Why Legitimate Emails End Up in Spam
If your legitimate transactional emails are landing in spam folders, the problem is usually one of three things: authentication configuration, email content, or sending reputation. Each of these can be addressed systematically, which means poor deliverability is rarely permanent.
Spam filters do not simply flag suspicious messages. They assess a combination of signals from the sending infrastructure, the message itself, and the behaviour of previous emails sent from the same domain or IP address. If any of these signals fall outside acceptable ranges, the email gets filtered regardless of whether the content is genuine.
This guide covers the practical steps you can take to improve inbox delivery, starting with authentication because that is where most problems begin. If you are not familiar with how email authentication works, reading a detailed explanation of SPF, DKIM, and DMARC before continuing is useful.
How Email Authentication Works
Email was designed in an era when trust was assumed. The protocol that sends email across the internet, SMTP, does not verify that the sender address is genuine. This gap allowed spoofing to become widespread, and spam filters evolved specifically to address it.
Authentication records in your DNS tell receiving servers that your emails genuinely come from your domain and have not been forged in transit. Without these records, filters treat your emails with suspicion even when the content is perfectly legitimate.
SPF: Specifying Which Servers Can Send for Your Domain
Sender Policy Framework defines which mail servers are permitted to send email for your domain. When a receiving server receives an email claiming to be from your domain, it checks your SPF record to see if the sending server is authorised. If it is not, the email is treated as suspicious.
You publish SPF as a TXT record in your DNS. A basic record listing your own mail server and any third-party sending services looks like this:
v=spf1 mx ip4:YOUR_SERVER_IP include:sending_service.com ~all
The ~all at the end means "soft fail". Emails from unlisted servers are marked as suspicious but not automatically rejected. Once you are confident your configuration is complete, changing this to -all (hard fail) provides stronger protection but only if every legitimate sending source is already listed.
DKIM: Cryptographic Signatures That Verify Integrity
DomainKeys Identified Mail adds a digital signature to every email you send. This signature is generated using a private key held on your sending server and can be verified by anyone using the public key published in your DNS.
If the signature does not verify, the email was altered in transit or sent from an unauthorised server. A typical DKIM record looks like this:
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA..." );
Most mail servers and transactional email services handle DKIM signing automatically once the DNS record is in place. If you are managing your own mail server, you need to configure the signing daemon to use your private key.
DMARC: Setting Policy and Getting Reports
Domain-based Message Authentication, Reporting and Conformance builds on SPF and DKIM. It tells receiving servers what to do when an email fails authentication and sends you reports about authentication activity on your domain.
A basic DMARC record that quarantines failing emails and sends aggregate reports looks like this:
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
The pct value controls what percentage of failing emails are affected. Setting this to 100 applies the policy to all failing emails. Starting with a lower percentage while you monitor results is sensible if your email volume is high.
Verifying Your Authentication Setup
Before moving on to content, verify that your authentication is actually working. Several free tools check your SPF, DKIM, and DMARC records the way a real receiving server would:
- MXToolbox: Enter your domain and it reports the status of all three authentication records.
- Mail-tester: Send a test email to their address and receive a detailed report covering authentication and content scoring.
- Google Postmaster Tools: If you send to Gmail addresses, this shows your domain reputation, complaint rate, and authentication status as Google sees them.
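A local pre-check for the SPF and DMARC record formats described above, useful before publishing a change and confirming it with the online tools. This is an added example, not code from the article: the function names and sample records are constructed, the limit of 10 DNS-lookup terms comes from RFC 7208 rather than from this page, and nothing is resolved over DNS, so lookups inside include targets are not counted.

```python
import re
# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_NOTES = {
    None: "no 'all' term: unlisted servers get no fail result from this record",
    "+": "+all authorises every server to send for the domain",
    "?": "?all is neutral: unlisted servers are not failed",
    "~": "~all is soft fail: move to -all once every sender is listed",
}

def lint_spf(record):
    """Lint one SPF TXT string offline; lookups are counted for this record only."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"lookups": 0, "all": None, "findings": ["not an SPF record"]}
    lookups, qualifier = 0, None
    for term in terms[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    findings = [ALL_NOTES[qualifier]] if qualifier in ALL_NOTES else []
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10")
    return {"lookups": lookups, "all": qualifier, "findings": findings}

def lint_dmarc(record):
    """Lint one DMARC TXT string for the policy, pct and rua tags."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {key.strip().lower(): value.strip() for key, value in pairs}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors; failing mail is not quarantined")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        findings.append(f"pct={pct} is not a number from 0 to 100")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not sent")
    return findings

CONSTRUCTED_SPF = "v=spf1 mx ip4:203.0.113.42 include:sending_service.com ~all"
CONSTRUCTED_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
```

An empty findings list means the record matches the end state the article recommends; the soft-fail note on the sample SPF record is expected while you are still confirming your sending sources.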
What Spam Filters Actually Check in Email Content
Authentication opens the door. Content determines whether your email stays there. Spam filters analyse message content against patterns associated with unsolicited or malicious email, and certain elements consistently trigger filters regardless of how legitimate the rest of the message is.
Link Density and URL Patterns
Emails that consist mostly of links, especially bare URLs without descriptive text, read as promotional or suspicious to filters. This is especially true when the same domain appears multiple times in the message or when the links point to URL-shortened addresses.
If your transactional emails include links, ensure the surrounding text provides context. Links should feel like part of a coherent message rather than a list of destinations.
Language That Signals Urgency or Promotion
Certain phrases are strongly associated with spam and phishing campaigns. Even when used in legitimate transactional contexts, they can trigger filters:
- "Act now", "limited time offer", "expires today"
- "Urgent action required", "immediate response needed"
- "Congratulations you've won", "exclusive deal"
If your transactional emails need to convey time sensitivity, use factual language rather than urgency phrasing. "Your order ships within 24 hours" is different from "Ship your order NOW before it's too late".
Formatting That Reads as Promotional
Excessive use of capital letters, multiple exclamation marks, and bright colours in HTML email all signal promotional intent. Spam filters flag these patterns because legitimate transactional communication rarely uses them.
Test your email formatting by sending a copy to yourself and checking how it renders. If it looks like a flyer, it may read like one to filters as well.
Attachment Types That Raise Risk Flags
Executable files and macro-enabled documents are high-risk attachment types. Filters routinely flag .exe, .zip, .js, and .docm files because these are common vectors for malware distribution.
If your transactional emails include attachments, ensure the file types are appropriate for the communication and that recipients genuinely expect them. Plain documents in PDF or standard Office formats are considerably safer than compressed or executable files.
The Importance of Plain Text Alternatives
HTML-only emails without a plain text version score poorly with many spam filters. The absence of a plain text alternative suggests the email was generated programmatically rather than composed for readability, which is a common spam characteristic.
Most mailing libraries and transactional email services generate a plain text version automatically from your HTML content. If you are hand-coding emails, adding a plain text version is worth the effort.
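A pre-send check for several of the content signals covered in this section (missing plain text alternative, urgency phrases, repeated exclamation marks, risky attachment types), as an added example that is not part of the original article. It uses Python's standard email package; the function names and both sample messages are constructed, and the phrase and extension lists are copied from the article rather than from any real filter's rule set.

```python
import re
from email.message import EmailMessage

# File types and phrases taken from the article's own lists.
RISKY_EXTENSIONS = (".exe", ".zip", ".js", ".docm")
URGENCY_PHRASES = ("act now", "limited time offer", "expires today",
                   "urgent action required", "immediate response needed",
                   "congratulations you've won", "exclusive deal")

def lint_message(msg):
    """Return pre-send warnings for an EmailMessage (empty list = clean)."""
    warnings = []
    text = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    if html is not None and text is None:
        warnings.append("HTML-only: no text/plain alternative")
    body = text if text is not None else html
    scanned = str(msg.get("Subject", "")) + "\n"
    scanned += body.get_content() if body is not None else ""
    for phrase in URGENCY_PHRASES:
        if phrase in scanned.lower():
            warnings.append(f"urgency phrase: {phrase}")
    if re.search(r"!{2,}", scanned):
        warnings.append("multiple exclamation marks")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            warnings.append(f"risky attachment type: {name}")
    return warnings

def build_samples():
    """Constructed messages: one that trips every check, one that passes."""
    bad = EmailMessage()
    bad["Subject"] = "Urgent action required"
    bad.set_content("<p>Act now!! Your invoice is attached.</p>", subtype="html")
    bad.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="Invoice.docm")
    good = EmailMessage()
    good["Subject"] = "Your order ships within 24 hours"
    good.set_content("Your order ships within 24 hours.")
    good.add_alternative("<p>Your order ships within 24 hours.</p>", subtype="html")
    return bad, good
```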
Sending Infrastructure: From Address and Reply-To Configuration
The From address in your email header must align with your sending infrastructure. If your server sends from IP address 203.0.113.42 but the From address claims to be from @anotherdomain.com, the mismatch triggers authentication failures that lead to spam classification.
Use a From address at your own domain that matches where your sending infrastructure is configured. A typical transactional From address looks like this:
From: Your Business Name <[email protected]>
Free email addresses from Gmail, Hotmail, and similar services are unsuitable for transactional email. They are associated with individual accounts rather than verified businesses, and receiving servers apply stricter filtering to them. More importantly, you cannot control SPF, DKIM, and DMARC for @gmail.com, which means your authentication options are limited.
Reply-To Domain Considerations
If your Reply-To address uses a different domain than your From address, you need to publish SPF records for the Reply-To domain as well. Without this, many filters treat the mismatch as a spoofing indicator.
The simplest approach is to keep Reply-To at the same domain as From. This avoids additional DNS configuration and removes a potential filter trigger.
List Quality and Maintenance for Bulk Senders
If your setup includes sending to a subscriber or customer list, the quality of that list matters significantly for deliverability. Purchased lists, rented lists, and scraped lists contain addresses that bounce, belong to spam traps, or are monitored by anti-spam organisations.
Spam traps are email addresses published specifically to catch senders who do not follow permission-based practices. Even one trap address in a large list can damage your sending reputation across the board, because receiving servers learn to associate your domain with low-quality sending behaviour.
Building a Clean List From Scratch
Permission-based list building means every address on your list opted in through a form on your website or a direct sign-up process. Double opt-in, where subscribers confirm their address by clicking a verification link, produces the cleanest lists because it verifies the address is real and belongs to the person who entered it.
Maintaining List Hygiene Over Time
List quality degrades over time. Addresses become abandoned, mailboxes get closed, and some addresses are converted to spam traps specifically to monitor sender behaviour. Regular maintenance keeps your list healthy:
- Remove hard bounces immediately: A hard bounce means the address does not exist or cannot accept mail. Continuing to send to it damages your reputation.
- Address repeated soft bounces: Soft bounces happen when a mailbox is temporarily full or the server is unavailable. After three consecutive soft bounces, remove the address.
- Re-engage inactive subscribers: If an address has not opened or clicked in six to twelve months, send a re-engagement campaign before removing it. Addresses that do not respond to re-engagement attempts should be removed.
A simple maintenance script removes hard bounce addresses from your list:
# Remove addresses that have hard bounced.
# get_hard_bounces() and remove_from_list() stand for your own list-management functions.
bounce_addresses = get_hard_bounces()
for address in bounce_addresses:
    remove_from_list(address)
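The three maintenance rules above applied to a delivery log, as an added example rather than code from the article. The event kinds, the 180-day inactivity threshold (the low end of the article's six to twelve months) and the 14-day wait after a re-engagement email are assumptions, the addresses are constructed, and an address with no open or click is measured from its first logged event.

```python
from datetime import date, timedelta

SOFT_BOUNCE_LIMIT = 3                  # from the article: three consecutive soft bounces
INACTIVE_AFTER = timedelta(days=180)   # assumption: low end of "six to twelve months"
REENGAGE_GRACE = timedelta(days=14)    # assumption: time allowed to respond

def plan_hygiene(events, today):
    """Replay (address, kind, date) events, oldest first per address, into actions."""
    state = {}
    for address, kind, when in events:
        s = state.setdefault(address, {"remove": False, "soft_run": 0,
                                       "last_active": when, "asked": None})
        if kind == "hard_bounce":
            s["remove"] = True                      # remove immediately
        elif kind == "soft_bounce":
            s["soft_run"] += 1
            s["remove"] |= s["soft_run"] >= SOFT_BOUNCE_LIMIT
        elif kind == "delivered":
            s["soft_run"] = 0                       # run is no longer consecutive
        elif kind in ("open", "click"):
            s["soft_run"], s["last_active"], s["asked"] = 0, when, None
        elif kind == "reengage_sent":
            s["asked"] = when
    plan = {}
    for address, s in state.items():
        if s["remove"]:
            plan[address] = "remove"
        elif today - s["last_active"] < INACTIVE_AFTER:
            plan[address] = "keep"
        elif s["asked"] is None:
            plan[address] = "reengage"
        elif today - s["asked"] >= REENGAGE_GRACE:
            plan[address] = "remove"                # no response to re-engagement
        else:
            plan[address] = "keep"                  # still inside the grace period
    return plan

SAMPLE_EVENTS = [                                   # constructed log
    ("gone@example.com", "hard_bounce", date(2024, 5, 1)),
    ("full@example.com", "soft_bounce", date(2024, 5, 1)),
    ("full@example.com", "soft_bounce", date(2024, 5, 8)),
    ("full@example.com", "soft_bounce", date(2024, 5, 15)),
    ("flaky@example.com", "soft_bounce", date(2024, 5, 1)),
    ("flaky@example.com", "soft_bounce", date(2024, 5, 8)),
    ("flaky@example.com", "delivered", date(2024, 5, 15)),
    ("quiet@example.com", "open", date(2023, 9, 1)),
    ("silent@example.com", "click", date(2023, 6, 1)),
    ("silent@example.com", "reengage_sent", date(2024, 4, 1)),
]
```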
Testing Your Emails Before Sending to the Full List
The most effective way to check deliverability is to test against the actual tools spam filters use. Services like Mailtrap and Mailchimp's inbox preview show how your email renders across different clients and flag content that may trigger filters.
The free mail-tester.com tool provides a thorough analysis. Send an email to the address they provide, and within seconds you receive scores for SPF, DKIM, DMARC, content, and formatting. A score of 8 out of 10 or higher indicates your email is likely to pass most filters. Scores below that usually have specific, actionable feedback.
You can send a test email from your existing server using a command-line tool like swaks:
swaks --to [email protected] \
  --from [email protected] \
  --server mail-tester.com
This sends a basic test email to mail-tester's analysis system and returns detailed results within a minute or two.
When a Transactional Email Service Makes Sense
Direct server sending works well for low to moderate volumes, but as email volume increases, managing reputation and authentication becomes more demanding. Transactional email services maintain dedicated IP addresses with established sending reputations, handle authentication configuration, and provide analytics that show exactly how many emails reached inboxes versus spam folders.
Services like SendGrid, Mailgun, Postmark, Amazon SES, and Mailjet fall into this category. Each has different pricing structures, deliverability track records, and feature sets. Choosing one depends on your volume, budget, and which analytics matter most to your situation.
Switching to a Transactional Service
If you currently send email directly from your own server and want to move to a transactional service, the technical change is usually straightforward. Most PHP applications use PHPMailer or a similar library, and switching requires updating the SMTP host, port, username, and password.
SendGrid uses apikey as the username with your API key as the password. The API key is separate from your account password and provides sending access only:
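use PHPMailer\PHPMailer\PHPMailer;

$mail = new PHPMailer(true);               // true makes PHPMailer throw exceptions on failure
$mail->isSMTP();
$mail->Host = 'smtp.sendgrid.net';
$mail->SMTPAuth = true;
$mail->Username = 'apikey';                // the literal string "apikey", not an account name
$mail->Password = 'SG.your_api_key_here';  // placeholder: load the real key from configuration, not source code
$mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
$mail->Port = 587;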
The rest of your application code remains unchanged. Once the SMTP credentials are updated, emails route through the transactional service's infrastructure with their reputation and deliverability handling.
If you are considering a move to a managed transactional email service, setting up the SMTP configuration correctly from the start is worth the effort. Proper configuration of your email system's SMTP setup affects deliverability from day one, whether you send directly or through a service.
Monitoring Your Sending Reputation Over Time
Email deliverability is not a one-time configuration. Your sending reputation changes based on ongoing sending behaviour, complaint rates, and bounce rates. Monitoring tools help you catch problems before they affect your inbox placement.
Google Postmaster Tools provides data on your domain's reputation as seen by Gmail, including complaint rates, spam rates, and authentication status. Microsoft SNDS does the same for Outlook and Hotmail addresses. These tools are free and worth setting up even if you only send a modest volume of email.
If your sending volume is significant, consider setting up alerts for sudden changes in bounce rates or complaint rates. A spike in bounces often indicates a list hygiene problem, while a rising complaint rate usually points to content or targeting issues.
What to Check First When Emails Are Not Delivering
If you are experiencing deliverability problems right now, the fastest way to identify the cause is to run your domain through MXToolbox or send a test email to mail-tester.com. Authentication failures are usually the first issue to surface and the quickest to fix.
Work through these checks in order: authentication records first, then content review, then sending reputation monitoring. Each layer affects the others, and addressing authentication eliminates one of the most common root causes of poor inbox placement.
If you need help reviewing your current email configuration, prepare a note with your domain name, your current email sending method (direct server or third-party service), examples of emails that are not delivering, and any error messages you have seen. That context makes it easier to identify the specific issues affecting your setup.