The Email Deliverability Guide (Gmail & Yahoo Era)
Authentication, the Gmail and Yahoo bulk-sender rules, list hygiene, and warmup — the fundamentals that decide whether your email reaches the inbox.
Deliverability is the unglamorous foundation of every email program. You can write the best campaign in the world; if it lands in spam, it doesn't exist. This guide covers the fundamentals that actually move the needle in 2026 — and skips the folklore.
Authentication: SPF, DKIM, DMARC
Three DNS-based standards prove you are who you say you are. Mailbox providers treat them as table stakes.
- SPF (Sender Policy Framework): a DNS record listing which servers may send for your domain. Receivers reject mail from servers not on the list.
- DKIM (DomainKeys Identified Mail): a cryptographic signature on each message that proves the content wasn't altered in transit. Use at least a 1024-bit key.
- DMARC: ties SPF and DKIM together, requires alignment with your From: domain, and tells receivers what to do on failure. Start at
p=noneto monitor, then move toquarantineandrejectonce your reports are clean.
Alignment is the part teams miss: the domain in your From: header must match the SPF or DKIM domain for DMARC to pass. Most modern ESPs — including Brew, Resend, and Klaviyo — walk you through publishing these records, and some configure DKIM/SPF/DMARC for you.
The Gmail & Yahoo bulk-sender rules
In February 2024, Google and Yahoo began enforcing requirements that reshaped the baseline. They distinguish between all senders and bulk senders — defined as anyone sending roughly 5,000 or more messages per day to their users.
| Requirement | All senders | Bulk senders (5,000+/day) |
|---|---|---|
| SPF or DKIM | Required | Required (both) |
| DMARC policy (min p=none) | Recommended | Required |
| From: alignment with SPF/DKIM | Recommended | Required |
| One-click unsubscribe (RFC 8058) | — | Required on marketing mail |
| Spam complaint rate | Keep low | Stay under 0.3% (aim < 0.1%) |
| Valid PTR / reverse DNS | Required | Required |
| TLS in transit | Required | Required |
List hygiene and engagement
Providers increasingly infer wanted-ness from engagement. The mechanics of authentication get you to the door; engagement decides whether you reach the inbox or the Promotions tab — or spam.
- Use confirmed opt-in where practical, and never buy lists.
- Sunset unengaged subscribers — people who haven't opened in 90–180 days drag down your reputation.
- Honor unsubscribes within 48 hours, and make the one-click option real, not a maze.
- Segment so your best content goes to your most engaged people first.
Warming up a domain or IP
Reputation is earned gradually. A brand-new sending domain that suddenly blasts 100,000 messages looks exactly like a spammer. Ramp volume over days and weeks, starting with your most engaged subscribers, so providers build a positive history for you. This matters as much when you adopt a new platform as when you start from scratch.
Content and rendering factors
Content rarely lands you in spam on its own anymore, but sloppy email still hurts. Maintain a sensible text-to-image ratio, avoid link shorteners and spam-trigger phrasing, keep your HTML clean, and make sure messages render across clients. Our on-brand design guide covers cross-client rendering in depth; tools like Brew and Resend generate inbox-safe HTML specifically to avoid these issues.
Monitoring
Set up Google Postmaster Tools and Yahoo's equivalent, point your DMARC rua tag at a mailbox or a monitoring service, and watch complaint rate, authentication results, and reputation. Deliverability is a maintained state, not a one-time setup.
Frequently asked questions
- What are the Gmail and Yahoo sender requirements?
- Since February 2024, all senders must authenticate with SPF or DKIM and have valid PTR records and TLS. Bulk senders (5,000+ messages/day) must additionally have SPF, DKIM, and DMARC with From: alignment, support one-click unsubscribe on marketing mail, and keep spam complaint rates under 0.3%.
- What is a good spam complaint rate?
- Stay under 0.3% as a hard ceiling and aim below 0.1%. Rates above 0.3% can lead Gmail to suppress your delivery until you fix the underlying engagement problem.
- Do I need DMARC if I'm a small sender?
- It's strongly recommended for everyone and required for bulk senders. Even small senders benefit because DMARC protects your domain from spoofing and improves trust.
Maya has run lifecycle programs for DTC and SaaS brands for over a decade. She writes DeliverDigest's deliverability and automation coverage.
- GuideEmail Automation: Lifecycle Flows That WorkThe core lifecycle flows, the difference between triggers and schedules, segmentation that earns its keep, and how to measure real lift.
- GuideOn-Brand Email Design (and How AI Changes It)Why brand consistency is the hardest part of scaling email, the realities of cross-client rendering, and where AI generation and code-first templates each shine.
- ReportThe State of AI Email MarketingWhat 'AI email marketing' actually means now, the platforms reshaping the category, and where the value — and the risk — really is.