Email deliverability: a practical guide to reaching the inbox

Email deliverability is whether your message reaches the recipient's inbox — not whether it leaves your server, and not merely whether the receiving server accepted it. Those are different things, and the gap between them is where most senders get burned.

Your sending platform will happily report a high "delivery rate." Usually that just means the receiving mail server returned a success code instead of a bounce. It says nothing about where the message went. A message can be accepted and then silently filed into spam, or dropped into a promotions tab nobody opens. That is still a deliverability failure.

The honest framing: a mailbox provider like Gmail or Outlook is constantly deciding whether to trust you. Deliverability is the running result of that judgment. You don't set it in a config file — you earn it over time, and you can lose it fast. The good news is that the inputs are mostly things you control. This guide is about those levers.

Before authentication, before content, before warmup — fix your list. Sending to bad addresses is one of the most common ways to wreck deliverability, and it is among the easiest to prevent.

When you send to addresses that don't exist, you generate hard bounces. A high bounce rate is a clear signal to a mailbox provider that you don't know who's on your list — which is exactly what a spammer's list looks like. Worse, some long-dead addresses get recycled into spam traps: a hit on one of those is a direct reputation penalty, because legitimate permission-based senders generally shouldn't have them.

The fix is to verify addresses before you send. Verification checks syntax, confirms the domain has working mail servers (MX records), flags disposable and role-based addresses, and — when the receiving server allows it — runs a live SMTP probe to check whether the mailbox accepts mail. Catch validation at two points:

• At capture — validate the address in real time on your signup or checkout form, so bad data never enters the list.
• Before a send — re-validate the whole list before any large campaign, especially a list that's been dormant. Addresses decay constantly as people change jobs and abandon mailboxes.

You can do both with the MailBounce API, in real time or in bulk. List hygiene is unglamorous, but it's the foundation everything else sits on.

Authentication proves that mail claiming to come from your domain actually came from you. It won't get you into the inbox on its own, but failing it will keep you out — major providers now require it, particularly for bulk senders.

There are three records, and they do different jobs:

• SPF (RFC 7208) — a DNS record listing which servers are authorized to send mail for your domain. The receiver checks whether the connecting server is on the list.
• DKIM — a cryptographic signature added to each message. The receiver fetches your public key from DNS and verifies the signed parts of the message weren't forged or altered in transit.
• DMARC — ties the two together. It tells receivers what to do when a message fails alignment (none, quarantine, or reject) and sends you reports on what's being sent in your name.

The subtle part is alignment: DMARC requires that the domain in the visible From: header match the domain validated by SPF and/or DKIM. You can pass a raw SPF check and still fail DMARC if the domains don't line up. Start DMARC at p=none to collect reports without affecting delivery, fix what the reports reveal, then move toward quarantine and eventually reject.

One note on standards: DMARC was originally published as RFC 7489 and was revised in 2026 into a Standards Track set (RFCs 9989, 9990, and 9991). The mechanics above — alignment, policy, reporting — are unchanged; the newer documents formalize and clarify them.

Reputation is the mailbox provider's running judgment of whether your mail is wanted. It attaches to both your domain and your sending IP, and it's built from your history: bounce rates, spam complaints, how recipients engage, and how consistent your sending looks.

You can't read this score directly — there's no API that returns a trust percentage. But you can see proxies for it. Google Postmaster Tools, for example, exposes domain and IP reputation buckets, spam rate, and authentication results for mail you send to Gmail. If you send any real volume, set it up; it's one of the few honest windows into how a major provider sees you.

Google's own sender guidelines make one threshold concrete: they ask senders to keep the spam complaint rate reported in Postmaster Tools below 0.3%, and ideally well under it. That's a rare published number worth knowing — most provider thresholds are not disclosed.

A practical reputation rule: be boringly consistent. Reputation is built on patterns. Sending a few hundred emails one day and a few hundred thousand the next looks like a compromised account or someone who just bought a list. Steady, predictable volume from a consistent set of IPs and domains is what trust looks like to a filter.

Here's the part that surprises people: some of the strongest signals a mailbox provider has are the recipients themselves. Modern filtering leans heavily on how people react to your mail.

Positive signals — replies, moving a message out of spam, adding you to contacts, and (where it can be measured) opens and clicks — suggest your mail is wanted. Negative signals do the opposite, and the worst is the spam complaint: when a recipient hits "report spam." Complaint rate is closely watched, and providers want it kept very low. A small number of complaints can outweigh a large number of accepted sends.

What this means in practice:

• Only send to people who asked. Permission is the single biggest predictor of low complaints. Avoid purchased lists entirely — they combine bad addresses, no permission, and spam traps in one package.
• Make unsubscribing trivial. A visible, working unsubscribe — and one-click unsubscribe for bulk marketing, which Gmail and Yahoo now require — is your pressure-release valve. If leaving is hard, frustrated recipients hit "report spam" instead, which costs you far more.
• Prune the unengaged. A subscriber who hasn't interacted in many months is dead weight dragging your engagement metrics down. Run a re-engagement attempt, then let the silent ones go.

Counterintuitively, sending to fewer, more engaged people often improves inbox placement for the whole list.

A few remaining levers round out the picture.

Warmup. A brand-new domain or IP has no reputation, and "no reputation" is treated with suspicion. Warming up means starting with low volume to your most engaged recipients and ramping gradually over weeks, letting providers build a positive history before you send at full scale. Blasting a cold IP on day one is a reliable way to land in spam.

Infrastructure. Use a dedicated sending domain or subdomain (e.g. mail.yourcompany.com) so marketing sends don't put your primary corporate domain's reputation at risk. Make sure reverse DNS (PTR) is configured for your sending IPs and that your From domain resolves with a real website behind it. These are basic trust signals receivers check.

Content. Content matters less than the myths suggest — you won't get filtered for using the word "free" once. But the basics still apply: keep a sensible text-to-image ratio, point links at reputable domains rather than sketchy redirect chains, include a plain-text alternative alongside HTML, and don't disguise what the message is. Filters are good at spotting mail that's trying to hide its intent.

None of these is a silver bullet. Deliverability is the sum of all of them, sustained over time.

If you do nothing else, do these, roughly in order of impact:

• Validate your list at capture and before every major send. Bad addresses are the fastest path to a wrecked reputation.
• Set up SPF, DKIM, and DMARC with proper alignment. Start DMARC at p=none, read the reports, then tighten the policy.
• Send only to people who opted in. No purchased lists, ever.
• Keep complaint and bounce rates low with an obvious unsubscribe and ruthless list pruning.
• Be consistent in volume and cadence; warm up new domains and IPs gradually.
• Monitor via Google Postmaster Tools and your DMARC reports so you catch problems before they compound.

Notice that almost everything here is upstream of the actual send. Deliverability isn't a setting you flip after mail starts bouncing — it's the cumulative result of decisions you make before and between sends. The cheapest of those decisions is keeping a clean list. You can start verifying addresses for free and clean your list before the next send goes out.