The Complete Email Deliverability Handbook

Sarah Chen

Email Strategy Lead at MiN8T

Published March 2026

Email deliverability is the single most important metric most senders ignore. You can design the most beautiful email campaign in existence, craft subject lines that would make a copywriter weep, and target a list so precisely segmented it borders on clairvoyance -- but if your email lands in spam, none of it matters. It simply does not exist.

This handbook is the resource we wish existed when we started building MiN8T's DeliverIQ suite. It covers everything from DNS authentication records to mailbox provider-specific behaviors, with concrete steps you can take today to improve your inbox placement rates.

1 Why Deliverability Matters

Deliverability is the percentage of your emails that actually reach the inbox -- not just get accepted by the receiving server, but bypass spam filters and land where your subscriber can see them. The distinction is critical. An email accepted by a server but routed to the spam folder has a 0.1% chance of being read. An email in the primary inbox has a 20-40% open rate.

The financial impact is staggering. For a sender doing 1 million emails per month with a 10% inbox placement problem, that is 100,000 emails per month that never get seen. At an average revenue-per-email of $0.08, that is $8,000 per month in lost revenue -- $96,000 annually -- from a problem most teams do not even realize they have.

The three pillars of deliverability

Deliverability rests on three pillars, and all three must be solid:

• Authentication -- proving to receiving servers that you are who you claim to be (SPF, DKIM, DMARC)
• Reputation -- your historical track record as a sender, measured by IP address and domain
• Content & engagement -- what you send, how recipients interact with it, and whether your list is clean

Weakness in any single pillar can undermine the other two. Perfect authentication with a terrible reputation still lands you in spam. A sterling reputation with broken DKIM signatures triggers phishing filters. A clean list with spammy content gets flagged by machine learning classifiers. This handbook addresses all three.

2 Email Authentication (SPF, DKIM, DMARC)

Email authentication is the foundation. Without it, you are asking mailbox providers to trust you on faith -- and in 2026, they do not. Google, Microsoft, and Yahoo have all announced that unauthenticated senders will see significantly degraded deliverability, and as of February 2024, Gmail actively rejects messages from bulk senders without proper authentication.

SPF (Sender Policy Framework)

SPF tells receiving servers which IP addresses are authorized to send email on behalf of your domain. It is a DNS TXT record that lists your legitimate sending sources.

v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com ~all

Key rules for SPF records:

• One record per domain -- multiple SPF records cause both to fail. Merge them into one.
• DNS lookup limit of 10 -- each include: counts as a lookup. Nested includes count too. Exceeding 10 causes a permanent error (permerror), which is treated as a fail by most providers.
• Use ~all (softfail) during setup, then migrate to -all (hardfail) once you have confirmed all legitimate sources are listed.
• Flatten if needed -- SPF flattening tools resolve includes to IP addresses, reducing lookup count. Be cautious: IP addresses change, so flattened records require regular updates.

DKIM (DomainKeys Identified Mail)

DKIM attaches a cryptographic signature to each outgoing email. The receiving server verifies this signature against a public key published in your DNS. If the signature checks out, the server knows the email was not tampered with in transit and that it genuinely came from your domain.

Every ESP and sending service provides DKIM keys for you to publish. The process is always the same: generate a key pair, publish the public key as a DNS TXT record under a selector subdomain, and configure your sending service to sign outbound messages with the private key.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also provides a reporting mechanism so you can see exactly who is sending email using your domain -- including unauthorized senders.

A DMARC policy has three enforcement levels:

• p=none -- monitor only. No action taken on failing messages. Use this during initial deployment to collect data.
• p=quarantine -- route failing messages to spam. A strong signal but still allows recipients to find the message.
• p=reject -- block failing messages entirely. The strongest protection against spoofing, and the gold standard for deliverability.

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100; adkim=s; aspf=s"

The recommended enforcement path: start at p=none for 2-4 weeks while monitoring aggregate reports. Once you have confirmed all legitimate sources pass SPF and DKIM, move to p=quarantine for 2-4 weeks. Then move to p=reject.

• SPF record published with all sending sources included and fewer than 10 DNS lookups
• DKIM signing enabled with 2048-bit keys on every sending service
• DMARC record published with rua reporting address configured
• DMARC policy at quarantine or reject after monitoring period
• Alignment set to strict (adkim=s; aspf=s) for maximum protection

3 Sender Reputation & IP Warming

Even with perfect authentication, your emails can still land in spam if your sender reputation is poor. Mailbox providers maintain reputation scores for both your IP address(es) and your sending domain. These scores are influenced by bounce rates, complaint rates, spam trap hits, engagement patterns, and sending volume consistency.

IP reputation vs. domain reputation

Historically, IP reputation was dominant. If you sent from a clean IP, you were trusted. This has shifted dramatically. Google, Microsoft, and Yahoo now weigh domain reputation more heavily than IP reputation, because domain reputation follows the sender across IP changes, ESP migrations, and infrastructure shifts. You cannot escape a bad domain reputation by switching IPs.

That said, IP reputation still matters -- particularly for dedicated IP senders. Shared IP pools (used by most ESP plans) mean your reputation is partially determined by the behavior of other senders on the same IPs. This is one reason high-volume senders migrate to dedicated IPs: full control over reputation.

IP warming

A new IP address has no reputation -- it is a blank slate. Mailbox providers treat unknown IPs with suspicion. Sending a large volume from a new IP is one of the fastest ways to get blacklisted. IP warming is the process of gradually increasing your sending volume over 2-4 weeks to build a positive reputation.

Maintaining reputation

Once established, reputation must be maintained through consistent sending patterns. Avoid volume spikes (sending 10x your normal volume on a holiday promotion without gradual ramp-up), keep bounce rates under 2%, keep complaint rates under 0.1%, and regularly clean your list to remove disengaged subscribers.

4 List Hygiene & Bounce Management

Your email list decays at a rate of 2-3% per month. People change jobs, abandon email addresses, switch providers, and mark messages as spam instead of unsubscribing. A list that was perfectly clean in January will have lost 25-35% of its viability by December if you do nothing.

Hard bounces vs. soft bounces

A hard bounce is a permanent delivery failure -- the email address does not exist, the domain is invalid, or the receiving server has permanently rejected the message. Hard bounces must be removed from your list immediately. There is no second chance. Continuing to send to hard-bounced addresses destroys your sender reputation faster than almost anything else.

A soft bounce is a temporary failure -- the recipient's mailbox is full, the server is temporarily unavailable, or the message was too large. Soft bounces should be retried (most ESPs handle this automatically), but if an address soft-bounces repeatedly across multiple campaigns, it should be treated as a hard bounce and removed.

Verification before sending

The best time to catch bad email addresses is before you send to them. Email verification services check addresses through multiple methods:

• Syntax validation -- catches obvious typos like user@gmial.com
• MX record lookup -- confirms the domain has a mail server configured to receive email
• SMTP handshake -- connects to the mail server and confirms the specific address exists without actually sending an email
• Catch-all detection -- identifies domains that accept all addresses (which makes individual verification impossible and increases spam trap risk)
• Disposable email detection -- flags temporary email addresses from services like Guerrilla Mail, Temp-Mail, and others

Suppression list management

Beyond bounced addresses, you need to maintain suppression lists for: unsubscribes (legally required under CAN-SPAM and GDPR), spam complainers (required by all major ESPs), role-based addresses (info@, support@, admin@ -- high spam trap risk), and long-term disengaged subscribers (no opens or clicks in 90+ days).

5 Spam Traps & Blacklists

Spam traps are email addresses operated by mailbox providers, anti-spam organizations, and blacklist operators to catch senders with poor list practices. Hitting a spam trap is one of the most damaging events for your sender reputation, and in some cases, a single hit can get your IP or domain blacklisted.

Types of spam traps

• Pristine traps -- email addresses that were never used by a real person. They exist solely to catch senders who buy lists or scrape addresses. Hitting a pristine trap is the most severe -- it is definitive proof of bad list acquisition practices.
• Recycled traps -- email addresses that once belonged to real people but were abandoned and then repurposed by the provider as trap addresses. Typically, the address is deactivated for 6-12 months (during which it hard bounces), then reactivated as a trap. If you are still sending to it, you were not processing your bounces.
• Typo traps -- addresses on domains like gnail.com or yaho.com that catch senders who are not validating email input at the point of collection.

Blacklists

Blacklists (or blocklists) are databases of IP addresses and domains identified as spam sources. There are over 300 active blacklists, but only a handful significantly impact deliverability:

• Spamhaus (SBL, XBL, PBL, DBL) -- the most influential. A Spamhaus listing will devastate your inbox placement across virtually all providers.
• Barracuda (BRBL) -- widely used by corporate email gateways
• SpamCop -- driven by user complaints, typically short-duration listings
• SURBL / URIBL -- domain-level blacklists that flag URLs within email content, not sending IPs

If you are blacklisted, the removal process varies by list. Spamhaus requires you to identify and fix the root cause before requesting delisting. SpamCop listings typically expire automatically within 24-48 hours if spam complaints stop. The key is monitoring: you need to know when you are listed, on which blacklist, and why.

6 Gmail & Microsoft Specifics

Gmail and Microsoft (Outlook.com, Hotmail, Office 365) collectively handle over 60% of consumer and business email. Their filtering algorithms have distinct behaviors that require specific attention.

Gmail

Gmail's filtering is primarily driven by engagement signals. Google's machine learning models analyze open rates, click rates, reply rates, time spent reading, and whether users move your messages between tabs or to spam. Aggregate engagement across all Gmail recipients determines whether your future emails land in Primary, Promotions, or Spam.

Key Gmail requirements (effective since February 2024):

• SPF or DKIM required for all senders. Both recommended.
• DMARC required for bulk senders (5,000+ messages/day to Gmail addresses)
• One-click unsubscribe required via List-Unsubscribe header with HTTPS endpoint
• Spam complaint rate must stay below 0.1% (measured via Google Postmaster Tools), with 0.3% as the absolute maximum before aggressive filtering kicks in
• TLS encryption required for transmission
• Valid forward and reverse DNS for sending IPs

Microsoft (Outlook/Hotmail/Office 365)

Microsoft uses SmartScreen filtering, which relies heavily on complaint data from their Smart Network Data Services (SNDS) program, combined with content analysis and sender reputation. Microsoft is more aggressive than Gmail at junking email from new or low-reputation senders.

Key Microsoft considerations:

• Enroll in SNDS -- Microsoft's SNDS provides data on your complaint rates, trap hits, and reputation scores specific to the Microsoft network. Without SNDS data, you are flying blind on Microsoft deliverability.
• Enroll in JMRP -- the Junk Mail Reporting Program forwards complaint reports (FBL) to you so you can identify and suppress complainers in real time.
• Avoid content triggers -- Microsoft's content filtering is stricter than Gmail's. Excessive capitalization, multiple exclamation marks, URL shorteners, and certain phrases ("act now", "limited time", "free money") carry heavier penalties.
• Throttling is common -- Microsoft aggressively throttles senders who ramp volume too quickly. Error code 421 RP-001 means you are being rate-limited. Back off and reduce sending speed.

7 Monitoring & Troubleshooting

Deliverability is not a set-and-forget configuration. It requires ongoing monitoring because the landscape shifts constantly -- mailbox providers update their algorithms, your list quality changes over time, and new sending sources introduce authentication gaps.

Essential metrics to track

• Inbox placement rate -- the percentage of sent emails that reach the inbox (not just "delivered"). Use seed testing or panel-based monitoring. Aim for 95%+.
• Bounce rate -- should stay below 2%. Track hard and soft bounces separately.
• Spam complaint rate -- must stay below 0.1%. Above 0.3% is an emergency.
• DMARC pass rate -- should be 98%+ for legitimate sources. Monitor aggregate reports weekly.
• Blacklist status -- check daily. Automated monitoring is essential.
• Engagement trends -- declining open and click rates often precede deliverability drops. They are a leading indicator.

Troubleshooting flowchart

When deliverability drops, follow this diagnostic sequence:

1. Check authentication -- are SPF, DKIM, and DMARC all passing? Use mxtoolbox.com or DeliverIQ's authentication checker. A single misconfigured DNS record can tank deliverability overnight.
2. Check blacklists -- are you listed on Spamhaus, Barracuda, or SpamCop? A fresh listing often explains a sudden drop.
3. Check complaint rates -- have spam complaints spiked? Review recent campaigns for content issues or list quality problems.
4. Check bounce rates -- a spike in hard bounces suggests list quality degradation. Verify your list and suppress invalid addresses immediately.
5. Check content -- run your email through a spam score checker. Look for URL reputation issues, image-to-text ratio problems, and known spam trigger words.
6. Check sending patterns -- did you recently change your sending volume, frequency, or infrastructure? Sudden changes trigger scrutiny.

Deliverability is not glamorous work. It is infrastructure, hygiene, and discipline. But it is the work that determines whether every other investment you make in email -- design, copywriting, segmentation, personalization -- actually reaches a human being. Master the fundamentals in this handbook, monitor relentlessly, and your emails will reach the inbox.