How can you test for compliance readiness?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Compliance testing is not a one-time checkbox. You verify three things on a recurring basis: authentication, unsubscribe handling, and complaint rates. If any one of these slips, Gmail and Yahoo will quietly start sending you to spam before you notice the drop in revenue.

Authentication: send a test, read the headers

Send a message from your production sending platform to a Gmail address and a Yahoo address you control. Open the message, view the original (Gmail: three-dot menu, Show original), and look at the Authentication-Results header. You want three things:

  • spf=pass with the envelope-from domain you expect
  • dkim=pass signed by the domain in your visible From header
  • dmarc=pass (this only happens if SPF or DKIM aligns with the From domain)

Alignment is the part most senders get wrong. SPF can pass on a sending platform's bounce domain and still fail DMARC because that domain does not match your From. Same with DKIM if the d= tag points at the platform instead of you. See RFC 7489 for the alignment rules in plain spec form, and Google's bulk sender requirements for what Gmail actually enforces.

Our free SPF checker and DMARC parser will run the DNS side for you, but the header check is the only way to confirm what receivers actually see. For background on why this matters at the provider level, see Gmail's position on authentication.

Unsubscribe: test the headers and the click

For any marketing message, you need two unsubscribe headers:

  • List-Unsubscribe: <mailto:unsub@yourdomain.com>, <https://yourdomain.com/u/abc123>
  • List-Unsubscribe-Post: List-Unsubscribe=One-Click

Test both. For the URL, fire a POST request with the body List-Unsubscribe=One-Click (curl works fine) and confirm your system suppresses that address within a few seconds. Then send another message to the same address 24 hours later and confirm it does not deliver. The rule from Gmail and Yahoo is suppression within two days, but suppress immediately if you can. The spec is RFC 8058 for one-click POST, RFC 2369 for the header itself.

The mailto address has to work too. Send a real email to it and confirm it suppresses. Most senders forget this one because nobody emails it, until a provider's auditor does.

Complaint rates: watch the dashboards

Gmail's threshold is 0.3 percent over a rolling window, and you want to stay under 0.1 percent. The only place to see this number is Google Postmaster Tools, set up against your authenticated sending domain. Add the DNS TXT verification and wait a few days for data to populate.

Yahoo, AOL, and the Verizon Media properties feed back through their Complaint Feedback Loop (CFL). Sign up, give them an address, and your ESP should ingest the reports automatically and suppress complainers. If you self-host, you parse the ARF reports yourself.

Microsoft is the awkward one. Outlook.com and Hotmail do not have a public dashboard. You sign up for SNDS for IP reputation data and JMRP for complaint feedback. Both are free, both are clunky, both are mandatory if you send any volume to Outlook addresses. For context on why these thresholds matter, see Gmail's complaint thresholds.

A weekly checklist that takes ten minutes

  1. Send a test to Gmail and Yahoo seed addresses, check Authentication-Results.
  2. Hit your unsubscribe URL with a POST, confirm suppression.
  3. Check Postmaster Tools complaint rate for the past 7 days.
  4. Check SNDS for any red IPs.
  5. Pull a sample of yesterday's bounces and look for 550 5.7.x policy rejections.

If any of those five fail, stop sending bulk mail until you know why.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a compliance audit checklist.

I need to audit my email setup for compliance. Walk me through the specific tests I should run for SPF, DKIM, and DMARC. What tools should I use, and how do I know I'm actually compliant.

Edit the yellow boxes, then send to the AI of your choice.