Roughly one in six emails never reach the inbox. Validity's 2025 benchmark report puts the global inbox placement average at about 84%, and Gmail's own numbers dropped from 89.8% to 87.2% over the course of 2024 as stricter sender rules took hold. If you've been watching your open rates slide and blaming the subject lines, the problem might be happening before your subscriber ever sees the message.
We've spent years helping businesses sort out their email infrastructure, and the pattern is always the same. The marketing team is focused on copy, segmentation, and send timing. Nobody is watching the technical foundation underneath. Authentication records are misconfigured or missing. The sending IP has a reputation nobody's checked. The list hasn't been cleaned in 18 months. And every week, a percentage of perfectly good emails quietly disappear into spam folders or get rejected outright.
This checklist covers the five areas that actually determine whether your email reaches the inbox. Not the creative. Not the offer. The plumbing.
Authentication: The Non-Negotiable Foundation
If you've read our guide to SPF, DKIM, and DMARC, you know these three DNS records are the baseline for email trust. But authentication doesn't end at "I set up the records." It requires ongoing maintenance.
Here's what your checklist should include:
SPF record exists and is current. Every service that sends email as your domain needs to be listed. This means your email provider, your CRM, your marketing platform, your helpdesk software, your transactional email service, and that invoicing tool someone added two years ago. Run your domain through MXToolbox's SPF lookup and count the DNS lookups. The spec caps you at 10 nested lookups. Go over, and SPF fails silently for every message you send.
DKIM is signing for every sending source. Each service that sends on your behalf should have its own DKIM key published in your DNS. Google Workspace, Mailchimp, SendGrid, ActiveCampaign, HubSpot, Postmark — they all provide DKIM records you need to add. One common failure: DKIM keys are long base64 strings, and some DNS providers silently truncate TXT records over 255 characters. The record looks present, but verification fails because the key is incomplete.
DMARC policy is enforced, not just monitoring. A DMARC record set to p=none tells receiving servers to check authentication but do nothing when it fails. That was fine as a temporary step when you were first setting up. If it's been more than a month, you should be at p=quarantine or p=reject. Google and Yahoo both require DMARC at quarantine or higher for anyone sending more than 5,000 messages per day to their users. But even small senders benefit from enforcement. A p=none policy is like installing a security camera that doesn't record.
Reverse DNS (PTR records) are configured. This is the one people forget. Google's sender guidelines explicitly require valid forward and reverse DNS records for sending IPs. If you're sending from a dedicated IP or a VPS, check that the PTR record for your IP resolves to your sending domain. MXToolbox has a reverse lookup tool for this.
You check authentication results regularly. In Gmail, open any message you've sent, click the three dots, and select "Show original." The Authentication-Results header tells you exactly what passed and failed. Do this once a month with messages from each sending service. If you see spf=softfail or dkim=fail, something has changed since you last configured things.
List Hygiene: Where Most Deliverability Problems Actually Live
Authentication gets you in the door. List hygiene keeps you there.
The M3AAWG Sender Best Common Practices document (version 3.0) is blunt on this point: the volume of permanent delivery failures is one of the primary signals receivers use to build a reputation profile about a sender. Every hard bounce you generate tells Gmail, Yahoo, and Outlook that you don't maintain your list. Send enough of them and your domain's reputation tanks, which affects delivery for every message you send going forward.
If your bounce rate is above 2% on any given send, you have a list problem. Fix it before you send another campaign.
Remove hard bounces immediately. A 5xx SMTP response code means the address doesn't exist. There's no reason to retry. Most email platforms do this automatically, but some require manual intervention or have delayed cleanup cycles. Verify that your platform suppresses hard bounces from all future sends on the first failure, not after two or three attempts.
Suppress soft bounces after repeated failures. A 4xx response means the mailbox was temporarily unavailable. That's fine once. If the same address returns soft bounces across three or four consecutive sends, move it to a suppression list. The mailbox is probably full, abandoned, or misconfigured.
Prune inactive subscribers. Someone who hasn't opened or clicked in six months is dead weight. Worse, they're actively hurting you. Mailbox providers track engagement signals. If a large portion of your list never interacts with your messages, that low engagement rate drags down your sender reputation. Run a re-engagement campaign for subscribers who've been inactive for 90 days. If they don't respond within two sends, remove them.
Use confirmed opt-in for new subscribers. M3AAWG's best practices recommend double opt-in — sending a confirmation email that requires a click before adding the address to your list. Single opt-in is acceptable, but confirmed opt-in virtually eliminates fake signups, typos, and spam trap hits. If you're getting list quality complaints, switch to confirmed opt-in. The reduction in list size is more than offset by the improvement in engagement and deliverability.
Watch for spam traps. Spam traps are email addresses operated by mailbox providers and blocklist operators specifically to catch senders with poor list practices. Pristine traps are addresses that have never belonged to a real person. Recycled traps are old addresses that were abandoned and later repurposed. Hitting either type is a serious reputation hit. You won't know you've hit one unless you're monitoring delivery data through Google Postmaster Tools or a tool like Validity's Sender Score. The fix is proactive list cleaning, not reactive damage control.
Sending Reputation: The Score You Can't See
Your domain and your sending IP both carry a reputation score with every major mailbox provider. This score is invisible to you unless you go looking for it, and most senders never do.
Check your domain reputation in Google Postmaster Tools. If any meaningful portion of your audience uses Gmail (and they do), Postmaster Tools is where Google shows you exactly how it views your sending domain. As of October 2025, Google retired the legacy dashboard and launched Postmaster Tools v2, which evaluates senders on a pass/fail compliance model rather than the old reputation tiers. You're either compliant or you're not.
Check your Sender Score. Validity's Sender Score rates your sending IP on a scale of 0 to 100 based on data from their network. Scores below 70 mean a significant portion of your email is likely going to spam. Scores above 80 are healthy. If your score is low, the fix usually involves a combination of better list hygiene, lower complaint rates, and consistent sending patterns.
Keep your spam complaint rate below 0.1%. Google's sender guidelines are explicit: stay below 0.1%, and never let it reach 0.3%. A complaint happens when someone clicks "Report spam" on your message. At 0.3%, Gmail starts throttling or rejecting your mail. This is a hard line. If you're close to it, reduce sending frequency, improve your unsubscribe process, and make sure your content actually matches what people signed up for.
Maintain consistent sending volume. M3AAWG's documentation notes that volume consistency is a core factor in IP reputation, particularly with large mailbox providers. If you normally send 5,000 emails a week and suddenly blast 50,000, spam filters notice the spike and react defensively. When ramping up volume (after a list migration, a platform change, or a seasonal campaign), increase gradually over two to three weeks. The industry term is "IP warming" and it applies to domain reputation too.
Don't send from a shared IP if you can avoid it. On shared sending infrastructure (common with lower-tier email platform plans), your deliverability is partially determined by the behaviour of other senders on the same IP. If someone else on your shared IP is sending spam, your mail gets caught in the fallout. If email is a meaningful revenue channel for your business, a dedicated sending IP is worth the cost. But only if you send enough volume to maintain a reputation on it. Low-volume senders on a dedicated IP can actually see worse deliverability than they would on a well-managed shared IP.
Content and Infrastructure Details That Trip People Up
Authentication, list hygiene, and reputation are the big three. But there's a layer of smaller technical details that can quietly erode your delivery rates even when the big pieces are in place.
The Quick-Reference Deliverability Checklist
- SPF record is current, lists all sending services, and stays under 10 DNS lookups
- DKIM is configured and passing for every platform that sends as your domain
- DMARC is set to
p=quarantineorp=reject(notp=none) - Reverse DNS (PTR) records are set for sending IPs
- Hard bounces are suppressed on first occurrence
- Inactive subscribers (90+ days, no engagement) are pruned or re-engaged
- Spam complaint rate stays below 0.1%
- Sending volume is consistent week to week, with gradual ramps for increases
- One-click unsubscribe header is present in all marketing emails
- Plain text version is included alongside HTML
- Image-to-text ratio stays reasonable (not image-only emails)
- No URL shorteners in email body (use your own domain for tracking links)
- Sending domain and envelope sender align (DMARC alignment)
- You're monitoring Google Postmaster Tools at least monthly
- You run mail-tester.com checks after any template or infrastructure changes
Include a plain text alternative. Every HTML email should also contain a plain text version. Spam filters penalise messages that are HTML-only, and some corporate email clients display plain text by default. Most email platforms generate a plain text version automatically, but check that it's actually populated and not a blank fallback.
One-click unsubscribe is mandatory. Google's 2024 sender requirements added RFC 8058 one-click unsubscribe as a hard requirement for marketing emails. This is a List-Unsubscribe-Post header, not just a link in the footer. Your email platform should handle this, but verify it's active. If someone can't unsubscribe easily, they hit "Report spam" instead, and that's far worse for your reputation.
Be careful with URL shorteners. Links from bit.ly, t.co, and similar services are heavily associated with phishing. Using them in email bodies raises spam scores. Use your own domain for click tracking. Every major email platform supports custom tracking domains. Set it up.
Watch your image-to-text ratio. An email that's a single large image with no text content looks suspicious to spam filters. It's also terrible for accessibility. Include real text content, not just images of text. A good baseline is at least as much text as image content by area.
Don't ignore the "Promotions" tab. Getting sorted into Gmail's Promotions tab is not the same as going to spam. It's not ideal, but your open rates from the Promotions tab are often better than you'd think. The real problem is the spam folder. Focus your energy on staying out of spam rather than trying to game your way into the Primary tab. Content that reads like personal correspondence rather than marketing copy tends to land in Primary, but artificially mimicking personal email style when you're clearly sending marketing will backfire.
Monitoring: The Part Everyone Skips
Setting up authentication, cleaning your list, and writing good content is one-time work. Monitoring is ongoing, and it's where most senders fall down.
Google Postmaster Tools. We've mentioned this already, but it bears repeating. The v2 dashboard shows compliance status, spam rate, authentication pass rates, and delivery errors. If you send to Gmail users and you're not checking this tool, you're flying blind. Sign up at postmaster.google.com, verify your domain, and check it at least monthly.
mail-tester.com after every change. Any time you change your email template, switch sending platforms, update DNS records, or modify your sending infrastructure, send a test message to mail-tester.com and review the score. It checks SPF, DKIM, DMARC, content analysis, blacklist status, and a dozen other factors. A score below 7 out of 10 means something needs fixing.
Blacklist monitoring. Your sending IP or domain can end up on a blacklist without you knowing. MXToolbox has a free blacklist check that scans your domain against 100+ lists. Set a calendar reminder to run this monthly, or use a monitoring service that alerts you if you appear on a list.
Track delivery metrics, not just opens. Open rate tracking is increasingly unreliable. Apple's Mail Privacy Protection, which launched in 2021, pre-fetches tracking pixels regardless of whether the recipient actually reads the email. That inflates open rates and makes them a poor signal for deliverability. Track click-through rates, reply rates, and unsubscribe rates instead. If click-throughs are dropping while reported opens stay stable, you may have a delivery problem that inflated open tracking is masking.
If this feels like a lot to manage alongside the actual marketing work, that's because it is. We set up and audit email infrastructure as part of our web development and email marketing services. The technical side of email is the same work we do for DNS, SSL, and domain management on websites. If your email campaigns aren't converting and you've already tried adjusting the creative, the problem is probably somewhere on this checklist.
The single thing to remember: email deliverability is not a marketing problem. It's an infrastructure problem. Treat it like one.
Sources
- Google Email Sender Guidelines — Google's official requirements for all senders and bulk senders (5,000+ messages/day), including authentication mandates and spam rate thresholds
- Google Postmaster Tools — Google's compliance and delivery monitoring dashboard for Gmail, updated to v2 in October 2025
- Validity 2025 Email Deliverability Benchmark Report — Industry benchmark data on global inbox placement rates, including the 84% average and Gmail's decline to 87.2%
- M3AAWG Sender Best Common Practices, Version 3.0 — Industry-wide recommendations from the Messaging, Malware and Mobile Anti-Abuse Working Group on list management, bounce handling, and volume consistency
- Sender Score by Validity — Free IP reputation scoring tool and deliverability benchmarks
- RFC 5321: Simple Mail Transfer Protocol — IETF specification covering SMTP delivery, bounce code classifications (4xx/5xx), and message handling requirements
- RFC 8058: One-Click Unsubscribe — IETF specification for the List-Unsubscribe-Post header required by Google and Yahoo for marketing emails
- MXToolbox — Free DNS lookup, SPF/DKIM/DMARC validation, blacklist monitoring, and reverse DNS tools
- mail-tester.com — Free email spam scoring tool that checks authentication, content, and blacklist status
- Yahoo Sender Best Practices — Yahoo's sender requirements and authentication guidelines