Our relay layer exposes an API compatible with Mailgun v3, SendGrid Web API v3, and Postmark — same endpoints, same tag structure, same parameter names. Switch your base URL and API key. Your existing application code, SDK calls, and webhook handlers continue working without modification. See full API compatibility details →
Complete email deliverability guide covering ISP filtering layers, SPF/DKIM/DMARC authentication, IP reputation, inbox placement measurement, and deliverability problem diagnosis.
Email deliverability is the measure of how reliably your outbound email reaches recipients' inboxes rather than being routed to spam, quarantined, or rejected. It's not a single setting or a checkbox — it's an outcome produced by the interaction of dozens of technical, behavioral, and reputational factors that mailbox providers like Gmail, Outlook, and Yahoo evaluate for every message, in real time, before making an inbox/spam/reject decision.
This guide covers the complete technical architecture of email deliverability — what determines it, how to measure it accurately, how to diagnose problems, and how to build infrastructure that produces consistently high inbox placement over the long term.
The filtering decision that determines inbox vs spam happens at multiple layers, each evaluated in sequence. Understanding the sequence helps prioritize where to focus when deliverability is degraded.
Before a single word of your email is transmitted, the receiving mail server evaluates the sending IP address. It runs DNS lookups against major blocklists (Spamhaus ZEN, Barracuda BRBL, others), checks for a valid PTR record with FCrDNS verification, and looks at the sending IP's sending volume relative to its reputation history. A connection from an IP on Spamhaus ZEN gets rejected at this layer — the email never even gets to content evaluation.
This is why IP reputation management and blacklist monitoring are foundational, not optional. A deliverability problem at Layer 1 produces 550 rejections that look indistinguishable from authentication failures to many monitoring systems. Separating connection-level rejections from content-level filtering requires per-ISP delivery analysis at the SMTP response code level.
Assuming the connection passes Layer 1, the receiving server checks email authentication. SPF verification confirms the sending IP is authorized to send on behalf of the envelope-from domain. DKIM signature verification confirms the message hasn't been modified in transit and was signed by a private key associated with the signing domain. DMARC evaluation checks that at least one of these mechanisms passes with proper alignment to the From header domain, and applies the domain's policy if both fail.
Authentication failures at Layer 2 don't always produce rejections — they produce worse reputation signals. A message that fails SPF will receive an "SPF=fail" result in its headers, which downstream content filters use as a negative signal. Repeated SPF failures train ISP filtering systems to treat your sending domain more suspiciously, degrading inbox placement even for messages that pass other checks. Authentication must be fully correct on 100% of messages — there is no acceptable failure rate.
With authentication verified, ISP filtering systems apply reputation scoring to the sending IP and domain. Gmail maintains separate reputation scores for each IP address and for each sending domain. Outlook's systems (protecting Outlook.com, Hotmail, and Exchange Online) maintain IP reputation scores and apply them to throttle and filtering decisions. Yahoo uses a combination of IP and domain reputation feeding into its spam classification systems.
Reputation scores are calculated from behavioral history: complaint rates (percentage of recipients who marked your email as spam), engagement rates (opens, clicks, moves to inbox from spam), bounce rates, and spam trap hit rates. High complaint rates push reputation down quickly. Consistent positive engagement rates build reputation slowly over time. The asymmetry — fast to damage, slow to recover — is by design.
Google Postmaster Tools provides the most transparent window into Gmail's reputation calculation. The four reputation levels (HIGH, MEDIUM, LOW, BAD) map approximately to inbox placement rates of 95%+, 80–94%, 40–79%, and under 40% respectively. Checking Postmaster Tools domain reputation daily is a baseline practice for any organization sending bulk email to Gmail addresses.
Assuming the message passes connection, authentication, and reputation evaluation, content filters analyze the message itself. Modern content filtering is not primarily keyword-based — it analyzes URL reputation (every URL in the message is checked against reputation databases), HTML structure (template patterns that match known spam templates), text-to-HTML ratio, image-to-text ratio, and header structure (presence of proper List-Unsubscribe headers, consistency between From/Reply-To/Return-Path domains).
URL reputation is particularly consequential. If your email contains a link to a domain on URIBL or SURBL, content filters will flag the message regardless of your sending reputation. This can happen when: you're linking to a third-party domain that has been blacklisted, your click tracking domain has been compromised or its reputation has been degraded by other users on a shared tracking platform, or you're using a URL shortener whose domain has a poor reputation.
For Gmail and increasingly other providers, per-recipient engagement history affects inbox placement beyond the aggregate reputation signals. If a specific recipient has never opened your email before, Gmail's filtering may apply more scrutiny than it would for recipients who have engaged positively with previous messages. This is why engagement-based segmentation — sending first to the most engaged recipients — produces better inbox placement even on well-warmed IPs.
Email authentication is the foundation of modern deliverability. Google and Yahoo's 2024 bulk sender requirements made authentication mandatory for all senders above 5,000 daily messages, but the technical requirements are not new — they've been industry best practice for years. What changed is enforcement.
SPF is a DNS TXT record published at your sending domain that authorizes specific IP addresses to send on behalf of that domain. An SPF record like v=spf1 ip4:198.51.100.1 include:sendgrid.net -all says: "Only the IP 198.51.100.1 and the IPs listed in SendGrid's SPF record are authorized to send email from this domain. All others should fail."
The critical operational issue with SPF is the 10 DNS lookup limit defined in RFC 7208. Each include: mechanism consumes one lookup, and include chains (where an included domain itself has includes) compound this quickly. An SPF record that exceeds 10 lookups generates a PermError, which many ISPs treat as an SPF failure. Use an SPF lookup counter tool to verify your record stays under 10 lookups.
DKIM adds a cryptographic signature to every outbound message. The MTA signs the message using a private key, and the public key is published in DNS at a selector-specific subdomain of your sending domain. Receiving servers can verify the signature against the DNS-published public key, confirming the message was signed by someone controlling the private key and hasn't been modified in transit.
Use 2048-bit DKIM keys — 1024-bit keys are no longer accepted by Google as of 2024. DKIM keys should be rotated annually (or after any suspected compromise) through a carefully sequenced process: generate new keypair, publish new public key, wait 48 hours for DNS propagation, update MTA to sign with new key, then remove old key after 7 days of confirmed successful signing.
DMARC ties SPF and DKIM together with alignment requirements and policy enforcement. It also provides reporting: aggregate reports (sent daily by major ISPs) show you every IP that's sending mail claiming your domain, and whether authentication passes or fails. This visibility is invaluable for identifying unauthorized senders using your domain for phishing, and for finding misconfigured legitimate sending sources.
The deployment sequence: start at p=none to collect reports and identify all legitimate sending sources, then authenticate each source, then progress through p=quarantine and p=reject as confidence grows. Rushing to p=reject without completing the authentication inventory blocks legitimate mail and creates immediate deliverability emergencies.
For dedicated IP infrastructure, IP reputation is something you build through demonstrated good sending behavior — and something you protect through ongoing operational discipline.
| Reputation Factor | Impact Level | Target Range |
|---|---|---|
| Spam complaint rate | Very high | <0.08% (Gmail threshold: 0.10% triggers filtering) |
| Hard bounce rate | Moderate-high | <2% per campaign send |
| Spam trap hits | Very high | Zero — any trap hit is damaging |
| Open rate | Positive signal | Varies by industry; higher is better |
| DNSBL listing | Critical negative | Zero — immediate remediation required |
| DMARC compliance rate | Positive signal | 100% of messages should pass DMARC |
The most damaging reputation events — a Spamhaus SBL listing, a Gmail domain reputation drop to BAD — require 8–14 weeks of clean sending to fully recover from, assuming root causes are addressed immediately. This recovery timeline is why prevention (ongoing monitoring, engagement-based segmentation, prompt unsubscribe processing) is worth far more than remediation.
The structural difference between dedicated and shared infrastructure is IP reputation isolation. On a shared ESP, your inbox placement rate is determined by the aggregate behavior of every sender on the same IP pool. A high-complaint campaign from another sender — one you've never interacted with and have no visibility into — can degrade your inbox placement within hours.
With dedicated IPs, your reputation belongs entirely to you. The full impact of your list hygiene, segmentation, and content quality shows up directly in your inbox placement rate. Well-managed programs on dedicated IPs consistently achieve 94–98% inbox placement at Gmail. The same programs on shared IPs typically see 75–85%, with significant volatility from neighbor activity.
Open rates are a lagging indicator of deliverability. By the time open rates drop significantly, inbox placement has been degraded for days or weeks. Earlier-stage monitoring provides more actionable data:
Seed list testing (also called inbox placement testing) sends messages to a set of pre-established test addresses across all major ISPs and checks where they land: inbox, spam, or missing. This is the only accurate way to measure actual inbox placement rate before deploying a campaign. Commercial tools (250ok/Validity, GlockApps, MailGenius) provide seed list testing at various price points.
Diagnosis: Gmail Postmaster Tools spam rate jumps above 0.10%. Check which campaigns sent in the prior 3 days. Pull DMARC aggregate reports for the same period. Check for any list imports or new segments added recently.
Fix: Immediately suppress the highest-risk segments (recent list imports, any segment with below-30-day engagement history). Pause sending to the full list until the spam rate returns below 0.08%. Re-engage with only the most active 30-day openers for the following 2 weeks.
Diagnosis: Check Microsoft SNDS for IP status. Look for 550 error messages containing "banned sending IP" or reference to sendersupport.olc.protection.outlook.com. Run IPs through Spamhaus ZEN lookup — Microsoft subscribes to Spamhaus and blocks IPs on several Spamhaus lists.
Fix: If Spamhaus-related, request Spamhaus removal first, then Microsoft will automatically unblock. If Microsoft-specific, submit removal request through sendersupport.olc.protection.outlook.com. Before submitting either, address the root cause of any ongoing complaint or reputation issue.
Diagnosis: Check authentication pass rates across all sending domains. Run SPF validator to confirm all sending IPs are still authorized. Check DKIM key validity. A DNS provider change, an inadvertent DNS record deletion, or a DKIM key expiration can silently break authentication and cause system-wide delivery degradation.
Fix: Restore any broken authentication records. If DKIM keys expired or were accidentally deleted, generate new keys with the same or new selector, re-publish in DNS, update MTA configuration, and verify authentication passes on test messages before resuming volume sending.
For organizations sending above 500,000 emails per month, the complete deliverability stack includes:
Authentication and IP reputation determine whether your mail is trusted; content determines whether trusted mail gets filtered. Modern spam filters use machine learning to evaluate content patterns statistically, not just keyword matching. The content factors that influence inbox placement in 2025:
Every link in your email is evaluated against URL reputation databases (URIBL, SURBL, Google Safe Browsing). A single link to a recently-blacklisted domain, a URL shortener with poor reputation, or a tracking domain that's been flagged can cause content-level spam filtering regardless of your IP and domain reputation. Audit every URL in your templates — especially third-party redirects and click-tracking domains. Use a sending domain-specific tracking subdomain (click.yourdomain.com) rather than a shared tracking domain from your ESP, which may carry reputation accumulated from other senders.
Spam filters analyze HTML structure patterns statistically. Templates that closely match known spam template structures — excessive table nesting, very high image-to-text ratios, broken or non-standard HTML, invisible text — are flagged regardless of content. Aim for a text-to-image ratio where at least 60% of message content is readable text. Avoid templates that render as pure images with minimal text (this pattern is used to bypass content keyword filters and triggers pattern-based spam detection).
All-caps subject lines, excessive punctuation (!!!), misleading preview text that doesn't match the message body, and certain high-frequency spam trigger phrases all increase spam scoring. More importantly, subject lines that generate low open rates signal to ISPs that your recipients are ignoring your mail — which is itself a negative reputation signal. Test subject lines for open rate impact, not just content filter score.
Required by Gmail and Yahoo for bulk senders since 2024. Messages without properly formatted List-Unsubscribe and List-Unsubscribe-Post headers are at elevated spam filter risk and fail Gmail's Compliance Status check. Verify these headers are present in all commercial and promotional messages.
Each major ISP uses different filtering logic, different reputation models, and different enforcement timelines. What protects your reputation at Gmail may not be the same as what protects it at Outlook.
Gmail (1.8B users): The most sophisticated filtering system. Gmail uses engagement-based filtering heavily — recipient behavior (opens, clicks, "report not spam," deletes without reading) directly impacts filtering decisions for future mail from your domain. Gmail Postmaster Tools v2 is now the primary visibility mechanism. IP and domain reputation dashboards were retired in October 2025 in favor of the Compliance Status dashboard (Pass/Fail). Gmail enforces DMARC alignment for bulk senders and has been progressively tightening compliance enforcement since November 2025.
Microsoft Outlook/Hotmail/Live (500M+ accounts): Since May 5, 2025, Microsoft hard-rejects non-compliant mail from bulk senders with error 550 5.7.515. Microsoft SNDS (Smart Network Data Services) is the primary monitoring tool — register all sending IPs at sendersupport.olc.protection.outlook.com. Microsoft is somewhat less engagement-driven than Gmail and more weighted toward authentication compliance and IP reputation.
Yahoo/AOL: Requires FBL (Feedback Loop) registration to receive complaint data. Yahoo's enforcement of 2024 bulk sender requirements has been somewhat less aggressive than Gmail's, but their FBL data is valuable for complaint rate monitoring. Yahoo is particularly sensitive to spam trap hits — list hygiene directly impacts Yahoo deliverability.
Apple Mail (40%+ of opens): Apple Mail Privacy Protection (MPP) pre-loads tracking pixels regardless of actual opens, inflating open rate metrics for Apple Mail recipients by 10–15%. Filtering is less transparent than Gmail or Outlook — there's no postmaster tools equivalent. Apple's filtering is influenced by engagement from iCloud Mail users and their own spam classification systems.
Email deliverability in 2026 operates under a fundamentally different set of rules than it did two years ago. The changes that now represent the permanent baseline:
The senders who perform above the 83.1% average inbox placement are those who treated these requirements as genuine technical standards rather than bureaucratic overhead. Authentication is not a box to check — it's the foundation that every subsequent deliverability optimization depends on. No amount of content optimization or list hygiene compensates for DMARC alignment failures.
Our deliverability audit covers every layer of this stack — authentication, IP reputation, blacklist status, infrastructure configuration, bounce handling, and engagement segmentation — with a prioritized remediation roadmap specific to your sending program.
Request a Deliverability Audit →