Most email deliverability problems trace back to three things: missing authentication, a degraded sender reputation, and list hygiene that’s been ignored too long. Fix those, and your inbox placement improves. Leave them unaddressed, and no amount of subject line testing will save you. This guide covers the full picture: authentication, list quality, reputation management, infrastructure choices, content considerations, and the monitoring stack you need to catch problems before they compound. It’s written for SaaS teams sending both transactional and lifecycle email, where a missed notification or an onboarding sequence landing in spam has real revenue consequences.
Delivery vs. Deliverability: Why the Distinction Matters
Delivery means the receiving server accepted the message. Deliverability means it reached the inbox rather than the spam folder or being silently discarded. You can have 100% delivery and 60% inbox placement at the same time.
Inbox placement is governed primarily by sender reputation (domain and IP), authentication, and recipient engagement. Content plays a supporting role, but modern spam filters weight behavioral signals far more heavily than the presence of certain words. As Litmus summarizes, spam filters now look at how a subscriber engages with email, whether positive or negative, rather than scanning for trigger phrases. The question mailbox providers are really asking is whether your recipients want your mail.
Authentication: SPF, DKIM, and DMARC
Authentication is the non-negotiable foundation. Without it, Gmail, Yahoo, and every major mailbox provider will either reject your mail or route it to spam. The three standards work together:
SPF (Sender Policy Framework) declares which mail servers are authorized to send on behalf of your domain. It’s a DNS TXT record that receiving servers check against the envelope-from address.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing messages. The receiving server verifies the signature against a public key in your DNS, confirming the message wasn’t altered in transit.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving servers what to do with messages that fail both checks: nothing (p=none), quarantine, or reject. It also sends aggregate and forensic reports back to you, which is the only reliable way to know whether someone is spoofing your domain.
For a full walkthrough of configuring these records, see What Is Email Authentication? SPF, DKIM, DMARC and the dedicated How to Set Up DMARC guide.
The 2024 Gmail and Yahoo Bulk-Sender Requirements
Starting in February 2024, Gmail and Yahoo imposed mandatory requirements on senders reaching the bulk threshold. Gmail defines bulk senders as those sending more than 5,000 messages per day to Gmail accounts. Yahoo applies similar requirements without publishing a hard volume threshold.
The three core requirements for bulk senders:
| Requirement | Gmail | Yahoo |
|---|---|---|
| Email authentication | SPF and DKIM required; DMARC required (p=none acceptable) | “Implement both SPF & DKIM” and “Publish a valid DMARC policy” |
| One-click unsubscribe | Required for marketing and promotional messages | “Implement a functioning list-unsubscribe header, which supports one-click unsubscribe” |
| Spam rate | Keep below 0.10%; never reach 0.30% | Keep below 0.30% |
The exact language from Google’s sender guidelines: “Set up SPF and DKIM email authentication for your domain” and “Set up DMARC email authentication for your sending domain.” For one-click unsubscribe, the requirement is that “Marketing messages and subscribed messages must support one-click unsubscribe, and include a clearly visible unsubscribe link in the message body.”
Yahoo requires honoring unsubscribes within 2 days and DMARC alignment, meaning “the domain in the From: header is aligned with either the SPF domain or the DKIM domain.”
Even if you’re below the 5,000-message threshold today, building to these standards now avoids a scramble later and signals good-faith sending behavior to mailbox providers.
List Hygiene
A clean list is as important as authentication. Sending to addresses that bounce, have never engaged, or are known spam traps signals to mailbox providers that your list was acquired carelessly or aged out.
Hard bounces. A hard bounce means permanent failure: the address doesn’t exist or the domain is dead. Remove hard bounces immediately. Letting them accumulate is one of the fastest ways to damage domain reputation. Industry benchmarks treat anything above 2% as a warning sign; above 5%, expect throttling or blacklisting. For a precise breakdown of bounce types and what each means for your sending program, see Soft Bounce vs Hard Bounce.
Soft bounces. Temporary failures like a full mailbox. Most ESPs retry automatically, but addresses that soft-bounce repeatedly over 30 days should be suppressed.
Spam traps. Recycled traps are old addresses that were once valid, then abandoned, then converted into traps by ISPs to catch senders with poor hygiene. Pristine traps are addresses that were never used by a real person, so if they’re on your list, you acquired them improperly. Both will hurt your reputation, but pristine traps are a more serious signal.
Inactive subscribers. Define inactivity for your program (no open or click in 6 months is a reasonable baseline for lifecycle mail), then either run a re-engagement sequence or remove non-responders before they drag down your engagement rates. Low engagement is a signal that filters weight heavily.
Opt-in quality. Double opt-in reduces trap risk and ensures you’re only adding addresses whose owners actively want your email. For transactional sequences triggered by user actions, this is handled automatically by the product flow. For marketing lists, it’s worth the minor friction.
Sender Reputation: Domain and IP
Your sender reputation is the score mailbox providers assign to your sending domain and IP address based on sending history, spam complaint rates, bounce rates, and engagement signals.
Domain reputation is now weighted more heavily than IP reputation at most mailbox providers. It persists across IP changes, which is why protecting your sending domain matters more than worrying about which shared pool you’re in.
IP reputation still matters, especially at scale. You can monitor both through Google Postmaster Tools, which provides dashboards for domain reputation, IP reputation, spam rate, authentication, and encryption on traffic to Gmail accounts.
Consistent sending volume. Sudden volume spikes, even from a legitimate campaign, look like spam behavior. If you’re increasing send volume substantially, do it gradually over several weeks.
Complaint rates. Keep spam complaint rates below 0.10% as a sustained target. Google’s guidelines are explicit: “Keep spam rates reported in Postmaster Tools below 0.10% and avoid ever reaching a spam rate of 0.30% or higher.” Exceeding 0.30% triggers filtering that takes time to recover from, and the recovery requires seven consecutive days below threshold.
Infrastructure: Shared IP vs. Dedicated IP
Choosing between shared and dedicated IP infrastructure is one of the first decisions SaaS teams face when setting up a sending program.
| Factor | Shared IP | Dedicated IP |
|---|---|---|
| Warmup required | No (pre-warmed by ESP) | Yes (4-8 weeks typically) |
| Reputation ownership | Shared across pool | Entirely yours |
| Risk from others | Yes (neighbor behavior affects you) | No |
| Best for | Low-to-medium volume, new senders | High volume, consistent programs |
| Volume threshold | Under 100K/month | Over 100K/month |
A shared IP pool is the right default for most SaaS teams early on. The IP arrives pre-warmed, you’re not responsible for managing its history, and the ESP’s reputation management covers the baseline. The tradeoff is that another sender on the same pool can affect your placement if they run a problematic campaign.
A dedicated IP gives you full ownership of your reputation, which is an advantage once you’re sending consistently at high volume. Below roughly 100,000 emails per month, a dedicated IP can actually hurt deliverability because there isn’t enough volume to establish a strong reputation signal with mailbox providers.
Separate subdomains for transactional vs. marketing. Regardless of your IP setup, keep transactional mail (receipts, password resets, notifications) on a different subdomain from marketing and lifecycle campaigns. Transactional email typically has higher engagement and lower complaint rates. Isolating it means a high-complaint promotional campaign can’t contaminate your transactional stream. Each subdomain needs its own SPF, DKIM, and DMARC records. For the underlying mechanics of how SMTP routes these messages, see What Is SMTP?.
Content and Technical Factors
Authentication and reputation are the primary levers, but content and technical hygiene contribute to whether individual messages pass filter checks.
Sending infrastructure signals. Is your sending IP on a blocklist? Are your links pointing to blocklisted domains? These are the content-side flags that filters check first, ahead of message text.
HTML quality. Well-formed HTML, a reasonable text-to-image ratio, and a plain-text alternative all reduce filter friction. Broken HTML or messages that are entirely images with no text look like phishing attempts.
Link hygiene. Use your own tracking domain rather than a generic shortener domain. Link shorteners from free services share infrastructure with spammers and carry negative reputation signals.
Subject lines and preheader text. Misleading subject lines that don’t reflect the message content generate spam complaints. Spam complaints, not specific words, are what damages your sender reputation.
Sending domain alignment. The From address domain should match the domain you’ve authenticated. Mismatched From domains fail DMARC alignment checks.
If you’re debugging why a specific message ended up in spam, Why Do My Emails Go to Spam? covers the diagnostic process step by step.
Engagement Signals
Mailbox providers infer inbox worthiness from how recipients interact with your mail. High open rates, replies, and clicks signal positive engagement. Deletions without opening, spam reports, and low interaction signal the opposite.
The practical implication: a highly engaged list of 10,000 subscribers will out-deliver a disengaged list of 100,000. Engagement quality matters more than list size.
To improve engagement signals:
- Send to segments that have shown recent activity rather than your entire list on every campaign
- Use send-time optimization where your ESP supports it
- Write subject lines and preview text that accurately reflect the content (misleading teaser lines generate complaints)
- Make unsubscribing easy; a recipient who unsubscribes is better for your reputation than one who marks you as spam
Monitoring: Knowing Before It Becomes a Problem
Deliverability problems that compound undetected for weeks are far harder to recover from than problems caught early. The monitoring stack for a SaaS email program should cover at minimum:
Google Postmaster Tools. Free, and the most authoritative source for your reputation signals at Gmail. Track domain reputation, IP reputation, spam rate, authentication pass rate, and delivery errors. If you’re sending from multiple subdomains, set up a Postmaster Tools property for each one.
Complaint feedback loops. Yahoo operates a feedback loop program that sends complaint notifications back to senders. Microsoft (Outlook/Hotmail) has the Smart Network Data Services (SNDS) program. These give you direct visibility into spam complaints at those providers.
Bounce tracking. Your ESP should report bounce rates per campaign. Set thresholds and alerts so you catch spikes before they become sustained patterns.
Inbox placement testing (seed testing). Seed testing sends your campaigns to a set of test addresses across Gmail, Yahoo, Outlook, and other providers, then reports where each message landed: inbox, spam, or missing. Services like GlockApps, MailMonitor, and similar tools provide this. Run seed tests before major campaign launches and after any significant changes to your sending setup.
Blocklist monitoring. Periodic checks against major blocklists (Spamhaus, Barracuda, SURBL) catch listing events before they affect a full send. Most inbox testing tools include blocklist checks alongside placement results.
A Practical Checklist for SaaS Teams
Use this as a setup audit and ongoing reference:
Authentication (one-time setup, then maintain)
- SPF record published for all sending domains and subdomains
- DKIM signing active (minimum 1024-bit key; 2048-bit recommended)
- DMARC record published; escalate from p=none to p=quarantine once reporting looks clean
- Separate authentication records for each sending subdomain
List hygiene (ongoing)
- Hard bounces removed immediately after each send
- Soft bounce addresses suppressed after repeated failures
- Inactive subscribers re-engaged or removed on a defined schedule
- Unsubscribes processed within 2 days (Yahoo requirement, Google best practice)
Infrastructure
- Transactional and marketing mail on separate subdomains
- Dedicated IP only if you’re above ~100K emails/month consistently
- IP warmup plan in place for new IPs
Monitoring
- Google Postmaster Tools configured for each sending domain
- Yahoo feedback loop registered
- Spam rate alert threshold set at 0.08% (buffer before the 0.10% target)
- Baseline inbox placement test run before each major campaign
Frequently Asked Questions
What is the difference between email delivery and email deliverability?
Delivery means the receiving mail server accepted your message. Deliverability means the message reached the recipient’s inbox rather than the spam folder. A message can be delivered successfully and still never be seen if it’s routed to spam. Deliverability is what actually drives opens and engagement.
What are the Gmail bulk sender requirements for 2024 and beyond?
Senders sending more than 5,000 messages per day to Gmail accounts must set up both SPF and DKIM authentication, publish a DMARC record (p=none is acceptable), support one-click unsubscribe for marketing messages, and keep spam rates below 0.10% with a hard ceiling of 0.30%. These requirements have been enforced since February 2024.
How do I check if my emails are landing in spam?
Google Postmaster Tools shows your domain reputation and spam rate for traffic to Gmail. For broader inbox placement visibility, use a seed testing tool (GlockApps, MailMonitor, or similar) that sends to test accounts across multiple providers and reports where each message landed. Run a seed test before major campaigns and after any changes to your sending setup.
Should I use a dedicated IP or a shared IP for email sending?
For most SaaS teams under 100,000 emails per month, a shared IP is the better choice: it arrives pre-warmed and the ESP manages baseline reputation. A dedicated IP makes sense above that threshold when you have consistent, predictable sending volume. Inconsistent or low-volume sending on a dedicated IP can actually hurt deliverability because there’s not enough traffic to establish a clear reputation signal.
What is a spam trap and how do I avoid hitting one?
Spam traps are email addresses used by ISPs and blocklist operators to identify senders with poor list hygiene. Recycled traps are old, abandoned addresses that have been converted to traps; hitting them means you’re sending to an aged-out list. Pristine traps were never valid user addresses; hitting them means you scraped or purchased the address. Avoid both by collecting email through explicit opt-in and regularly removing unengaged addresses.
Why should I keep marketing and transactional email on separate subdomains?
Transactional messages like receipts, password resets, and notifications typically have high engagement and low complaint rates. Marketing campaigns are more variable. Separating them onto distinct subdomains, such as mail.yourdomain.com for transactional and campaigns.yourdomain.com for marketing, means a poorly performing campaign can’t drag down the reputation of your transactional stream. Each subdomain needs its own SPF, DKIM, and DMARC records.
How long does it take to recover from a deliverability problem?
Recovery time depends on what caused the problem. A complaint rate spike that’s corrected quickly may recover within days once Google Postmaster shows seven consecutive days below 0.30%. A domain that’s been added to a major blocklist may take two to four weeks to clear, depending on the blocklist’s review process. Prevention, primarily list hygiene and keeping complaint rates consistently low, is considerably faster than recovery.
I’ve spent my career building software at scale with a soft spot for email: deliverability, lifecycle campaigns, and getting messages to actually land. I started Coldletter to fix what bugged me about transactional and marketing email tools. I’m based in Vancouver.