
Email Deliverability: Why Your Emails Land in Spam (And How to Fix It)

Mousa H.
10 min read | Dec 1, 2025

SPF, DKIM, DMARC, sending reputation, and list hygiene. Fix deliverability before it tanks your campaigns.

How Inbox Providers Actually Decide Where Your Email Lands

When your email arrives at Gmail, Outlook, or Yahoo, a filtering system makes a placement decision in a fraction of a second: inbox, spam folder, or outright rejection. That decision rests on three pillars, and understanding them is the whole game.

The first pillar is authentication — can the receiving server verify you are who you claim to be? Email was designed in an era when nobody imagined forgery at scale, so anyone can technically put any address in the From line. Authentication protocols close that gap, and mail that fails them is treated with suspicion or refused entirely.

The second pillar is reputation — the track record of the domain and IP address this mail comes from. Providers keep long memories: every complaint, every bounce, every message sent to a dead address gets attached to your sending identity and follows you into every future send.

The third pillar is engagement — what recipients actually do with your mail. If people open, click, reply, and rescue your messages from spam, providers learn your mail is wanted. If people delete without reading, ignore you for months, or hit the spam button, they learn the opposite. Modern filtering is heavily personalized: the same campaign can land in one subscriber’s inbox and another’s spam folder based on each person’s history with you.

Notice what’s missing: magic subject-line formulas and forbidden words. Content plays a role, but a smaller one than most marketers believe. The senders who stay out of spam aren’t the ones avoiding the word “free” — they’re the ones with clean authentication, a protected reputation, and an audience that demonstrably wants their mail.

Authentication in Plain English: SPF, DKIM, and DMARC

The acronyms scare people off, but the concepts are simple. All three live as DNS records on your domain, and all three answer one question: is this message really from who it says it’s from?

SPF is a published guest list — a DNS record declaring which servers may send mail on behalf of your domain. When your email platform sends a campaign for you, the receiving server checks whether that platform’s servers are on your list. Send through a platform that isn’t in your SPF record and the check fails.

DKIM is a tamper-evident seal. Your sending platform cryptographically signs each message, and the receiving server verifies the signature against a public key in your DNS. A valid signature proves the message came from a system authorized to sign for your domain and that the signed headers and body were not altered in transit.

DMARC is the policy that ties them together. It tells receiving servers what to do with a message that fails authentication, meaning neither SPF nor DKIM passes for the domain in the From line: just report it (p=none), send it to spam (p=quarantine), or reject it outright (p=reject). Crucially, DMARC also enforces alignment: the domain people see in the From line must match the domain that passed authentication, so a spammer can’t pass SPF on their own domain while displaying yours. Its reports also show you who is sending mail claiming to be you — often the first place businesses discover forgotten internal systems and active spoofing.
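The alignment rule is easiest to see worked through. The sketch below is an added example, not code from any mail provider: it evaluates a DMARC record against SPF and DKIM outcomes for three constructed messages. The function names are hypothetical, the two-label organizational-domain shortcut is an assumption (real receivers use the Public Suffix List), and the sp and pct tags are ignored.

```python
# Added example: simplified DMARC evaluation. All inputs are constructed.

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    # ASSUMPTION: the last two labels stand in for the organizational
    # domain. Real receivers consult the Public Suffix List, so this
    # shortcut is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(from_domain, spf, dkim, record):
    """spf and dkim are (passed, authenticated_domain) pairs.
    Returns 'pass' or the policy the domain owner requested."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"].lower()

# Constructed record and scenarios using reserved example domains.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

def scenarios():
    return {
        # The platform's bounce domain passes SPF but is not aligned;
        # the DKIM signature with d=example.com is, so the message passes.
        "platform_with_dkim": dmarc_result(
            "news.example.com", (True, "bounce.esp.example.net"),
            (True, "example.com"), RECORD),
        # SPF passes only for an unrelated domain and nothing is signed
        # for the From domain, so the owner's policy applies.
        "unaligned_spf_only": dmarc_result(
            "example.com", (True, "other.example.org"), (False, ""), RECORD),
        # Same platform mail under strict DKIM alignment: d=example.com
        # no longer matches From news.example.com.
        "strict_dkim": dmarc_result(
            "news.example.com", (True, "bounce.esp.example.net"),
            (True, "example.com"), RECORD + "; adkim=s"),
    }
```

The third scenario is the one that catches legitimate senders: tightening alignment to strict without changing the signing domain turns passing mail into rejected mail.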

Since early 2024, this stopped being optional. Gmail and Yahoo now require bulk senders — broadly, around five thousand or more messages a day — to authenticate with SPF and DKIM, publish at least a basic DMARC policy, support one-click unsubscribe in the message headers, honor unsubscribes promptly, and keep spam complaint rates under strict thresholds. In practice the requirements have rippled down to senders of every size, because the same infrastructure judges everyone. If you haven’t verified your records since these rules landed, check now — many “sudden” deliverability collapses trace back to them.

Sender Reputation: Your Domain Has a Credit Score

Reputation attaches to two identities: the IP address your mail is sent from, and your domain itself. Over the past decade the weight has shifted decisively toward the domain — authentication now ties mail firmly to a domain, and domains are harder to swap than IPs. The sobering implication: you can change email platforms, but your reputation comes with you.

Most businesses send from shared IPs — pools used by many customers of the same email platform. You inherit the collective behavior of everyone on the pool while the platform polices the worst offenders, and for most senders this is the right setup: the pool has established volume and history a small sender could never build alone. Dedicated IPs make sense only at consistent, substantial volume — a dedicated IP that sends sporadically never builds enough history to be trusted.

New identities start with no reputation, and providers treat unknown senders cautiously. This is the new-domain problem: a fresh domain that suddenly blasts ten thousand emails looks exactly like a spam operation, because spammers burn domains and register new ones constantly. The answer is warming — small volumes to your most engaged recipients first, ramping up gradually over weeks while positive signals accumulate. The same logic applies when you switch platforms or activate a dedicated IP: ramp, don’t blast.

One practical safeguard: put marketing mail on a subdomain so a campaign mistake doesn’t drag down the root domain that carries day-to-day correspondence. Damage to a subdomain is contained; damage to your primary domain affects every email your company sends, including invoices and support replies.

Engagement Signals: Why Opens Lie and What to Track Instead

Inbox providers watch what recipients do, and those behaviors feed back into placement. Positive signals: opening, clicking, replying, forwarding, rescuing a message from spam, adding you to contacts. Negative signals: deleting without reading, prolonged ignoring, and — most damaging by far — the spam complaint. Replies deserve special mention as among the strongest positive signals available, which is one reason a real, monitored sending address beats a no-reply address every time.

Here’s the complication: your open-rate data is no longer trustworthy. Apple’s Mail Privacy Protection, introduced in 2021, preloads email images on Apple’s servers whether or not the recipient ever looks at the message — registering an open in your analytics. Corporate security scanners do similar things, so open rates are inflated by phantom opens. Opens can still flag directional problems — a sudden collapse usually means something real — but as a measure of genuine engagement, clicks and replies are the currencies that still hold value.

This is also why sunset policies matter. Subscribers who haven’t engaged in many months aren’t neutral — mailing them teaches providers that your mail gets ignored, and dormant addresses are where spam traps and dead mailboxes accumulate. A sunset policy works in stages: after a defined period of inactivity, reduce frequency, then send a re-engagement sequence asking plainly whether they want to keep hearing from you, then stop mailing those who don’t respond. Suppressing them costs nothing real — they weren’t reading anyway. Counterintuitive but true: a smaller list that engages will outperform a bigger list that doesn’t, on deliverability and usually on revenue too.

Content: What Matters Less Than You Think, and What Actually Matters

Ask most marketers about spam filters and they’ll recite a list of forbidden words: free, guarantee, act now, exclamation points. That model of filtering is roughly twenty years out of date. Modern filters weigh the full picture — authentication, reputation, engagement, and content together — and a trusted sender can say “free” all day long. Your own inbox proves it: legitimate retailers send “FREE SHIPPING!” subject lines constantly and land in the inbox, because their other signals are strong. Word-level superstition leads teams to spend hours sanding down copy while ignoring the authentication and list problems actually causing the trouble.

That said, a few content factors are real. Broken or sloppy HTML is one: malformed markup is characteristic of hastily assembled spam — a reputable template or platform editor takes care of this. Image-only emails are another: a message that’s one giant image with little real text is a classic spam evasion technique, hiding the pitch where text filters can’t read it, so legitimate senders who do it inherit the suspicion. Keep a sensible balance of real text to images, and always include alt text. Link reputation matters too: every domain you link to carries its own reputation, and low-quality link shorteners or flagged domains can hurt an otherwise clean message. Finally, mismatched link text — displaying one URL while linking to another — is a phishing pattern filters specifically look for.

The honest summary: make your email technically clean, don’t imitate spammer techniques, then put the energy into reputation and list quality, where the real leverage is.

List Hygiene: How Lists Go Bad and How to Keep Yours Clean

Most deliverability disasters are list problems wearing a technical costume. List quality determines your bounce rate, complaint rate, and engagement profile — all three pillars at once.

Start with how addresses get on the list. Double opt-in — where a new subscriber must click a confirmation link before receiving anything — is the gold standard: it guarantees the address is real, reachable, and genuinely wanted by its owner, and it keeps typos and bot signups out at the door. Single opt-in grows lists faster, and that speed is exactly the trade: faster growth, dirtier list.

Next, bounce handling. A hard bounce means the address doesn’t exist — remove it immediately and never mail it again, because repeatedly mailing dead addresses is signature spammer behavior. Soft bounces (full mailbox, temporary server issues) deserve a few retries, then suppression if they persist. Reputable platforms handle much of this automatically, but imports and integrations can quietly bypass those protections, so confirm suppression actually happens.

Then there are spam traps — addresses that exist solely to catch senders with bad practices. Pristine traps never belonged to a real person and are often planted where address-scrapers will harvest them; hitting one proves you acquired addresses you were never given. Recycled traps are long-abandoned mailboxes reactivated as monitoring addresses; hitting one proves you mail addresses that haven’t engaged in ages. You can’t detect traps — you can only avoid them through clean acquisition and sunset policies.

Which brings us to purchased lists: don’t. A bought list is, almost by definition, full of people who never consented, dead addresses, and spam traps — the three things that poison a domain fastest. And for Canadian senders, mailing purchased contacts isn’t just bad practice — it runs straight into the law, which is the next section.

CASL: What Canadian Senders Are Required to Do

If you send commercial electronic messages in or from Canada, you operate under CASL — Canada’s Anti-Spam Legislation, one of the stricter regimes in the world. This isn’t legal advice, but every Canadian sender should know its shape.

CASL rests on consent, and recognizes two kinds. Express consent means the person actively agreed to receive commercial messages from you — an unchecked box they ticked themselves, a clear signup. It doesn’t expire, and the burden of proving it sits with you, so keep records of when and how each consent was obtained. Implied consent arises from a relationship: an existing business relationship gives you roughly two years from a purchase, and about six months from an inquiry, after which it lapses unless renewed by new activity. Note the default: a pre-checked box is not express consent, and silence is not consent. This is the inverse of the American CAN-SPAM model, which permits sending until someone opts out — under CASL, you generally need permission before the first message.

Beyond consent, every commercial message must clearly identify who is sending it — your business name, mailing address, and a way to contact you — and must contain an unsubscribe mechanism that works at no cost to the recipient, remains functional for at least sixty days after the send, and is honored within ten business days. Honest practice (and the Gmail and Yahoo rules) argues for processing unsubscribes effectively immediately.

The penalties have teeth — they can reach into the millions per violation for businesses, and Canadian regulators have enforced against real companies, not just offshore spammers. The practical takeaway is reassuring, though: a sender doing everything this guide recommends — confirmed opt-in, clear identification, instant unsubscribe, no purchased lists — is already most of the way to compliance. CASL mostly punishes the behavior that wrecks deliverability anyway.

Diagnosing the Problem: Find Out Where Your Mail Is Actually Landing

Before fixing anything, establish facts. Deliverability problems are often discovered late because the metric most platforms show — delivery rate — only measures whether mail was accepted, not where it was placed. An email sitting in the spam folder counts as delivered.

Start with authentication. Send a message to a Gmail account you control, open it, and use the “show original” option: it displays plainly whether SPF, DKIM, and DMARC each passed. If any of them fails, stop — that’s your problem, and nothing else matters until it’s fixed. Free DNS-checking tools can help you pinpoint the broken record.
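The same verdicts can be read programmatically from a saved copy of the message, which helps when checking many test sends. This is an added example, not part of the original article: the raw message is constructed, the function names are hypothetical, and it assumes you know the identifier your receiving server writes at the start of its Authentication-Results header, since copies of that header from any other host should not be trusted.

```python
import re
from email import message_from_string

# Constructed raw message, in the shape a mailbox's raw source view shows.
SAMPLE = """\
Delivered-To: reader@receiver.example
Authentication-Results: mx.receiver.example;
       dkim=pass header.i=@news.example.com header.s=s1;
       spf=softfail (domain of transitioning bounce@esp.example does not designate 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@esp.example;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=news.example.com
Authentication-Results: relay.other.example; spf=pass; dkim=pass; dmarc=pass
From: News <hello@news.example.com>
Subject: Deliverability test

Hello
"""

def auth_results(raw, trusted_authserv_id):
    """Collect spf/dkim/dmarc verdicts, but only from headers written by
    the receiving server we trust (matched on its authserv-id)."""
    msg = message_from_string(raw)
    results = {"spf": [], "dkim": [], "dmarc": []}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", value)   # drop (comments)
        authserv_id, _, rest = value.partition(";")
        tokens = authserv_id.split()
        if not tokens or tokens[0].lower() != trusted_authserv_id.lower():
            continue                              # header from another host
        for method, verdict in re.findall(
                r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", rest, re.I):
            results[method.lower()].append(verdict.lower())
    return results

def problems(results):
    """List every method that is missing or has no 'pass' verdict."""
    found = []
    for method, verdicts in results.items():
        if not verdicts:
            found.append(f"{method}: no result")
        elif "pass" not in verdicts:
            found.append(f"{method}: {verdicts[0]}")
    return found

if __name__ == "__main__":
    for line in problems(auth_results(SAMPLE, "mx.receiver.example")):
        print(line)
```

In the constructed sample DMARC still passes because the DKIM signature is aligned, but the SPF softfail shows the sending platform is missing from the SPF record.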

Next, set up Google Postmaster Tools. It’s free, takes minutes to verify your domain, and shows data you can’t get anywhere else: your spam complaint rate as Gmail measures it, your domain and IP reputation on a simple scale, and authentication success over time. Given the post-2024 spam-rate thresholds, every bulk sender should treat it as mandatory instrumentation — the published guidance is to keep complaints below a fraction of one percent, ideally far below.

For placement itself, run seed tests: send your campaign to a panel of addresses across Gmail, Outlook, Yahoo, and others, and observe where it lands; commercial seed-testing services automate this across dozens of providers. Seed tests can’t reflect the personalized filtering applied to your actual subscribers, but they reliably catch systemic problems, like landing in spam at one provider across the board.

Finally, read your own data for the telltale pattern: clicks collapsing at a specific point in time while the “delivered” number stays flat is the signature of a placement problem, and the date of the collapse is your first clue about what changed — a new platform, a big import, a missed authentication update, or one bad campaign.

The Recovery Playbook for a Burned Domain

If you’ve diagnosed real spam-folder placement, here is the recovery sequence. Fair warning: reputation is rebuilt the same way it’s built — through sustained good behavior — so this takes weeks, not days.

First, stop the bleeding. Pause non-essential campaigns; full-volume sending to a list that’s generating complaints digs the hole deeper every day.

Second, fix authentication completely — SPF, DKIM, and DMARC, all passing, all aligned with your From domain. There’s no point warming a domain whose mail fails verification.

Third, cut the list down hard. Suppress everyone who hasn’t engaged in recent months, remove every address that has ever hard-bounced, and audit how your list was built — if any segment came from a purchase, a giveaway, or a scraped source, remove it entirely. This step hurts, and it’s non-negotiable: recovery means proving to providers that your mail gets wanted, and only your engaged core can prove that.

Fourth, re-warm. Resume sending at a small fraction of normal volume, exclusively to your most engaged segment — recent clickers, recent customers, recent repliers — with your genuinely best content. As placement and engagement hold steady, expand volume and audience gradually over several weeks, watching Postmaster Tools at every step. If complaints tick up or reputation dips, pull back and hold before expanding again.

Fifth, fix the root cause, or you’ll run this playbook again next year. Burned domains almost always trace back to a process: an acquisition source that imports unconsenting contacts, a missing sunset policy, a frequency the audience never agreed to, an unsubscribe link that’s hard to find. Sometimes the honest root cause is strategy — sending email people tolerate instead of email people want.

Deliverability isn’t a technical trick; it’s a reputation system that pays senders who behave like welcome guests. Authenticate properly, mail only people who said yes, retire the ones who’ve gone quiet, and watch the data that tells the truth. Do that consistently and the inbox takes care of itself.
