Troubleshooting

Klaviyo and the Gmail/Yahoo bulk sender requirements

What Gmail and Yahoo's February 2024 bulk sender requirements actually require — DKIM, SPF, DMARC, one-click unsubscribe, complaint-rate ceiling — and where Klaviyo senders trip.

Published: 2026-05-19

The Gmail and Yahoo bulk-sender requirements that took effect in February 2024 changed how serious email senders operate. The technical requirements aren't novel — DKIM, SPF, and DMARC have been best-practice for years. What changed is the enforcement. ISPs that previously accepted unauthenticated mail at low engagement penalty now penalize it sharply. The complaint-rate ceiling, previously a soft guideline, became a hard line.

This page covers what the requirements actually demand, how Klaviyo handles each piece, and where operator action is required to stay compliant. If you're seeing delivery drops to Gmail or Yahoo specifically, work through this checklist — most of the time, the cause is one of the five items below.

Quick diagnosis checklist

  • Settings → Domains → check DKIM, SPF, and DMARC status for your sending domain. All three should show verified/passing.
  • Send a test email to a Gmail address. View headers ("Show original"). Look for dkim=pass, spf=pass, dmarc=pass.
  • Check your spam complaint rate in Analytics → Deliverability. Should be below 0.1%. Above 0.3% triggers Gmail enforcement.
  • Open a recent email in Gmail. Confirm there's an unsubscribe button at the top, next to the From: line. That's one-click unsubscribe. If it's not there, your List-Unsubscribe-Post header isn't being set.
  • Calculate your daily volume to Gmail and Yahoo combined. If over 5,000/day, full requirements apply.
  • Check From: alignment. Your From: domain should match (or be a subdomain of) your DKIM signing domain for DMARC alignment.

1. DKIM signing and alignment

DKIM signs each outgoing email with a cryptographic signature that the receiving ISP verifies against a public key published in your DNS. Without valid DKIM, Gmail and Yahoo treat the mail as unauthenticated.

What Klaviyo handles. By default, Klaviyo signs all sends with DKIM using its default sender key. For accounts with a branded sending domain configured, Klaviyo signs with your domain's key instead.

What you handle. Publishing the DKIM CNAME records in your domain's DNS. Klaviyo's branded-sending-domain setup walks you through this. Confirm in Settings → Domains that the records are published and show as verified.

The alignment requirement. DKIM-pass alone isn't enough — DMARC alignment requires the DKIM signing domain match (or be a subdomain of) your From: address domain. Sending from hello@yourbrand.com with DKIM signed by Klaviyo's default sender means DKIM passes but DMARC doesn't align. The fix is a branded sending domain that matches your From: domain.

2. SPF record with Klaviyo included

SPF lists the IPs and services authorized to send mail for your domain. Without Klaviyo in your SPF record, mail sent through Klaviyo can fail SPF authentication at receiving ISPs.

What Klaviyo handles. Klaviyo's sending IPs are stable and Klaviyo provides the SPF include string for you to add.

What you handle. Adding the include to your SPF record. The exact value is in Klaviyo's domain setup documentation. The include directive looks like include:_spf.klaviyo.com and should be added to your existing SPF record, not as a separate record.

The lookup-limit gotcha. SPF allows up to 10 DNS lookups per evaluation. Each include uses one or more lookups. If your existing SPF is already at or near the limit, adding Klaviyo's include pushes you over and SPF fails entirely. See the branded sending domain page for how to handle this.
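The lookup-limit arithmetic, as an added example (not code from Klaviyo or from this page's author): it counts the DNS-querying terms in an SPF record recursively and shows a record sitting at 10 lookups tipping to 11 once the Klaviyo include is merged in. Every record in `ZONE` is constructed for illustration, including the contents shown for `_spf.klaviyo.com`; in practice you would fill the map from live TXT lookups.

```python
# Constructed SPF records (not real DNS answers): domain -> TXT record.
ZONE = {
    "yourbrand.com": "v=spf1 include:_spf.mailhost.example include:_spf.helpdesk.example "
                     "include:_spf.crm.example a mx ~all",
    "_spf.mailhost.example": "v=spf1 include:_a.mailhost.example "
                             "include:_b.mailhost.example include:_c.mailhost.example ~all",
    "_spf.helpdesk.example": "v=spf1 include:_pool.helpdesk.example ~all",
    "_spf.crm.example": "v=spf1 include:_pool.crm.example ~all",
    # Placeholder contents; Klaviyo's real record is whatever its DNS publishes.
    "_spf.klaviyo.com": "v=spf1 ip4:198.51.100.0/24 ~all",
}
for leaf in ("_a.mailhost.example", "_b.mailhost.example", "_c.mailhost.example",
             "_pool.helpdesk.example", "_pool.crm.example"):
    ZONE[leaf] = "v=spf1 ip4:192.0.2.0/24 ~all"   # ip4/ip6 terms cost no lookups

SPF_LIMIT = 10                                   # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"a", "mx", "ptr", "exists"}      # each costs one DNS lookup

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms evaluated for domain's SPF record, recursively."""
    if domain in path:                           # include loop: stop recursing
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:    # skip "v=spf1"
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[9:], zone, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        if name == "include":                    # one lookup plus whatever it pulls in
            total += 1 + count_lookups(arg, zone, path + (domain,))
        elif name.split("/")[0] in LOOKUP_TERMS:  # "a/24" counts as "a"
            total += 1
    return total

def add_include(record, target):
    """Merge include:<target> into an existing record, ahead of the final 'all'."""
    terms = record.split()
    pos = len(terms) - 1 if terms[-1].lstrip("+-~?") == "all" else len(terms)
    return " ".join(terms[:pos] + ["include:" + target] + terms[pos:])

def spf_within_limit(domain, zone):
    return count_lookups(domain, zone) <= SPF_LIMIT

merged = dict(ZONE)
merged["yourbrand.com"] = add_include(ZONE["yourbrand.com"], "_spf.klaviyo.com")
print(count_lookups("yourbrand.com", ZONE), count_lookups("yourbrand.com", merged),
      spf_within_limit("yourbrand.com", merged))
```

Run the count before publishing the merged record: nested includes at other vendors can change without notice, so a record that passed last quarter may not pass today.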

3. DMARC policy at the root domain

DMARC ties DKIM and SPF together and tells receiving ISPs what to do when authentication fails. The Gmail/Yahoo requirements demand a DMARC policy of at least p=none (which monitors but doesn't enforce) with valid reporting addresses.

What Klaviyo handles. Nothing directly — DMARC is a domain-level policy.

What you handle. Publishing a DMARC TXT record at _dmarc.yourbrand.com. The minimum-viable record is:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourbrand.com

p=none is monitor-only: it doesn't block failed mail but tells ISPs you have DMARC in place. Stricter policies (p=quarantine, p=reject) instruct ISPs to act on mail that fails DMARC.

The progression. Start with p=none while you fix authentication issues. Once DKIM and SPF are consistently passing, you can move to p=quarantine (failed mail goes to spam) and eventually p=reject (failed mail is rejected outright). Don't move to strict policies until your authentication is solid; you'll reject your own mail otherwise.

4. One-click unsubscribe (List-Unsubscribe-Post header)

The new requirement that surprised most operators. Bulk senders must support one-click unsubscribe — a header that lets the receiving email client process unsubscribe with a single POST request rather than redirecting the user through a web form.

What Klaviyo handles. Klaviyo sets the List-Unsubscribe and List-Unsubscribe-Post headers automatically on all sends, provided your account is configured correctly.

What you handle. Confirming the headers are enabled. Settings → Email → Sender info. The headers should be on by default for new Klaviyo accounts; older accounts that pre-date the requirement may need to enable them explicitly.

How to verify it's working. Send a test email to Gmail. Open the email. Look at the top of the message, next to the From: line. There should be an "Unsubscribe" link visible directly in Gmail's UI (separate from any unsubscribe link in your email body). That's the one-click unsubscribe Gmail expects.

Why this matters more than it looks. When users can't unsubscribe easily, they mark spam instead. Gmail's research showed that mandatory one-click unsubscribe drove the average complaint rate of bulk senders down meaningfully. It's not just a checkbox — it's a structural reduction in complaints.

5. Spam complaint rate below 0.3%

Gmail's hard ceiling. Sustained complaint rates above 0.3% to Gmail trigger reputation degradation that compounds. The ceiling is per-ISP — Yahoo, Microsoft, and Apple have their own thresholds but Gmail's is the publicly stated one.

What Klaviyo handles. Klaviyo aggregates ISP feedback loops and computes your complaint rate. You can see it in Analytics → Deliverability.

What you handle. Keeping the rate low. The mechanisms: send to engaged audiences, manage frequency, write content that matches subscriber expectations, make unsubscribe one-click easy, and clean up duplicate sends. See Klaviyo spam complaint rate too high for the full playbook.

The hidden ceiling. Gmail's threshold is 0.3% but most senders should aim for under 0.1%. The buffer matters because complaint rate is volatile — a single bad campaign can push you up significantly, and you want headroom to absorb that without crossing the line.

What happens when you fail

Gmail and Yahoo's enforcement is progressive:

  • First level. Reduced inbox placement. Your mail goes to inbox at lower rates; more lands in spam or promotional tabs. You see this as an open-rate cliff.
  • Second level. Temporary throttling. Gmail starts deferring (delaying) your mail and limiting throughput. You see this as slow campaign sends and rising bounce rates with 4xx deferred codes.
  • Third level. Filtering and blocking. Mail is reliably classified as spam, or rejected outright. You see this as catastrophic delivery rates to Gmail addresses.
  • Fourth level. Domain-level blocks. In severe cases, Gmail blocks all mail from your sending domain. Recovery from this state can require migrating to a fresh sending domain.

The progression usually takes weeks. If you catch the issue at level one, recovery is straightforward. If you're at level three, recovery is slow.

How to verify your compliance

  1. Send a test email to a Gmail address. View source (Show original). Confirm:
    • dkim=pass
    • spf=pass
    • dmarc=pass
    • From: domain aligns with DKIM signing domain
  2. Confirm one-click unsubscribe is visible in Gmail's UI when viewing the message.
  3. Check Analytics → Deliverability. Complaint rate under 0.1%. Bounce rate under 2%.
  4. Repeat for a Yahoo address. Same authentication checks apply.
  5. Schedule a monthly compliance check. Authentication can break without warning; complaint rate drifts.
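The header checks from steps 1 and 2, scripted as an added example (not part of the original page or of Klaviyo's tooling): it reads a saved "Show original" message and reports which checks fail. The two messages, the `sel1` selector, and the `unsub.example` and `shared-esp.example` names are constructed; the alignment test follows this page's "match or subdomain" rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of what "Show original" returns; not a real message.
RAW = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@send.yourbrand.com header.s=sel1;
 spf=pass smtp.mailfrom=bounce@send.yourbrand.com;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourbrand.com
From: Your Brand <hello@yourbrand.com>
List-Unsubscribe: <https://unsub.example/u/abc>, <mailto:unsub@send.yourbrand.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Subject: Test send

Hello
"""
# Same message signed by a shared ESP domain and without the one-click header.
BAD = (RAW.replace("@send.yourbrand.com header.s", "@shared-esp.example header.s")
          .replace("dmarc=pass", "dmarc=fail")
          .replace("List-Unsubscribe-Post: List-Unsubscribe=One-Click\n", ""))

def aligned(from_domain, signing_domain):
    """Page's rule: domains match or one is a subdomain of the other (a
    simplification; receivers compare organizational domains)."""
    a, b = from_domain.lower(), signing_domain.lower()
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check_message(raw):
    """Return {check_name: passed} for the items in the verification list."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", auth))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    signer = re.search(r"dkim=pass[^;]*?header\.[id]=@?([\w.-]+)", auth)
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    return {
        "dkim": verdicts.get("dkim") == "pass",
        "spf": verdicts.get("spf") == "pass",
        "dmarc": verdicts.get("dmarc") == "pass",
        "aligned": bool(signer) and aligned(from_domain, signer.group(1)),
        # RFC 8058: the Post header plus an HTTPS URI in List-Unsubscribe.
        "one_click": post == "list-unsubscribe=one-click"
                     and "<https://" in msg.get("List-Unsubscribe", "").lower(),
    }

def failed_checks(raw):
    return sorted(name for name, ok in check_message(raw).items() if not ok)

print(failed_checks(RAW), failed_checks(BAD))
```

The `BAD` message is the case section 1 describes: DKIM itself passes, but the signature belongs to a domain unrelated to the From: address, so alignment and DMARC fail.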

Why this keeps happening

The Gmail/Yahoo requirements aren't one-time configuration — they're an ongoing operational state. DKIM records can be removed by team members or DNS provider changes. SPF records get edited as you add other services and exceed the lookup limit. DMARC policies can be tightened or loosened without coordination. Complaint rate drifts based on every campaign you send.

Each individual change is small. The cumulative effect over months is drift away from compliance, often invisible until the deliverability impact arrives. Continuous monitoring of authentication status, complaint rate, and per-ISP delivery rates is the structural fix — catching drift the day it happens rather than the quarter you notice. We track each of these signals hourly so the requirements stay met, not just configured once and forgotten.

Frequently asked questions

What are the Gmail and Yahoo bulk sender requirements?
As of February 2024, bulk senders (over 5,000 emails per day to Gmail or Yahoo) must authenticate mail with both DKIM and SPF, publish a DMARC policy at the root domain, support one-click unsubscribe (List-Unsubscribe-Post header), and keep their spam complaint rate below 0.3%. Smaller senders are encouraged but not required to meet the same standards.

Do the Gmail and Yahoo requirements apply to Klaviyo users?
Yes, if you send more than 5,000 emails per day to Gmail or Yahoo addresses combined. The threshold counts inbox sends, not total list size. Most serious DTC senders cross 5,000/day at modest list sizes, so the rules apply broadly. Klaviyo's infrastructure handles the technical requirements, but the operator must configure DKIM, SPF, and DMARC correctly on their sending domain.

What happens if I don't meet the Gmail/Yahoo requirements?
Gmail and Yahoo will progressively reduce delivery to their inboxes. Initial enforcement was warning-level (some throttling); current enforcement is firm — sustained non-compliance leads to inbox placement dropping to spam folder, and in severe cases, full sender blocking. The path back is hard once you've fallen out of trust.

Is Klaviyo's default sending compliant with the requirements?
Klaviyo's sending infrastructure is compliant by default — they handle the DKIM signing and SPF authentication. The piece that requires operator action is configuring your sending domain's DNS records (DKIM CNAMEs, SPF includes, DMARC TXT) and ensuring one-click unsubscribe is enabled on your account. Without correct DNS configuration on your end, you won't pass.

What is one-click unsubscribe and how do I enable it in Klaviyo?
One-click unsubscribe is the List-Unsubscribe-Post header — a technical header that lets email clients show an 'Unsubscribe' button next to the From: line and process the unsubscribe with a single POST request. Klaviyo enables this by default for accounts that have completed sender setup correctly. Verify in Settings → Email → Sender info that List-Unsubscribe-Post is enabled.

How does Klaviyo measure my complaint rate for the 0.3% ceiling?
Klaviyo aggregates complaint signals from ISP feedback loops with Gmail, Yahoo, Microsoft, and Apple. The complaint rate is expressed as percentage of delivered emails (not sent — only emails that reached the inbox). Gmail's ceiling specifically is for sends to Gmail addresses; the same logic applies per-ISP.

Will my deliverability recover if I fix my authentication after failing?
Slowly. ISP reputation has long memory. Fixing authentication immediately stops further damage, but recovering trust takes 4-8 weeks of clean sending. Severe non-compliance (sustained sending without authentication for months) takes longer; some senders never fully recover and end up needing to migrate to a new sending domain.