Deliverability · Reputation
How to Improve Email Deliverability: Authentication, Reputation, and Engagement
Improving email deliverability in 2026 starts with authentication but no longer ends there. You must have SPF, DKIM, and DMARC configured and aligned, plus one-click unsubscribe — these are now the precondition for sending at all, since Gmail and Microsoft permanently reject non-compliant bulk mail rather than filtering it. But the decisive shift is that authentication only confirms who you are; engagement decides where you land. Corpus analysis in 2025 found that fully authenticated mail still hit spam more than 30% of the time, because once identity is confirmed providers weigh how recipients actually behave — opens, clicks, replies, and above all complaints. So improving deliverability means keeping your complaint rate below 0.1%, practising rigorous list hygiene by removing inactive and invalid addresses, warming new domains gradually, sending consistently to people who want your mail, and monitoring your reputation continuously through tools like Google Postmaster.
Key takeaways
- Authentication is the entry gate, not the finish line. Authenticated mail still hit spam over 30% of the time in 2025.
- Engagement now decides placement. Providers weigh opens, clicks, and complaints above a passing auth check.
- Complaints bite hardest. Stay below 0.1%; Gmail treats 0.3% as critical and excludes you until you recover.
- List hygiene is continuous. Lists decay 20–30% a year — remove bounces and sunset the inactive.
- It’s a practice, not a setup. Warm up gradually, send consistently, and monitor reputation always.
For years the deliverability playbook was simple: set up SPF, DKIM, and DMARC, and your mail reaches the inbox. That advice is now actively misleading. The major providers have moved from politely delaying non-compliant mail to rejecting it outright, so authentication has become the precondition for sending at all — but clearing that gate is just the start. The counterintuitive heart of 2026 deliverability is that you can pass every authentication check and still land in spam, because providers now weigh engagement far more heavily than identity. This guide covers both halves: getting the technical baseline right, then earning the inbox through reputation and engagement.
What actually determines inbox placement?
Inbox providers use hundreds of signals to decide where your mail lands, but they cluster into five categories worth understanding as a whole, because improving deliverability means working all of them rather than obsessing over one. The diagram lays them out.
Authentication proves you’re authorised to send from your domain. Sender reputation is the behavioural profile providers build from your full sending history — complaints, bounces, engagement, and blocklist appearances. List quality reflects whether you’re mailing real, interested people or a pile of invalid and inactive addresses. Content is whether the message itself trips spam patterns. And engagement is how recipients actually respond. The critical 2026 insight is the weighting: once authentication confirms your identity, providers shift to a behavioural question — do the people you mail actually want it? — and they answer it with engagement signals that now outweigh the authentication check itself.
Delivery versus inbox placement
A distinction worth fixing early, because it quietly hides most deliverability problems, is the difference between delivery and inbox placement. Delivery simply means the receiving mail server accepted your message — it didn’t bounce. Inbox placement means the message actually reached the primary inbox rather than the spam folder, the promotions tab, or oblivion. These are not the same number, and the gap between them is where campaigns silently fail: you can have a 99 percent delivery rate and a 60 percent inbox placement rate at the same time, which means nearly half your list never sees the message even though it was technically delivered.
That gap has a direct cost. If 40 percent of your list never sees a campaign, you lose 40 percent of the potential clicks and conversions while still paying to send every message. Placement also varies by provider — compliant senders see roughly 87 percent placement at Gmail but closer to 76 percent industry-wide at Microsoft — so a single overall number hides real differences. This is why measuring placement, not just delivery, is essential, and it’s the metric the rest of this guide works to improve. One bonus lever once you’ve reached full DMARC enforcement is BIMI, which displays your verified brand logo beside your messages in supported inboxes; senders using it report meaningfully higher open rates, which feed back as positive engagement.
Getting authentication right
Authentication is the non-negotiable foundation, and getting it exactly right is now the precondition for sending rather than a nice-to-have. Three records form the baseline. SPF is a DNS record listing the servers authorised to send for your domain — you keep it under the ten-DNS-lookup limit and end it with a hard fail once complete. DKIM adds a cryptographic signature proving the message wasn’t altered in transit, using at least a 2048-bit key rotated periodically. DMARC ties the two together and tells receivers what to do on failure, and you progress it from monitoring toward enforcement as covered in our DMARC enforcement guide. To these three, the providers have added a fourth requirement for bulk senders: working one-click unsubscribe headers.
The subtlety that trips up the most senders is alignment. SPF and DKIM can each pass while DMARC still fails, because the domain they authenticated doesn’t match the From domain recipients see — a classic problem when you use a sending subdomain or an ESP’s own tracking domain. Fixing alignment across every sending platform is one of the highest-value technical steps you can take. A related best practice is using a dedicated, branded sending domain or subdomain rather than a shared one, and separating your streams — marketing, transactional, cold outreach — onto different subdomains so one stream’s reputation problems don’t drag down the others.
Why isn’t authentication enough anymore?
This is the question that reframes everything about modern deliverability, and the answer is backed by hard data. A 2025 corpus analysis found that fully authenticated mail — valid SPF, DKIM, and DMARC — still experienced spam placement rates above 30 percent. Passing every authentication check is simply no longer a guarantee of reaching the inbox, which makes the old “set up authentication and you’re done” advice genuinely counterproductive if you stop there.
The reason is structural. Once authentication confirms you are who you claim to be, the mailbox provider has answered the identity question and moves on to a behavioural one: do the people you mail actually want what you send? They answer it with engagement signals — opens, clicks, replies, time spent reading, and the powerful inverse signals of deleting without reading and marking as spam. This is why two senders with identical, perfect authentication can see completely different inbox rates: the one mailing engaged, interested recipients reaches the inbox, while the one blasting a stale list does not. Deliverability has converged on the same logic as the rest of marketing — relevance wins — and that shifts the real work from your DNS records to your list and your sending behaviour, the focus of our guide to avoiding the spam folder.
The complaint rate and its thresholds
Among all the engagement signals, the complaint rate is the one providers act on most aggressively, so it deserves specific attention and specific numbers. When recipients mark your mail as spam, that’s the strongest possible negative signal, and the thresholds are concrete. The table summarises the key reputation numbers.
| Metric | Target | Danger |
|---|---|---|
| Spam complaint rate | Below 0.1% | 0.3% critical |
| Bounce rate | Below 2% | Above 2% |
| Inbox placement | 90%+ | Below 80% |
| Spam traps hit | Zero | Even one |
Google’s guidance is to keep your spam complaint rate below 0.1 percent and treats 0.3 percent as critical — and the consequence is severe: at or above 0.3 percent, your domain becomes ineligible for Gmail’s delivery mitigation, and you must hold the rate below that threshold for seven consecutive days before recovery even begins, with inbox restoration after that depending on your broader history. This creates a punishing feedback loop where poor engagement causes prolonged inbox exclusion. A bounce rate above 2 percent is a separate red flag, and hitting even a single spam trap — an address that exists only to catch poor list hygiene — damages your reputation. These numbers are why the engagement-driven practices that follow aren’t optional.
What about content and spam triggers?
While engagement and reputation do most of the heavy lifting, the content of your messages still matters, because providers evaluate it alongside authentication and reputation signals. Content won’t save a message from a bad-reputation sender, but spam-like content will actively hurt an otherwise healthy one. The patterns that reliably raise filtering risk are well known: misleading or clickbait subject lines, broken or sloppy HTML formatting, an unbalanced text-to-image ratio, and suspicious link structures such as mismatched or URL-shortened destinations. None of these are exotic, and avoiding them is mostly a matter of sending clean, honest, well-formed messages.
A few specific practices help. You run large campaigns through a spam-score checker before sending, which flags content and formatting issues, broken links, and authentication problems before your recipients ever see them. You avoid sending purely from role-based addresses like info@ or noreply@ where it matters, since they tend to draw lower engagement and higher complaint rates. And you keep your sending honest — the same relevance logic that governs engagement applies to content, because a subject line that overpromises earns the open but also earns the complaint when the body disappoints. Content optimisation is the smallest of the levers here, but it’s the one most fully within your control on any given send, and it complements the deeper reputation work rather than substituting for it.
How do you keep your list healthy?
Because engagement now decides placement, list hygiene has shifted from housekeeping to a core deliverability practice, and the central fact is that lists decay. Even a healthy, opt-in list loses 20 to 30 percent of its valid addresses each year as people change jobs, abandon accounts, and switch addresses, so a list you’re not actively pruning is steadily filling with addresses that bounce, never engage, or have quietly become spam traps. Mailing into that decay is exactly how senders mail themselves into a reputation hole.
Good hygiene is a set of consistent habits. You remove hard bounces promptly, since continuing to mail invalid addresses signals carelessness to providers. You sunset inactive subscribers — people who haven’t engaged in 90 or more days are far likelier to mark you as spam, so the counterintuitive but correct move is to stop mailing them rather than trying to win them back indefinitely. You never purchase lists, which are full of spam traps and unengaged addresses. You use double opt-in or a captcha at signup to keep fake and mistyped addresses out from the start, and you run a verification pass every few months. The discipline feels like shrinking your list, but it’s really concentrating it on the engaged recipients whose positive signals lift your whole program — and making leaving easy through that one-click unsubscribe is part of the same logic, since an unsubscribe hurts far less than a spam complaint.
Warming up and sending consistently
How you ramp and pace your sending matters as much as who you send to, especially with a new domain or IP that has no reputation history. Sending a large volume from a cold domain is one of the surest ways to get flagged, because providers have no basis to trust you yet. Warmup solves this by starting with a small daily volume to your most engaged recipients — people who clicked in the last couple of weeks — and increasing gradually over four to eight weeks, roughly doubling every few days as long as bounce and complaint rates stay low. This is doubly important if you’re switching ESPs or have a large list, and our IP warmup guide covers the cadence in detail.
Beyond warmup, consistency is its own reputation signal. Providers trust senders whose patterns are steady, so you send on regular days at similar volumes and avoid sudden ten-times spikes that look suspicious; for genuinely large campaigns, you throttle the send over several hours rather than firing everything at once. Sending at unusual hours or in irregular bursts trips filters. And once you’re sending more than around 100,000 emails a month, a dedicated IP becomes worth it, since on a shared IP you inherit the reputation — good or bad — of everyone else sending from it. The terminal shows the authentication records and the monitoring checks that tie this together.
# The authentication baseline (DNS records) v=spf1 include:_spf.yourmta.com -all # SPF, <10 lookups, hard fail selector._domainkey v=DKIM1; k=rsa; p=… # DKIM, 2048-bit _dmarc v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com # One-click unsubscribe headers (required for bulk senders) List-Unsubscribe: <https://example.com/unsub?id=…> List-Unsubscribe-Post: List-Unsubscribe=One-Click # Monitor what providers actually see $ # Google Postmaster Tools — domain/IP reputation + spam rate $ # Microsoft SNDS — complaint + trap data $ dig TXT _dmarc.example.com +short # verify the record is live
Monitoring and recovering
Deliverability is an ongoing practice rather than a one-time configuration, so continuous monitoring is the thread that holds everything together — you can’t improve what you don’t measure. The essential free tool is Google Postmaster Tools, which shows your domain and IP reputation and your spam rate exactly as Gmail sees it; its 2025 revision replaced subjective reputation grades with binary compliance checks, making the signal clearer. Microsoft’s SNDS and Yahoo’s postmaster tools give similar visibility for their networks. Before large sends, you also test proactively with a spam-score checker and a seed-list placement test to catch problems before recipients do.
When deliverability does get damaged — a spike, a bad list, a complaint-rate breach — there’s a reliable recovery path. You pull back to sending only a small, warm segment of your most engaged subscribers from the last couple of months, maintain full authentication, keep volumes steady, and fix whatever caused the original damage, then scale gradually once metrics stabilise. The placement gap discussed earlier is exactly what you’re working to close as you recover — technically delivered mail that never reaches the inbox is the failure mode to watch. For senders who want full control over the sending infrastructure itself — IP reputation, authentication, throttling — running your own platform is the strongest foundation, which is what our PowerMTA server hosting provides, while the engagement discipline above is what actually earns the inbox.