Email Deliverability in 2025: How SaaS Teams Can Stay Compliant with Google, Yahoo, and Microsoft Guidelines

Author

Ishaan Sharma Roarke

If you’re a founder or RevOps manager at a SaaS business, you already know email marketing is essential. For every dollar spent, email delivers an average ROI of $36. Despite being an old technology, billions of people still use email (93% check their inbox daily). It remains the most effective channel for 50% of B2B marketers.

But none of this matters if your emails never reach users. 

In 2024, Google and Yahoo updated their email guidelines with strict rules. If your company doesn’t comply, your emails might not reach your audience, leading to missed activations, slow demo responses, and even undelivered invoices, which could cause churn.

Because email is crucial and widely abused by bad actors, Google and Yahoo enforced new requirements in February 2024 for anyone sending over 5,000 emails per day: you must authenticate your emails, offer one-click unsubscribes, and keep your spam rate below the required threshold.

What Do The New Email Guidelines Say?

Google and Yahoo now require senders to follow the SPF, DKIM, and DMARC protocols for their emails. Bulk senders must authenticate their messages with DMARC, provide a one-click unsubscribe option for marketing emails, and keep spam complaint rates at or below 0.3% at all times.

Starting in May 2025, Microsoft has also made email authentication mandatory.

You can read the full list of requirements for major mailbox providers using these links: Google, Yahoo, Outlook, Apple.

Let’s use a table to quickly lay out some of the key metrics you should be focusing on from now on. Don’t worry if you aren’t familiar with some of these terms yet. Everything will be explained later in this article.

| Requirement | Google | Yahoo | Microsoft | Apple |
| --- | --- | --- | --- | --- |
| SPF | Required for everyone (SPF or DKIM mandatory for all, both recommended; for bulk, both effectively required) | Required for everyone (at least SPF or DKIM for all, both for bulk) | Required for bulk senders | Required for bulk senders |
| DKIM | Required for everyone (DKIM or SPF for everyone; DKIM with 2048-bit key for bulk) | Required for everyone (at least SPF or DKIM for all, both for bulk) | Required for bulk senders | Required for bulk senders |
| DMARC | Required for bulk senders: DMARC record in DNS, at least p=none | Required for bulk senders: DMARC record in DNS, at least p=none | Required for bulk senders: DMARC record in DNS, at least p=none | Required for bulk senders: DMARC record in DNS, at least p=none |
| DMARC Alignment | Required for bulk senders | Required for bulk senders | Required for bulk senders | Required for bulk senders |
| TLS Encryption | Required for everyone | Not specified | Not specified | Not specified |
| PTR (reverse DNS) | Required for everyone | Required for everyone | Required for everyone | Required for bulk senders |
| From/Reply-To Validity | Required for everyone | Required for everyone | Recommended | Required for bulk senders |
| Format Messages (RFC compliance) | Required for everyone (must comply with RFC 5322) | Required for everyone (must comply with RFC 5321 and RFC 5322) | Required for everyone (must comply with RFC 5321 and RFC 5322) | Required for everyone (must comply with RFC 5321 and RFC 5322) |
| Unsubscribe Link | Required for bulk | Required for bulk | Required for bulk | Required for bulk |
| List-Unsubscribe header | Required for bulk | Required for bulk | Recommended for bulk | Not specified |
| Honor Unsubscribe Requests | Within 48 hours | Within 48 hours | Not specified | As soon as possible |
| Spam Rate | 0.1% is optimal. Less than 0.3% | Less than 0.3% | Not specified | Not specified |
| ARC Headers | Required if forwarding | Required if forwarding | Recommended if forwarding | Required if forwarding |
| Bounce Management / List hygiene | Recommended | Recommended | Recommended | Required for bulk senders |

Understanding Essential Email Authentication Terms

You’ve probably seen terms like SPF and DKIM before. If you’re not deeply technical, they might sound confusing. Here’s what they really mean:

SPF (Sender Policy Framework)

SPF is a security record you add to your domain’s DNS settings. It tells email providers which mail servers are allowed to send emails on your behalf, helping to prevent scammers from faking your address.

Here’s an example SPF record:

v=spf1 ip4:192.0.2.0 ip4:192.0.2.1 include:examplesender.email -all

  • v=spf1 shows which SPF version your server uses (version 1 is the standard).
  • ip4: and include: tell which IP addresses and domains are allowed to send emails for your domain.
  • -all means only these senders are allowed and others get rejected. You can also use ~all (soft fail), which means unauthorized senders might be marked as spam instead of fully rejected.

Here's how this works: 

If your domain is example.com and you send marketing emails from marketing@example.com, the recipient's email server (Gmail, Yahoo, etc.) looks at the return-path address (bounce@example.com) and fetches the SPF record for its domain.

If an SPF record exists, it lists which IP addresses are authorized to send emails for your domain. The receiving server then compares the IP address of the server that sent the message against the SPF record. If it matches, the email is authorized. If it doesn't match, that suggests potential email spoofing. To learn more about SPF records, consider reading this guide from Dmarcian.
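The check described above can be walked through in code. This is an added example, not code from the original article: a small evaluator for the `ip4`, `include` and `all` mechanisms (a subset of RFC 7208), run against the sample record. The `TXT` dictionary stands in for DNS, and the record published for `examplesender.email` is a hypothetical assumption.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# example.com carries the record shown above; the include target is hypothetical.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0 ip4:192.0.2.1 include:examplesender.email -all",
    "examplesender.email": "v=spf1 ip4:198.51.100.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, txt=TXT, depth=0):
    """Evaluate ip4, include and all mechanisms left to right (subset of RFC 7208)."""
    if depth > 10:  # crude guard against include loops
        return "permerror"
    record = txt.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only if the included record evaluates to pass
            matched = check_spf(ip, term[8:], txt, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


def spf_for_return_path(ip, return_path, txt=TXT):
    """SPF is looked up on the domain of the return-path, not the visible From."""
    return check_spf(ip, return_path.rsplit("@", 1)[-1].lower(), txt)
```

An address that matches nothing falls through to the final `all` term, so swapping `-all` for `~all` is the only thing that turns a `fail` into a `softfail`.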

DKIM (DomainKeys Identified Mail)

DomainKeys Identified Mail (DKIM) authentication uses public key cryptography to authenticate your emails. Think of your email as a lockbox. You have two keys for it, but one can only lock it and the other can only unlock it. One key is private. No one has access to it except whoever locked it (your email service). The other key is public, and anyone can use it to unlock the lockbox.

Your email service uses the private key to “lock” (sign) your email by attaching a digital signature in your email’s header. When someone receives an email from your domain, their email service looks up your domain’s DNS records and finds the public key.

It then uses this public key to unlock your email. If it works, it proves the email was sent by you and hasn’t been tampered with in transit.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC is the final check performed by email services to ensure that an email coming from your domain is actually from you.

While SPF and DKIM authenticate your email using its return-path, they don't verify if the “From:” email shown to the recipient matches the return-path. This is where DMARC comes in. It explicitly checks if the “From:” header domain aligns with the actual return-path.

With DMARC, you can define one of three rules: None, Quarantine and Reject.

Here’s an example of each rule:

  • v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;
  • v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com;
  • v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com;

None is used for monitoring. It doesn’t take any action to block or filter emails for your domain, but it does send reports to the address specified in your rua tag. Quarantine tells the receiving server to deliver failing messages to the spam or junk folder. Reject instructs the mail server to block emails that don’t align with your domain’s DMARC policy.

There are also optional tags like pct (percentage), rua (reporting URI for aggregate data), and ruf (reporting URI for forensic data). The pct tag specifies the percentage of emails that fail DMARC where the policy should be enforced. The rua tag takes an email address to receive aggregate reports about your domain’s email traffic. These reports are usually sent once a day and contain summary data, not personal details. The ruf tag also takes an email address; forensic reports sent to it are generated in real time and include more detailed information about specific failed messages.
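To see how the policy, the pct tag and alignment interact, here is an added example (not part of the original article) that parses the three records above and returns the action a receiver would take. It follows RFC 7489, where alignment is checked for SPF against the return-path domain and for DKIM against the signing domain. Assumptions: the organizational domain is taken as the last two labels (real receivers use the Public Suffix List), and `sample` stands in for the receiver's random draw for pct.

```python
# The three example records from the list above.
P_NONE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;"
P_QUARANTINE = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com;"
P_REJECT = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
            "ruf=mailto:dmarc-forensics@example.com;")


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain):
    # Assumption: last two labels. Wrong for suffixes such as .co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict=False):
    if strict:  # strict mode requires an exact domain match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_pass, return_path_domain,
                      dkim_pass, dkim_domain, sample=0):
    """Return 'deliver', 'quarantine' or 'reject'; sample is a draw in [0, 100)."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(return_path_domain, from_domain,
                                  tags.get("aspf", "r") == "s")
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain,
                                    tags.get("adkim", "r") == "s")
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "deliver"
    policy = tags["p"]
    if policy == "none":
        return "deliver"  # monitoring only; the failure still shows up in rua reports
    if sample >= int(tags.get("pct", "100")):
        # Outside the pct sample the next less strict policy applies.
        return "quarantine" if policy == "reject" else "deliver"
    return policy
```

A message whose SPF passes for an unrelated return-path domain still fails DMARC, which is why mail sent through an ESP usually relies on an aligned DKIM signature.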

One-Click Unsubscribe: What It Means and Why It Matters

Another thing Google now requires is that bulk email senders provide a one-click unsubscribe option.

There are two relevant email standards for this: RFC 2369 and RFC 8058. When you receive an email, Google shows an “Unsubscribe” button next to the sender’s address. This uses the RFC 2369 specification, which supports a mailto address, an HTTPS URL, or both. But clicking this button might still require extra steps, like confirming your request or giving feedback, before you’re actually unsubscribed.

RFC 8058 solves this by adding a “List-Unsubscribe-Post” header in your email with the value “List-Unsubscribe=One-Click”. This enables true one-click unsubscribe.

Think of it like this: with RFC 2369, you might still have to jump through hoops to unsubscribe. With RFC 8058, it’s really just one click. Google and Yahoo require that all unsubscribe requests be honored within 48 hours.

Example of RFC 2369:

List-Unsubscribe: <mailto:unsubscribe@example.com>, <https://example.com/unsubscribe>

When the recipient clicks the unsubscribe button, they’re either asked to send an email to the address specified in the List-Unsubscribe header or go to a URL.

Example of RFC 8058:

List-Unsubscribe: <mailto:unsubscribe@example.com>, <https://example.com/unsubscribe/12345>

List-Unsubscribe-Post: List-Unsubscribe=One-Click

When the recipient clicks the unsubscribe button, their mail server sends a POST request to the URL mentioned in the sender’s List-Unsubscribe header, and they’re automatically unsubscribed from the mailing list. No additional steps are required on their end. Here, the mailto address is optional, because one-click unsubscribe is only done by sending a POST request to the HTTPS server. It works as a backup in case an email client doesn’t support one-click unsubscribe.
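On the sending side, the URL in the header has to identify the recipient by itself, because the POST arrives with no login or cookie. The following is an added example, not code from the original article: it builds both headers with a per-subscriber HMAC token and validates the incoming request. The key, the `/unsubscribe/<id>/<token>` path layout and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

SECRET = b"constructed-demo-key"  # assumption: a real key comes from a secret store
HOST = "https://example.com"      # host from the page's example headers


def make_token(subscriber_id):
    """HMAC over the subscriber id, so the link cannot be forged or enumerated."""
    return hmac.new(SECRET, subscriber_id.encode(), hashlib.sha256).hexdigest()


def unsubscribe_path(subscriber_id):
    return f"/unsubscribe/{subscriber_id}/{make_token(subscriber_id)}"


def unsubscribe_headers(subscriber_id):
    """Headers to add to each bulk message (both must be covered by the DKIM signature)."""
    url = HOST + unsubscribe_path(subscriber_id)
    return {
        "List-Unsubscribe": f"<mailto:unsubscribe@example.com>, <{url}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def handle_unsubscribe(method, path, body, suppressed):
    """Return an HTTP status; add the subscriber to `suppressed` only on a valid POST."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "unsubscribe":
        return 404
    _, subscriber_id, token = parts
    if not hmac.compare_digest(token.encode(), make_token(subscriber_id).encode()):
        return 403  # token does not belong to this subscriber id
    if method != "POST":
        # Link scanners and previews fetch URLs with GET: show a page, change nothing.
        return 200
    if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
        return 400  # not the RFC 8058 form body
    suppressed.add(subscriber_id)  # no login, cookie or confirmation step
    return 200
```

Keeping GET side-effect free matters because security scanners follow links in mail, and a GET that unsubscribes would silently drop subscribers.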

Crafting a Robust SaaS Email Sending Architecture

Subdomain vs. Main Domain Strategy

Another best practice is to use different email addresses for different types of emails. For any critical emails sent on a case-by-case basis (user onboarding, free trial notifications, billing, or password resets), send them from your main domain (e.g., hello@example.com).

For marketing or promotional emails, use an address hosted on a subdomain (for example, marketing@promo.example.com). This helps isolate the reputation of your main domain from your marketing domain. If the marketing address ever gets flagged and its deliverability drops, your users will still reliably receive essential notifications such as renewal reminders or billing alerts.

Dedicated IP vs. Shared IP: Pros and Cons

If you’re using an email service provider (ESP) like MailChimp, you’re probably sending emails through a shared IP.

What’s a Shared IP?

As discussed earlier, email services authenticate your email’s IP address using your SPF record. With an ESP, the same IP address may be assigned to multiple users, each sending to their own customers.

You might follow all the best practices, but if someone else sharing your IP gets reported for spam, the shared IP’s reputation takes a hit, which can affect your own deliverability.

That’s where a dedicated IP comes in. A dedicated IP is a unique, static IP address that only you use. No one else shares it. Every email you send will use this IP, and you alone are responsible for its reputation.

A dedicated IP may sound ideal, but it isn’t always the best choice. If you’re not sending hundreds of thousands of emails per month, a shared IP is usually fine.

If you do opt for a dedicated IP, remember:

  • You need to warm it up. Don’t send huge batches from day one. Instead, build your reputation gradually by sending small batches, monitoring feedback, and increasing volume only as you stay clear of complaints.
  • Managing a dedicated IP is more work. You’re fully responsible for maintaining its reputation, which can be complex.

That’s why most major ESPs recommend a dedicated IP only if your monthly email volume is over 100,000.

Not sure about your shared IP’s reputation? Check it using tools like Google Postmaster Tools.

Maintaining List Hygiene to Meet Spam Thresholds

Google wants to cut down on spam. Their guidelines set hard limits you need to follow. So, what counts as spam? Any email that’s manually flagged by a user as spam.

You should aim for no more than 1 complaint per 1,000 emails delivered. Never let it go above 3 per 1,000. Remember, the metric is:

Number of spam complaints / Emails delivered

For example, if you send 1,000 emails but only 950 are delivered (the rest bounced or failed), the complaint rate is based only on the 950 delivered.

A good practice is segmentation. Monitor open rates and see who is engaging. If someone hasn’t opened any of your emails in 30-60 days, move them to a separate list.

Send special re-engagement emails to that group. If they still don’t engage, remove them from your mailing list.

Also, keep a suppression list for undelivered emails, which could be due to invalid addresses or temporary server issues.

Key Metrics for Email Deliverability and Health

Even if you’ve correctly set up your SPF, DKIM, and DMARC records, your job isn’t done. Regularly monitoring your email health is crucial. But which metrics matter most, and how often should you check them?

  • Spam complaints: High complaint rates tank your domain and IP reputation. Keep these below 0.1%.
  • Delivery errors (hard/soft bounces): High bounce rates signal bad email lists or technical misconfigurations.
  • Authentication fails (SPF/DKIM/DMARC): Regularly check to catch misconfigurations early.
  • Bounce rate: Keep overall bounce rate below 2%. Hard bounces are especially problematic.
  • Unsubscribes: Make sure one-click unsubscribe works (required by every major email provider). Sudden spikes could mean mistargeting.
  • Postmaster Tools (Google): Use for monitoring reputation, spam rate, and feedback loop data.
  • SNDS (Microsoft): Track domain reputation with Outlook and Hotmail.
  • Yahoo Sender Hub: Check deliverability and feedback for Yahoo and AOL addresses.
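For the authentication-failure metric, the DMARC aggregate reports sent to your rua address are the raw data. This added example (not from the original article) summarizes one report and lists the source IPs whose mail failed both aligned DKIM and aligned SPF. The XML fragment is constructed; its element names follow the aggregate report schema in RFC 7489.

```python
import xml.etree.ElementTree as ET

# Constructed report fragment; element names follow the RFC 7489 aggregate schema.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.1</source_ip><count>940</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.25</source_ip><count>50</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.9</source_ip><count>10</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


def summarize_report(report_xml):
    """Count messages per source IP that failed both aligned DKIM and aligned SPF."""
    # Reports arrive by email from third parties: parse real ones with a hardened
    # XML parser (for example defusedxml) rather than the standard library.
    root = ET.fromstring(report_xml)
    total, failing = 0, {}
    for row in root.iter("row"):
        count = int(row.findtext("count", "0"))
        total += count
        verdict = row.find("policy_evaluated")
        if verdict.findtext("dkim") != "pass" and verdict.findtext("spf") != "pass":
            ip = row.findtext("source_ip")
            failing[ip] = failing.get(ip, 0) + count
    return {
        "domain": root.findtext("policy_published/domain"),
        "total": total,
        "failing": failing,
        "fail_rate": sum(failing.values()) / total if total else 0.0,
    }
```

A source that fails only SPF, like the second record, still passes DMARC through DKIM; the sources to investigate are the ones that fail both, which are either a misconfigured sender of yours or someone spoofing the domain.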

Validating Deliverability with Seed-List Testing

Even if you’re tracking metrics in Google Postmaster or Outlook’s SNDS, those tools can only tell you so much. They show reputation trends, but not where your emails actually land. That’s where seed-list testing comes in.

A seed list is a curated set of inboxes across different providers (Gmail, Outlook, Yahoo, and more). Before or right after launching a campaign, send your email to this list. Then check if it landed in the inbox, promotions, or spam. This helps catch any deliverability issues you’re having.

There are handy tools for this:

  • Litmus: Tests both design rendering and inbox placement.
  • GlockApps: Popular for spam placement tests and blacklist monitoring.
  • Validity / ReturnPath: More advanced, with deeper deliverability analytics.

For most SaaS teams, even running a basic GlockApps test from time to time can prevent weeks of low engagement.

Handling Email Deliverability Crises

Even with your best efforts, inbox placement can suddenly drop. Having a clear playbook ensures you and your team don’t panic and can resolve the issue quickly. The goal is to do damage control fast and minimize harm to your domain reputation and lost revenue.

Key Warning Signs:

  • Spam complaint rate over 0.1% (Google’s benchmark)
  • A sudden 20–30% drop in inbox placement (via seed tests)
  • Appearance on a major blacklist (like Spamhaus or Barracuda)
  • DMARC failure alerts or signs of unexpected spoofing

Steps to Take During an Incident:

  • Pause all promotional sends immediately to stop further damage
  • Isolate the campaign that triggered the problem
  • Run seed tests (Litmus, GlockApps) to confirm deliverability issues
  • Check authentication (SPF, DKIM, DMARC) for errors or misalignment
  • Audit your list and remove risky sign-ups or stale addresses
  • Re-confirm consent from questionable segments as needed
  • Repair sender reputation with a ramp-up: start with smaller sends (5–10k/day) before returning to full volume
  • Log the incident and update your playbook to prevent future issues

If you've read up to this point and ensured your emails comply with the sender guidelines, there's nothing more to do. Your business's ultimate goal is to keep your customers happy, thus reducing spam complaints. This improves your email deliverability, which would reduce unintentional revenue loss.

There was a lot to cover in this guide, and just in case you need a refresher, here's a quick checklist you should make sure to tick:

  • Authenticate emails with SPF, DKIM, and DMARC protocols.
  • Keep your spam rates low (0.1% is ideal, and never over 0.3%).
  • Make your emails easier to unsubscribe from.
  • Regularly monitor your email's health using tools such as Google Postmaster, Microsoft SNDS, and Yahoo Sender Hub.
  • When starting a new campaign, seed test your placements using tools like GlockApps and Litmus.

Major ESPs have already caught up to comply with the sender guidelines. If you're using any of the popular services (such as Mailchimp, Brevo, HubSpot, or SendGrid), there are dedicated guides to ensure your email reaches your customers.

If you stay consistent with these practices, you’ll see better inbox placement over time. Good email habits protect your reputation and help your business grow. Thanks for sticking with this guide, and here’s to more successful email campaigns ahead.