Email Deliverability13 min read

Gmail Sender Requirements: Compliance Checklist

Gmail sender requirements explained: learn SPF, DKIM, DMARC, unsubscribe, spam-rate, and list hygiene steps to keep mail delivered.

B
The Bounceable Team
Checklist clipboard next to an authenticated envelope and invalid email warnings

Gmail sender requirements are not just a DNS task. You need authentication, clean sending practices, and list controls that keep Gmail users from bouncing, ignoring, or reporting your mail.

Use this checklist to turn Gmail’s rules into concrete setup, monitoring, and email list hygiene actions.

What Gmail sender requirements apply to

Gmail sender requirements apply to anyone sending mail to Gmail or Google Workspace recipients, with stricter rules for high-volume bulk senders.

Google separates requirements into two broad groups:

  1. Technical authentication requirements
  2. Reputation and user-experience expectations

You need both. Passing authentication does not guarantee inbox placement. It only proves that your mail is authorized and traceable. Gmail still evaluates how users react to your messages.

Who needs to comply

If you send mail to @gmail.com or Google Workspace inboxes, Gmail’s filtering systems evaluate your mail. That includes:

  • Marketing newsletters
  • Lifecycle and product notifications
  • Account alerts
  • Sales sequences
  • Cold outreach
  • Transactional mail
  • Community or marketplace messages
  • CRM-driven campaigns

Bulk sender requirements apply when you send high volumes to Gmail recipients. Google defines bulk senders by daily volume to personal Gmail accounts. Even if you send less than that, you should still follow the same baseline. It protects sender reputation and prevents future problems as volume grows.

Technical rules vs. reputation rules

Technical compliance answers questions like:

  • Is this sending server allowed to send for the domain?
  • Is the message signed with DKIM?
  • Does DMARC exist?
  • Does the domain in the visible From header align with authenticated domains?
  • Can Gmail verify the sending infrastructure?

Reputation and list-quality expectations answer different questions:

  • Do Gmail users want this mail?
  • Do they open, click, reply, archive, or delete it?
  • Do they mark it as spam?
  • Does the sender keep sending to invalid addresses?
  • Does the sender honor unsubscribes?
  • Is the list sourced with consent?

You can pass spf dkim dmarc checks and still land in spam if your complaint rate is high or your list is stale.

Different mail streams have different risk

Not every stream carries the same compliance burden.

Mail typeMain Gmail riskWhat to watch
Transactional mailAuthentication failures or shared-domain reputationDedicated subdomain, strong DKIM, stable infrastructure
Lifecycle mailLow engagement over timeSuppression rules, segmentation, frequency
Marketing mailComplaints and unsubscribe frictionOne-click unsubscribe, consent, complaint monitoring
Product notificationsOver-sending and unclear valuePreference controls, event triggers, relevance
Cold outreachLow consent and spam reportsSource quality, targeting, volume, opt-out handling

Use separate subdomains where it helps you isolate reputation. For example, send receipts from one subdomain and promotional campaigns from another. Do not hide bad practices behind subdomains. Gmail can connect related sending patterns.

Gmail sender requirements checklist

A compliant Gmail setup starts with authentication, then adds unsubscribe handling, reputation monitoring, and list controls.

Use this checklist before you scale volume.

Set up SPF for every sending domain or subdomain

SPF tells receiving mail servers which systems can send mail for your domain.

Publish an SPF record on each domain or subdomain used in your envelope sender, return-path, or ESP configuration.

Example:

example.com.  TXT  "v=spf1 include:your-esp.example -all"

In practice:

  • Include every legitimate ESP or sending platform.
  • Avoid duplicate SPF records on the same hostname.
  • Keep DNS lookup limits in mind.
  • Remove old vendors you no longer use.
  • Use ~all while testing if needed, then move toward stricter handling when ready.

SPF alone is not enough. Forwarding can break SPF. Gmail expects a stronger authentication setup.

Sign mail with DKIM and verify alignment where applicable

DKIM adds a cryptographic signature to your messages. It proves that the message was authorized by the signing domain and was not materially changed in transit.

Set up DKIM for every sending platform. Use a selector that points to the public key in DNS.

Example:

selector1._domainkey.example.com. TXT "v=DKIM1; k=rsa; p=PUBLIC_KEY_HERE"

Check two things:

  • DKIM passes on delivered messages.
  • DKIM aligns with the visible From domain, or a domain under the same organizational domain, when required by DMARC.

Alignment matters because users see the From domain. If your ESP authenticates only its own domain, Gmail may treat your setup as weaker than you expect.

Publish a DMARC record and move toward stronger policy over time

DMARC tells receivers what to do when SPF and DKIM do not align with the visible From domain. It also gives you reporting.

Start with a monitoring policy if you are not ready to enforce:

_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

Then move toward stronger policies after you verify legitimate mail streams:

_dmarc.example.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

Eventually, many mature senders move to:

_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

Do not jump to reject without auditing all sources. You can break legitimate mail from billing tools, CRMs, support desks, or internal systems.

Use TLS, valid forward/reverse DNS, and consistent From domains

Gmail expects responsible sending infrastructure.

Confirm that:

  • Your ESP uses TLS for mail transfer.
  • Sending IPs have valid reverse DNS.
  • Reverse DNS maps to a sensible hostname.
  • The hostname has forward DNS.
  • HELO/EHLO names are valid.
  • Your visible From domain stays consistent.
  • Your return-path and tracking domains are configured correctly.

Consistency helps Gmail build trust. Constantly changing domains, IPs, From names, and tracking hosts looks risky.

Add one-click unsubscribe for subscribed marketing mail

Marketing and subscription mail should support easy unsubscribing.

For Gmail bulk sender requirements, one-click unsubscribe matters because Gmail wants users to leave lists without hitting “Report spam.”

Use the List-Unsubscribe and List-Unsubscribe-Post headers where applicable:

List-Unsubscribe: <https://example.com/unsubscribe/abc123>, <mailto:unsubscribe@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

You should also include a visible unsubscribe link in the message body.

Make unsubscribe handling fast and reliable:

  • Do not require login.
  • Do not hide the link.
  • Do not make users confirm multiple times.
  • Suppress unsubscribed users across all relevant systems.
  • Process unsubscribe requests quickly.

If a Gmail user wants out, make the unsubscribe easier than the spam button.

Keep spam complaint rates low and monitor reputation signals

A high spam complaint rate tells Gmail that users do not want your mail. Keep it as low as possible.

Watch these signals:

  • Spam complaint rate
  • Hard bounce rate
  • Deferrals and temporary failures
  • Inbox vs. spam placement trends
  • Open and click trends by segment
  • Unsubscribe rate
  • “Never engaged” audience size
  • Domain and IP reputation in available postmaster tools

Do not rely on one metric. Gmail filtering uses many signals. A low bounce rate does not offset poor engagement or high complaints.

Why list quality matters for Gmail compliance

List quality matters because Gmail uses recipient response and delivery outcomes to judge whether your mail deserves inbox placement.

Authentication gets you through the identity check. Your list determines what happens next.

Bad addresses create bad signals

Invalid and risky addresses hurt you in several ways:

  • Hard bounces show poor list maintenance.
  • Recycled mailboxes may belong to users who never requested your mail.
  • Disposable addresses often create low engagement and high churn.
  • Role accounts like info@ or admin@ may have unclear ownership.
  • Typos create avoidable bounces.
  • Catch-all domains can accept mail during SMTP but still hide mailbox-level risk.

A few bad addresses will not destroy a sender. A pattern of sending to bad addresses will.

Bounces and complaints affect Gmail filtering

Gmail does not need to wait for a campaign to finish. It can react during delivery.

If early sends produce hard bounces, spam complaints, low engagement, or negative filtering signals, later messages in the same campaign may perform worse.

This is why “send first, clean later” is risky. You pay the reputation cost before you get the data.

Verify before you send

Verify email addresses at the points where bad data enters your system:

  • Signup forms
  • Lead capture forms
  • Webinar registrations
  • Checkout flows
  • Free trial forms
  • CRM imports
  • Partner lead uploads
  • Re-engagement campaign prep
  • Cold outreach list review

Verification should not replace consent. It answers a different question. A verified address may be deliverable, but that does not mean the recipient asked for your mail.

Use verification to reduce hard bounces and obvious risk. Use permission, relevance, and segmentation to reduce complaints.

How to audit your current Gmail readiness

A Gmail readiness audit checks authentication, reputation, list sources, and operational ownership.

Do this before high-volume sends, domain migrations, ESP changes, or major campaigns.

Review DNS authentication records and alignment

Start with your active sending domains and subdomains.

For each one, document:

  • Visible From domain
  • Return-path domain
  • DKIM signing domain
  • SPF record
  • DMARC record
  • Tracking domain
  • Sending ESP or platform
  • Mail stream owner
  • Current policy and enforcement level

Then send test messages to Gmail and inspect the headers. Confirm that SPF, DKIM, and DMARC pass. Check which domains align.

You want to see results like:

spf=pass
dkim=pass
dmarc=pass

If DMARC passes only because SPF aligns, make sure DKIM alignment also works. DKIM tends to survive forwarding better than SPF.

Look beyond account-level averages.

Break metrics down by:

  • Domain, especially Gmail
  • Mail stream
  • Signup source
  • Campaign type
  • Audience age
  • Engagement recency
  • Geography, if relevant
  • ESP or sending IP pool

A total bounce rate can look fine while one imported segment is damaging reputation. Segment-level review finds the problem sooner.

Watch for patterns like:

  • Gmail deferrals increasing
  • Gmail opens dropping faster than other domains
  • Hard bounces concentrated in one source
  • Complaints from old or unengaged users
  • High unsubscribe rates after list imports
  • Repeated sends to suppressed users

Identify risky sources

Most Gmail compliance problems start upstream.

Review these sources closely:

  • Old lists that have not been mailed in months or years
  • Scraped contacts
  • Purchased lists
  • Imported CRM records with unknown origin
  • Event badge scans without clear consent
  • Co-marketing lists
  • Disposable email signups
  • Free trial abuse
  • Role accounts from enrichment tools
  • Contacts added manually by sales teams

Assign a risk level before sending.

SourceRisk levelRecommended action
Recent double opt-in subscribersLowSend normally and monitor
Recent product signupsLow to mediumVerify at signup and segment by engagement
CRM contacts with clear consentMediumVerify before campaigns and suppress inactive users
Old newsletter listMedium to highVerify, re-permission, and ramp slowly
Scraped or purchased contactsHighDo not send marketing mail
Disposable-heavy signup sourceHighBlock or challenge risky signups

Document ownership

Compliance fails when no one owns the process.

Document who owns:

  • DNS records
  • ESP authentication
  • DMARC reporting
  • Complaint monitoring
  • Unsubscribe handling
  • Suppression lists
  • Lead import approval
  • Verification rules
  • Campaign segmentation
  • Incident response when Gmail performance drops

You do not need a large team. You need clear responsibility.

Common Gmail sender requirement mistakes

Most Gmail sender requirement mistakes come from treating compliance as a setup task instead of a sending discipline.

Avoid these common failures.

Using SPF but forgetting DKIM or DMARC

SPF is only one part of email authentication. Gmail expects modern senders to use SPF, DKIM, and DMARC together.

If you only configure SPF, you leave gaps:

  • Forwarding may break SPF.
  • DMARC may fail without alignment.
  • Gmail has less confidence in your domain identity.
  • Spoofing protection stays weak.

Authenticating the ESP domain but not aligning the visible From domain

Some senders see “authenticated” in an ESP dashboard and assume everything is done.

Check the actual message headers. The ESP may authenticate its own domain while your visible From domain remains unauthenticated or unaligned.

That can cause DMARC failures and weaker trust.

Continuing to send to hard bounces or inactive users

A hard bounce should usually be suppressed immediately. Repeated sends to addresses that already failed tell Gmail you are not maintaining your list.

Inactive users also need rules. If someone has not opened, clicked, logged in, or purchased for a long time, reduce frequency or move them into a re-engagement path. If they still do not respond, suppress them.

Relying on a one-time list clean

A one-time clean helps before a large campaign. It does not protect your list tomorrow.

Bad addresses enter constantly through:

  • Typos
  • Fake signups
  • Bots
  • Disposable domains
  • CRM imports
  • Manual entry
  • Old integrations

Use ongoing verification at entry points and before risky sends.

Treating compliance as a one-off setup

DNS can pass while reputation declines.

Review Gmail readiness on a schedule. Also review it after:

  • ESP migrations
  • Domain changes
  • New lead sources
  • New automation flows
  • Volume increases
  • Deliverability drops
  • Product-led growth changes
  • Sales process changes

Gmail compliance is operational. Keep it maintained.

How Bounceable supports Gmail deliverability

Bounceable supports Gmail deliverability by reducing invalid and risky addresses before they reach your campaigns.

It verifies whether an address is deliverable before you send. That helps reduce hard bounces, protect sender reputation, and keep your list cleaner over time.

Use real-time verification before the first send

The best time to catch a bad address is at signup.

Real-time verification lets you:

  • Block obvious invalid addresses
  • Suggest typo fixes like gmial.com to gmail.com
  • Flag disposable domains
  • Detect risky catch-all domains
  • Score bounce risk before adding a contact to campaigns

A typical verification result might look like this:

{
  "email": "alex@example.com",
  "verdict": "risky",
  "deliverability": "unknown",
  "risk_score": 72,
  "checks": {
    "syntax": "pass",
    "mx": "pass",
    "disposable": false,
    "role_account": false,
    "catch_all": true
  },
  "suggestion": null
}

You can use that result to decide whether to accept, block, challenge, suppress, or route the address for review.

Check the risk signals that matter

For Gmail readiness, focus on risk signals that affect bounce and complaint outcomes.

Bounceable can help identify:

  • Undeliverable addresses that would likely hard bounce
  • Disposable or burner domains that often produce low-quality signups
  • Role accounts like support@, sales@, or info@
  • Catch-all domains where mailbox-level certainty is lower
  • Typo domains that create preventable bounces
  • Free provider addresses for segmentation and analysis
  • Risky addresses that need throttling, confirmation, or exclusion

Do not treat every risky result the same. A catch-all business domain may be worth keeping with lower confidence. A disposable signup on a free trial abuse path may deserve a hard block.

Add verification to the workflows that feed Gmail sends

Put verification where it prevents damage.

Good insertion points:

  1. Signup forms
    Verify in real time before creating a marketing subscriber.

  2. Lead imports
    Check CSV and CRM imports before sales or lifecycle sequences start.

  3. Campaign prep
    Re-verify older segments before large sends to Gmail-heavy lists.

  4. Reactivation campaigns
    Clean stale addresses before asking inactive users to engage.

  5. Automation entry rules
    Keep risky addresses out of high-frequency journeys.

Bounceable ships a REST API and integrations through Zapier, Pipedream, and Apify, so you can add checks without rebuilding your stack.

A simple API flow looks like this:

curl -X POST "https://api.example.com/verify" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email":"alex@example.com"}'

Use the response to apply your own policy. For example:

  • Accept deliverable
  • Suppress undeliverable
  • Ask for confirmation on risky
  • Review or throttle unknown
  • Suggest corrections for common typos

That policy keeps list quality connected to Gmail compliance. It also gives marketing, lifecycle, and RevOps teams a shared rulebook.

Catch bad addresses before they bounce.
Verify your list free

Frequently asked questions

Keep reading