The Email Deliverability Guide: SPF, DKIM, DMARC & Reputation

Everything that decides whether your email reaches the inbox: authentication with SPF, DKIM, and DMARC, sender reputation, list quality, and engagement.

Getting an email written and sent is the easy part. Getting it into the inbox is the hard part. Email deliverability is the measure of how reliably your messages reach the inbox rather than the spam folder or a silent block. It is not a single setting you turn on; it is the cumulative result of who you are (authentication), how you have behaved over time (reputation), and who you send to (list quality).

This guide is organized around those three pillars. Each one reinforces the others: strong authentication earns you the benefit of the doubt, a good reputation keeps you out of filters, and a clean list keeps your reputation intact. Neglect any one and the other two will not save you. We will walk through each pillar in order, then close with a short monitoring checklist you can run on a schedule.

Pillar 1: Authentication — proving you are who you claim to be

Email was designed in an era of implicit trust, so the protocol itself does nothing to stop a sender from forging the "From" address. Authentication standards were added on top to close that gap. There are three you need to understand, and they answer three different questions.

SPF — which servers are allowed to send for your domain

SPF (Sender Policy Framework) is a DNS record that lists the IP addresses and servers authorized to send mail on behalf of your domain. When a receiving server gets a message claiming to come from an address at your domain, it looks up your SPF record and checks whether the connecting server's IP is on the approved list. If it is not, the message fails SPF.

SPF proves that the sending server is permitted. It does not protect the message contents, and it checks the envelope sender (the address used during the SMTP exchange), not the visible "From" header — a distinction that matters when we get to alignment below.

DKIM — proving the message was not tampered with

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each message. Your sending system signs key parts of the message — typically the headers and body — with a private key, and publishes the matching public key in DNS. The receiving server uses the public key to verify the signature. If it checks out, the receiver knows two things: the message genuinely came from your domain, and it was not altered in transit.

Where SPF authorizes a server, DKIM authenticates the message itself. Because the signature travels with the email, DKIM survives forwarding in many cases where SPF does not.

DMARC — tying it together and telling receivers what to do

DMARC (Domain-based Message Authentication, Reporting, and Conformance) sits on top of SPF and DKIM. It does two things. First, it lets you publish a policy telling receivers what to do with mail that fails authentication: none (monitor only), quarantine (send to spam), or reject (refuse outright). Second, it requires alignment.

Alignment is the concept that ties the pillar together. A message can pass SPF or DKIM while still being a forgery, because those checks can validate a domain that differs from the one your recipients actually see in the "From" field. DMARC closes that loophole by requiring that the domain validated by SPF or DKIM matches the visible "From" domain. A message passes DMARC when it passes at least one of SPF or DKIM and that passing check is aligned with the "From" domain.

| Standard | What it proves | What it checks |
| --- | --- | --- |
| SPF | This server may send for the domain | The envelope sender's domain against a DNS list of IPs |
| DKIM | The message is genuine and unaltered | A cryptographic signature against a published public key |
| DMARC | The visible sender is not forged | Alignment of SPF/DKIM with the "From" domain, plus a policy |
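The alignment rule, as an added example (not code from the original page or from any receiver): given the SPF and DKIM results a receiver has already computed, it decides the DMARC outcome. It goes slightly beyond the text by honouring the strict and relaxed alignment modes (the adkim and aspf tags). The two-label organizational domain is a simplifying assumption; real evaluators use the Public Suffix List.

```python
def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate_dmarc(from_domain, record, spf, dkim):
    """spf is (result, envelope_domain); dkim is a list of (result, d= domain).
    Returns (dmarc_result, disposition). The pct and sp tags are ignored here."""
    tags = parse_dmarc(record)
    policy = tags.get("p")
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return ("none", "none")                    # no usable DMARC policy
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for result, d in dkim)
    if spf_ok or dkim_ok:                          # one aligned pass is enough
        return ("pass", "none")
    return ("fail", policy)

if __name__ == "__main__":
    # Constructed case: SPF passes, but for a domain unrelated to the visible From.
    print(evaluate_dmarc("example.com", "v=DMARC1; p=reject",
                         ("pass", "bulk-sender.example"), []))
    # Constructed case: forwarding broke SPF, the aligned DKIM signature survives.
    print(evaluate_dmarc("example.com", "v=DMARC1; p=reject",
                         ("fail", "example.com"), [("pass", "example.com")]))
```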

This is no longer optional housekeeping. Major mailbox providers now effectively require SPF, DKIM, and a DMARC policy for anyone sending at bulk volume. If you send marketing or transactional mail in any quantity and you have not set up all three with alignment, that is the first thing to fix — before tuning anything else in this guide.

Pillar 2: Sender reputation — how mailbox providers decide to trust you

Authentication tells a receiver you are who you say you are. Sender reputation tells them whether being you is a good thing. Mailbox providers track how recipients react to your mail — opens, replies, deletions, complaints, bounces — and build a trust score that determines whether your future messages land in the inbox, the spam folder, or nowhere at all.

IP reputation versus domain reputation

Reputation is tracked at two levels. IP reputation is attached to the specific server IP address you send from. Domain reputation is attached to your sending domain and follows you even if you change IPs. Both matter, but domain reputation has become the more durable signal, because senders move between IPs and shared infrastructure more often than they change domains. You cannot escape a damaged domain reputation by switching providers.

Warming up — why you cannot start at full volume

A brand-new IP or domain has no reputation, and "no reputation" is treated with suspicion, because that is exactly what a spammer's fresh infrastructure looks like. IP warming is the practice of starting with a small daily volume to your most engaged recipients and increasing it gradually over days or weeks. This gives providers a steady, positive track record to learn from before you reach full scale. Sending 100,000 messages from an IP that sent zero yesterday is one of the fastest ways to get filtered.

Consistency, and the asymmetry of trust

Providers reward predictability. A sender who delivers a similar volume of wanted mail on a regular cadence looks trustworthy; one whose volume spikes and collapses looks like a compromised account or a list buyer. Keep your sending volume and frequency consistent.

The hard truth about reputation is that it is slow to build and quick to lose. Months of careful sending can establish good standing, and a single bad campaign — a purchased list, a spike of complaints, a wave of hard bounces — can undo it in hours. Recovery is much slower than the damage.

Blocklists

An email blocklist (also called a blacklist or DNSBL) is a published list of IPs or domains that have been flagged for sending spam. Many receivers consult these lists during the SMTP handshake and may reject or filter mail from anything listed. Getting on a blocklist is easy — a burst of spam complaints or hitting a spam trap can do it — and getting off requires fixing the underlying problem and requesting delisting. Monitor the major blocklists for your sending IPs and domain so you learn about a listing before your delivery rate collapses.
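One way to automate that monitoring, as an added example (not code from the original page): a DNSBL lookup reverses the IP, appends the list's zone, and asks for an A record. The zone name `dnsbl.example` is a placeholder, and the injectable `resolve` parameter is an assumption of this sketch so it can run without network access.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")   # DNSBL answers live in this range

def dnsbl_query_name(ip, zone):
    """Build the DNS name a DNSBL lookup asks for (RFC 5782 layout)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))             # octets, reversed
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # hex nibbles, reversed
    return ".".join(labels) + "." + zone

def check_blocklists(ips, zones, resolve=socket.gethostbyname):
    """Return [(ip, zone, answer)] for every listing found.
    `resolve` maps a name to an IPv4 string and raises socket.gaierror
    when there is no record, which means the IP is not listed."""
    listings = []
    for ip in ips:
        for zone in zones:
            try:
                answer = resolve(dnsbl_query_name(ip, zone))
            except socket.gaierror:
                continue                                    # no record: not listed
            if ipaddress.ip_address(answer) in LOOPBACK:
                listings.append((ip, zone, answer))
    return listings

if __name__ == "__main__":
    # Constructed resolver standing in for DNS: one of two sending IPs is listed.
    def sample_resolver(name):
        if name == "9.113.0.203.dnsbl.example":
            return "127.0.0.2"
        raise socket.gaierror(name)

    print(check_blocklists(["203.0.113.9", "192.0.2.10"],
                           ["dnsbl.example"], resolve=sample_resolver))
```

What a particular answer value means is specific to each list, so check the operator's documentation before alerting on it.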

Pillar 3: List quality and engagement — who you send to

Authentication and reputation can both be undone by a single factor you fully control: the quality of your list. Mailbox providers infer your intentions from how recipients respond, so sending to bad addresses actively trains the filters against you.

Verify before you send

Email verification checks whether an address is real and deliverable before you send to it, so invalid addresses never reach your mail stream. This is where BounceShift fits. Its engine runs an ordered pipeline — syntax and typo correction (it suggests gmail.com for gmial.com), disposable and role-account detection, MX-record lookup, provider and forwarder detection, and an SMTP mailbox probe that issues a RCPT TO command without ever sending a message — then returns a status (valid, invalid, risky, catch_all, unknown, and others), a granular sub-status, and a confidence score from 0 to 100.

A point worth dwelling on: when a probe is genuinely inconclusive — a catch-all domain that accepts everything, greylisting, rate-limiting, or a blocked port — the engine reports unknown or catch_all with low confidence rather than guessing valid. A false "valid" sends a real bounce or complaint into your stream and damages your reputation, which is worse than an honest abstention. You can read more in how email verification works.

Ongoing list hygiene

Verification at capture is not enough, because addresses decay — people change jobs, abandon accounts, and let domains lapse. List hygiene is the recurring practice of removing addresses that have gone bad and suppressing recipients who never engage. Re-verify your list periodically, and prune long-term non-openers; a smaller engaged list outperforms a large stale one.

Complaint rate — the ~0.1% danger line

Your complaint rate is the share of recipients who mark your mail as spam. It is one of the strongest negative signals a provider has. As an industry rule of thumb, a complaint rate above ~0.1% — roughly one complaint per thousand delivered messages — is dangerous and can trigger filtering or blocks. Keep it well below that by mailing only people who asked to hear from you, making unsubscribing easy, and honoring opt-outs immediately.

Spam traps

A spam trap is an address that exists only to catch senders with poor list practices. Pristine traps are addresses never used by a human; recycled traps are once-real addresses that providers have reclaimed. Hitting either signals that you are mailing addresses you did not earn through genuine opt-in, and traps are a fast route onto a blocklist. Verification and hygiene reduce — though never fully eliminate — trap exposure, which is one more reason to avoid purchased lists entirely.

Engagement signals

Positive engagement is the other half of the equation. Opens, clicks, replies, and messages moved out of spam tell providers your mail is wanted. Low engagement and high deletion-without-reading tell them the opposite. Segment by activity, send relevant content, and let dormant segments cool off rather than mailing your whole list every time.

A monitoring checklist

Deliverability is not a one-time project. Run through these on a regular cadence:

The three pillars are a system, not a menu. Authentication earns trust, reputation accumulates it, and list quality protects it. BounceShift addresses the part you control most directly — verifying that the addresses you send to are real and deliverable before they ever touch your reputation — through a real-time API, batch processing of up to 100,000 addresses, and a crowdsourced reputation network where bounce and complaint outcomes (stored only as one-way hashes) feed back into scoring. Get all three pillars working together and the inbox stops being a gamble.
