Landing in the Inbox After the New Sender Rules

Email

Landing in the inbox after the new sender rules

In 2024, Google and Yahoo turned a long list of deliverability best practices into hard requirements. Authentication is no longer optional, one-click unsubscribe is mandatory, and a spam-complaint rate above a fraction of a percent can quietly send your mail to the junk folder. Here is what changed, and how to keep landing in the inbox.

For years, SPF, DKIM, and DMARC were treated as nice-to-haves, the kind of thing a diligent admin set up and everyone else skipped. That era is over. Starting in February 2024, Google and Yahoo began enforcing a shared set of rules for bulk senders, anyone sending roughly 5,000 or more messages per day to their users. Miss the requirements and your mail does not bounce with a clear error every time; it just stops reaching the inbox. Given that email still returns around $36 for every $1 spent (Litmus) and that global inbox placement already averages only about 84 percent (Validity), even a small deliverability slip is expensive.

What the new rules actually require

The mandates are not exotic. They are the fundamentals, finally enforced. Three of them are about proving who you are; the rest are about respecting the recipient.

  • Authenticate every message. Bulk senders must publish and pass SPF, DKIM, and DMARC, and the domains those checks reference must align with the visible From address.
  • Offer one-click unsubscribe. Marketing and subscribed mail must include a List-Unsubscribe header that lets a recipient opt out in a single click, and you must honor it within two days.
  • Stay below the spam-complaint threshold. Keep your reported spam rate under 0.3 percent, and treat anything above 0.1 percent as a warning sign worth acting on.

The three records that prove who you are

Authentication answers a simple question the receiving server is asking: is this message really from the domain it claims? Each record covers a different part of that answer.

SPF – who is allowed to send

Sender Policy Framework (RFC 7208) is a DNS TXT record that lists the servers and services authorized to send mail for your domain. When a receiver gets a message, it checks whether the sending IP appears in your SPF record. If it does not, that is a strong signal the mail is forged. SPF is your published guest list; it prevents unauthorized servers from passing themselves off as you, which is the mechanic behind a lot of spoofing.

DKIM – proof the message was not altered

DomainKeys Identified Mail (RFC 6376) adds a cryptographic signature to each message using a private key that only you hold. The matching public key lives in your DNS, so any receiver can verify the signature. If the signature checks out, two things are true: the message genuinely came from your domain, and its signed contents were not tampered with in transit. DKIM is the tamper-evident seal, it defends against spoofing and against a message being modified after it leaves you.

DMARC – the policy that ties it together

Domain-based Message Authentication, Reporting, and Conformance (RFC 7489) is the instruction layer. It tells receivers what to do when a message fails SPF or DKIM, do nothing, quarantine it, or reject it outright, and it requires alignment, meaning the domain that passed SPF or DKIM has to match the domain a human sees in the From line. That alignment requirement is what stops a clever attacker from passing authentication on a lookalike domain while displaying yours. DMARC also sends you aggregate reports, so you can see who is sending mail as your domain before you tighten the policy. Start at p=none to monitor, then move to quarantine and finally reject once you are confident your legitimate mail is aligned.

The authentication stack at a glance

Email authentication and compliance records, what each does, and what it protects against
RecordWhat it doesProtects against
SPFPublishes the servers authorized to send for your domainUnauthorized senders, basic spoofing
DKIMSigns each message with a key only you holdSpoofing and message tampering
DMARCSets policy for failures and enforces From alignmentLookalike-domain spoofing, unmonitored abuse
BIMIDisplays your verified logo beside authenticated mailImpersonation, low brand trust
List-Unsubscribe (one-click)Lets recipients opt out in a single clickSpam complaints, compliance failures

Authentication gets you in the door, reputation keeps you there

Passing SPF, DKIM, and DMARC is necessary but not sufficient. Mailbox providers also score your sending reputation, and that is where most senders quietly lose placement.

IP warmup and the shared-versus-dedicated choice

A brand-new sending IP has no reputation, and blasting a full campaign from it looks exactly like what spammers do. Warmup is the practice of ramping volume gradually over days and weeks, starting small, sending to your most engaged recipients first, and letting providers build trust before you scale. A dedicated IP gives you full control of your own reputation and makes sense at high, steady volume. A shared IP pools you with other senders, which is easier to start with and keeps a warm reputation even at low volume, but means a neighbor’s bad behavior can affect you. Pick based on how much and how consistently you send.

Feedback loops, list hygiene, and complaints

Feedback loops let mailbox providers tell you when a recipient marks your message as spam, so you can suppress that address immediately. Enroll in them, because complaints are the single fastest way to wreck a reputation, and the 0.3 percent ceiling leaves little room. List hygiene is the other half: remove hard bounces, prune addresses that have not engaged in months, and never buy lists. Sending to dead or unengaged addresses drags down every engagement signal providers watch, opens, clicks, replies, and pushes you toward the spam folder even when your authentication is perfect.

BIMI and the verified logo

Brand Indicators for Message Identification lets your logo appear next to authenticated messages in supporting inboxes, a visible trust signal that also lifts recognition. It requires DMARC at enforcement first, and for most providers a Verified Mark Certificate (VMC) proving you own the trademark on the logo. BIMI is not a deliverability requirement, but it is a strong reason to finish the authentication work you started, and it makes impersonation of your brand markedly harder.

Where this fits

None of this is one-and-done. Records drift as you add new sending tools, DMARC reports need reading, warmup schedules need managing, and complaint rates need watching. Getting the DNS right, wiring up feedback loops, and building sending infrastructure that holds a clean reputation is exactly the kind of work our marketing and email infrastructure services handle, so your campaigns land where they are supposed to, in the inbox.

Email that lands

Fix deliverability at the source.

Authentication, warmup, list hygiene, and reputation monitoring, set up once and watched continuously. Tell us where your mail is going astray and we will map the fix.