DMARC, SPF, DKIM, BIMI, engagement metrics, IP warm-up, and list hygiene explained in plain English. A practical checklist to move from the spam folder to the primary inbox.
April 16, 2026·9 min read
Get a Free Demo
See how Leadify AI can grow your business.
No spam. Your information stays confidential.
A SaaS company in Hyderabad sent 180,000 newsletters last month. They got 400 opens. Four hundred. Out of one hundred and eighty thousand.
Their first reaction was to blame the copy. Then the design. Then the segmentation. The actual problem was that 90% of their emails were going straight to Gmail's promotions tab, and another 5% were landing in spam.
This is more common than anyone admits. And in 2026, with stricter sender requirements than ever before, getting into the inbox is harder than ever.
Here's what actually moves the needle.
Why Deliverability Got Harder in 2025–2026
In early 2024, Google and Yahoo rolled out new bulk sender requirements. By mid-2025, Microsoft followed. By 2026, the new rules are the baseline, not the exception.
The key changes:
DMARC is now mandatory for senders over 5,000 emails per day
Spam complaint rates above 0.3% now trigger automatic throttling
One-click unsubscribe is required in the email header (not just a footer link)
Engagement-based filtering weights opens, clicks, and replies more heavily than ever
If your deliverability tanked in the last 12 months and you didn't change your strategy, this is why. For the broader context on how these changes affect list strategy and automation, see our bulk email marketing 2026 playbook.
The Authentication Stack: SPF, DKIM, DMARC, and BIMI
Think of email authentication as a chain of locks. Miss one and the whole chain is weak.
SPF (Sender Policy Framework)
SPF is a DNS record that says "these servers are allowed to send email on behalf of our domain." It prevents basic spoofing.
Common failure: your ESP changes their sending infrastructure and you don't update your SPF record. Emails start failing authentication overnight.
Fix: Audit your SPF record quarterly. Include every platform you send from.
DKIM (DomainKeys Identified Mail)
DKIM is a cryptographic signature. Every email gets signed with a private key, and mailbox providers verify it against your public key in DNS.
Common failure: DKIM keys rotated on the ESP side without updating DNS. Emails fail signing, reputation tanks.
Fix: Use 2048-bit keys. Enable automatic key rotation through your ESP. Verify after any platform change.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC tells mailbox providers what to do when SPF or DKIM fails. It also provides daily reports on authentication results across the industry.
You can set DMARC to:
`p=none` (monitor only)
`p=quarantine` (send failing mail to spam)
`p=reject` (block failing mail outright)
Most senders should graduate from `none` → `quarantine` → `reject` over 3–6 months, using the reports to catch legitimate mail that's failing.
Fix: If you don't have DMARC yet, start with `p=none`. If you've had `p=none` for 90+ days, move to `quarantine`. Read your DMARC reports — they tell you exactly which servers are sending as your domain.
BIMI (Brand Indicators for Message Identification)
BIMI puts your logo next to your emails in supported inboxes. Requires DMARC enforcement at `p=quarantine` or stricter, plus a VMC (Verified Mark Certificate) for Gmail.
Not mandatory, but a strong trust signal. Expect ~10% lift in opens when you deploy it properly.
IP and Domain Warm-Up
A brand new IP or domain sending 100,000 emails on day one looks like a spammer to Gmail. Even if your list is clean and your content is perfect, you'll be throttled.
The warm-up playbook:
Day 1: 500 emails to your most-engaged segment
Day 2: 1,000 emails
Day 3–7: Double daily volume each day
Week 2: Hold at 10,000–20,000/day to build reputation
Week 3–4: Gradually ramp to full volume
Skip steps at your peril. Rushing warm-up is the single most common mistake enterprise senders make when switching ESPs.
Modern platforms automate this. If yours doesn't, you're manually managing a process that should take zero human attention.
The Engagement Problem
Mailbox providers in 2026 care less about content and more about engagement. If your subscribers open, click, and reply, Gmail learns that mail from your domain is wanted. If most subscribers ignore or delete without opening, Gmail learns the opposite — and starts filtering you into promotions or spam.
This creates a feedback loop: good engagement → better placement → more engagement. And the opposite vicious cycle.
To protect engagement:
1. Suppress Unengaged Subscribers
If someone hasn't opened in 90 days, they're a liability, not an asset. Try one re-engagement email. If they still don't engage, move them to a suppression segment.
2. Send Less, Not More
Counterintuitive, but true. Reducing send frequency to your most-engaged segment often lifts overall deliverability because engagement rates rise.
3. Use Two Sending Domains
Run a separate subdomain for your high-engagement sends (e.g., `promos.yoursite.com`) and another for re-engagement attempts. If the re-engagement domain suffers, your primary mail is protected.
4. Make It Easy to Unsubscribe
An unsubscribe is better than a spam complaint. Spam complaints damage reputation long-term; unsubscribes are neutral.
List Hygiene: The Boring Practice That Wins
List hygiene is unsexy and deeply impactful. Teams that skip it pay for it in deliverability.
Monthly
Purge hard bounces (dead email addresses)
Remove spam complainers immediately
Flag subscribers with 0 opens in 60+ days
Quarterly
Run a re-engagement campaign to the flagged segment
Suppress anyone who didn't engage with the re-engagement attempt
Verify the list against an email validation service for syntax and deliverability
Annually
Audit your opt-in sources. Any source that produces low-engagement subscribers should be fixed or removed.
Review your consent records. If you can't prove consent, you shouldn't be emailing.
A 500,000-subscriber list with 40% engagement outperforms a 2M-subscriber list with 8% engagement every time, because deliverability to the smaller list is better and every metric compounds from there. The campaign management process top teams follow bakes this hygiene into every send.
Content That Doesn't Trigger Filters
Spam filters in 2026 use machine learning, not keyword lists from 2005. The old "don't use the word 'free'" advice is obsolete. Modern filters flag patterns, not individual words.
That said, a few things still hurt:
Heavy image-to-text ratios (pure image emails look suspicious)
URL shorteners (use your own branded links)
Lots of exclamation points and all-caps
Mismatched from name and from address
Broken HTML or inline CSS that doesn't render
No plain-text version
Attachments (don't, just don't)
Pass these, and your content rarely flags filters. The filter's job is mostly about the sender, not the message.
How to Diagnose Poor Deliverability
If your open rates dropped suddenly or your spam complaints spiked, work through this list in order:
Check authentication. SPF, DKIM, DMARC still passing? Use a tool like mail-tester.com to verify.
Check blocklists. Is your sending IP or domain on any major blocklists (Spamhaus, Barracuda, SORBS)?
Check DMARC reports. Any spike in authentication failures? That's usually a misconfigured sender or an attacker.
Check engagement trends. Did opens drop gradually (reputation problem) or suddenly (technical problem)?
Check list source. Did you import a new list recently? That's the most common cause of sudden deliverability crashes.
Check content changes. Did you change templates, from names, or subject patterns recently?
Run an inbox placement test. Tools like Email on Acid or Litmus show where your mail is landing across providers.
Nine times out of ten, the problem is one of these seven. The rare exception is a mailbox provider changing their rules, in which case you wait and adapt.
The Deliverability Checklist
Print this. Audit against it monthly.
[ ] SPF record lists all legitimate senders
[ ] DKIM is enabled with 2048-bit keys
[ ] DMARC is enforced at `p=quarantine` or `p=reject`
[ ] Separate domain for marketing and transactional mail
[ ] IP warm-up completed if on dedicated IP
[ ] List hygiene audit completed in last 30 days
A failed item isn't an emergency, but more than two failed items at once usually is.
Frequently Asked Questions
How long does it take to fix deliverability problems?
Authentication fixes work within 24–48 hours. Reputation recovery from a bad send or dirty list takes 4–8 weeks. Be patient and consistent.
Can I recover from a spam trap hit?
Yes, but slowly. Remove the trap from your list immediately, reduce volume for 2–4 weeks, focus on your most-engaged segment, and watch for reputation recovery. Don't import any new lists during recovery.
Does switching ESPs fix deliverability?
No. Reputation follows your domain and content, not your ESP. Switching platforms without fixing the underlying issues (dirty list, bad authentication, poor engagement) just moves the problem.
Is it worth getting a dedicated IP?
Only at volume. Below 100,000 emails/month consistently, shared IP pools outperform a cold dedicated IP. Above that, dedicated becomes valuable.
How much do mailbox providers care about open rate vs click rate?
Both matter, but click rate is weighted higher because opens can be triggered by tracking pixels (Apple Mail Privacy Protection inflates this). Real engagement — clicks and replies — is what mailbox providers trust.
Deliverability in 2026 rewards senders who treat it as an ongoing practice, not a one-time setup. Leadify's bulk email marketing platform automates the authentication and reputation monitoring, so you can focus on what you can't outsource: clean lists, engaged subscribers, and content people actually want to open.
