What are Gmail’s bulk sender requirements (Feb 2024)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If you send 5,000 or more emails a day to Gmail addresses, the rules changed in February 2024. Google started enforcing a set of requirements that had always been best practice, but were now non-negotiable. Here's what that actually means for your sending setup.
Authentication: SPF, DKIM, and DMARC
You need all three. SPF tells Gmail which servers are allowed to send on your behalf. DKIM cryptographically signs each message so it can't be tampered with in transit. DMARC ties the two together and tells receiving servers what to do when a message fails those checks.
For DMARC specifically, Gmail requires at least a policy of p=none to start. That's the minimum to get through the door. Moving toward p=quarantine or p=reject over time puts you in a much stronger position, and that's where the industry is heading.
One thing people miss: your DKIM signing domain and your visible From address need to be aligned. Sending from hello@yourbrand.com but signing with a third-party domain your subscribers have never seen? That's a misalignment problem, and Gmail notices.
One-click unsubscribe
Marketing and subscribed messages must support one-click unsubscribe via the List-Unsubscribe header. This is the unsubscribe link Gmail surfaces at the top of the email (not the one buried in your footer). When someone clicks it, they're out. No confirmation page, no extra steps.
And you also need to honor those unsubscribe requests within two days. Not two weeks. Two days.
Complaint rate
Keep your spam complaint rate below 0.10% to stay in good standing. Gmail will start flagging you once you hit 0.10%, and at 0.30% you're in real trouble. You can monitor this through Google Postmaster Tools, which is free and gives you a direct window into how Gmail sees your domain reputation.
The technical side
Beyond authentication, Gmail also requires valid reverse DNS (PTR records) for your sending IP addresses, TLS encryption in transit, properly formatted From headers, and message formatting that follows internet RFC standards. Most senders using a reputable ESP already have TLS covered. Reverse DNS is more commonly missed, especially if you're sending from your own infrastructure.
What happens if you don't comply
Gmail started with warnings and soft filtering when enforcement kicked off. Persistent non-compliance escalates to harder blocks and rejected messages. The rollout was gradual, but the requirements are now fully active.
These rules apply specifically to bulk senders hitting that 5,000-per-day threshold to Gmail addresses. Transactional senders below that threshold have slightly more flexibility, though the same best practices still apply.
Want to check if your authentication is set up correctly? Run your domain through our free SPF checker and DKIM checker to catch any gaps before Gmail does. And if this all feels like a lot to untangle at once, our SOS hotline is free.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.