Deliverability · Reputation

How to Improve Email Deliverability: Authentication, Reputation, and Engagement

Improving email deliverability in 2026 starts with authentication but no longer ends there. You must have SPF, DKIM, and DMARC configured and aligned, plus one-click unsubscribe — these are now the precondition for sending at all, since Gmail and Microsoft permanently reject non-compliant bulk mail rather than filtering it. But the decisive shift is that authentication only confirms who you are; engagement decides where you land. Corpus analysis in 2025 found that fully authenticated mail still hit spam more than 30% of the time, because once identity is confirmed providers weigh how recipients actually behave — opens, clicks, replies, and above all complaints. So improving deliverability means keeping your complaint rate below 0.1%, practising rigorous list hygiene by removing inactive and invalid addresses, warming new domains gradually, sending consistently to people who want your mail, and monitoring your reputation continuously through tools like Google Postmaster.

Key takeaways

  • Authentication is the entry gate, not the finish line. Authenticated mail still hit spam over 30% of the time in 2025.
  • Engagement now decides placement. Providers weigh opens, clicks, and complaints above a passing auth check.
  • Complaints bite hardest. Stay below 0.1%; Gmail treats 0.3% as critical and excludes you until you recover.
  • List hygiene is continuous. Lists decay 20–30% a year — remove bounces and sunset the inactive.
  • It’s a practice, not a setup. Warm up gradually, send consistently, and monitor reputation always.

For years the deliverability playbook was simple: set up SPF, DKIM, and DMARC, and your mail reaches the inbox. That advice is now actively misleading. The major providers have moved from politely delaying non-compliant mail to rejecting it outright, so authentication has become the precondition for sending at all — but clearing that gate is just the start. The counterintuitive heart of 2026 deliverability is that you can pass every authentication check and still land in spam, because providers now weigh engagement far more heavily than identity. This guide covers both halves: getting the technical baseline right, then earning the inbox through reputation and engagement.

What actually determines inbox placement?

Inbox providers use hundreds of signals to decide where your mail lands, but they cluster into five categories worth understanding as a whole, because improving deliverability means working all of them rather than obsessing over one. The diagram lays them out.

Five factors behind inbox placementAuththe entrygateSPF/DKIM/DMARCReputationsendinghistoryListreal, engagedaddressesContentnot spam-likeEngagementweighed mostopens, clicks,complaints
Authentication gets you through the door; reputation, list quality, content, and especially engagement decide whether you reach the inbox.

Authentication proves you’re authorised to send from your domain. Sender reputation is the behavioural profile providers build from your full sending history — complaints, bounces, engagement, and blocklist appearances. List quality reflects whether you’re mailing real, interested people or a pile of invalid and inactive addresses. Content is whether the message itself trips spam patterns. And engagement is how recipients actually respond. The critical 2026 insight is the weighting: once authentication confirms your identity, providers shift to a behavioural question — do the people you mail actually want it? — and they answer it with engagement signals that now outweigh the authentication check itself.

Delivery versus inbox placement

A distinction worth fixing early, because it quietly hides most deliverability problems, is the difference between delivery and inbox placement. Delivery simply means the receiving mail server accepted your message — it didn’t bounce. Inbox placement means the message actually reached the primary inbox rather than the spam folder, the promotions tab, or oblivion. These are not the same number, and the gap between them is where campaigns silently fail: you can have a 99 percent delivery rate and a 60 percent inbox placement rate at the same time, which means nearly half your list never sees the message even though it was technically delivered.

That gap has a direct cost. If 40 percent of your list never sees a campaign, you lose 40 percent of the potential clicks and conversions while still paying to send every message. Placement also varies by provider — compliant senders see roughly 87 percent placement at Gmail but closer to 76 percent industry-wide at Microsoft — so a single overall number hides real differences. This is why measuring placement, not just delivery, is essential, and it’s the metric the rest of this guide works to improve. One bonus lever once you’ve reached full DMARC enforcement is BIMI, which displays your verified brand logo beside your messages in supported inboxes; senders using it report meaningfully higher open rates, which feed back as positive engagement.

Getting authentication right

Authentication is the non-negotiable foundation, and getting it exactly right is now the precondition for sending rather than a nice-to-have. Three records form the baseline. SPF is a DNS record listing the servers authorised to send for your domain — you keep it under the ten-DNS-lookup limit and end it with a hard fail once complete. DKIM adds a cryptographic signature proving the message wasn’t altered in transit, using at least a 2048-bit key rotated periodically. DMARC ties the two together and tells receivers what to do on failure, and you progress it from monitoring toward enforcement as covered in our DMARC enforcement guide. To these three, the providers have added a fourth requirement for bulk senders: working one-click unsubscribe headers.

The subtlety that trips up the most senders is alignment. SPF and DKIM can each pass while DMARC still fails, because the domain they authenticated doesn’t match the From domain recipients see — a classic problem when you use a sending subdomain or an ESP’s own tracking domain. Fixing alignment across every sending platform is one of the highest-value technical steps you can take. A related best practice is using a dedicated, branded sending domain or subdomain rather than a shared one, and separating your streams — marketing, transactional, cold outreach — onto different subdomains so one stream’s reputation problems don’t drag down the others.

Why isn’t authentication enough anymore?

This is the question that reframes everything about modern deliverability, and the answer is backed by hard data. A 2025 corpus analysis found that fully authenticated mail — valid SPF, DKIM, and DMARC — still experienced spam placement rates above 30 percent. Passing every authentication check is simply no longer a guarantee of reaching the inbox, which makes the old “set up authentication and you’re done” advice genuinely counterproductive if you stop there.

The reason is structural. Once authentication confirms you are who you claim to be, the mailbox provider has answered the identity question and moves on to a behavioural one: do the people you mail actually want what you send? They answer it with engagement signals — opens, clicks, replies, time spent reading, and the powerful inverse signals of deleting without reading and marking as spam. This is why two senders with identical, perfect authentication can see completely different inbox rates: the one mailing engaged, interested recipients reaches the inbox, while the one blasting a stale list does not. Deliverability has converged on the same logic as the rest of marketing — relevance wins — and that shifts the real work from your DNS records to your list and your sending behaviour, the focus of our guide to avoiding the spam folder.

The complaint rate and its thresholds

Among all the engagement signals, the complaint rate is the one providers act on most aggressively, so it deserves specific attention and specific numbers. When recipients mark your mail as spam, that’s the strongest possible negative signal, and the thresholds are concrete. The table summarises the key reputation numbers.

Key deliverability thresholds (provider guidance, 2026).
MetricTargetDanger
Spam complaint rateBelow 0.1%0.3% critical
Bounce rateBelow 2%Above 2%
Inbox placement90%+Below 80%
Spam traps hitZeroEven one

Google’s guidance is to keep your spam complaint rate below 0.1 percent and treats 0.3 percent as critical — and the consequence is severe: at or above 0.3 percent, your domain becomes ineligible for Gmail’s delivery mitigation, and you must hold the rate below that threshold for seven consecutive days before recovery even begins, with inbox restoration after that depending on your broader history. This creates a punishing feedback loop where poor engagement causes prolonged inbox exclusion. A bounce rate above 2 percent is a separate red flag, and hitting even a single spam trap — an address that exists only to catch poor list hygiene — damages your reputation. These numbers are why the engagement-driven practices that follow aren’t optional.

What about content and spam triggers?

While engagement and reputation do most of the heavy lifting, the content of your messages still matters, because providers evaluate it alongside authentication and reputation signals. Content won’t save a message from a bad-reputation sender, but spam-like content will actively hurt an otherwise healthy one. The patterns that reliably raise filtering risk are well known: misleading or clickbait subject lines, broken or sloppy HTML formatting, an unbalanced text-to-image ratio, and suspicious link structures such as mismatched or URL-shortened destinations. None of these are exotic, and avoiding them is mostly a matter of sending clean, honest, well-formed messages.

A few specific practices help. You run large campaigns through a spam-score checker before sending, which flags content and formatting issues, broken links, and authentication problems before your recipients ever see them. You avoid sending purely from role-based addresses like info@ or noreply@ where it matters, since they tend to draw lower engagement and higher complaint rates. And you keep your sending honest — the same relevance logic that governs engagement applies to content, because a subject line that overpromises earns the open but also earns the complaint when the body disappoints. Content optimisation is the smallest of the levers here, but it’s the one most fully within your control on any given send, and it complements the deeper reputation work rather than substituting for it.

How do you keep your list healthy?

Because engagement now decides placement, list hygiene has shifted from housekeeping to a core deliverability practice, and the central fact is that lists decay. Even a healthy, opt-in list loses 20 to 30 percent of its valid addresses each year as people change jobs, abandon accounts, and switch addresses, so a list you’re not actively pruning is steadily filling with addresses that bounce, never engage, or have quietly become spam traps. Mailing into that decay is exactly how senders mail themselves into a reputation hole.

Good hygiene is a set of consistent habits. You remove hard bounces promptly, since continuing to mail invalid addresses signals carelessness to providers. You sunset inactive subscribers — people who haven’t engaged in 90 or more days are far likelier to mark you as spam, so the counterintuitive but correct move is to stop mailing them rather than trying to win them back indefinitely. You never purchase lists, which are full of spam traps and unengaged addresses. You use double opt-in or a captcha at signup to keep fake and mistyped addresses out from the start, and you run a verification pass every few months. The discipline feels like shrinking your list, but it’s really concentrating it on the engaged recipients whose positive signals lift your whole program — and making leaving easy through that one-click unsubscribe is part of the same logic, since an unsubscribe hurts far less than a spam complaint.

Warming up and sending consistently

How you ramp and pace your sending matters as much as who you send to, especially with a new domain or IP that has no reputation history. Sending a large volume from a cold domain is one of the surest ways to get flagged, because providers have no basis to trust you yet. Warmup solves this by starting with a small daily volume to your most engaged recipients — people who clicked in the last couple of weeks — and increasing gradually over four to eight weeks, roughly doubling every few days as long as bounce and complaint rates stay low. This is doubly important if you’re switching ESPs or have a large list, and our IP warmup guide covers the cadence in detail.

Beyond warmup, consistency is its own reputation signal. Providers trust senders whose patterns are steady, so you send on regular days at similar volumes and avoid sudden ten-times spikes that look suspicious; for genuinely large campaigns, you throttle the send over several hours rather than firing everything at once. Sending at unusual hours or in irregular bursts trips filters. And once you’re sending more than around 100,000 emails a month, a dedicated IP becomes worth it, since on a shared IP you inherit the reputation — good or bad — of everyone else sending from it. The terminal shows the authentication records and the monitoring checks that tie this together.

deliverability-checks
# The authentication baseline (DNS records)
v=spf1 include:_spf.yourmta.com -all          # SPF, <10 lookups, hard fail
selector._domainkey  v=DKIM1; k=rsa; p=…     # DKIM, 2048-bit
_dmarc  v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com
# One-click unsubscribe headers (required for bulk senders)
List-Unsubscribe: <https://example.com/unsub?id=…>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
# Monitor what providers actually see
$ # Google Postmaster Tools — domain/IP reputation + spam rate
$ # Microsoft SNDS — complaint + trap data
$ dig TXT _dmarc.example.com +short   # verify the record is live

Monitoring and recovering

Deliverability is an ongoing practice rather than a one-time configuration, so continuous monitoring is the thread that holds everything together — you can’t improve what you don’t measure. The essential free tool is Google Postmaster Tools, which shows your domain and IP reputation and your spam rate exactly as Gmail sees it; its 2025 revision replaced subjective reputation grades with binary compliance checks, making the signal clearer. Microsoft’s SNDS and Yahoo’s postmaster tools give similar visibility for their networks. Before large sends, you also test proactively with a spam-score checker and a seed-list placement test to catch problems before recipients do.

When deliverability does get damaged — a spike, a bad list, a complaint-rate breach — there’s a reliable recovery path. You pull back to sending only a small, warm segment of your most engaged subscribers from the last couple of months, maintain full authentication, keep volumes steady, and fix whatever caused the original damage, then scale gradually once metrics stabilise. The placement gap discussed earlier is exactly what you’re working to close as you recover — technically delivered mail that never reaches the inbox is the failure mode to watch. For senders who want full control over the sending infrastructure itself — IP reputation, authentication, throttling — running your own platform is the strongest foundation, which is what our PowerMTA server hosting provides, while the engagement discipline above is what actually earns the inbox.

Frequently asked questions

How do I improve my email deliverability?
Start with the technical baseline: configure SPF, DKIM, and DMARC correctly and aligned, plus one-click unsubscribe, since these are now required to send to major providers at all. But don’t stop there — authentication only confirms your identity, while engagement decides placement. Keep your spam complaint rate below 0.1%, practise rigorous list hygiene by removing hard bounces and sunsetting subscribers inactive for 90+ days, warm up new domains gradually over 4 to 8 weeks, send consistently to engaged recipients rather than blasting your whole list, and monitor your reputation continuously through Google Postmaster Tools. Deliverability is an ongoing practice, not a one-time setup.
Does setting up SPF, DKIM, and DMARC guarantee inbox placement?
No, and believing it does is one of the most common mistakes in 2026. Authentication is the entry gate — without it, major providers now reject your mail outright — but it’s no longer sufficient on its own. A 2025 corpus analysis found that fully authenticated mail still landed in spam more than 30% of the time. Once authentication confirms who you are, providers shift to a behavioural question: do recipients actually want your mail? They answer it with engagement signals like opens, clicks, replies, and complaints, which now outweigh the authentication check. So authentication gets you to the inbox’s door; engagement determines whether you’re let in.
What spam complaint rate is safe?
Keep it below 0.1%, which is the target experienced senders aim for. Google treats 0.3% as critical: at or above that rate, your domain becomes ineligible for Gmail’s delivery mitigation, and you must hold the complaint rate below 0.3% for seven consecutive days before recovery even begins — with full inbox restoration after that depending on your broader sending history. This creates a punishing feedback loop where poor engagement leads to prolonged inbox exclusion. The complaint rate is the engagement signal providers act on most aggressively, so making unsubscribe easy is actually protective: an unsubscribe hurts your reputation far less than a spam complaint does.
How often should I clean my email list?
Every three to six months as a baseline, with ongoing removal of hard bounces as they occur. This matters because lists decay 20 to 30 percent per year as people change jobs, abandon accounts, and switch addresses, so an unpruned list steadily fills with addresses that bounce, never engage, or have become spam traps. Beyond removing bounces, sunset subscribers who haven’t engaged in 90 or more days, since they’re far likelier to mark you as spam — stop mailing them rather than trying to re-engage indefinitely. Use double opt-in at signup to keep fake addresses out, and never purchase lists, which are full of spam traps.
How long does domain or IP warmup take?
Typically four to eight weeks. A new domain or IP has no reputation history, so sending a large volume immediately gets you flagged as suspicious. Instead, start with a small daily volume to your most engaged recipients — those who clicked in the last 15 to 30 days — and increase gradually, roughly doubling every two to three days as long as your bounce and complaint rates stay low. Warmup is especially important if you have a large list (50,000+) or are switching ESPs, since a new ESP connects your domain to new sending IPs. Send only to engaged segments during warmup, and avoid cold or purchased lists until your reputation is stable.