Between 2024 and 2025, all major email providers have tightened requirements for bulk and large-volume email senders to protect their users from spam, spoofing, and phishing. Google’s Gmail, Yahoo, Apple’s iCloud Email, and now Microsoft (Outlook, Hotmail, and Live) are all following these new regulations.
Providers define “large email sender” (or high-volume sender) based on the number of emails sent per day to their users – even if you exceed the volume one day in a year.
Definition of Large Email Sender
| Provider | Threshold | Key Requirements |
| Google(Gmail) | 5,000+ emails/day to Gmail recipients | DMARC, SPF, DKIM, one-click unsubscribe, low spam rate |
| Yahoo | 5,000+ emails/day to Yahoo Mail users | Same standards as Google (DMARC, DKIM, SPF, unsubscribe) |
| Microsoft (Outlook/Hotmail) | 5,000+ emails/day to Microsoft domains (outlook.com, hotmail.com, etc.) | SPF, DKIM, DMARC, feedback loop registration, security alignment |
| Apple iCloud Mail | Not explicitly specified | DMARC, SPF, DKIM, one-click unsubscribe, valid PTR (reverse DNS) records, compliance with RFC 5321 and RFC 5322 |
Important: These thresholds refer to emails sent per day per domain, not just per IP address.
It’s important to note, however, that even if you’re under the 5,000 emails per day limit, best practices still apply, especially if your business is growing. Requirements like DMARC with a “p=none” policy are accepted, but this doesn’t protect you from impersonation attacks (BEC, phishing, etc.).
Requirements for Sending Emails to Gmail, Yahoo, Microsoft, and Apple iCloud Mail
- SPF, DKIM Authentication
- DMARC Implementation (p=none)
- DMARC Alignment
- Valid rDNS (PTR)
- TLS Encryption
- Spam Complaint Threshold
- One-Click Unsubscribe
- List-Unsubscribe Header & Unsubscribe Processing Timeline
- Valid “From” & “Reply-To” address
- Bounce Handling & List Hygiene
Below is a breakdown of the key requirements and technical expectations every sender should comply with:
| Requirement | Yahoo | Microsoft (Outlook) | Apple (iCloud Mail) | |
| SPF Authentication | Required (All Senders) | Required (All Senders) | Required (Bulk Senders only) | Required (Bulk Senders) |
| DKIM Authentication | Required (All Senders) | Required (All Senders) | Required (Bulk Senders only) | Required (Bulk Senders) |
| DMARC Implementation | Required for Bulk (p=none OK) | Required for Bulk (p=none OK) | Required for Bulk (p=none OK) | Required for Bulk Senders |
| DMARC Alignment | Required for Bulk | Required for Bulk (Relaxed OK) | Required for Bulk (prefer SPF & DKIM aligned) | Not specified |
| Valid Forward and Reverse DNS (PTR) | Required (All Senders) | Required (All Senders) | Not mentioned | Required (Bulk Senders) |
| TLS Encryption | Required (All Senders) | Not mentioned | Not mentioned | Not specified |
| Spam Complaint Rate | Must be < 0.3% (Postmaster Tools) | Must be < 0.3% | Not specified | Not specified |
| One-Click Unsubscribe | Required for Bulk | Required for Bulk | Recommended | Required for Bulk Senders |
| List-Unsubscribe Header | Implied by one-click requirement | Required (mailto: or POST) | Recommended | Not specified |
| Unsubscribe Processing Timeline | Not specified | Must honor within 2 days | Not specified | Immediate |
| Valid “From” / “Reply-To” Addresses | Required | Required | Required for Bulk | Required for Bulk Senders |
| Bounce Handling / List Hygiene | Required | Expected for deliverability | Recommended for Bulk | Required for Bulk Senders |
SPF and DKIM Authentication
SPF and DKIM are no longer optional—they are mandatory.
SPF (Sender Policy Framework) is a DNS TXT record that declares which IP addresses or hostnames are authorized to send emails on behalf of a domain. This is tied to the RFC5321.MailFrom (also known as the envelope sender). SPF validation is done by checking the return-path domain against the connecting IP.
To set up SPF, it is highly advised for you to examine your DMARC aggregate reports, investigate the sending sources used, and adjust your SPF record by adding the necessary include using EasyDMARC’s SPF Generator tool.
DKIM (DomainKeys Identified Mail) is a mechanism to digitally sign emails using asymmetric cryptography. The sender signs the message with a private key, and the recipient verifies the message with the public key published in DNS. DKIM signs headers and parts of the body to ensure the content wasn’t tampered with.
In most third-party sending platforms, like SendGrid, Mailchimp, or SES, the SPF include: mechanism and DKIM public keys are provided during setup. These services handle the private keys on their infrastructure. If you’re using a “dedicated” or “on-prem” server, you can use EasyDMARC’s DKIM generator tool.
SPF and DKIM alone ensure the message is authenticated, but this does not mean the domain used in the From: address is protected. That’s where DMARC and alignment comes in.
DMARC Implementation (p=none)
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that builds on SPF and DKIM to give domain owners control over what happens when authentication or alignment fails. It also provides visibility into your domain’s email traffic through reporting.
Google, Yahoo, Microsoft, and Apple (iCloud) now require senders to publish a DMARC record with at least a p=none policy. This is the monitoring mode of DMARC and represents the first step in a domain’s DMARC journey.
While these providers do not currently require the inclusion of a rua= (Reporting URI for Aggregate reports) tag in the DMARC record, we strongly recommend it, and here’s why:
Why rua= Should Be Mandatory in Practice:
- Without rua=, domain owners receive zero visibility into who is sending on their behalf.
- DMARC reports (sent to the RUA address) help identify:
- Misconfigurations in SPF or DKIM
- Unaligned senders
- Spoofing attempts
- These reports are essential for analyzing alignment, understanding real-world email behavior, and moving toward enforcement (p=quarantine or p=reject) with confidence.
Here’s an example of a DMARC Record:
v=DMARC1;p=reject;rua=mailto:[email protected];ruf=mailto:[email protected];fo=1;At EasyDMARC, we:
- Automatically generate a proper DMARC record with a RUA address
- Collect, normalize, and classify data from thousands of sources
- Help you detect anomalies and legitimate sources
- Provide actionable steps to fix misconfiguration
Without RUA reports, a p=none policy is ineffective. That’s why RUA is not just optional – it’s operationally required if you want to take DMARC seriously.
DMARC Alignment
DMARC doesn’t just require SPF and/or DKIM to pass—it requires domain alignment between the domain in the From: header (RFC5322.From) and the domains used in SPF (RFC5321.MailFrom) and/or DKIM (d= tag in the signature).
Alignment can be:
- Relaxed (default): subdomains are allowed (e.g., mail.example.com can align with example.com)
- Strict: domains must match exactly
At a minimum, either SPF or DKIM must both pass and align with the ‘From’ domain for DMARC to pass.
A key point here is that some providers or sending platforms handle bounce messages using their own return-path, which breaks SPF alignment. In those cases, DKIM alignment becomes critical. That’s why any serious sending service must support DKIM alignment as a baseline.
Valid rDNS (PTR)
Reverse DNS (rDNS) is often overlooked but plays a significant role in server reputation.
The sending IP must have a valid PTR record (reverse DNS). This means that the IP should resolve to a fully qualified domain name, and that domain should resolve back to the same IP address.
This requirement applies mainly to senders using:
- Self-hosted MTAs
- Dedicated servers or IPs
This requirement has already been handled for cloud-based email services (like Gmail, Microsoft 365, etc.). But if you’re managing your own MTA, not having a proper rDNS setup is a red flag for spam filters.
TLS Encryption
TLS (Transport Layer Security) ensures that emails are encrypted during transmission between sending and receiving servers. While authentication protocols like SPF, DKIM, and DMARC verify the sender’s identity, TLS secures the delivery path by preventing interception and tampering.
- Providers like Google, Yahoo, Microsoft, and Apple expect all senders to support TLS encryption during transmission.
- This means your mail server must offer and accept secure TLS connections when sending and receiving email.
- This is different from enforcing TLS, which is where MTA-STS (Mail Transfer Agent – Strict Transport Security) comes in.
MTA-STS allows domain owners to go a step further and enforce that incoming emails are only accepted if sent over a secure TLS connection.
- If TLS cannot be established, the message will be rejected or deferred based on the policy.
- This prevents downgrade attacks and ensures encrypted delivery by default.
To gain visibility into how TLS is working in real-world scenarios, TLS-RPT (TLS Reporting) is used:
- It provides reports on successful and failed TLS negotiations.
- Helps identify misconfigurations, invalid certificates, or gaps in secure delivery.
At EasyDMARC, we:
- Offer a one-click setup for MTA-STS and TLS-RPT.
- Collect and process TLS reports to help you monitor and fix delivery issues.
While providers require TLS to be present, enforcing it with MTA-STS and monitoring it with TLS-RPT is a best practice for organizations that want to strengthen their transport-layer email security.
Spam Complaint Threshold
Mailbox providers are now actively monitoring spam complaint rates. The maximum allowed threshold is 0.3%.
Spam complaints are user-generated. They occur when a recipient manually clicks “Report as spam.” They are not related to technical bounces.
That means if, for example, you send 1,000 emails, you must receive fewer than 3 complaints.
Maintaining a healthy complaint rate involves:
- Sending only to opted-in recipients
- Honoring unsubscribe requests
- Using consistent sender identity and content
You can use the Google Postmaster integration in our EasySender platform to monitor your spam complaint rate and other important parameters.
List-Unsubscribe Header & One-Click Unsubscribe
Mailbox providers like Gmail, Yahoo, and Apple require marketing and bulk senders to support one-click unsubscribe functionality via headers, not just links inside the email body.
This feature enables email clients to display a native “Unsubscribe” button next to the sender in the user interface.
To comply, two headers must be included:
List-Unsubscribe: <mailto:[email protected]>, <https://yourdomain.com/unsubscribe>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
- The List-Unsubscribe header provides one or more unsubscribe methods: a mailto: or HTTPS link.
- The List-Unsubscribe-Post header tells the client (especially Gmail) that the HTTPS endpoint supports one-click HTTP POST unsubscribe.
Google explicitly requires both headers:
- If List-Unsubscribe-Post is missing, Gmail won’t trigger one-click unsubscribe
- The HTTPS link in the List-Unsubscribe header must respond to a POST request without redirects or confirmation pages
Failing to support this properly will increase your complaint rate, and Gmail will treat the sender as non-compliant.
Unsubscribe Processing Timeline
In addition to one-click unsubscribe support, mailbox providers are enforcing unsubscribe processing deadlines.
- Yahoo requires senders to honor unsubscribe requests within two business days
- iCloud expects immediate action
- Gmail is tracking whether senders honor unsubscribe requests in a timely manner, without specifying any timeframe.
The header must be present, and unsubscribes must be automatically and reliably handled. Failing to process requests promptly can lead to compliance violations and increased complaint rates.
Valid “From” and “Reply-To” Address
The From: and Reply-To: headers must use valid, routable, and monitored email addresses.
- They must not bounce
- They should be able to receive replies
- Ideally, they are actively monitored by support or marketing teams
Using invalid or non-existent reply addresses can damage trust and trigger delivery failures or spam filtering.
Bounce Handling and List Hygiene
Proper bounce handling is critical for reputation management.
- Hard bounces (user not found) must result in immediate removal from future sends.
- Soft bounces should be tracked and monitored; repeated soft bounces should lead to temporary suppression.
List hygiene also includes:
- Removing inactive users
- Avoiding purchased or scraped lists
Confirming opt-ins
Sending to outdated or unverified lists increases bounce rates, spam complaints, and reduces engagement—all of which negatively affect inbox placement.
| Checklist Item | Notes |
| SPF Record Configured | Add all authorized IPs to SPF record |
| DKIM Signature Enabled | Enable DKIM for all sending domains |
| DMARC Record Published (p=none) | Start with p=none to monitor without blocking |
| DMARC Domain Alignment Verified | Ensure SPF/DKIM align with “From” domain |
| Valid rDNS (PTR) Record | Set reverse DNS matching HELO/EHLO |
| TLS Encryption Enabled | Use STARTTLS to encrypt emails in transit |
| Spam Complaint Rate Monitored | Stay below 0.3% to avoid delivery issues |
| One-Click Unsubscribe Link Present | Especially for newsletters or promos |
| List-Unsubscribe Header Configured | Include mailto: or URL option in headers |
| Unsubscribe Requests Processed in 24–48h | Avoid delays to prevent user complaints |
| Valid “From” Address | Use branded and monitored address |
| Valid “Reply-To” Address | Ensure it routes to an active inbox |
| Bounce Handling in Place | Automate hard/soft bounce processing |
| Mailing List Hygiene Maintained | Regularly remove inactive/bounced emails |
We’re glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.
You’re already subscribed to EasyDMARC newsletter. Continue learning more about email security with us