You spent hours writing the perfect email campaign. You hit send. Crickets. Low open rates, minimal clicks, no replies. The most likely culprit is not your subject line or your offer — it is your email landing in the spam folder before anyone even sees it.
Email deliverability is the invisible foundation of every successful email marketing program. Get it wrong and nothing else matters. Get it right and every other metric — open rates, clicks, conversions — follows naturally.
This guide covers everything a small business owner needs to know: authentication records (SPF, DKIM, DMARC), sender reputation, list hygiene, Google and Yahoo's 2024-2026 requirements, spam trigger content, and free tools to test and monitor your deliverability.
Quick summary: Deliverability problems almost always come from one of four sources — missing authentication, a damaged sender reputation, a dirty list, or spam-triggering content. This guide addresses all four.
Email deliverability refers to the ability of an email to successfully reach a recipient's inbox. More precisely, it measures what percentage of your sent emails are accepted by receiving mail servers versus being rejected, bounced, or silently dropped.
Deliverability is often confused with open rates. They are related, but distinct:
You cannot optimize open rates if emails are not reaching inboxes in the first place. A 40% open rate sounds great, but if only 60% of your emails are being delivered, your effective reach is just 24% of your list.
Poor deliverability compounds over time. When you send to bad addresses or generate spam complaints, your sender reputation degrades, which makes future emails even less likely to reach the inbox — a downward spiral that takes months to reverse.
The 2024 inflection point: Google and Yahoo's February 2024 requirements changed everything for bulk senders. Missing authentication records that were once merely recommended are now grounds for outright rejection. If you have not audited your setup since early 2024, do it today.
Email authentication is a set of DNS-based standards that verify two things: (1) that an email claiming to be from your domain actually came from an authorized server, and (2) that the email was not tampered with in transit. Think of it as a passport system for email.
There are three records you need to understand and configure.
SPF is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. When a receiving server gets an email from you@yourdomain.com, it checks your domain's DNS to see if the sending server is on the approved list.
What it looks like:
v=spf1 include:_spf.google.com include:sendgrid.net ~allThe ~all at the end means "soft fail" — emails from non-listed servers will be accepted but flagged. Use -all for a hard fail if you are confident in your setup. Important: You can only have one SPF record per domain. If you have multiple email sending services, combine them into a single record.
SPF limitation: SPF breaks during email forwarding because the forwarding server's IP is not in your SPF record. This is why DKIM exists.
DKIM adds a cryptographic signature to every outgoing email. The private key lives on your sending server; the public key is published in your DNS. Receiving servers use the public key to verify that the email was signed by you and was not modified after it left your server.
Your email service provider (ESP) handles the actual signing — you just need to add the DKIM DNS record they provide to your domain. Most modern ESPs like Mailchimp, Kit, and Brevo give you exact DNS records to copy and paste.
What it looks like (DNS name):
google._domainkey.yourdomain.comDKIM survives email forwarding because the signature is embedded in the email headers, not tied to the sending IP address.
DMARC builds on SPF and DKIM by telling receiving servers what to do when authentication fails: deliver anyway (none), send to spam (quarantine), or reject outright (reject). It also tells receiving servers where to send aggregate reports so you can see who is sending email claiming to be from your domain.
A minimal DMARC record:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.comStart with p=none (monitor only) while you review the aggregate reports. Once you are confident all legitimate sending is authenticated, move to p=quarantine, then eventually p=reject.
@ and the value provided by your ESP. If you use Google Workspace for email, start with v=spf1 include:_spf.google.com ~all and add other sending services.mail._domainkey) and a long TXT value. Copy both exactly._dmarc and value v=DMARC1; p=none; rua=mailto:your-email@yourdomain.com.In February 2024, Google and Yahoo simultaneously tightened their requirements for bulk senders (anyone sending more than 5,000 emails per day to Gmail addresses). By mid-2024, stricter enforcement was rolled out for all senders. These rules are now table stakes for 2026.
| Requirement | Yahoo | Applies to | |
|---|---|---|---|
| Valid SPF or DKIM | Required | Required | All senders |
| DMARC policy | Required | Required | Bulk senders (>5k/day) |
| Spam rate below 0.10% | Required | Required | All senders |
| One-click unsubscribe | Required | Required | Bulk senders |
| Valid "From" domain alignment | Required | Required | All senders |
| No impersonation of Gmail | Required | Required | All senders |
The 0.10% spam rate threshold is the one that catches most small businesses off guard. That means no more than 1 in 1,000 recipients can mark your email as spam. At 0.30% and above, Google will start throttling or blocking your mail. Monitor your spam rate in Google Postmaster Tools (free — covered below).
The one-click unsubscribe requirement means your unsubscribe link must process the request immediately, with no confirmation steps or account login required. Most major ESPs handle this automatically, but if you use a custom solution or older template, check that your List-Unsubscribe header is correctly configured.
A clean email list is the single highest-leverage thing you can do for deliverability. Sending to invalid addresses generates hard bounces. Sending to unengaged contacts generates spam complaints. Both poison your sender reputation.
info@, admin@, support@ — often shared by multiple people and more likely to generate complaints. Avoid collecting them.Verify your list before your next campaign. Use a free email verification tool to remove invalid addresses and protect your sender reputation.
See Free Verification ToolsModern spam filters are machine-learning-based and evaluate hundreds of signals simultaneously. That said, certain content patterns consistently correlate with spam and are worth avoiding.
Spam filters do not simply flag individual words in isolation — they evaluate word combinations, context, and the sender's reputation together. High-risk phrases include anything promising unrealistic financial outcomes, urgency combined with vague offers, or anything that sounds like a scam pitch. Phrases like "Earn $5,000 a week," "100% free," "Act now," "Guaranteed," "No risk," and "You've been selected" all raise scores.
This does not mean you can never use the word "free." A reputable sender with strong authentication and a clean list can use these words without issue. The problem comes when these phrases appear alongside weak authentication, low engagement, and high bounce rates.
Your sender reputation is a score that major ISPs (Google, Microsoft, Yahoo) assign to your sending IP address and domain based on your sending behavior over time. It determines how much of your mail reaches the inbox. Unlike authentication, you cannot configure your way to a good reputation — you have to earn it through consistent, positive sending behavior.
If you are sending from a new domain or a new dedicated IP address, you need to build reputation gradually. ISPs need to see a track record of positive engagement before they will trust high-volume sends.
| Week | Daily volume | Send to |
|---|---|---|
| Week 1 | 20–50 emails/day | Most engaged subscribers only |
| Week 2 | 50–100 emails/day | Engaged, recent opt-ins |
| Week 3–4 | 200–500 emails/day | Active subscribers (opened in 90 days) |
| Week 5–6 | 1,000–2,500 emails/day | Active + semi-active subscribers |
| Week 7–8 | 5,000+ emails/day | Full list (after cleaning) |
Only increase volume if open rates stay above 20% and spam complaints stay below 0.08%. If metrics deteriorate, pause and investigate before continuing.
Automated warm-up tools can accelerate this process by simulating engagement signals. See our guide to the best free email warm-up tools for options that work well for small business senders.
| Authentication Method | What It Does | Setup Difficulty | Impact on Deliverability |
|---|---|---|---|
| SPF | Authorizes which mail servers can send for your domain | Easy | High — required by all major ISPs |
| DKIM | Cryptographically signs emails to prove they were not tampered with | Easy | High — survives forwarding, required by Google/Yahoo |
| DMARC | Enforces SPF/DKIM and provides aggregate reporting on failures | Medium | High — required for bulk senders; needed for brand protection |
| BIMI | Displays your brand logo in supported email clients (Gmail, Yahoo) | Hard | Low direct impact; improves brand trust and open rates |
| MTA-STS | Forces TLS encryption on email connections to your domain | Medium | Low direct impact; improves security posture |
For most small businesses, SPF + DKIM + DMARC is all you need. BIMI is worth implementing once your DMARC policy is set to p=reject, as it requires a verified mark certificate and is only available to senders with a fully enforced DMARC policy.
You do not need to spend money to diagnose and monitor your email deliverability. These five free tools cover the full spectrum of checks you need.
Mail Tester gives you a temporary email address. You send your actual campaign email to that address, then visit the site to see a score out of 10 with a detailed breakdown of everything affecting your deliverability: SPF/DKIM/DMARC status, spam filter score, blacklist checks, HTML issues, and link analysis.
Strengths
Limitations
MXToolbox is the go-to tool for verifying that your SPF, DKIM, DMARC, and MX records are configured correctly. Enter your domain and it will instantly show you any DNS errors, check your IP against 100+ blacklists, and flag common misconfigurations. The SuperTool can test all record types from a single interface.
Strengths
Limitations
Google Postmaster Tools is the only way to see how Gmail specifically evaluates your sending domain and IP. It shows your domain reputation (high/medium/low/bad), spam rate over time, delivery errors, and authentication pass rates. Data appears after you verify domain ownership and send sufficient volume to Gmail addresses.
Strengths
Limitations
Sender Score gives your sending IP a reputation score from 0 to 100 based on 30 days of sending behavior data. A score above 80 is healthy; below 70 and you likely have deliverability problems; below 50 is critical. It also shows the specific factors dragging down your score. Enter your sending IP address (find it in your ESP's settings or an email header) to check.
Strengths
Limitations
GlockApps goes further than spam score tools by actually delivering your test email to seed accounts at Gmail, Yahoo, Outlook, and Apple Mail, then reporting where it landed: inbox, spam, promotions tab, or missing. The free tier gives you 3 tests per month — enough to check your main campaign template before each major send.
Strengths
Limitations
Deliverability is not a one-time fix — it requires ongoing monitoring. Here is the monitoring cadence that works for most small businesses:
Key benchmarks to maintain: Spam complaint rate below 0.08% • Hard bounce rate below 2% • Open rate above 20% • Sender Score above 80 • Google Postmaster domain reputation: High or Medium
The Promotions tab is not spam — it is a category filter. Your emails are being delivered, just not to the Primary inbox. This reduces open rates but is not a deliverability emergency. To improve Primary inbox placement: reduce the commercial density of your emails (fewer promotional banners, more plain text), encourage subscribers to drag your email to Primary and click "Do this for all messages," and send more personalized, conversational content.
A sudden open rate drop (especially if it correlates with a specific campaign) usually means one of three things: (1) your email landed in spam for a significant portion of recipients, (2) you sent to a cold or inactive segment, or (3) your email service provider is experiencing deliverability issues on their shared IPs. Check Google Postmaster Tools immediately. If domain reputation dropped, review what was different about that campaign's content or recipient list.
Check MXToolbox to identify which blacklist(s) you are on. Most blacklists have a self-serve removal process once you have addressed the underlying cause. The most common blacklists (Spamhaus, SORBS, Barracuda) each have different removal requirements — usually completing a form and agreeing to send only to opt-in subscribers. Resolution typically takes 24-72 hours. If you are on a shared IP through your ESP, contact their support team — they may be able to move you to a cleaner IP.
DMARC aggregate reports (delivered to the email address in your rua tag) will show you which sending sources are failing authentication. Common causes: a third-party service sending email on your behalf that is not in your SPF record, a forwarding server breaking SPF alignment, or an old DKIM key that was rotated. Use a free DMARC report analyzer like Dmarcian's free tier or DMARC Analyzer's free plan to parse the XML reports into readable format.
If spam complaint rate is above 0.1%, the problem is almost always one of: sending to people who did not explicitly opt in, sending too frequently for your audience's preferences, not making the unsubscribe button obvious enough, or having a recognizable brand that people do not associate with email (they mark as spam instead of unsubscribing). The fix: double opt-in, prominent unsubscribe links, preference centers that let subscribers choose frequency, and ruthless list cleaning.
A good email deliverability rate is 95% or higher — meaning at least 95 out of every 100 emails you send successfully reach the recipient's mail server rather than being rejected or silently dropped. Top-tier senders achieve 98-99% deliverability.
Note that deliverability is different from inbox placement rate: deliverability measures whether the email was accepted by the receiving server, while inbox placement measures whether it landed in the inbox versus the spam folder. An email can be delivered but still go to spam.
Warming up a new email domain typically takes 4 to 8 weeks if done properly. During week one, limit sending to 20-50 emails per day to your most engaged contacts. Double volume every 5-7 days as long as your open rates stay above 20% and spam complaints stay below 0.1%.
Rushing the warm-up process is the most common mistake — sending hundreds of emails on day one from a brand-new domain is a reliable way to get blacklisted immediately. Use an automated warm-up tool to accelerate the process safely.
Yes, you need all three for complete email authentication in 2026. SPF alone tells receiving servers which IPs are allowed to send on your behalf, but it breaks when emails are forwarded. DKIM alone adds a cryptographic signature proving the email content was not tampered with, but it does not tell receivers what to do if verification fails.
DMARC ties the two together, tells receiving servers what to do with failed authentication (nothing, quarantine, or reject), and gives you visibility via aggregate reports. Google and Yahoo have required all bulk senders to have SPF, DKIM, and DMARC since February 2024.
Authentication is only one factor in spam filtering. Your emails can still land in spam if: your sending IP or domain is on a blacklist, your spam complaint rate exceeds 0.1%, you are sending to many invalid or inactive addresses, your email content contains spam trigger words or suspicious links, or you have a poor sender reputation built up over time.
Use free tools like Mail Tester, MXToolbox, and Google Postmaster Tools to diagnose exactly which factor is causing the issue. Authentication being correct just means your emails will not be rejected outright — it does not guarantee inbox placement.
You should clean your email list at least every 3 to 6 months, or after every major campaign that reveals high bounce or low engagement rates. Specifically: remove hard bounces immediately after they occur, suppress contacts who have not opened any email in 6-12 months (run a re-engagement campaign first), and verify new subscriber addresses at the point of collection.
For most small businesses sending monthly newsletters, a thorough list cleaning twice a year is sufficient. If you are sending weekly or more frequently, clean quarterly. A clean list of 1,000 engaged subscribers will always outperform a bloated list of 10,000 cold contacts.
Start with a free Mail Tester check on your next campaign, then verify your DNS records in MXToolbox. Most deliverability problems are fixable within a week once you know what to look for.
See the Best Email Tools →