Yahoo & AOL Sender Requirements

Yahoo announced its sender requirements jointly with Gmail and began the rollout in February 2024, gradually through the first half of that year. They look a lot like Google’s, with two important differences: Yahoo refuses to publish a volume threshold, and it runs its own Complaint Feedback Loop through Sender Hub rather than a Postmaster-Tools-style dashboard.

Scope matters here. Yahoo states these rules apply to “all domains and consumer email brands hosted by Yahoo Mail,” which includes AOL. One carve-out: “Yahoo Japan is a separate entity, and we cannot speak to their plans as we do not coordinate with them.”

The 60-second version

• Effective February 2024, gradual through H1 2024. One-click unsubscribe enforcement began June 2024.
• All senders: implement SPF or DKIM at a minimum and keep the spam rate below 0.3%.
• Bulk senders: both SPF and DKIM, a valid DMARC policy at minimum p=none that passes and is aligned, and one-click unsubscribe for marketing mail.
• No published volume threshold. Yahoo “will not specify a volume threshold”; bulk classification is by sending/From-domain volume.
• Unsubscribe must be honored within 2 days. DKIM keys: minimum 1024-bit, 2048 recommended.

There is no magic number

This is the single biggest difference from Gmail. Yahoo is explicit:

“A ‘bulk’ sender is classified as an email sender sending a significant volume of mail. We will not specify a volume threshold.”

So there is no 5,000/day line to design around. Classification is based on the authenticated domain / From header domain level. The practical takeaway: do not assume that staying under Gmail’s 5,000 keeps you out of Yahoo’s bulk bucket - Yahoo decides by volume without telling you the cutoff.

Requirements for all senders

Requirement	Rule
Authentication	”Implement SPF or DKIM at a minimum”
Spam rate	”Keep your spam rate below 0.3%“

Requirements for bulk senders

Requirement	Rule
SPF + DKIM	Both required (authenticate every message with DKIM)
DKIM key length	Minimum 1024-bit; 2048 recommended
DMARC	”Publish a valid DMARC policy with at least p=none - DMARC must pass”
DMARC alignment	From: header domain must align with the SPF domain or the DKIM domain
DMARC rua	Including a rua tag is “strongly recommended”
One-click unsubscribe	RFC 8058 List-Unsubscribe-Post method “highly recommended”; mailto method “acceptable”
Spam rate	”Keep your spam rate below 0.3%“

DKIM key length, quoted

“Authenticate every email with DKIM… with a minimum 1024-bit key length… We recommend a 2048-bit key length for improved security, if possible.”

How Yahoo measures your spam rate

Yahoo computes the rate differently from how you might internally, and it tells you so:

“Spam rate is calculated in our system based on mail delivered to the inbox - keep this in mind when referencing CFL data and calculating the rate in your own system.”

If you divide complaints by total volume sent, your denominator includes mail that never reached an inbox, so your number will read lower than Yahoo’s. Calculate against inbox-delivered mail to match what Yahoo sees.

One-click unsubscribe

Yahoo enforces the List-Unsubscribe policy as of June 2024: “Enforcement of the List-Unsubscribe policy will begin in June 2024.” The mechanics, from the FAQ:

• Scope is promotional/marketing only. “One-click unsubscribe is only required for promotional/marketing messages. The requirement does not apply to transactional messages (e.g. order confirmations, password resets).”
• RFC 8058 is preferred, mailto is acceptable. “You must implement the list-unsubscribe header (preferably according to RFC 8058) in order to meet the requirement… You may also have an unsubscribe link in the body.”
• Honor it within 2 days. “If the unsubscribe is not honored in 2 days, then it would not meet the requirement.”

That 2-day window is a concrete SLA Gmail does not publish - process opt-outs well inside it.

Complaint Feedback Loop (CFL) and Sender Hub

Yahoo’s feedback mechanism is the Complaint Feedback Loop, and it is DKIM-based, enrolled through Sender Hub:

• You enroll the DKIM signing domain via Sender Hub (senders.yahooinc.com). DKIM signing is required to participate.
• Reports arrive in ARF format. The From: is “Yahoo! Mail AntiSpam Feedback”; the envelope MAIL FROM is feedback@arf.mail.yahoo.com; the CFL reports are themselves DKIM-signed with arf.mail.yahoo.com.
• There is no IP-based feedback loop. “Yahoo no longer offers IP or CIDR-based CFL reporting.” Re-enrollment in the new Sender Hub system was required, with a deadline of August 1, 2024.

Sender Hub is also the portal for domain management and sender support requests.

BIMI, ARC, and connection behavior

• BIMI: Yahoo will display a BIMI logo if a BIMI record exists, a DMARC policy of quarantine or reject is in place, the mailing is bulk, and there is sufficient reputation and engagement. Note the policy floor: p=none is enough to deliver, but not enough for a BIMI logo.
• ARC: “If you forward emails, implement ARC (Authenticated Received Chain).” Recommended, not required.
• Per-connection limits: “Yahoo accepts a limited number of messages per SMTP connection. If this per-connection limit is reached, no further messages will be accepted… our server automatically terminates the connection, without giving an error message.” Concurrent connections are allowed, but “we do not publish specific guidelines for the numbers of connections.” Expect silent connection drops rather than an error if you push a single connection too hard.

PTR / reverse DNS

Yahoo lists reverse DNS under “Additional Recommendations” rather than the hard-requirement section, but treats failure as a reputation hit:

“Publish valid, meaningful, non-generic reverse DNS (PTR) records for all of your sending IPs. Reverse DNS should reflect your domain name in some way. Do not use a reverse DNS that looks like a dynamically-assigned IP instead of a static mail server.”

Missing or generic PTR is noted to “downgrade an IP’s sending reputation.”

What Yahoo does not state

To stay honest about the source: Yahoo’s published pages do not state an explicit TLS requirement, and they do not name a HELO requirement (RFC 5321 / RFC 5322 compliance is expected generally). They also do not publish a volume threshold or per-connection numbers. “Not stated” here means absent from Yahoo’s guidance, not “safe to skip.”

Common mistakes

• Assuming Gmail’s 5,000/day keeps you out of Yahoo’s bulk rules. Yahoo publishes no threshold and classifies by volume regardless.
• Computing your complaint rate against total sent. Yahoo measures against inbox-delivered mail; match its denominator.
• Treating the unsubscribe as best-effort. The 2-day honor window is an explicit requirement, not a courtesy.
• Expecting an error when a connection is over-pushed. Yahoo drops the connection silently at the per-connection limit.
• Enrolling an IP in a feedback loop. There is no IP-based CFL; enroll the DKIM domain via Sender Hub.

What Egressif does

We authenticate every Yahoo-bound message with both SPF and DKIM (2048-bit), publish and watch DMARC with a rua address, and implement RFC 8058 one-click unsubscribe on marketing streams with opt-outs processed well inside Yahoo’s 2-day window. We enroll the DKIM signing domain in Yahoo’s Complaint Feedback Loop through Sender Hub - the only way Yahoo exposes complaint data, since there is no IP-based loop - and we calculate complaint rate against inbox-delivered mail so our number matches Yahoo’s, keeping it under 0.3%. On owned infrastructure we keep meaningful, non-generic reverse DNS that reflects the sending domain, and we manage connection concurrency so Yahoo’s silent per-connection drops do not strand a queue. We do not promise placement; these are the entry requirements, and reputation and engagement decide the rest.