliance layer on managed infrastructure, so authentication, unsubscribe handling, and complaint monitoring stay correct across every sending domain without manual tracking.
Frequently asked
When did the bulk-sender rules take effect?
Google and Yahoo began enforcing them in February 2024, with a phased rollout through that year. Microsoft extended the same authentication and complaint expectations to high-volume senders into Outlook and Hotmail in 2025. The requirements are now in active enforcement across all three.
What is the spam-complaint rate limit?
Google's stated ceiling is 0.3 percent — three complaints per thousand delivered messages — and it advises staying well under that, near 0.1 percent. Yahoo aligns with the same threshold. Breaching it gets your mail filtered, so tight targeting that keeps complaints rare is now a compliance requirement.
Do the rules apply to me if I send under 5,000 a day?
The 5,000-a-day figure defined the formal bulk-sender bar, but the authentication and complaint expectations are applied broadly, and cold outreach at any real volume should meet them. Treat SPF, DKIM, DMARC, low complaints, and easy unsubscribe as mandatory regardless of your daily count.
What is one-click unsubscribe?
It is an opt-out a recipient can complete with a single action, implemented via list-unsubscribe headers so the mail client shows an unsubscribe option at the top of the message. Bulk senders are required to support it and to honor the request promptly — within a couple of days.
The takeaway
Since 2024, Google, Yahoo, and Microsoft require bulk senders to authenticate with SPF, DKIM, and DMARC, keep spam complaints under 0.3 percent, and offer one-click unsubscribe. Authentication and unsubscribe are setup; the complaint threshold is an ongoing constraint that makes tight targeting a compliance requirement, not just good manners. Meet all three and the rules stop being a problem.