The sender requirements, without the panic.

For most of email's history, authentication and list hygiene were best practices: things good senders did and bad senders skipped with few consequences. That era ended. The major providers now enforce a baseline, and mail that misses it gets rejected or junked regardless of how legitimate the sender's business is. The receivers are not being hostile. They are drowning in spoofed and unwanted mail, and the baseline is how they tell the difference at scale.

The requirements cluster into three groups: prove who you are, make leaving easy, and stay under the complaint ceiling. Every rule below is one of those three ideas wearing technical clothes.

All senders need SPF or DKIM passing. Bulk senders (the common threshold cited is around 5,000 messages a day to a provider, but treat that as a floor, not a safe harbor) need both, plus a DMARC record, with the domain in your visible From address aligned to the domain that authenticated. Alignment is where most legitimate senders quietly fail: SPF passes for your ESP's domain, DKIM signs with the ESP's key, and DMARC fails anyway because none of it matches the From your recipients see.

The operational traps worth knowing: SPF has a hard limit of 10 DNS lookups, and nested includes from years of accumulated tools blow past it silently. DKIM keys need rotation, and a selector that worked at setup can be broken by a website migration two years later. DMARC at p=none satisfies the letter of the requirement today, but the direction of travel is clearly toward enforcement policies, and a record parked at none since 2021 is a signal in itself.

Also in this group: a PTR (reverse DNS) record that resolves and matches your sending host, and TLS on the sending connection. Both are table stakes that self-hosted setups most often miss.

Bulk and promotional senders must support RFC 8058 one-click unsubscribe: the List-Unsubscribe and List-Unsubscribe-Post headers, honored within two days. The logic is blunt and correct: a recipient who cannot leave easily leaves by pressing "spam" instead, and that button costs you far more than the subscriber did.

The subtlety: the unsubscribe must actually work, immediately and without a login wall, and the suppression must hold even when your marketing tools re-import an old list next quarter. Honored requests that get un-honored by a sync bug are how careful senders end up with complaint problems.

Gmail's published threshold: keep spam complaint rates below 0.3%, and ideally below 0.1%. Above the line, placement degrades for the whole sender, not just the offending campaign. The practical implications are bigger than the number suggests. You need a feedback signal to know your rate at all (Postmaster Tools, FBLs, complaint indicators), you need list hygiene so dead and disposable addresses are not inflating your denominators and bounce rates, and you need stream separation so one aggressive campaign cannot spend the complaint budget your receipts depend on.

This is also the group where "we only send to people who signed up" stops being a policy statement and starts being something you have to demonstrate continuously, with bounce classification, suppression, and complaint handling running underneath every send.

Every requirement above was a recommendation for years before it became a rule. That pattern is the single most useful thing to take from this page: the providers tell you where enforcement is going long before the deadline, in postmaster guidelines and standards work. DMARC enforcement policies, stricter alignment, tighter complaint math: the writing is on the wall in the usual places. Senders who implement at the recommendation stage experience enforcement day as a non-event. Senders who wait experience it as a quarter of remediation under pressure. We run our network on the first approach, and mail here already passed when the 2024 rules landed.