Email Deliverability Guide: Why Emails Land in Spam and How to Fix It
Understand SPF, DKIM, DMARC, and sender reputation — the technical and content factors that determine whether your emails reach the inbox.
You craft a perfect email campaign, hit send to 10,000 subscribers — and 40% land in spam. Or worse, you send a transactional email (password reset, order confirmation) and a customer never receives it. Email deliverability is one of the most technically complex and business-critical problems in modern software. Here's how it actually works.
How email servers decide what's spam
When your email arrives at Gmail, Outlook, or any other mail server, it goes through multiple layers of evaluation:
- Authentication checks — Does this email really come from who it claims?
- Reputation checks — Does the sending IP/domain have a history of spam?
- Content analysis — Does the email contain spam signals?
- Engagement signals — Do recipients actually open and interact with emails from this sender?
Failing at step 1 often means automatic rejection. Poor performance at steps 2–4 means the spam folder.
The three authentication standards
SPF (Sender Policy Framework)
SPF lets you publish a list of authorized mail servers in your DNS. When a receiving server gets your email, it checks: "Is this server allowed to send email for this domain?"
# DNS TXT record for yourdomain.com
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.50 -all
Breaking this down:
- v=spf1 — SPF version 1
- include:_spf.google.com — Google Workspace is authorized
- include:sendgrid.net — SendGrid is authorized
- ip4:203.0.113.50 — This specific IP is authorized
- -all — Reject all others (hard fail)
Use -all (hard fail) rather than ~all (soft fail) or ?all (neutral). Soft fail tells receivers to accept the mail but mark it as suspicious — not what you want.
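A quick way to check a record against the points above before publishing it, as an added example (not code from this guide): an offline linter that reports what unlisted senders get and counts the terms that trigger DNS lookups, which RFC 7208 limits to 10. The function name `lint_spf` is an assumption of this example, and lookups hidden inside `include:` targets are not resolved or counted.

```python
# Added example: lint one SPF TXT value offline (no DNS queries are made).
# Terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lint_spf(record):
    """Return (result_for_unlisted_senders, lookup_count, warnings)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, 0, ["not an SPF record: must start with v=spf1"]
    all_result, lookups, has_redirect, warnings = None, 0, False, []
    for raw in terms[1:]:
        qualifier, term = "+", raw          # a missing qualifier means "+"
        if raw[0] in QUALIFIERS:
            qualifier, term = raw[0], raw[1:]
        name = term.lower()
        for sep in ":/=":                   # strip ":domain", "/cidr", "=value"
            name = name.split(sep, 1)[0]
        if all_result is not None:
            warnings.append(f"'{raw}' comes after 'all' and is never evaluated")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_result = QUALIFIERS[qualifier]
    if all_result is None and not has_redirect:
        warnings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_result == "pass":
        warnings.append("+all authorizes every server on the internet")
    elif all_result in ("softfail", "neutral"):
        warnings.append(f"'all' gives {all_result}; this guide recommends -all")
    if lookups > 10:
        warnings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return all_result, lookups, warnings

# The record shown in this guide.
PAGE_RECORD = "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.50 -all"

if __name__ == "__main__":
    print(lint_spf(PAGE_RECORD))
    print(lint_spf("v=spf1 mx a:mail.yourdomain.com ~all"))
```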
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to outgoing emails. The receiving server retrieves your public key from DNS and verifies the signature. If the email was modified in transit, the signature fails.
Your email provider generates the key pair. You publish the public key in DNS:
# DNS TXT record
selector1._domainkey.yourdomain.com → v=DKIM1; k=rsa; p=MIGfMA0GCS...
The p= value is your public key. The private key lives on your mail server and signs every outgoing message.
DKIM protects against:
- Email spoofing (forging the From: address)
- Content tampering in transit
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails:
# DNS TXT record
_dmarc.yourdomain.com → v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com
Policy options (p=):
- none — Monitor only, take no action (start here)
- quarantine — Send to spam folder
- reject — Block the email entirely
Recommended rollout:
- Start with p=none and collect reports for 2–4 weeks
- Review reports — identify legitimate senders that might fail
- Move to p=quarantine once confident
- Move to p=reject for maximum protection
The rua= address receives aggregate XML reports showing how your domain is being used across the internet.
Sender reputation
Even with perfect authentication, a bad sender reputation kills deliverability. Reputation is tracked by:
- Sending IP address — shared IPs mean you share reputation with other senders
- Sending domain — your domain's history
- From: email address — the specific address used
What hurts reputation
| Signal | Impact |
|---|---|
| High bounce rate (> 2%) | Severe |
| High spam complaint rate (> 0.1%) | Severe |
| Sending to spam traps | Severe |
| Low open rates (< 10–15%) | Moderate |
| Sending to unverified addresses | Moderate |
| Sudden volume spikes | Moderate |
What builds reputation
- Consistent sending volume (gradual ramp-up for new domains)
- High engagement (opens, clicks, replies)
- Low unsubscribes and complaints
- Sending to verified, opted-in addresses
Email list hygiene
A clean list is the foundation of good deliverability. Before sending to any address:
- Validate the email format — syntactically correct
- Verify it exists — check with an MX lookup that the domain accepts email
- Remove obvious disposables — @mailinator.com, @guerrillamail.com, etc.
- Suppress unsubscribes and complaints — immediately and permanently
Use our Email Validator to check individual addresses for format validity and domain reachability before adding them to your list.
Regular list maintenance
- Remove hard bounces immediately — sending to invalid addresses tanks your reputation
- Suppress after soft bounces — after 3–5 consecutive soft bounces, treat as a hard bounce
- Run re-engagement campaigns — contacts who haven't opened in 6+ months should receive a re-engagement sequence; if no response, remove them
- Never buy email lists — purchased lists are full of spam traps and will destroy your reputation
Transactional vs. marketing email
Transactional email: triggered by user action — password resets, order confirmations, invoices, account notifications. Expected and wanted by the recipient.
Marketing email: newsletters, promotions, announcements. Sent to a list.
Best practice: send these from different subdomains and IP pools.
Transactional: noreply@mail.yourdomain.com
Marketing: news@newsletter.yourdomain.com
If your marketing emails generate spam complaints (inevitable at scale), they don't drag down the reputation of your transactional emails. A user complaining about your newsletter should still receive their password reset.
Content signals
Spam filters analyze email content too. Things that trigger filters:
- Excessive capitalization: "FREE OFFER ONLY TODAY!!!"
- Spam trigger words: "Act now", "Click here", "Guaranteed", "No obligation"
- Image-only emails — no readable text
- Broken HTML — malformed tags
- Mismatched URLs — link text says paypal.com but href goes elsewhere
- Missing unsubscribe link (legally required under CAN-SPAM, GDPR, and others)
Write emails like a person, not a flyer. Use our AI Email Writer to draft professional emails that communicate clearly without spam-trigger language.
Testing before you send
Before a major campaign:
- Test with mail-tester.com — gives a score and specific issues to fix
- Send to seed addresses — Gmail, Outlook, Yahoo test accounts
- Check headers — verify SPF, DKIM, DMARC all pass (look for Authentication-Results in the email header)
- Preview in multiple clients — email rendering varies significantly
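The header check on seed-account messages can be automated. This added example (not code from this guide) reads the Authentication-Results headers of a raw message and returns the SPF, DKIM and DMARC verdicts, counting only headers stamped by the receiving server you name, since any earlier hop can add a header of its own. The sample message and the host names `mx.receiver.example` and `relay.unknown.example` are constructed.

```python
import re
from email import message_from_string

# Constructed sample. "mx.receiver.example" stands for the seed mailbox's inbound server.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.receiver.example;
 dkim=fail (body hash did not verify) header.i=@yourdomain.com header.s=selector1;
 spf=pass (sender IP is 203.0.113.50) smtp.mailfrom=bounce@mail.yourdomain.com;
 dmarc=pass (p=QUARANTINE) header.from=mail.yourdomain.com
Authentication-Results: relay.unknown.example; spf=pass; dkim=pass; dmarc=pass
From: noreply@mail.yourdomain.com
Subject: Password reset

Body text.
"""

def auth_verdicts(raw_message, trusted_authserv_id):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the trusted server's headers."""
    msg = message_from_string(raw_message)
    verdicts = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for value in msg.get_all("Authentication-Results", []):
        # Unfold continuation lines, then drop "(...)" comments.
        value = re.sub(r"\([^()]*\)", "", " ".join(value.split()))
        parts = [p.strip() for p in value.split(";")]
        if not parts[0] or parts[0].split()[0].lower() != trusted_authserv_id.lower():
            continue  # stamped by some other host: do not trust it
        for part in parts[1:]:
            m = re.match(r"(\w+)\s*=\s*(\w+)", part)
            if not m:
                continue
            method, result = m.group(1).lower(), m.group(2).lower()
            # With several DKIM signatures, one passing signature is enough.
            if method in verdicts and verdicts[method] != "pass":
                verdicts[method] = result
    return verdicts

def all_pass(verdicts):
    return all(v == "pass" for v in verdicts.values())

if __name__ == "__main__":
    result = auth_verdicts(SAMPLE_MESSAGE, "mx.receiver.example")
    print(result, "OK" if all_pass(result) else "FIX BEFORE SENDING")
```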
Deliverability checklist
- SPF record published and accurate
- DKIM signing enabled for your sending domain
- DMARC policy set (start with p=none, advance to p=reject)
- Sending domain/subdomain warmed up gradually
- List verified before importing (validate format + domain)
- Unsubscribe mechanism working and one-click
- Hard bounces removed immediately
- Marketing and transactional email on separate infrastructure
- From name and address recognizable to recipients
Email deliverability is a long game. Clean lists, strong authentication, and genuine engagement build a reputation that makes your emails land in the inbox reliably — every time.