Home / Blog / Email Deliverability: The Signals That Actually Determine Inbox Placement

Email Deliverability: The Signals That Actually Determine Inbox Placement

Email Security By Alex Chen 9 min read

SPF, DKIM, and DMARC are authentication protocols. They prove you're authorized to send mail from your domain. They're necessary, but they're not sufficient. Passing authentication doesn't guarantee inbox placement.

Mailbox providers (Gmail, Outlook, Yahoo, etc.) use authentication as a baseline, then apply reputation scoring, engagement analysis, content filtering, and behavioral signals to decide whether your message lands in the inbox, spam folder, or gets rejected entirely.

Here's what actually determines deliverability.

Authentication: The Baseline

SPF, DKIM, and DMARC prove identity. They tell the receiver "this message was authorized by the domain owner." Without them, your mail is treated as unauthenticated, which is a strong negative signal.

SPF (Sender Policy Framework) lists which IP addresses are authorized to send mail for your domain. Publish an SPF record, keep it updated when your sending infrastructure changes, and make sure your sending IPs are included.

DKIM (DomainKeys Identified Mail) cryptographically signs your messages. The receiver validates the signature against a public key in your DNS. DKIM survives forwarding (unlike SPF) and proves message integrity.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM to the visible From: header. It tells receivers "if this message doesn't pass SPF or DKIM alignment, quarantine or reject it."

These are mandatory for serious senders. If you don't have them configured, fix that first. But passing authentication is just entry to the game. Inbox placement is determined by reputation.

IP Reputation

Every IP address that sends mail has a reputation score. Mailbox providers track:

  • Volume and velocity: How much mail this IP sends, and how quickly sending ramps up or down.
  • Complaint rate: How often recipients mark messages from this IP as spam.
  • Trap hit rate: How often this IP sends to spam traps (email addresses that don't opt in to anything and exist solely to catch spammers).
  • Bounce rate: How often this IP sends to invalid addresses.
  • Engagement rate: How often recipients open, reply to, or interact with messages from this IP.

A new IP starts with zero reputation. If you suddenly send 100,000 messages from a new IP, mailbox providers will throttle or block you. You need to warm up the IP: start with small volumes to engaged recipients, gradually increase over weeks, and build positive engagement history.

Shared IPs (used by ESPs and marketing platforms) pool reputation across multiple senders. If one sender on the shared pool has poor practices, everyone's deliverability suffers. Dedicated IPs give you control, but you're responsible for maintaining reputation.

Domain Reputation

Your sending domain has a separate reputation score. Domain reputation is more persistent than IP reputation. You can switch IPs, but your domain follows you.

Signals that build domain reputation:

  • Age: New domains are treated with suspicion. A domain registered yesterday that starts sending bulk mail is flagged.
  • Consistency: Domains that send regularly with stable patterns are trusted. Domains that sit idle for months and then send a campaign are flagged.
  • Complaint rate: Same as IP reputation, but tied to the domain.
  • Authentication posture: DMARC policy (p=reject is a strong positive signal), BIMI (Brand Indicators for Message Identification), and consistent DKIM signing all contribute.
  • Engagement history: Long-term engagement rates for mail from this domain.

If your IP gets blacklisted, you can switch IPs. If your domain reputation tanks, you have to rebuild it or switch domains (which is expensive and damages brand trust).

Engagement Rates

Mailbox providers measure how recipients interact with your mail:

  • Open rate: Do people open messages from you?
  • Reply rate: Do they reply?
  • Folder movement: Do they move your messages to folders, or delete without reading?
  • Spam complaints: Do they click "Report Spam"?

High engagement is the strongest positive signal. If 40% of your recipients open your messages, click links, and reply, you're getting inbox placement. If 2% open and 5% mark as spam, you're going to the spam folder.

This is why list hygiene matters. Sending to unengaged recipients (people who haven't opened mail from you in 6 months) drags down engagement rates and harms deliverability. Prune inactive recipients, send re-engagement campaigns, and remove non-responders.

Sending Patterns

Sudden changes in sending volume or frequency trigger filters:

  • Volume spikes: Sending 10,000 messages a day for months, then suddenly sending 500,000 in a day, looks like a compromised account or spam run.
  • Irregular sending: Sending once a month with long gaps signals low-quality sender.
  • Time-of-day anomalies: If you normally send during business hours and suddenly send at 3am, that's a flag.

Consistent sending patterns build trust. If you send 50,000 messages every Tuesday at 10am, that's predictable. Mailbox providers learn your pattern and expect it.

List Hygiene

Sending to invalid addresses, spam traps, and role accounts (abuse@, postmaster@, noreply@) damages reputation.

Hard bounces (permanent delivery failures, like "mailbox does not exist") should be removed immediately. If your bounce rate is above 2%, you have a list quality problem.

Spam traps are email addresses that never opted in to receive mail. Some are honeypots run by anti-spam organizations. Others are recycled addresses that were valid years ago, went dormant, and are now reactivated as traps. If you're hitting traps, it means you're either buying lists (don't) or not cleaning old addresses.

Role accounts have lower engagement and higher complaint rates. Minimize sending to them.

Scrub your list regularly. Remove hard bounces, suppress spam complaints, track engagement, and remove addresses that haven't interacted in 12+ months.

Content Characteristics

Content filtering looks for spam signals in message body, headers, and structure:

  • Spammy words: "Free money," "click here now," "limited time offer," excessive exclamation marks.
  • HTML-to-text ratio: Messages with huge images and minimal text look like spam.
  • Link density: Too many links or links to suspicious domains (shortened URLs, newly registered domains, known bad neighborhoods).
  • Attachment types: .exe, .zip, .scr attachments are high risk.
  • Subject line: ALL CAPS, misleading subject lines, or subject lines that don't match body content.

Most content filters are trained on millions of spam samples. They recognize patterns. Write like a human, not like a spammer. Avoid manipulative language, keep link-to-text ratios reasonable, and don't disguise your sender identity.

Feedback Loops

Major mailbox providers offer feedback loops (FBLs): when a recipient marks your message as spam, the provider sends you a report. This lets you remove complainers from your list immediately.

Complaint rates above 0.1% (1 complaint per 1,000 messages) are a problem. Above 0.3%, you're likely to see deliverability impact. Remove complainers fast.

Gmail doesn't offer a traditional FBL, but they provide postmaster tools (https://postmaster.google.com) that show domain reputation, spam rate, and authentication stats. Use it.

What Mailbox Providers Weight Most

Gmail prioritizes engagement. If users interact with your mail (opens, replies, non-spam), you get inbox placement. If they ignore it or mark it spam, you go to spam folder or promotions tab. Gmail also enforces DMARC and penalizes domains without it.

Microsoft (Outlook/Hotmail) weighs IP reputation heavily, uses machine learning for content filtering, and enforces DMARC. They offer SNDS (Smart Network Data Services) to monitor your IP reputation.

Yahoo is aggressive on authentication. They were the first to enforce DMARC at scale (2014). If you're sending from a Yahoo or AOL domain (or any DMARC p=reject domain), you must use that domain's infrastructure or implement proper DKIM signing with your own domain.

Apple Mail (iCloud) focuses on engagement and authentication. They quietly filter to junk without much transparency.

All providers use spam trap hits and complaint rates as strong negative signals.

Monitoring Your Deliverability

Track these metrics:

  • Inbox placement rate: Percentage of messages landing in inbox vs. spam folder. Use seed list testing or third-party tools (GlockApps, EmailOnAcid, etc.).
  • Bounce rate: Hard bounces should be near zero. Soft bounces (temporary failures) should be low.
  • Complaint rate: Under 0.1% is good. Above 0.3% is a crisis.
  • Engagement rate: Open rate, click rate, reply rate. Declining engagement predicts deliverability problems.
  • Blacklist status: Monitor whether your IPs or domains are on public blacklists. Blacklist Monitoring provides real-time alerts when you're listed.

Set up Google Postmaster Tools and Microsoft SNDS. Parse your DMARC aggregate reports to see authentication failures. Use feedback loops to catch complaints immediately.

Fixing Deliverability Problems

If your deliverability drops:

  1. Check authentication. Verify SPF, DKIM, and DMARC are passing. Use the email health check on mrdns.com to get a combined grade and per-check validation, or check individual records with the SPF, DKIM, and DMARC checkers.
  2. Check blacklists. If you're listed, identify the cause (compromised account, spam complaints, trap hits) and request delisting. The blacklist checker on mrdns.com queries 15+ major RBLs in parallel.
  3. Review sending patterns. Did you change volume, frequency, or content recently?
  4. Segment your list. Send only to engaged recipients until reputation recovers.
  5. Clean your list. Remove hard bounces, suppressions, and unengaged users.
  6. Improve content. Reduce spammy language, improve relevance, and match expectations set during signup.

Reputation recovery takes time. You can't fix it overnight. Reduce volume, improve engagement, and rebuild trust incrementally.

Best Practices for Legitimate Senders

  • Authenticate everything. SPF, DKIM, DMARC with p=reject.
  • Warm up new IPs. Start small, ramp gradually over 4-6 weeks.
  • Maintain consistent sending. Don't go silent for months, then blast a campaign.
  • Segment by engagement. Send to engaged users more often, unengaged users less often or not at all.
  • Respect unsubscribes. Honor opt-outs immediately. CAN-SPAM and GDPR require it, and complaint rates skyrocket if you ignore unsubscribes.
  • Monitor reputation. Use postmaster tools, feedback loops, blacklist monitoring, and seed list testing.
  • Prune your list. Remove inactive addresses regularly.

Deliverability is reputation management. Build good reputation by sending relevant mail to engaged recipients. Maintain it by staying consistent, authenticated, and responsive to feedback.

Authentication is the floor. Engagement is the ceiling. Focus on both, and your mail will land in the inbox.

Back to Blog