What Gmail and Yahoo's February 2024 bulk-sender rules changed

On 1 February 2024 Google and Yahoo simultaneously enforced new requirements for any sender exceeding 5,000 messages per day to their respective user bases. The two announcements are still the canonical references — Google's "Email sender guidelines" and Yahoo's "Sender best practices" — and they remain near-identical in substance. The three demands:

1. Authentication. SPF and DKIM are mandatory; DMARC at minimum p=none is mandatory. Non-aligned mail goes to spam or is rejected.
2. One-click unsubscribe. The List-Unsubscribe header (RFC 2369, 1998) was always available; what 2024 added was a one-click requirement — the unsubscribe URL must accept a single POST request and process it without a confirmation step (RFC 8058, 2017). The user clicks once in their mail client and is unsubscribed.
3. Complaint-rate ceiling. Bulk senders must keep their spam-complaint rate under 0.3% at all times. Sustained higher rates trigger automated demotion to spam folder.

Pre-2024, most self-hosted operators ran SPF + DKIM only and skipped DMARC. The argument: DMARC is just a policy on top of the other two, and getting reports back is operationally annoying. That argument is no longer available.

Specifically, the 2024 rule requires DMARC to exist — even at p=none — and to align. "Align" in DMARC means either the SPF From-domain or the DKIM signing domain matches the visible From: header, in either strict or relaxed alignment mode. A common failure: a sender uses marketing@yourcompany.com as the visible From but routes through a third-party CRM that signs DKIM with the CRM's domain — alignment fails, DMARC fails, and Gmail / Yahoo route the message to spam silently.

The fix is the standard DMARC rollout: publish p=none with RUA reporting, watch the daily aggregates for two to four weeks, identify and fix unaligned streams, ramp through p=quarantine, settle on p=reject. There is no shortcut.

The technical bar is two headers, both per RFC 8058:

The mail client (Gmail, Yahoo, Apple Mail) renders this as a one-click "Unsubscribe" link in the message header. When the user clicks it, the client POSTs List-Unsubscribe=One-Click to the URL. Your server processes the unsubscribe and returns 200 OK. No confirmation page, no captcha, no login.

AcelleMail emits both headers by default for any campaign list with unsubscribe handling enabled. Where operators trip up is custom integrations — transactional flows that bypass the campaign engine, third-party SMTP relays that strip the headers, or unsubscribe URLs that redirect through a CMS confirmation page. Each of those is a deliverability hit.

The simplest verification: send yourself a test, click "Show original" in Gmail, search for List-Unsubscribe-Post. If the header is missing or does not say One-Click, you are non-compliant. Fix it before the volume crosses 5,000/day to either provider.

The complaint rate is the percentage of recipients who marked your message as spam, computed per-day over a rolling window. Google's announcement called for "below 0.3%" sustained, with "we want to see your rate consistently below 0.1%" as the working margin.

Two implementation notes:

1. It is per-domain, not per-account. If you split marketing on a subdomain (e.g. news.yourcompany.com) the complaint rate is computed against that subdomain only. A subdomain crossing 0.3% does not automatically demote your transactional traffic on the apex domain, which is one reason the standard practice is to isolate marketing on a subdomain. (See /glossary/email-deliverability.)
2. Gmail and Yahoo measure differently. Gmail uses the spam-button click rate among recipients who opened. Yahoo uses a similar metric on their interface. Both numbers should track each other within ~0.05%; large divergences indicate audience-skew rather than a sender problem.

For visibility, sign up for Google Postmaster Tools (free, requires DNS verification of your domain) and Yahoo's Complaint Feedback Loop. Both surface daily complaint-rate numbers. AcelleMail consumes the SES-level complaint feed via SNS webhooks (app/SendingServers/Webhooks/ComplaintReceived.php), which is the source of truth at the sending-server level. The Gmail / Yahoo rates are post-delivery; the SES rate is at-acceptance.

Strictly speaking, the 2024 rules apply only to bulk senders — >5,000/day to either Gmail or Yahoo. Below that threshold the requirements are "best practice" rather than enforced.

In practice, this is meaningless. Sub-5,000 senders still get spam-foldered for missing DMARC, missing one-click unsubscribe, or high complaint rate. The heuristic the providers run is largely the same; the difference is that above 5,000 the providers will publish you to a "bulk sender" queue with stricter automation, while below it you fall into a manual-review / engagement-driven track. Either way, ignoring the rules below 5,000 produces measurable deliverability loss.

The right framing: the 2024 rules codified what was already the de-facto bar at the major providers. They did not invent new requirements; they made the existing requirements explicit and enforced. Self-hosted operators below 5,000/day should treat the rules as the working bar regardless.

Three patterns broke at scale in February-March 2024 and are still causing measurable deliverability loss today:

1. Forwarder-DMARC-fail. Operators with mailing lists that forwarded mail to subscribers' personal addresses (the classic "list service" pattern) saw their forwarded mail rejected en masse. The fix is to rewrite the From header on forwarded mail (the ARC approach) or to switch lists to direct-from-list-domain sending. Mailman 3 and Postal's list module both support this.
2. Third-party CRM senders. Sending through a CRM-attached SMTP relay that signs with the CRM's domain breaks DMARC alignment unless the CRM also publishes its own DKIM under your subdomain. SES, Mailgun, SparkPost, and SendGrid all support this; older or less-mainstream relays may not.
3. Unauthenticated transactional flows. "We send password resets through Postfix on the same box that runs the app, no DKIM" stopped working at any meaningful volume. The fix is to publish DKIM keys for the apex domain and configure OpenDKIM on the Postfix install — one-time work that pays back across all transactional traffic.

The 2024 rules turned out to be more meaningful than they first looked. They did not just raise the bar — they made the bar concrete and testable. Sender Score, Talos, GlockApps, Postmark, and the various deliverability-monitoring vendors all incorporated the three pillars into their checks within months. By mid-2025 the entire commercial deliverability tooling ecosystem assumed DMARC + one-click unsubscribe + complaint-rate as preconditions; the older "we will help you debug your SPF" services either upgraded or quietly retired.

For self-hosted operators specifically, the 2024 rules accelerated a shift that was already underway: away from "send anything from anywhere" (the 2010s self-hosted norm) toward "send only authenticated, aligned, easily-unsubscribable mail from a domain whose reputation you actively manage". That is a higher operational bar but a lower-risk steady-state. AcelleMail's tooling for the steady state — WarmupStrategy, BounceHandler, suppression list, NeverBounce / ZeroBounce verification adapters — were already in the codebase pre-2024; what changed is that they became necessary rather than optional.

If you have not done a 2024-rule compliance audit on your sending domain in the last six months, today is a good day to start. The five-minute version: send yourself a test, "Show original" in Gmail, verify three pass verdicts plus the List-Unsubscribe-Post: List-Unsubscribe=One-Click header. If everything checks, you are good. If not, the work to get there is well-trodden.