Gmail Bulk Sender Compliance Checklist

Who Does This Checklist Apply To?

Gmail's bulk sender rules apply to any domain that sends 5,000 or more messages per day to Gmail addresses. Outlook uses a similar threshold. But even if you send fewer than 5,000, compliance directly determines whether your emails land in the inbox or spam folder.

The 12-Step Gmail Bulk Sender Compliance Checklist

Step 1: Publish a Valid SPF Record

Sender Policy Framework (SPF) tells mailbox providers which IP addresses are authorized to send email on behalf of your domain. Without SPF, Gmail immediately flags your emails as suspicious. An invalid or missing SPF record causes a 73% drop in inbox placement.

Your SPF record lives in your DNS as a TXT record. It lists every service that sends email for your domain: your ESP (Mailchimp, SendGrid, Klaviyo), your web server, and any third-party tools.

"v=spf1 include:mailgun.org include:sendgrid.net ~all"

// v=spf1   → SPF version identifier (required)
// include: → Authorize third-party senders
// ip4:     → Authorize your own mail server IPs
// ~all     → SoftFail: mark unauthorized as suspicious
// -all     → HardFail: reject unauthorized (stricter)

Verification: Run dig TXT yourdomain.com and confirm the SPF record is present and parseable. Tools like MXToolbox SPF Checker validate syntax automatically.

Step 2: Sign Emails with DKIM

DomainKeys Identified Mail (DKIM) adds a digital signature to every email you send. When Gmail receives a message, it verifies the signature against the public key published in your DNS. A valid DKIM signature proves the email wasn't altered in transit.

Most ESPs (SendGrid, Mailgun, Klaviyo) handle DKIM signing automatically once you add their CNAME records to your DNS. For self-hosted sending, use OpenDKIM or your MTA's built-in signing.

// DKIM public key published in DNS (TXT record)
// Host: selector._domainkey.yourdomain.com
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN..."

// Verify DKIM is working:
// Send a test email to check-auth@verifier.port25.com

Step 3: Enforce Policy with DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together under a single policy. It tells Gmail what to do when authentication fails: quarantine the email, reject it entirely, or just monitor.

Gmail requires a DMARC policy for bulk senders. Start with p=none to monitor, then move to p=quarantine, and eventually p=reject for maximum protection.

// DMARC TXT record
// Host: _dmarc.yourdomain.com
"v=DMARC1; p=quarantine; rua=mailto:dmarc@domain.com; pct=100"

// p=quarantine → Send failures to spam (start here)
// p=reject     → Block failures entirely (target)
// p=none       → Monitor only (initial setup)
// rua=         → Aggregate reports sent to this address

Step 4: Implement One-Click Unsubscribe

Gmail mandates a List-Unsubscribe header for all bulk senders. Recipients must be able to unsubscribe with a single click—no login required, no multi-step forms. The mailto: method is accepted, but HTTP-based one-click is preferred.

List-Unsubscribe: <https://domain.com/unsub?id=abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

// The List-Unsubscribe-Post header tells Gmail
// that the unsubscribe URL works with one click

Step 5: Keep Spam Complaints Below 0.3%

Gmail's spam complaint threshold is 0.3%—three complaints per 1,000 delivered messages. Exceed this and Gmail throttles your delivery, pushes more emails to spam, and may temporarily block your domain. This is the single most critical operational metric.

Step 6: Validate Email Lists Before Every Campaign

Invalid email addresses inflate your bounce rate and trigger spam traps. Gmail treats high bounce rates as a signal that you're sending to purchased or stale lists. Before any campaign, run your list through an email validation API to remove:

• Invalid syntax and formatting errors—catches misspellings like user@gmial.com
• Non-existent mailboxes—SMTP verification confirms the mailbox exists without sending email
• Disposable email domains—blocks temporary addresses from 5,000+ services
• Role-based addresses—flags abuse@, postmaster@, and spam@
• Catch-all domains—identifies domains that accept all emails but may not deliver them

const response = await fetch(
  'https://api.email-check.app/v1/validate',
  {
    method: 'POST',
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({ email: 'user@example.com' })
  }
);

const result = await response.json();

// Filter out invalid emails before sending
const shouldSend = result.status === 'deliverable'
  && !result.disposable
  && !result.roleBased;

// For bulk validation, upload CSV files directly
// via the Email-Check.app dashboard:
// 1. Upload your subscriber CSV
// 2. Select validation checks (SMTP, disposable, etc.)
// 3. Download cleaned list with invalid emails removed

Step 7: Set Up Google Postmaster Tools

Google Postmaster Tools provides direct insight into your domain reputation with Gmail. It shows your spam rate, authentication pass rate, IP reputation, and domain reputation. This is the single most important monitoring tool for bulk senders—and it's free.

1. Add and verify your domain at postmaster.google.com using a DNS TXT record
2. Monitor spam rate weekly—keep it under 0.3% at all times
3. Track authentication rate—should be 99%+ for both SPF and DKIM
4. Watch domain reputation—starts at "Low" and improves as you build positive sending history
5. Set up alerts—configure notifications when any metric drops below safe thresholds

Step 8: Use Consistent From Headers

Gmail expects the From: header domain to match your sending domain. The From domain must be the authenticated domain—no exceptions for bulk senders. Avoid frequently changing display names or From addresses. Consistency builds trust with Gmail's filters and reduces phishing detection triggers.

Step 9: Make Unsubscribe Easy in Email Body

Beyond the List-Unsubscribe header, include a visible, functional unsubscribe link in the email body itself. Gmail's algorithms detect hidden or misleading unsubscribe links and penalize senders. Place the link in the footer with clear text like "Unsubscribe" or "Manage preferences."

Step 10: Warm Up New Sending Domains

New domains have no sender reputation. Gmail treats unknown senders with suspicion until they build a positive track record. A proper warmup schedule gradually increases sending volume over 4-6 weeks:

Step 11: Implement BIMI for Brand Logos

Brand Indicators for Message Identification (BIMI) displays your company logo next to emails in Gmail and supported providers. While not mandatory for compliance, BIMI requires fully deployed DMARC and serves as a trust signal that boosts open rates by 10-15%.

Requirements: DMARC policy at p=quarantine or p=reject, an SVG logo file, and a VMC (Verified Mark Certificate) from a DigiCert-approved provider.

Step 12: Remove Spam Traps with List Hygiene

Spam traps are email addresses created specifically to catch senders with poor list hygiene. They look like normal addresses but trigger immediate reputation damage when you send to them. Types include:

• Pristine traps—email addresses that never signed up for anything. Hitting one signals you purchased or scraped a list.
• Recycled traps—abandoned email addresses repurposed by ISPs. Common in old lists that haven't been cleaned in 6+ months.

The most effective defense is proactive list validation before every send. Email-Check.app's SMTP verification identifies non-existent mailboxes and catch-all domains that often harbor recycled traps.

Pre-Campaign Quick Reference

Run through this checklist before every campaign send to ensure compliance:

Case Study: E-Commerce Brand Avoids Gmail Blacklisting

A mid-market e-commerce brand sending 120K emails daily discovered their spam rate had crept to 0.47% after six months without list cleaning. Gmail started throttling 40% of their sends, and domain reputation dropped to "Low."

Key action: Pre-send list validation with Email-Check.app removed 14,400 invalid addresses from their 120K list in under 2 minutes via bulk CSV upload. Bounce rate dropped from 11.2% to 1.1% in the first campaign after implementation, and domain reputation recovered from "Low" to "High" in 18 days.

Monitoring & Responding to Issues

Compliance isn't a one-time setup—mailbox providers continuously evaluate your sending behavior. Build a monitoring routine:

• Daily: Check spam complaint rate in Google Postmaster Tools and your ESP dashboard
• Weekly: Review DMARC aggregate reports (use dmarcian or Valimail for automated analysis)
• Monthly: Run a full list validation and remove decayed addresses
• Quarterly: Audit SPF includes (remove services you no longer use) and review DKIM key rotation
• Immediately: If spam rate exceeds 0.2%, pause campaigns, investigate the source, and validate your list

Getting Started

The fastest path to compliance is tackling these three items today, then working through the remaining checklist items over the next two weeks:

1. Validate your email list now—use the Email-Check.app bulk CSV upload to clean your subscriber database before your next campaign
2. Set up Google Postmaster Tools—verify your domain and establish baseline metrics
3. Audit SPF, DKIM, and DMARC—use MXToolbox or Google Admin Toolbox to verify all three authentication protocols are passing

Email-Check.app handles list validation with 99.9% accuracy and 25ms response time—validate your entire list in minutes, not hours. Bulk CSV upload supports files up to 1M rows with automatic cleanup and downloadable results.

Related guides: Learn about Gmail & Outlook authentication compliance, spam trap detection and prevention, and pre-send email cost reduction strategies.