HOME / INSIGHTS / COLD EMAIL DELIVERABILITY · INSIGHT

Google and Microsoft sender requirements, decoded

Google and Microsoft now publish explicit rules for anyone sending email into Gmail and Outlook: authenticate with SPF, DKIM and DMARC, keep spam complaints extremely low, make unsubscribing effortless, and send from infrastructure that matches your identity. The rules are framed around "bulk senders" (broadly, 5,000+ messages a day to their users), but the two providers handle most B2B inboxes between them, so in practice these requirements are the de facto standard for everyone. Meet them fully — well below the thresholds — and you remove the most common structural reasons cold email fails to land.

What do the rules actually say?

Google's requirements, introduced from early 2024 alongside Yahoo's near-identical set, and Microsoft's from 2025 for Outlook, converge on the same short list:

RequirementPlain English
SPF and DKIMProve the sending server is authorised and the message wasn't altered
DMARCPublish a policy telling providers what to do when authentication fails
Aligned "from" domainThe address people see must match the domain that authenticated
Low complaint rateGoogle names 0.3% as the danger line and ~0.1% as the working target
Easy opt-outOne-click unsubscribe for bulk mail; honour requests promptly
Valid DNSProper forward and reverse DNS on sending infrastructure

The exact enforcement details shift, so treat the providers' own documentation as the source of truth — but the direction has been consistent for years: identity, consent signals, and low annoyance. This is the codified version of what the Cold Email Deliverability guide treats as the infrastructure layer of outbound.

Does the 5,000-a-day threshold mean small senders are exempt?

No, and believing it does is the expensive misreading. Three reasons. First, the thresholds are assessed loosely — Google counts by primary domain and looks at patterns over time, so "we send 200 a day" is not a safe harbour. Second, the requirements describe what the filters reward regardless of volume; an unauthenticated small sender doesn't get blocked at the gate, but it starts every conversation with the spam filter on the back foot. Third, the providers have explicitly signalled that requirements tighten over time and migrate downward from bulk senders to everyone.

The practical rule: build as if the requirements apply to you, because functionally they do. A B2B firm running 25–40 cold emails a day per inbox across several mailboxes is exactly the profile that benefits from being unambiguously compliant — small enough to be filtered casually, and easily made legible with a few DNS records.

How do you set your domains up to pass?

The mechanism is a one-time build per sending domain, and it runs in sequence. When you publish an SPF record listing your authorised sending services, then receiving servers can check that mail claiming to be you came from infrastructure you sanctioned. When you enable DKIM signing in your sending platform, then each message carries a cryptographic signature the receiver verifies against your DNS. When both pass and align with your visible "from" domain, then DMARC has what it needs — so when you publish a DMARC record (start at p=none to monitor, tighten to p=quarantine once reports look clean), then you've told Google and Microsoft exactly how to treat impostors, and told them you're the kind of sender who has done the work. When all three are in place before the first cold email leaves, then the domain starts its life legible instead of suspicious.

None of this requires an engineer — it is a handful of DNS records and an afternoon of care. But it must be done per sending domain, verified with a checking tool rather than assumed, and done before warm-up starts, not after delivery problems appear.

What about the complaint-rate rule?

This is the requirement copy and targeting actually touch. Authentication is binary and buildable; complaints are behavioural. Google's 0.3% line sounds generous until you translate it: at small B2B volumes, a handful of "report spam" clicks in a week can put a mailbox over it. The defences are unglamorous — tight targeting so recipients plausibly benefit from hearing from you, honest identification, a working opt-out honoured immediately, and volume discipline so no single bad day dominates your stats.

That last point is why warm-up and steady sending matter so much: a mailbox with weeks of consistent, well-received history can absorb a complaint; a cold one cannot. The full argument sits in warm-up tools: what they do and when to stop them.

What happens if you ignore all this?

Predictable degradation rather than a dramatic ban. Mail from unauthenticated or complained-about domains gets quarantined, junked or silently dropped; placement decays until reply rates make campaigns pointless; and in the worst cases the domain ends up flagged widely enough that you're into blacklist recovery territory. The requirements are, in effect, a published exam paper — it is rare in deliverability to be told the answers in advance, and it costs an afternoon to act on them.

One caveat worth repeating: sender rules govern whether mail arrives, not whether the list deserved to receive it. A compliant setup pointed at a poorly built list still fails — which is why the infrastructure work runs alongside the data work covered in the B2B Database Building Guide.


Next step: the Growth System Audit — £450, seven days, credited against any build — maps where your growth system leaks and what to build first.

Total Format builds the systems UK B2B service firms grow on — AI-powered outbound, automation, and reporting — so growth stops depending on the founder's time.

Map your growth system. The £450 audit takes seven days and is credited against any build.

BOOK THE AUDIT