How to comply with Gmail's new sending rules for bulk email senders?

Michael Ko
Co-founder & CEO, Suped
Published 25 Jul 2025
Updated 24 May 2026

To comply with Gmail's sending rules for bulk email senders, set up SPF and DKIM, publish a DMARC record for every sending domain, make the visible From domain match SPF or DKIM at the organizational domain level, use valid forward and reverse DNS, send over TLS, format messages as RFC 5322, keep Gmail user-reported spam rates below 0.1% and away from 0.3%, add RFC 8058 one-click unsubscribe headers to marketing and promotional mail, and honor unsubscribe requests within 48 hours.
The rule applies when a sender sends close to 5,000 or more messages to personal Gmail or Googlemail accounts in a 24-hour period. Google counts messages across the same primary domain, so mail from example.com and news.example.com counts together. Once Google classifies a domain as a bulk sender, that status does not expire. Google documents the baseline rules in its Google sender guidelines and explains the current enforcement model in the Gmail FAQ.
I treat this as an operational checklist, not a one-time DNS task. The DNS records get you through the authentication gate, but complaint control, unsubscribe handling, traffic separation, and monitoring keep you compliant after the first pass. Suped is useful here because Suped's product pulls DMARC, SPF, DKIM, hosted SPF, hosted DMARC, hosted MTA-STS, blocklist monitoring, and real-time alerts into one workflow instead of leaving the work split across DNS, ESP settings, and spreadsheets.
The compliance checklist
Start by proving the domain can authenticate cleanly, then prove recipients can leave easily. Gmail's rules are strict, but the setup is not mysterious when you break it into discrete checks.
- Threshold: Count all messages to personal Gmail accounts across the same primary domain within 24 hours.
- SPF and DKIM: Authenticate every bulk stream with both methods, including each third-party sender.
- DMARC: Publish at least p=none on the sending domain, then monitor reports before moving policy.
- From domain match: Make the visible From domain share the same organizational domain as SPF or DKIM.
- DNS: Set valid PTR records and matching A or AAAA records for sending IP hostnames.
- Transport and format: Use TLS and ensure headers are valid, unique where required, and RFC 5322 compliant.
- Unsubscribe: Add RFC 8058 one-click headers to marketing and promotional mail, then process within 48 hours.
- Complaints: Aim below 0.1% Gmail spam rate and do not let it reach 0.3%.
Before changing records, I like to run a domain health check so the current SPF, DKIM, DMARC, and DNS state is visible. That baseline prevents two common mistakes: fixing the wrong domain and breaking a sender that was already passing.
Do not stop after one green check. Bulk sender compliance is cumulative. A message can have valid SPF and still fail the visible From domain match. A message can pass DMARC and still miss one-click unsubscribe. Gmail evaluates the whole pattern.
Map every sending source
Inventory is the step that decides whether the project works. List every system that sends mail with your domain in the From header: marketing automation, CRM notifications, account alerts, invoices, password resets, support tools, product mail, recruiting mail, and internal broadcast systems. Then group them by primary domain, subdomain, IP pool, envelope sender, DKIM selector, and message type.
| | | |
|---|---|---|
| Domain | Primary | Group volume |
| SPF | Included | Add sender |
| DKIM | Signed | Enable key |
| DMARC | Present | Monitor |
| PTR | Valid | Fix host |
| TLS | Used | Enforce |
| Unsub | One-click | Add headers |
Compact sender inventory fields for Gmail compliance.
The threshold is domain-based, not campaign-based. A bank sending 3,000 marketing messages and 2,500 product notifications to personal Gmail addresses can cross the bulk sender threshold even though no single campaign hit 5,000. The same logic applies to retail, SaaS, media, education, and nonprofits.

Google Postmaster Tools compliance dashboard with sender requirement checks.
Authentication records that Gmail expects
Gmail requires bulk senders to use SPF, DKIM, and DMARC. The easiest way to reason about this is simple: SPF authorizes the sending infrastructure, DKIM signs the message, and DMARC checks whether SPF or DKIM authenticates with the same domain family that recipients see in the From address.
Minimum DMARC record for monitoring

```text
Host: _dmarc.example.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com
```
A p=none policy satisfies Gmail's minimum DMARC requirement for bulk senders, but it does not protect the domain from abuse by itself. It is the monitoring stage. Use it to discover all legitimate senders, fix authentication failures, then move toward stricter policy when the data is clean.
Start at p=none, but keep moving
Suped's DMARC monitoring helps turn aggregate reports into sender-level evidence. That matters because Gmail compliance depends on knowing which streams fail, which domains authenticate, and which sources need DNS or vendor-side changes.
SPF also has a practical limit: too many DNS lookups break evaluation. If your domain has years of vendors piled into one SPF record, simplify it before enforcement exposes the problem. Suped's hosted SPF and SPF flattening can centralize that sender list and keep the live record within lookup limits without asking every team to edit DNS.
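The lookup limit above can be checked before a record goes live. This is an added example, not code from the original page or from Suped: it counts the terms that RFC 7208 charges against its limit of 10 DNS lookups (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`), following includes recursively. The `ZONE` dictionary and every domain in it are constructed sample data standing in for live DNS answers.

```python
# Constructed sample data: domain -> SPF TXT record (stand-in for DNS).
ZONE = {
    "example.com": "v=spf1 mx include:_spf.esp.example include:crm.example "
                   "include:support.example a:mail.example.com ~all",
    "_spf.esp.example": "v=spf1 include:a.esp.example include:b.esp.example ~all",
    "a.esp.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.esp.example": "v=spf1 ip4:198.51.100.0/24 exists:%{i}.bl.esp.example ~all",
    "crm.example": "v=spf1 a mx include:relay.crm.example ~all",
    "relay.crm.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "support.example": "v=spf1 redirect=_spf.support.example",
    "_spf.support.example": "v=spf1 ip4:203.0.113.0/24 -all",
    # A constructed flattened variant: address ranges only, no nested lookups.
    "flat.example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                        "ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
}

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
COUNTED = {"include", "a", "mx", "ptr", "exists"}


def count_lookups(domain, zone=ZONE, chain=()):
    """Return how many DNS-querying terms evaluating `domain` can trigger."""
    if domain in chain:
        raise ValueError(f"SPF include loop at {domain}")
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")              # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[9:], zone, chain + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()       # "a/24" -> "a"
        if name in COUNTED:
            total += 1
        if name == "include":                   # nested record counts too
            total += count_lookups(target, zone, chain + (domain,))
    return total


def over_limit(domain, zone=ZONE):
    return count_lookups(domain, zone) > LOOKUP_LIMIT
```

With the sample data, `example.com` needs 12 lookups and exceeds the limit, while the flattened record needs none.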

DMARC record detail view showing SPF, DKIM, DMARC, rDNS diagnostics, and DNS records
One-click unsubscribe is header-based
A preference center can still exist, but it cannot replace one-click unsubscribe for marketing and promotional messages. Gmail's requirement is about RFC 8058 List-Unsubscribe headers that let Gmail send an unsubscribe request directly. A body link to a preferences page alone does not meet the Gmail one-click rule.
RFC 8058 one-click unsubscribe headers

```text
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://example.com/u/abc123>
```
The body of the message should still include a clear unsubscribe link. That link can point to a preference center if the one-click header is present and works. If the body link forces a login, hides the unsubscribe option, or requires several steps before a person can opt out, complaints rise and compliance risk rises with them. The practical version is simple: one-click in headers, a visible body unsubscribe, and an optional preferences page for people who want fewer messages instead of none.
Compliant pattern
- Header: Include RFC 8058 one-click headers on promotional mail.
- Body link: Give a visible unsubscribe link that does not require login.
- Preference center: Offer frequency and topic choices after the basic opt-out path.
- Processing: Suppress the address within 48 hours, faster when possible.
Risky pattern
- Header: Rely only on a mailto link or a normal body URL.
- Body link: Send people to a login wall before showing unsubscribe.
- Preference center: Make preference choices the only way out of the list.
- Processing: Wait days or weeks while the person keeps receiving mail.
For a deeper breakdown of the header mechanics, use the one-click unsubscribe rules as a reference when reviewing templates and ESP settings.
Transactional mail still needs discipline
Transactional messages are excluded from Gmail's one-click unsubscribe requirement, but they are not excluded from the technical requirements when the sending domain is a bulk sender. Password resets, receipts, reservation confirmations, and account alerts still need authentication, TLS, valid DNS, and clean formatting. They also inherit reputation damage when the same domain or IP pool is used for unwanted marketing.

Decision flow for Gmail bulk sender compliance by volume and message type.
I prefer separate subdomains for different mail streams, such as receipts, alerts, newsletters, and promotions. Separation does not excuse bad sending, but it makes diagnosis cleaner. When marketing complaints rise, you can slow or suppress that stream without touching password resets.
| | | |
|---|---|---|
| Promotional | Required | Complaints |
| Newsletter | Required | List age |
| Receipt | Excluded | Format |
| Password | Excluded | Urgency |
| Alert | Depends | Mixed content |
How Gmail rules differ by message type.
Keep spam rate below the danger line
Gmail's complaint requirement is not just a compliance checkbox. Google says bulk senders should keep user-reported spam below 0.1% and prevent it from reaching 0.3% or higher. At 0.3%, support and mitigation become much harder, and delivery can degrade even when DNS is perfect.
Gmail spam rate thresholds
Use these bands as operational thresholds, not campaign vanity metrics.
- Healthy: Below 0.1%. Target zone for bulk senders.
- Warning: 0.1% to 0.29%. Investigate list source, cadence, and content.
- Critical: 0.3% or higher. Mitigation eligibility and inbox placement are at risk.
The fastest complaint reduction usually comes from list hygiene and expectation setting, not from changing subject lines. If people do not remember signing up, do not want the frequency, or cannot leave easily, they use the spam button as an exit.
- Permission: Send to people who clearly opted in, and stop using purchased or stale lists.
- Suppression: Remove unsubscribed, bounced, inactive, and complaining recipients quickly.
- Cadence: Increase volume gradually and avoid sudden bursts from domains with little history.
- Separation: Use distinct streams for promotional, notification, and essential product mail.
0.3% is not a target
Treat 0.3% as the line you never want to touch. A sender sitting at 0.25% is already in a fragile state because a single poor campaign can push the domain into the critical band.
Test the message before scaling
After DNS and template changes, send a real message and inspect the result. Do not rely only on DNS lookup output. The final message needs working authentication results, correct headers, a visible unsubscribe path, and no formatting defects that appear only after the ESP builds the campaign.
A practical check is to send the campaign or template to an email tester address and review the headers, authentication results, unsubscribe headers, and content warnings before sending to a large Gmail segment.
The same test should be repeated when you change ESPs, add a new sending subdomain, migrate IP pools, alter DKIM selectors, or modify message assembly logic. Gmail compliance is not set once and forgotten. It follows the actual messages you send.
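The authentication part of that review can be scripted against a received test message. This is an added example, not code from the original page or from Suped: it reads the `Authentication-Results` header and reports whether any passing SPF or DKIM result shares an organizational domain with the visible From address. The sample message is constructed, and `org_domain` is a simplification (last two labels) where a real evaluator would use the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF and DKIM both pass, but only for the ESP's domain.
UNALIGNED = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@esp-mail.example header.s=s1;
 spf=pass (domain of bounce@bounces.esp-mail.example designates 192.0.2.10
 as permitted sender) smtp.mailfrom=bounce@bounces.esp-mail.example;
 dmarc=fail (p=NONE) header.from=example.com
From: Shop <offers@news.example.com>
Subject: test

body
"""
# The same message once DKIM signs with the sender's own domain.
ALIGNED = (UNALIGNED.replace("header.i=@esp-mail.example", "header.i=@example.com")
           .replace("dmarc=fail", "dmarc=pass"))


def org_domain(domain):
    # Assumption for this example: the last two labels. Use the Public
    # Suffix List in production (this is wrong for names like example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def evaluate(raw):
    """Return (method, verdict, domain, aligned) for each SPF/DKIM result."""
    msg = message_from_string(raw)
    from_org = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    header = " ".join(msg.get_all("Authentication-Results", []))
    header = re.sub(r"\([^)]*\)", "", header)       # strip comments
    out = []
    for clause in header.split(";"):
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, verdict = m.groups()
        prop = r"smtp\.mailfrom" if method == "spf" else r"header\.[di]"
        found = re.search(prop + r"=(\S+)", clause)
        dom = found.group(1).rpartition("@")[2] if found else ""
        ok = verdict == "pass" and org_domain(dom) == from_org
        out.append((method, verdict, dom, ok))
    return out


def from_domain_matches(raw):
    return any(ok for *_, ok in evaluate(raw))
```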

Issue steps to fix dialog showing the issue overview, tailored fix steps, and verification action
Google also increased enforcement against non-compliant traffic starting in November 2025. If you need the timeline and enforcement context, the November 2025 update is the useful reference point. The practical takeaway is to fix the sender, not to wait for temporary failures to become permanent failures.
Where Suped fits
For most teams, the hard part is not knowing that SPF, DKIM, and DMARC matter. The hard part is keeping every domain, vendor, mail stream, DNS record, complaint signal, and blocklist (blacklist) signal under control after the initial cleanup. Suped is the strongest practical DMARC platform for that workflow because Suped's product combines monitoring, issue detection, guided fixes, hosted DMARC, hosted SPF, hosted MTA-STS, SPF flattening, blocklist monitoring, and multi-domain management in one place.
Manual workflow
- Inventory: Teams maintain sender lists in spreadsheets that drift quickly.
- Diagnosis: DMARC XML needs manual parsing before issues become visible.
- DNS changes: SPF updates require direct DNS access and careful lookup counting.
- Reputation: Blocklist and blacklist checks happen only after delivery drops.
Suped workflow
- Inventory: Verified and unverified sources are visible by domain.
- Diagnosis: Issues include concrete steps to fix SPF, DKIM, and DMARC failures.
- DNS changes: Hosted SPF and hosted DMARC reduce repeated DNS edits.
- Reputation: Ongoing blocklist monitoring flags blacklist and blocklist problems sooner.
That matters for MSPs and teams with multiple brands because Gmail counts real mail behavior, not internal ownership boundaries. One forgotten sender can create authentication failures across a domain. One campaign can push complaints into a dangerous band. A single shared IP on a blocklist or blacklist can affect streams that never changed.

Suped DMARC dashboard showing email volume, authentication health, and source breakdown
Views from the trenches
Best practices
- Map every sender, subdomain, and mail stream before editing SPF, DKIM, or DMARC.
- Keep one-click unsubscribe separate from preference centers so opt-out stays instant.
- Watch complaint rate daily, because Gmail treats 0.3% as a hard danger line for senders.
Common pitfalls
- Replacing unsubscribe with a login-gated preference center creates friction and complaints.
- Treating transactional and marketing mail the same can hide risk in shared sender pools.
- Publishing DMARC once and never reviewing reports leaves broken senders undiscovered.
Expert tips
- Use RFC 8058 headers for marketing mail, then keep body preference links optional.
- Separate promotional streams when complaint rates, content, or cadence differ materially.
- Move DMARC policy in stages only after legitimate senders authenticate correctly first.
Marketer from Email Geeks says the shortest version of the Gmail update is DMARC, one-click unsubscribe, and complaint control.
2023-10-04 - Email Geeks
Expert from Email Geeks says one-click unsubscribe is specifically about List-Unsubscribe headers, ideally RFC 8058.
2023-10-04 - Email Geeks
The practical path
The direct path to Gmail compliance is to authenticate every sender, publish and monitor DMARC, make opt-out easy for promotional mail, keep complaints low, and test real messages before scaling. I would start with the sender inventory, because every later step depends on knowing which systems are actually sending.
After that, the work becomes repeatable: fix SPF and DKIM, confirm the From domain match, publish DMARC with reporting, add one-click unsubscribe headers, separate risky mail streams, and monitor Gmail complaint signals daily. Suped makes that repeatable work easier to sustain because the same platform shows authentication health, sender sources, DNS issues, hosted SPF options, hosted DMARC staging, blocklist or blacklist signals, and the next steps to fix each issue.
