Email deliverability is the sum of many small decisions: how you authenticate, how you send, who you send to, and how closely you watch the results. There is no single switch that fixes the inbox, so the reliable path is a checklist you work through and then keep monitoring. This guide organizes the essentials into seven pillars you can audit today, starting with the one mailbox providers check first.
The seven pillars at a glance
Deliverability problems almost always trace back to one of these areas. Work top to bottom; the earlier pillars gate the later ones.
| Pillar | What it proves | Primary signal |
|---|---|---|
| Authentication | The message really came from you | SPF, DKIM, DMARC |
| Infrastructure | Your sending host is legitimate | PTR, TLS, MX, HELO |
| Warm-up | Volume grew at a believable pace | Sending history |
| List hygiene | You send to real, willing people | Bounce and spam-trap rates |
| Engagement | Recipients want your mail | Opens, replies, deletes |
| Thresholds | You stay under provider limits | Complaint and bounce rates |
| Monitoring | You see problems before they compound | Reports and dashboards |
Pillar 1: Authenticate every message
Authentication is non-negotiable. Google, Yahoo, and Microsoft now require SPF, DKIM, and a DMARC policy for anyone sending in bulk (5,000 or more messages per day to Gmail is the line Google draws), and unauthenticated mail is increasingly rejected outright rather than filed in spam.
- SPF. Publish a single `TXT` record listing every service that sends on your behalf. Stay under the hard limit of 10 DNS-querying mechanisms (`include`, `a`, `mx`, `ptr`, `exists`, and `redirect` all count); exceeding it returns a `PermError`, which DMARC treats as a fail. End the record with `-all` (hard fail) or `~all` (soft fail), never `+all`. See our walkthrough on how to set up SPF.
- DKIM. Sign every message with a 2048-bit key published under a named selector, for example `selector1._domainkey.example.com`. Rotate keys on a schedule and keep a second selector ready so you can rotate without downtime.
- DMARC. Publish a policy at `_dmarc.example.com`. Start at `p=none` to collect reports, then move to `p=quarantine` and finally `p=reject` once your legitimate streams pass. DMARC passes when SPF or DKIM aligns with the visible `From:` domain, so alignment, not just a raw pass, is what matters.
Authentication is also the fastest thing to verify, which is why it belongs first in any deliverability audit. Fix it before you touch anything else, because every later signal is discounted while your mail is unauthenticated.
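The lookup limit is easy to exceed through nested includes that are not visible in your own record. The following added example (not part of the original guide) counts the worst-case DNS-querying terms recursively and flags a permissive `all`; the zone is a constructed stand-in for DNS with hypothetical domain names, and a domain missing from it is treated as publishing an empty record.

```python
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed stand-in for DNS: domain -> SPF TXT record (all names hypothetical).
ZONE = {
    "example.com": "v=spf1 mx a include:_spf.mailer.example "
                   "include:_spf.crm.example ~all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example "
                           "include:_b.mailer.example ip4:192.0.2.0/24 -all",
    "_a.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_b.mailer.example": "v=spf1 a mx -all",
    "_spf.crm.example": "v=spf1 include:_spf.mailer.example "
                        "exists:%{i}.crm.example -all",
    "open.example": "v=spf1 ip6:2001:db8::/32 a/24 +all",
}

def split_term(term):
    """Return (name, argument) for one SPF term, qualifier and CIDR stripped."""
    body = term.lstrip("+-~?")
    if body.lower().startswith("redirect="):
        return "redirect", body.split("=", 1)[1]
    name, _, arg = body.partition(":")
    return name.split("/")[0].lower(), arg

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms, following include/redirect."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    total = 0
    for term in zone.get(domain, "v=spf1").split()[1:]:
        name, arg = split_term(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(arg, zone, path + (domain,))
    return total

def audit_spf(domain, zone):
    """Return findings for the SPF record published at `domain`."""
    findings = []
    lookups = count_lookups(domain, zone)
    if lookups > MAX_LOOKUPS:
        findings.append(f"PermError: {lookups} lookups exceed limit of {MAX_LOOKUPS}")
    terms = zone[domain].split()[1:]
    names = [split_term(t)[0] for t in terms]
    if any(n == "all" and t[0] not in "-~?" for n, t in zip(names, terms)):
        findings.append("all mechanism passes every sender")
    if "all" not in names and "redirect" not in names:
        findings.append("no terminal all mechanism")
    return findings
```

The top-level record for `example.com` shows only four lookup terms, yet the nested includes bring the worst case to 14, which is why the count has to follow every include.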
Pillar 2: Get the sending infrastructure right
Once your domain is authenticated, mailbox providers evaluate the machine doing the sending.
- Forward-confirmed reverse DNS. Every sending IP needs a `PTR` record, and the hostname it returns must resolve back to the same IP. This forward-confirmed pairing (often called FCrDNS) is a baseline requirement; a missing or generic PTR is an immediate downgrade. Our guide on what a PTR record is covers the setup.
- TLS in transit. Serve mail over opportunistic TLS at minimum. Consider MTA-STS and TLS-RPT to enforce encryption and get reporting on failures.
- Consistent HELO and MX. The `HELO`/`EHLO` name should match the PTR hostname, and your `MX` records should be clean and reachable so bounces and replies route correctly.
- Return-Path alignment. Use a custom return-path (envelope sender) on a subdomain of your organizational domain so SPF aligns under DMARC even with relaxed alignment.
Pillar 3: Warm up new domains and IPs
A brand-new domain or IP has no reputation, and dumping full volume on day one looks exactly like a compromised account. Ramp gradually: start with a few hundred of your most engaged recipients per day and roughly double volume every two to three days, watching complaint and bounce signals at each step before you increase. Send your best content first, because early engagement builds the reputation that carries later, less-engaged sends. Separate transactional and marketing streams onto different subdomains so a marketing complaint spike does not drag down password resets and receipts. Our dedicated guide on how to warm up an email domain has a full schedule.
Pillar 4: Keep the list clean
The single fastest way to wreck a good sending reputation is mailing addresses that never agreed to hear from you.
- Use confirmed (double) opt-in. A confirmation click proves the address is real, typed correctly, and owned by a willing recipient. It is the strongest protection against typos and malicious signups.
- Never buy or scrape lists. Purchased lists are riddled with spam traps, which are addresses that exist only to catch senders who did not get permission. A single pristine trap hit can blacklist you.
- Validate at the point of capture. Reject role accounts and obvious typos in your signup form rather than after the fact.
- Sunset inactive contacts. Suppress addresses that have not opened or clicked in a defined window (commonly 90 to 180 days). Stale addresses turn into spam traps and drag down engagement metrics.
Pillar 5: Earn engagement
Modern filtering is behavioral. Providers watch whether recipients open, reply, move you out of spam, or delete without reading, and they weight those signals heavily. To keep engagement high:
- Send relevant content at a cadence people expect, and let them set frequency preferences.
- Segment so you mail engaged and disengaged users differently.
- Make replies possible; a monitored, human `From:` address earns positive signals that a `no-reply` address never will.
- Prune the disengaged before they start deleting or complaining. Low engagement is a leading cause of the slide into the spam folder.
Pillar 6: Respect complaint and bounce thresholds
Mailbox providers publish hard numbers, and crossing them has direct consequences. These are the ones to keep on a dashboard.
| Metric | Target | Provider guidance |
|---|---|---|
| Spam complaint rate | Under 0.1% | Google enforces a 0.3% ceiling; sustained rates above it cost you filtering mitigation until you stay under 0.3% for seven consecutive days |
| Authentication | 100% of bulk mail | SPF, DKIM, and DMARC required by Google, Yahoo, and Microsoft |
| One-click unsubscribe | On every marketing message | List-Unsubscribe and List-Unsubscribe-Post headers per RFC 8058; honor requests within two days |
| Hard bounce rate | Under roughly 2% | High permanent-failure rates signal poor list quality |
One-click unsubscribe deserves emphasis: bulk senders must include the RFC 8058 headers so recipients can leave with a single click, and the request must be processed within 48 hours. Making it easy to leave feels counterintuitive, but an easy unsubscribe prevents the spam complaint that actually damages you, because a complaint teaches the provider to filter every message you send. The full requirement set is in our bulk email sender requirements guide.
Handle bounces correctly, too. A 5xx permanent failure means remove the address immediately; a 4xx transient failure (for example 421 or 450) can be retried, but repeated soft bounces should eventually be suppressed. Enhanced status codes like 5.1.1 (no such user) and 5.7.1 (rejected by policy) tell you exactly why, so parse them rather than guessing.
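The bounce rules above as an added example (not part of the original guide): parse the basic and enhanced status codes from each SMTP reply, suppress on a permanent failure, and retry transient failures until they repeat. The limit of three soft bounces is an assumption, and the delivery log is constructed.

```python
import re
from collections import Counter

# SMTP reply: basic code, optional enhanced status code (RFC 3463), free text.
REPLY = re.compile(r"^([245]\d\d)[ -](?:([245]\.\d{1,3}\.\d{1,3})\s+)?(.*)$")
REASONS = {"5.1.1": "no such user", "5.7.1": "rejected by policy"}
SOFT_LIMIT = 3  # assumption: suppress after this many transient failures

def classify(reply):
    """Return (kind, enhanced_code, reason) for one SMTP reply line."""
    m = REPLY.match(reply.strip())
    if not m:
        return "unknown", None, reply.strip()
    code, enhanced, text = m.groups()
    kind = {"2": "delivered", "4": "soft", "5": "hard"}[code[0]]
    return kind, enhanced, REASONS.get(enhanced, text)

def process(events, soft_limit=SOFT_LIMIT):
    """Fold (address, reply) events into a per-address action and reason."""
    soft, actions = Counter(), {}
    for addr, reply in events:
        kind, _, reason = classify(reply)
        if actions.get(addr, ("", ""))[0] == "suppress":
            continue                      # already removed from the list
        if kind == "hard":
            actions[addr] = ("suppress", reason)
        elif kind == "soft":
            soft[addr] += 1
            if soft[addr] >= soft_limit:
                actions[addr] = ("suppress", f"{soft[addr]} soft bounces")
            else:
                actions[addr] = ("retry", reason)
        elif kind == "delivered":
            soft.pop(addr, None)          # a delivery resets the soft count
            actions.pop(addr, None)
    return actions

# Constructed delivery log: (recipient, final SMTP reply).
EVENTS = [
    ("a@example.net", "550 5.1.1 User unknown"),
    ("b@example.net", "421 4.7.0 Try again later"),
    ("c@example.net", "450 4.2.2 Mailbox full"),
    ("c@example.net", "450 4.2.2 Mailbox full"),
    ("c@example.net", "450 4.2.2 Mailbox full"),
    ("d@example.net", "550-5.7.1 Message rejected"),
    ("b@example.net", "250 2.0.0 OK"),
]
```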
Pillar 7: Monitor continuously
Everything above degrades over time, so treat deliverability as an operational metric, not a one-time project. Track it from several angles:
- DMARC aggregate reports (the `rua` stream) show every source sending as your domain, including shadow IT and spoofers. Read them weekly.
- Google Postmaster Tools exposes your domain and IP reputation, spam rate, and authentication pass rates for Gmail traffic. Set it up early so you have history when you need it.
- Blacklist checks against major lists such as Spamhaus (SBL, XBL, PBL, and the combined ZEN) catch listings before they spread.
- Seed and inbox-placement tests reveal folder placement across providers that raw delivery logs cannot.
Reputation is the thread running through all seven pillars; if you want the underlying model, read what sender reputation is and how to improve it.
A quick pre-send checklist
Before any significant campaign, confirm:
- SPF, DKIM, and DMARC all pass and align on a test message.
- Sending IPs have forward-confirmed PTR and TLS is active.
- The list is permission-based and recently cleaned.
- `List-Unsubscribe` one-click headers are present.
- Complaint and bounce rates from your last send were within target.
- Monitoring (DMARC reports, Postmaster Tools, blacklist checks) is live.
Frequently asked questions
What is the most important factor in email deliverability?
Authentication is the gate: without passing, aligned SPF, DKIM, and DMARC, bulk mail is now rejected by major providers before any other factor is considered. Once you clear authentication, sender reputation driven by low complaint rates and high engagement becomes the dominant factor.
What spam complaint rate is too high?
Keep your complaint rate below 0.1%. Google enforces a ceiling of 0.3%, and staying above it costs you filtering mitigation until you drop back under 0.3% for seven consecutive days. At roughly one complaint per thousand messages you are already at risk.
How long does it take to build a good sending reputation?
Warming a new domain or IP to full volume typically takes four to eight weeks of gradual ramp-up with strong engagement. Recovering a damaged reputation can take longer, because you must first fix the underlying list or content problem and then rebuild positive signals over weeks of clean sending.
Do I still need SPF if I have DKIM and DMARC?
Yes. DMARC passes when either SPF or DKIM aligns, but many providers and forwarding paths still evaluate SPF independently, and some services require it. Publishing all three gives you the widest compatibility and the most resilient authentication.