Chapter 3

How to Land in the Inbox, Not Spam

Getting accepted by a mail server is easy; reaching the inbox is the real challenge. Covers SPF, DKIM, and DMARC authentication, what drives deliverability, how to avoid the spam folder, and how to handle bounces, complaints, and unsubscribes.

Last updated: June 2026

Getting an email accepted by a mail server is easy. Getting it into the inbox is the actual challenge, and it's where most transactional email problems live. This chapter covers the authentication that proves you are who you say you are, the factors that shape your deliverability, and how to handle the bounces and complaints that protect your reputation over time.

How to set up SPF, DKIM, and DMARC

SPF, DKIM, and DMARC are three DNS records that prove your email is legitimate and not spoofed. Mailbox providers now treat them as table stakes: Gmail and Yahoo require authentication for bulk senders, and unauthenticated mail is likely to land in spam or be rejected outright. Set up all three before you worry about anything else.

SPF (Sender Policy Framework) is a DNS TXT record listing the servers allowed to send email for your domain. When a message arrives, the receiving server checks the sending source against that list.

v=spf1 include:sendgrid.net include:amazonses.com -all

One catch: SPF allows a maximum of 10 DNS lookups, and each include counts against it. Chain too many providers and SPF silently breaks. Keep includes minimal, and once you're confident every legitimate sender is listed, prefer -all (hard fail) over ~all (soft fail):

// Too many includes: risks blowing the 10-lookup limit
v=spf1 include:a.com include:b.com include:c.com include:d.com ~all
// Better: only the providers you actually send through, hard fail
v=spf1 include:sendgrid.net include:amazonses.com -all
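
The 10-lookup limit applies to the whole include tree, not only to the includes written in your own record. The following is an added example, not code from this guide: it counts worst-case lookups over constructed records and goes slightly beyond the text by also counting the other DNS-querying terms (a, mx, ptr, exists, redirect). The `.test` domains and their records are hypothetical.

```python
# Added example: counts SPF DNS lookups over constructed records (no live DNS).
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4; exceeding it yields "permerror"

# Constructed TXT records standing in for DNS answers; all domains are hypothetical.
SAMPLE_DNS = {
    "example.test": "v=spf1 include:esp-a.test include:esp-b.test mx -all",
    "esp-a.test": "v=spf1 include:pool1.esp-a.test include:pool2.esp-a.test ~all",
    "pool1.esp-a.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "pool2.esp-a.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "esp-b.test": "v=spf1 a mx exists:%{i}.list.esp-b.test ~all",
    "overloaded.test": "v=spf1 include:example.test include:esp-a.test include:esp-b.test -all",
}

def count_spf_lookups(domain, records, path=()):
    """Count the DNS-querying terms reachable from `domain` (worst case, no early match)."""
    if domain in path:
        raise ValueError("SPF include loop: " + " -> ".join(path + (domain,)))
    record = records.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()  # drop the qualifier, keep the mechanism
        if term.startswith("redirect="):
            total += 1 + count_spf_lookups(term[len("redirect="):], records, path + (domain,))
            continue
        name, _, target = term.partition(":")
        if name == "include":
            # one lookup for the include itself, plus everything it pulls in
            total += 1 + count_spf_lookups(target, records, path + (domain,))
        elif name.split("/")[0] in ("a", "mx", "ptr", "exists"):
            total += 1
        # ip4, ip6 and all need no DNS query, so they cost nothing
    return total

def spf_lookup_report(domain, records=SAMPLE_DNS):
    """Return (lookup_count, verdict), where verdict is 'ok' or 'permerror'."""
    n = count_spf_lookups(domain, records)
    return n, ("ok" if n <= LOOKUP_LIMIT else "permerror")

if __name__ == "__main__":
    for d in ("example.test", "overloaded.test"):
        print(d, spf_lookup_report(d))
```

In the constructed data, `overloaded.test` has only three includes in its own record yet needs 16 lookups once nested records are followed.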

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message. You publish a public key in DNS (usually a CNAME or TXT record your provider generates) and the provider signs each message with the private key, so receivers can verify the message wasn't altered in transit. Confirm a record exists with a quick lookup:

dig +short TXT selector._domainkey.yourdomain.com

DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receivers what to do when a message fails SPF or DKIM, and where to send reports. It lives at _dmarc.yourdomain.com:

v=DMARC1; p=none; pct=100; rua=mailto:dmarc@yourdomain.com

Roll it out progressively. Start at p=none to monitor without affecting delivery, read the aggregate reports to confirm your legitimate mail passes, then tighten to p=quarantine and finally p=reject. DMARC also requires alignment: the visible From domain has to match your authenticated SPF or DKIM domain, exactly for strict alignment or by subdomain for relaxed.

BIMI (Brand Indicators for Message Identification) displays your logo next to authenticated messages in supporting inboxes like Gmail and Apple Mail. It's a premium step, not a starting point: it requires DMARC at p=quarantine or p=reject, a square SVG logo served over HTTPS, and usually a Verified Mark Certificate (VMC), which runs about $1,000 to $1,500 a year. For most senders, solid SPF, DKIM, and DMARC are enough; add BIMI once you're sending at real volume and want the brand lift.

A pre-send authentication checklist:

  1. Add your provider's include to your SPF record, watching the 10-lookup limit.
  2. Configure DKIM keys with your provider and publish them in DNS.
  3. Publish a DMARC record at p=none and start collecting reports.
  4. Send a test message to a tool like mail-tester.com for a full deliverability score.
  5. Watch DMARC reports for unauthorized senders, then raise enforcement to quarantine and reject.

What affects email deliverability

Deliverability is the likelihood that your email reaches the inbox rather than the spam folder or the void. It's driven by your sending reputation, which mailbox providers calculate from a mix of signals.

The big ones:

  • Sender reputation: a score mailbox providers assign to your domain and sending IP, based on your history. This is the foundation everything else feeds into.
  • Authentication: SPF, DKIM, and DMARC, covered above. Failing these is an instant deliverability hit.
  • Engagement: opens, clicks, replies, and (negatively) deletions and spam complaints. Mailbox providers watch how recipients treat your mail and adjust accordingly.
  • List hygiene: sending to invalid or inactive addresses generates bounces and spam-trap hits that damage reputation quickly.
  • Content: spam-trigger phrasing, a bad text-to-image ratio, link-heavy bodies, and broken HTML can all push a message toward spam.
  • Infrastructure: whether you send from a shared IP (reputation pooled with other senders) or a dedicated IP (your reputation alone, but you must warm it up by ramping volume gradually).

Mailbox providers publish concrete limits. Gmail asks bulk senders to keep the spam-complaint rate below 0.3%, and ideally under 0.1%. Cross it and your delivery gets throttled or filtered to spam, sometimes for weeks. Keep hard bounces under about 0.5% and soft bounces under about 1.5% to stay clear of provider thresholds.

The throughline is that reputation is earned and easily spent. Consistent volume, clean lists, authenticated mail, and engaged recipients build it up. Spikes, bounces, and complaints tear it down.

How to avoid the spam folder

Staying out of spam comes down to looking legitimate to both the filters and the recipient. There's no single trick; it's a checklist you maintain.

  • Authenticate everything with SPF, DKIM, and DMARC.
  • Send from a real, monitored domain, not a no-reply address on a throwaway subdomain. Use a reply-to that reaches a human.
  • Keep your lists clean by removing hard bounces immediately and suppressing addresses that complain.
  • Keep transactional and marketing email on separate streams or subdomains so promotional complaints don't poison your transactional reputation.
  • Write honest subject lines that match the body. Mismatched or clickbait subjects train filters and recipients against you.
  • Balance content: avoid all-image emails, excessive links, and the spam-trigger phrasing that filters flag.
  • Make sure every message has a plain-text version alongside the HTML.

Most spam-folder problems trace back to one of two things: an authentication gap or a reputation problem from poor list hygiene. Fix those two and you've handled the majority of cases.

How to handle bounces, complaints, and unsubscribes

A bounce is an email that couldn't be delivered; a complaint is a recipient marking your message as spam. Handling both correctly is what protects your sending reputation over the long run, and ignoring them is how good senders slowly go bad.

Watch out: The single fastest way to wreck a sending reputation is to keep emailing addresses that hard-bounced or complained. A suppression list isn't optional, and it has to update automatically.

Bounces come in two kinds. A hard bounce is permanent (the address doesn't exist), and you must stop sending to that address immediately and remove it from your list. A soft bounce is temporary (a full mailbox, a server hiccup), and you can retry a few times before giving up. Your ESP reports both, usually through webhooks, and the non-negotiable rule is to maintain a suppression list: addresses you never send to again because they hard-bounced or complained.

Complaints are even more direct signals. When a recipient hits "report spam," mailbox providers often relay that through a feedback loop your ESP subscribes to. Treat a complaint as an immediate suppression. For unsubscribes, remember that genuinely transactional email generally doesn't require an unsubscribe link, but the moment a message drifts toward promotional content, you need one, and as of recent bulk-sender requirements, one-click unsubscribe is expected for non-transactional mail. The practical setup is to wire your ESP's bounce and complaint webhooks to an endpoint that updates a suppression list automatically, so reputation protection happens without a human in the loop.
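
A sketch of that wiring follows, as an added example rather than code from this guide or from any ESP. The event field names, the HMAC signing scheme, the shared secret and the retry count of 3 are all assumptions; check your provider's webhook documentation for the real ones.

```python
import hashlib, hmac, json
WEBHOOK_SECRET = b"constructed-secret"  # hypothetical shared secret with the ESP
MAX_SOFT_RETRIES = 3                    # "a few" retries; the number is an assumption

def sign(body):
    """HMAC-SHA256 of the raw body; the signing scheme is assumed, not a specific ESP's."""
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()

class SuppressionList:
    def __init__(self):
        self.suppressed = {}      # address -> reason it was suppressed
        self.soft_bounces = {}    # message_id -> soft bounces seen so far
        self.seen_events = set()  # event ids, so redelivered webhooks are no-ops

    def can_send(self, address):
        """Call before every send; suppressed addresses are never mailed again."""
        return address.strip().lower() not in self.suppressed

    def handle_webhook(self, body, signature):
        """Verify one webhook delivery, apply it, and return the action taken."""
        if not hmac.compare_digest(sign(body), signature):
            return "rejected"  # unauthenticated callers must not edit the list
        event = json.loads(body)
        if event["id"] in self.seen_events:
            return "duplicate"
        self.seen_events.add(event["id"])
        address = event["email"].strip().lower()
        kind, bounce_class = event["type"], event.get("class")
        if kind == "complaint" or (kind == "bounce" and bounce_class == "hard"):
            self.suppressed.setdefault(address, kind)
            return "suppressed"
        if kind == "bounce":  # soft bounce: temporary, retry a bounded number of times
            count = self.soft_bounces.get(event["message_id"], 0) + 1
            self.soft_bounces[event["message_id"]] = count
            return "retry" if count <= MAX_SOFT_RETRIES else "give_up"
        return "ignored"

def demo():
    """Replay constructed events; field names are hypothetical, not any ESP's schema."""
    sl = SuppressionList()
    events = [
        {"id": "e1", "type": "bounce", "class": "hard", "email": "Gone@Example.test", "message_id": "m1"},
        {"id": "e2", "type": "complaint", "email": "annoyed@example.test", "message_id": "m2"},
        {"id": "e3", "type": "bounce", "class": "soft", "email": "full@example.test", "message_id": "m3"},
    ]
    bodies = [json.dumps(e).encode() for e in events]
    actions = [sl.handle_webhook(b, sign(b)) for b in bodies + bodies[:1]]  # e1 is redelivered
    actions.append(sl.handle_webhook(bodies[0], "bad-signature"))
    return actions, sl
```

The signature check matters because the endpoint changes who you can email: without it, anyone who finds the URL can add addresses to your suppression list.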

Frequently asked questions

Do I really need SPF, DKIM, and DMARC?

Yes. Gmail, Yahoo, and other major providers require all three for bulk senders, and unauthenticated mail is far more likely to be filtered to spam or rejected. All three are DNS records you can set up in an afternoon, and they're the highest-impact thing you can do for deliverability.

What is a good email deliverability rate?

Aim for a delivery rate of 98-99% or higher for transactional email, since recipients expect and engage with these messages. Below 98% usually points to an authentication gap, list-hygiene problems, or a blocklist. Inbox placement, not only delivery, is the number that really matters.

Why are my transactional emails going to spam?

Most spam-folder problems come down to two causes: missing or misconfigured authentication, or a damaged sending reputation from poor list hygiene. Fix SPF, DKIM, and DMARC first, remove hard bounces and complainers, keep transactional and marketing mail on separate streams, and send from a real, monitored domain.


© 2026 Courier. All rights reserved.