Press ESC to close

MailTester NinjaMailTester Ninja Increase your email deliverability

Gmail Bulk Sender Requirements 2026: Essential Checklist

    The grace period is over. Since November 2025, Gmail no longer quietly files non-compliant bulk email into the spam folder: it rejects it outright at the server level with permanent 5xx errors. Microsoft did the same for Outlook in May 2025. If your emails suddenly started bouncing with codes like 550-5.7.26 or 550 5.7.515, the Gmail bulk sender requirements are almost certainly why.

    The stakes are not abstract. Two years into enforcement, roughly 30% of bulk senders still fail at least one requirement, and the penalty gap has widened dramatically: compliant senders average 89% inbox placement, while non-compliant senders see 22 to 34% of their mail land in spam, when it is delivered at all.

    30%
    of bulk senders still fail at least one requirement
    89%
    inbox placement for compliant senders
    22-34%
    of non-compliant mail lands in spam

    This guide covers the Gmail bulk sender requirements in full, plus the matching Yahoo and Microsoft rules, the 2024 to 2026 enforcement timeline, the exact error codes you will see when something fails, and a practical compliance checklist. It also covers the two thresholds that cause the most damage, the 0.3% spam rate ceiling and your bounce rate, and how to stay safely under both.

    Search intents covered: "gmail bulk sender requirements", "bulk sender requirements 2026", "gmail 5000 emails per day rule", "gmail new sender requirements", "yahoo bulk sender requirements", "microsoft outlook sender requirements", "one-click unsubscribe requirement", "gmail spam rate 0.3", "email compliance 2026", "gmail rejecting emails 550", "DMARCbis 2026", "gmail 421-4.7.26", "550 5.7.515 outlook", "how to comply with gmail requirements"
    Quick answer: what are the Gmail bulk sender requirements? Anyone sending 5,000 or more emails per day to personal Gmail addresses must: authenticate with SPF, DKIM, and DMARC (all three, with alignment); offer one-click unsubscribe (RFC 8058) and honor it within two days; keep the reported spam rate below 0.3%, ideally under 0.1%; have valid forward and reverse DNS; and use a TLS connection. Yahoo enforces matching rules, and Microsoft added equivalent requirements for Outlook in 2025. Since November 2025, Gmail permanently rejects non-compliant bulk mail with 5xx SMTP errors instead of filtering it to spam. The classification is permanent: cross 5,000 daily messages once, and the requirements apply to your domain from then on.

    What Are the Gmail Bulk Sender Requirements?

    The Gmail bulk sender requirements are a set of mandatory technical and behavioral standards that Google enforces on anyone sending high volumes of email to Gmail addresses. Announced in October 2023 and enforced from February 2024, Google's sender guidelines turned what used to be "best practices" into hard requirements: authenticate your email, make unsubscribing effortless, and keep complaints low.

    Yahoo announced matching requirements at the same time, and Microsoft followed for Outlook, Hotmail, and Live addresses in 2025. Together, the three providers cover the overwhelming majority of consumer inboxes, which makes these rules the de facto standard for the entire email industry. As of 2026, they are strictly enforced across all three.

    In short: The bulk sender requirements are the price of admission to the inbox in 2026. They do not guarantee placement, they establish the baseline level of trust needed to compete for it. Meeting them keeps you in the game; failing any single one can get your mail rejected outright.

    Who Counts as a Bulk Sender?

    Google defines a bulk sender as any domain that sends 5,000 or more messages to personal Gmail addresses (ending in @gmail.com or @googlemail.com) within 24 hours. Two details in that definition catch senders off guard.

    1
    Subdomains count together
    Messages sent from mail.yourdomain.com, news.yourdomain.com, and yourdomain.com are all counted against the same primary domain. Splitting volume across subdomains does not keep you under the threshold.
    2
    The classification never expires
    Cross the 5,000-per-day line once, even with a single unusual campaign spike, and your domain is permanently classified as a bulk sender and held to the stricter requirements from then on.
    Under 5,000 a day? Follow the rules anyway. The strict enforcement targets bulk senders, but Google, Yahoo, and Microsoft recommend the same practices for everyone, and smaller senders with SPF, DKIM, DMARC, and one-click unsubscribe consistently see better inbox placement. Treat the requirements as the 2026 baseline for any serious sender, whatever your volume.

    The Enforcement Timeline: 2024 to 2026

    Enforcement did not arrive all at once. It escalated in stages, from warnings to temporary deferrals to outright rejection, and the escalation is not finished. Here is the full timeline.

    DateWhat happened
    October 2023Google and Yahoo announce bulk sender requirements.
    February 2024Enforcement begins: temporary errors on a portion of non-compliant traffic.
    June 2024Gmail's full rollout: non-compliant mail starts being rejected. Senders without DMARC see immediate inbox drops.
    May 2025Microsoft enforces for Outlook, Hotmail, and Live: non-compliant bulk mail routed to junk, then blocked with 550 5.7.515.
    November 2025Gmail moves to hard enforcement: permanent 5xx rejections at the SMTP level instead of spam-folder filtering.
    May to June 2026DMARCbis (RFC 9989 to 9991) replaces the original DMARC standard, adding the np and t parameters.
    2026 to 2027Apple iCloud Mail widely expected to adopt equivalent enforcement.

    The direction is one-way: each stage has been stricter than the last, and each new provider that joins raises the floor. Senders who fixed their foundations early faced no disruption; those who waited discovered the problem through bounces.

    The Requirements, One by One

    Here is every Gmail bulk sender requirement, what it means in practice, and the pitfall most senders hit with each.

    The authentication trio: SPF, DKIM, and DMARC

    Bulk senders must pass all three, not just one. SPF lists the IPs authorized to send for your domain. DKIM cryptographically signs each message. DMARC ties the two together and requires alignment: your visible From domain must match your SPF or DKIM domain. A published DMARC policy is mandatory, and while p=none is an accepted starting point, providers expect active progression toward p=quarantine or p=reject. Our complete SPF, DKIM, and DMARC guide walks through the setup.

    The SPF 10-lookup trap. SPF fails permanently (PermError) if resolving your record requires more than 10 DNS lookups. Teams using several sending tools (an ESP, a CRM, a support desk, a billing system) breach this limit without realizing it. Audit your SPF record, remove legacy tools, and use subdomains or SPF flattening if you are over the limit.

    One-click unsubscribe (RFC 8058)

    Marketing and promotional email from bulk senders must include the RFC 8058 List-Unsubscribe headers, which let Gmail and Yahoo display a native unsubscribe button at the top of the email. Unsubscribe requests must be honored within two days. This is not the same as the link in your footer: the header is machine-readable and powers the button in the interface. It is also the requirement senders miss most often, and it exists to protect you, because a recipient who cannot find the exit hits "Report spam" instead.

    Spam rate below 0.3%

    Your reported spam rate in Google Postmaster Tools must stay below 0.3%, with 0.1% as the recommended operating target. This threshold gets its own section below, because it is the requirement with the sharpest teeth.

    Infrastructure basics

    Sending IPs need valid forward and reverse DNS (FCrDNS), messages must be sent over a TLS connection, and your From header must not impersonate Gmail. These are table stakes, but a missing PTR record is still a common silent failure, and it is one of the checks covered in our free email spam test.

    Check your compliance in 30 seconds Our free spam test verifies exactly what Gmail checks: SPF, DKIM, DMARC alignment, blocklists, and reverse DNS, scored out of 100 with a fix list. No signup, nothing stored.
    Run the free compliance check

    Choosing Your DMARC Policy: none, quarantine, or reject

    Publishing a DMARC record satisfies the requirement, but the policy value you choose determines what actually happens to mail that fails authentication. Most senders start too cautious and stay there for years, which leaves the door open to spoofing.

    p=none
    Monitor only. Failures are delivered normally, but you receive reports. Satisfies the minimum requirement. Use it for the first 30 to 60 days while you find every legitimate sending source.
    p=quarantine
    Send failures to spam. The natural second step once your reports show all legitimate sources passing. Start with a small percentage and increase gradually.
    p=reject
    Block failures outright. The strongest protection against spoofing and the destination providers expect. Required for BIMI, and the strongest trust signal you can send.

    The migration path is straightforward but should never be rushed. Start at p=none with reporting enabled, read the aggregate reports to find every service sending on your behalf (your ESP, CRM, help desk, billing system, and any legacy tool nobody remembers), fix the ones failing alignment, then move to quarantine and finally reject. Jumping straight to reject before your reports are clean will block your own legitimate mail.

    In short: A published DMARC record with p=none meets the Gmail bulk sender requirements, but it only monitors. Providers expect progression toward quarantine or reject, and stricter policies measurably improve your trust profile. Spend 30 to 60 days at none, then advance.

    DMARCbis: What Changed in 2026

    In May and June 2026, the original 2015 DMARC specification (RFC 7489) was replaced by DMARCbis, published as RFC 9989, 9990, and 9991. This does not change the Gmail, Yahoo, or Microsoft bulk sender requirements directly, but it elevates DMARC from an informational specification to a Proposed Standard, which signals stricter implementation expectations across the ecosystem going forward.

    ChangeWhat it means for you
    New np parameterSets a policy for non-existent subdomains, closing a spoofing hole attackers used against subdomains you never created.
    New t parameterReplaces the old pct percentage tag, used to mark a record as being in testing mode.
    pct deprecatedThe percentage-based rollout tag is retired. Plan your migration to reject without relying on it.
    p now recommended, not mandatoryThe primary policy tag is no longer strictly required by the specification, though providers still expect it in practice.

    Practically, nothing breaks on July 2026. Existing DMARC records continue to work. But if you are building a new record or planning a move to reject, use the new parameters, add np=reject to protect unused subdomains, and stop depending on pct.

    Gmail vs Yahoo vs Microsoft: The Differences

    The three providers align on the fundamentals but differ on details. Here is the comparison that matters when your list spans all three.

    RequirementGmailYahooMicrosoft (Outlook)
    Threshold5,000+/day5,000+/day5,000+/day
    SPF + DKIMBoth requiredAt least one, both recommendedBoth required
    DMARCRequired (p=none minimum)RequiredRequired
    One-click unsubscribeRequired (RFC 8058)Required (RFC 8058)Required
    Spam rateBelow 0.3%, target 0.1%Below 0.3%Complaint-driven filtering
    Enforcement sinceFeb 2024, hard since Nov 2025Feb 2024May 2025 (550 5.7.515)

    The practical takeaway: build for the strictest interpretation (both SPF and DKIM, DMARC with alignment, RFC 8058 headers, spam rate under 0.1%) and you are compliant everywhere at once, including with whatever Apple iCloud enforces next.

    The Error Codes of Non-Compliance

    When you fail a requirement, the rejection tells you which one. These are the codes senders are seeing in 2026, and what each means. Remember the pattern from our hard bounce vs soft bounce guide: 4xx codes are temporary deferrals, 5xx codes are permanent rejections.

    CodeTypeMeaning and fix
    421-4.7.26TemporaryRate-limited because the mail is unauthenticated. Set up SPF or DKIM (both, ideally).
    421-4.7.30TemporaryRate-limited because DKIM does not pass. Fix your DKIM signing and DNS key.
    421-4.7.32TemporaryRate-limited because there is no DMARC alignment. Align your From domain with SPF or DKIM.
    550-5.7.26PermanentBlocked: sender unauthenticated. The escalated version of 421-4.7.26. Immediate action required.
    550 5.7.515PermanentMicrosoft's access-denied code: your domain does not meet Outlook's authentication requirements.

    If you are seeing the 421 codes, treat them as your final warning: Gmail is deferring a portion of your traffic and telling you exactly why. If you are seeing the 550 codes, your deliverability is already broken and authentication is the fix, not content or copy.

    The Spam Rate Rule: Why 0.1% Is the Real Target

    Google's requirement says to keep your reported spam rate below 0.3% and ideally under 0.1%. The gap between those numbers is where campaigns die. At the 0.3% ceiling, three complaints per thousand delivered messages tips you over, and one rough campaign can do that in a day.

    Crossing 0.3% has a specific, brutal consequence: your domain becomes ineligible for Gmail's delivery mitigation, and it stays ineligible until your spam rate holds below the line for seven consecutive days. One bad week can cost you weeks of recovery, because inbox restoration after an enforcement period depends on your broader sender history, not a single clean day.

    0.3%
    the ceiling: 3 complaints per 1,000 messages makes you ineligible for mitigation
    0.1%
    the real operating target Google recommends managing against
    7 days
    consecutive days below the line required before recovery begins
    Manage against 0.1%, alert at 0.05%. Treating 0.3% as your threshold means reacting when it is already too late. Monitor your complaint rate per domain in Google Postmaster Tools daily, set an internal alert at 0.05%, and if a campaign spikes, pause it immediately and audit the segmentation and frequency before resuming.

    How to Become Compliant, Step by Step

    If you are starting from zero, this is the order that minimizes disruption. Authentication first, because it is the requirement that triggers rejections, then the behavioral thresholds that determine whether you stay in the inbox.

    1
    Inventory every sending source
    List every service that sends email using your domain: your ESP, CRM, help desk, billing system, transactional provider, and any legacy tool. You cannot authenticate what you have not found, and forgotten tools are the top cause of DMARC failures.
    2
    Publish and audit your SPF record
    Include every authorized sending IP, then count your DNS lookups. If you are over 10, remove legacy tools, move streams to subdomains, or use SPF flattening. An SPF PermError fails silently and takes your deliverability with it.
    3
    Enable DKIM signing everywhere
    Configure custom domain authentication in every third-party tool so it signs with your domain key, not theirs. A tool signing as its own domain breaks alignment even when DKIM technically passes.
    4
    Publish DMARC at p=none with reporting
    Start monitoring. Read the aggregate reports for 30 to 60 days, fix every legitimate source that fails alignment, then move to quarantine and eventually reject.
    5
    Add RFC 8058 unsubscribe headers
    Confirm your ESP includes both List-Unsubscribe and List-Unsubscribe-Post headers on marketing mail, and that your system processes requests within two days. Most modern ESPs do this automatically, but verify rather than assume.
    6
    Set up monitoring, then verify your list
    Connect Google Postmaster Tools and Microsoft SNDS so you see your spam rate and reputation as providers do. Then verify your list before your next send, because bounces and complaints are the half of compliance no DNS record can fix.
    Confirm your setup actually works Publishing records is not the same as passing checks. Our free spam test sends a real email through your setup and verifies SPF, DKIM, DMARC alignment, blocklists, and reverse DNS in about 30 seconds.
    Run the free compliance check

    The 6 Most Common Compliance Mistakes

    Roughly 30% of bulk senders still fail at least one requirement two years into enforcement. These are the failures that account for most of them, and none of them are exotic.

    MistakeWhy it happensThe fix
    Missing RFC 8058 headersA footer unsubscribe link is mistaken for the header requirement. This is the single most common failure.Confirm your ESP sends both List-Unsubscribe headers on marketing mail.
    SPF over 10 lookupsEach new SaaS tool adds an include. Nobody counts, and SPF fails with a silent PermError.Audit and flatten the record, or split streams across subdomains.
    DKIM not alignedA third-party tool signs with its own domain instead of yours, so DKIM passes but DMARC alignment fails.Enable custom domain authentication in every sending tool.
    DMARC stuck at p=nonePublished once to satisfy the rule, then forgotten for years.Read your reports, fix the failures, advance to quarantine, then reject.
    Missing reverse DNSA new sending IP is provisioned without a PTR record and nobody notices.Set forward and reverse DNS on every sending IP, then test it.
    Sending to an unverified listBounces and complaints are treated as marketing metrics rather than compliance thresholds.Verify before every large send to keep bounces under 2% and complaints under 0.1%.
    Subdomain reputation is not a reset button. Moving your sending to a fresh subdomain does not escape the bulk sender threshold, since subdomains count together against your primary domain. It also starts you with no reputation, which means a full warm-up before you can send at volume.

    Already Blocked? How to Recover

    If your mail is bouncing with 550 errors or your spam rate has crossed 0.3%, recovery is possible but it is not instant. Google calculates your spam rate daily, and a domain above the ceiling stays ineligible for delivery mitigation until the rate holds below the line for seven consecutive days. Rushing back to full volume restarts the clock.

    1
    Stop sending to the affected provider
    Pause campaigns to Gmail or Outlook immediately. Every additional non-compliant message deepens the problem and extends your recovery window.
    2
    Read the bounce code and fix that exact requirement
    The code names the failure. A 550-5.7.26 means unauthenticated mail, so fix SPF and DKIM. A 421-4.7.32 means missing DMARC alignment. Do not guess.
    3
    Verify your entire list before resuming
    Remove every invalid, disposable, and role-based address. A bounce spike on resumption will undo the fix and signal that nothing changed.
    4
    Resume slowly with your most engaged segment
    Send to recent openers and clickers first, at low volume, and ramp over two to four weeks. Positive engagement is what rebuilds reputation; volume without engagement rebuilds nothing.
    5
    Watch Postmaster Tools daily until stable
    You need seven consecutive days below 0.3%, and realistically below 0.1%, before Gmail treats you normally again. Inbox restoration after that depends on your broader sending history, not one clean week.
    Recovery takes weeks, not days. Skipping verification before a large send is the most common cause of sudden deliverability collapse, and the bounce spike that follows can take weeks to unwind. The cheapest fix is the one you make before sending, not after. Our guide to why emails go to spam covers the wider diagnostic picture.

    Your 2026 Compliance Checklist

    Run through this list before your next major send. Every item maps to a requirement that can get your mail deferred or rejected.

    • SPF passes and your record stays under the 10-DNS-lookup limit.
    • DKIM signs every message with a valid key published in DNS, including mail sent through third-party tools.
    • DMARC is published and aligned, at p=none minimum, with a plan to move to quarantine or reject.
    • One-click unsubscribe (RFC 8058) headers are on every marketing message, honored within two days.
    • Spam rate under 0.1% in Google Postmaster Tools, checked daily, with an alert at 0.05%.
    • Bounce rate under 2%, kept there by verifying your list before every send.
    • Valid forward and reverse DNS on every sending IP, and TLS on every connection.
    • Postmaster Tools and Microsoft SNDS configured so you see your reputation as providers see it.
    • Pre-send spam test run on the final rendered email to confirm authentication and content pass.

    Where List Quality Fits In

    Here is the connection most compliance guides skip. Two of the deadliest thresholds, the spam rate and your bounce rate, are functions of list quality, not configuration. You can have perfect SPF, DKIM, and DMARC and still get filtered because your list is generating complaints and bounces.

    The mechanics are direct. Invalid addresses bounce, and a bounce rate above 2% flags you as a sender who does not maintain their list. Stale and purchased addresses generate spam complaints from people who never opted in or forgot they did, pushing you toward the 0.3% ceiling. And dead addresses never open or click, dragging down the engagement signals Gmail weighs most heavily. Skipping verification before a large send is the single most common cause of sudden deliverability collapse, and the bounce spike that follows can take weeks to recover from.

    Compliance starts with a clean list MailTester.Ninja verifies every address with real-time SMTP checks before you send, removing the invalid, disposable, and risky addresses that inflate your bounce and complaint rates. Keep both safely under the thresholds, at a fraction of incumbent prices.
    Verify your list

    Pair verification with the rest of your hygiene routine: regular email list cleaning on a 90-day cycle, removing hard bounces immediately, monitoring your sender reputation, keeping your bounce rate low, and a proper email warm-up for any new domain. Compliance is the floor; these practices are what actually win the inbox, as our full email deliverability guide covers.

    The bottom line: The Gmail bulk sender requirements are non-negotiable in 2026: SPF, DKIM, and DMARC with alignment, one-click unsubscribe, a spam rate under 0.3% (manage against 0.1%), and clean DNS. Enforcement is now rejection, not filtering. Configure the authentication once, then protect the behavioral thresholds continuously with a verified, engaged list. That combination keeps you on the right side of the 89% inbox average.

    Key Takeaways

    • The threshold is 5,000 messages a day to personal Gmail addresses, subdomains counted together, and the bulk sender classification never expires once crossed.
    • Enforcement is now rejection, not filtering. Gmail issues permanent 5xx errors since November 2025; Microsoft since May 2025.
    • All three authentication protocols are required, with DMARC alignment. SPF alone or DKIM alone is not enough.
    • One-click unsubscribe (RFC 8058) is the most-missed requirement, and the footer link does not satisfy it.
    • Manage your spam rate against 0.1%, not 0.3%. Crossing the ceiling costs seven consecutive clean days before recovery even begins.
    • Authentication is a one-time setup; the thresholds are continuous. Your bounce and complaint rates are functions of list quality, and no DNS record can fix a dirty list.

    Glossary

    The key terms behind the bulk sender requirements, in plain language.

    TermWhat it means
    Bulk senderA domain sending 5,000+ messages a day to personal Gmail addresses. The classification is permanent once crossed.
    RFC 8058The standard for one-click unsubscribe headers, which power the native unsubscribe button in Gmail and Yahoo.
    DMARC alignmentThe match between your visible From domain and the domain authenticated by SPF or DKIM.
    Spam rateThe share of delivered messages recipients mark as spam, measured by Google Postmaster Tools.
    Delivery mitigationGoogle's process for restoring delivery after issues. Unavailable while your spam rate is 0.3% or higher.
    FCrDNSForward-confirmed reverse DNS: your sending IP resolves to a hostname that resolves back to the same IP.
    DMARCbisThe 2026 update to the DMARC standard (RFC 9989 to 9991), adding the np and t parameters.
    Postmaster ToolsGoogle's free dashboard showing your spam rate, reputation, and authentication results as Gmail sees them.
    SPF PermErrorA permanent SPF failure caused by exceeding the 10-DNS-lookup limit. It fails silently and breaks authentication.
    p=none / quarantine / rejectThe DMARC policy values: monitor only, send failures to spam, or block them outright.
    SNDSMicrosoft's Smart Network Data Services, the Outlook equivalent of Google Postmaster Tools.
    Complaint rateThe share of recipients who mark your mail as spam. The requirement ceiling is 0.3%; the practical target is 0.1%.

    Frequently Asked Questions

    What are the Gmail bulk sender requirements?
    The Gmail bulk sender requirements apply to anyone sending 5,000 or more emails per day to personal Gmail addresses. They require authenticating with SPF, DKIM, and DMARC (with alignment between your From domain and the authenticated domain), including one-click unsubscribe headers (RFC 8058) on marketing mail and honoring requests within two days, keeping your reported spam rate below 0.3% (ideally under 0.1%), maintaining valid forward and reverse DNS on sending IPs, and using TLS. Since November 2025, Gmail permanently rejects non-compliant bulk mail with 5xx SMTP errors rather than filtering it to spam.
    Do the requirements apply if I send fewer than 5,000 emails a day?
    Strict enforcement targets bulk senders above the 5,000-per-day threshold, but Google, Yahoo, and Microsoft recommend the same practices for all senders, and smaller senders who follow them consistently see better inbox placement. Two cautions: the threshold counts all subdomains of your primary domain together, and the bulk sender classification is permanent, so a single campaign spike past 5,000 puts you under the stricter rules from then on. The safest approach for any serious sender is to treat the requirements as the baseline regardless of volume.
    What happens if I do not comply?
    Enforcement has escalated from filtering to rejection. In 2024, non-compliant senders saw temporary 4xx deferrals on part of their traffic. Since November 2025 for Gmail and May 2025 for Microsoft, non-compliant bulk mail receives permanent 5xx rejections at the SMTP level, meaning it never reaches the inbox or even the spam folder. The measured gap is stark: compliant senders average around 89% inbox placement, while partially non-compliant senders see 22 to 34% of their mail land in spam. Roughly 30% of bulk senders still fail at least one requirement, most often the one-click unsubscribe header.
    What is one-click unsubscribe (RFC 8058)?
    RFC 8058 defines machine-readable List-Unsubscribe headers that let mailbox providers display a native unsubscribe button at the top of the email interface, separate from any link in your footer. Bulk senders must include these headers on marketing and promotional mail and honor unsubscribe requests within two days. The requirement protects senders as much as recipients: when unsubscribing is effortless, people use the button instead of hitting "Report spam," and spam complaints damage your sender reputation far more than unsubscribes do. It is also the requirement the most senders still miss.
    What spam rate does Gmail require?
    Gmail requires bulk senders to keep their reported spam rate below 0.3%, and recommends managing against 0.1% as the real operating target. The rate is calculated daily in Google Postmaster Tools. Crossing 0.3% makes your domain ineligible for delivery mitigation, and it stays ineligible until the rate holds below the line for seven consecutive days, so one bad week can cost weeks of recovery. In practice, healthy programs run under 0.1% and set internal alerts around 0.05% so they can pause a problem campaign before it crosses the threshold.
    Which DMARC policy do I need: none, quarantine, or reject?
    The minimum requirement is a published DMARC record, and p=none satisfies it as a starting point. But p=none only monitors; it tells receivers to take no action on failures. Providers expect active progression toward p=quarantine (send failures to spam) or p=reject (block them), and stricter policies strengthen your domain's trust profile against spoofing. The practical path: start at p=none with reporting enabled, fix the legitimate sources that fail alignment, then move to quarantine and eventually reject. The 2026 DMARCbis update (RFC 9989 to 9991) refines the standard but does not change this progression.
    Why are my emails suddenly bouncing with 550 errors from Gmail or Outlook?
    A sudden wave of 550 bounces from Gmail (550-5.7.26) or Microsoft (550 5.7.515) almost always means you are failing the authentication requirements. Gmail moved to hard enforcement in November 2025, replacing quiet spam-folder filtering with permanent SMTP rejections, and Microsoft did the same for Outlook in May 2025. The fix is authentication, not content: verify that SPF passes and stays under the 10-lookup limit, that DKIM signs correctly including through third-party tools, and that your DMARC record exists with proper alignment. The 421-series codes (4.7.26, 4.7.30, 4.7.32) are the temporary warnings that precede these permanent blocks.
    How do I check if I meet the requirements?
    Test from the outside in. Run a free email spam test by sending a real email from your production setup: it verifies SPF, DKIM, DMARC alignment, blocklist status, and reverse DNS in one pass, which covers the authentication side of compliance. Then set up Google Postmaster Tools to monitor your spam rate and reputation as Gmail sees them, and Microsoft SNDS for the Outlook side. Finally, check your list quality: verify your addresses so your bounce rate stays under 2%, since bounces and complaints are the behavioral half of compliance that no DNS record can fix.
    What is DMARCbis and do I need to update my DMARC record?
    DMARCbis is the 2026 update to the DMARC standard, published as RFC 9989, 9990, and 9991 in May and June 2026, replacing the original 2015 specification. It adds an np parameter that sets a policy for non-existent subdomains (closing a spoofing hole), replaces the old pct percentage tag with a new t parameter for testing mode, and makes the p policy tag recommended rather than strictly mandatory. Existing DMARC records continue to work, so nothing breaks immediately. If you are creating a new record or migrating to p=reject, use the new parameters, add np=reject to protect unused subdomains, and stop relying on pct.
    Can I avoid the requirements by sending from a subdomain?
    No. Google counts messages from all subdomains together against your primary domain, so splitting volume across mail.yourdomain.com and news.yourdomain.com does not keep you under the 5,000-per-day threshold. Worse, a fresh subdomain starts with no sending reputation, which means you need a full warm-up period before sending at volume, and unwarmed domains face heavy filtering regardless of compliance. Subdomains are useful for separating transactional and marketing streams, or for isolating SPF lookups, but they are not a way to escape the bulk sender requirements.
    How long does it take to recover if I am already blocked?
    Expect weeks, not days. Google calculates your spam rate daily, and a domain above the 0.3% ceiling stays ineligible for delivery mitigation until the rate holds below the line for seven consecutive days. Even then, inbox restoration depends on your broader sending history rather than one clean week. The recovery sequence is: pause sending to the affected provider, read the bounce code and fix that exact requirement, verify your entire list to remove invalid addresses, then resume slowly with your most engaged recipients and ramp over two to four weeks while monitoring Postmaster Tools daily.
    What is the difference between a footer unsubscribe link and RFC 8058?
    The footer link is for the human reading your email. RFC 8058 defines machine-readable List-Unsubscribe and List-Unsubscribe-Post headers that let the mail client itself, Gmail or Yahoo, render a native unsubscribe button at the top of the message. Bulk senders must include the headers; a footer link alone does not satisfy the requirement, which is exactly why this is the most commonly missed rule. Most modern ESPs add the headers automatically, but you should verify rather than assume, and confirm that your system processes the resulting requests within two days as required.
    Danila Kozlov, COO at MailTester.Ninja
    About the author
    Danila Kozlov
    COO at MailTester.Ninja

    Danila has spent the last few years deep in email deliverability, helping SaaS companies and growth teams fix the infrastructure problems that silently kill their outbound results. As COO of MailTester.Ninja, he oversees product and operations with a single obsession: making email verification fast, accurate, and genuinely useful for the people who need it most.

    Stay under every threshold

    Authentication is a one-time setup. Your bounce and complaint rates are a continuous battle, and both are functions of list quality. MailTester.Ninja verifies every address with real-time SMTP accuracy, keeping your bounce rate under 1% and your complaints low so the bulk sender requirements never touch you.

    Verify your list for free

    Real-time SMTP verification · Catch-all detection · Spam trap flagging · Zero data storage