Email deliverability fundamentals: why emails end up in spam
For startups, email is lifeblood—user onboarding, product updates, and sales outreach depend on it. Yet, even perfectly written emails can end up in spam. The main culprits:
- Lack of authentication (SPF/DKIM/DMARC).
- Poor domain/IP reputation.
- Spammy content signals (excessive links, keywords).
- Shared sending infrastructure abuse (if you’re on a low-quality bulk sender).
Deliverability isn’t just about writing good emails—it’s about proving your identity to mailbox providers (Gmail, Outlook, Yahoo).
SPF records: basics and step-by-step implementation
SPF (Sender Policy Framework) tells mail servers which hosts are allowed to send email on behalf of your domain.
Step-by-step SPF setup
- Identify your sending services (e.g., Gmail, AWS SES, Mailgun).
- Create a TXT record in DNS for your domain:
v=spf1 include:_spf.google.com include:mailgun.org ~all
- Use -all (fail) only after testing. Start with ~all (soft fail).
- Test with tools like MXToolbox.
Common SPF mistakes that hurt deliverability
- Multiple SPF records (invalid). Must be one per domain.
- Exceeding the 10 DNS lookup limit.
- Forgetting to update records when switching providers.
Multiple service providers and record management
If using several ESPs:
- Consolidate into a single SPF record with multiple includes.
- Use subdomains (e.g., news.yourstartup.com) for marketing platforms.
DKIM signing: technical setup and key management
DKIM (DomainKeys Identified Mail) cryptographically signs your emails. Receiving servers verify the signature using your public DNS key.
Setup steps:
- Generate DKIM keys (your ESP often provides them).
- Add the public key as a TXT DNS record, e.g.:
default._domainkey.yourstartup.com
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA...
- Enable DKIM signing in your ESP.
- Validate via Gmail headers (Show Original → DKIM=pass).
Best practices:
- Rotate keys annually.
- Use 2048-bit keys where supported.
- Ensure each sending service has its own DKIM selector.
DMARC policy: protection and monitoring setup
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF + DKIM to tell receivers what to do if checks fail.
Gradual rollout strategies to avoid disruption
Start small:
- Step 1: p=none (monitor only).
- Step 2: p=quarantine (suspect emails → spam).
- Step 3: p=reject (block unauthenticated emails).
Example DNS record:
_dmarc.yourstartup.com
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourstartup.com; fo=1
Report analysis and policy refinement
- DMARC aggregate reports (XML) show who’s sending with your domain.
- Tools: DMARCian, Postmark DMARC Digests, Postmark App.
- Use reports to spot unauthorized senders or misconfigured services.
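An added example (not from the original article) that uses Python's standard library to parse a DMARC aggregate report and list the sending IPs whose mail failed both aligned DKIM and SPF; the report XML and IP addresses below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report with two sources; not a real receiver's output.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourstartup.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourstartup.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourstartup.com</header_from></identifiers>
  </record>
</feedback>"""


def parse_report(xml_text):
    """Return (domain, published policy, per-source rows).

    policy_evaluated/dkim and /spf already reflect alignment with the header From
    domain, so a source passes DMARC when either of them is 'pass'."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    domain, policy = pub.findtext("domain"), pub.findtext("p")
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        dkim, spf = ev.findtext("dkim"), ev.findtext("spf")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": dkim, "spf": spf,
            "dmarc_pass": dkim == "pass" or spf == "pass",
        })
    return domain, policy, rows


def failing_sources(rows):
    """IPs that failed DMARC: candidates for unauthorized senders or misconfigured ESPs."""
    return sorted(r["source_ip"] for r in rows if not r["dmarc_pass"])


if __name__ == "__main__":
    domain, policy, rows = parse_report(SAMPLE_REPORT)
    print(f"{domain} (p={policy}); sources failing DMARC:", failing_sources(rows))
```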
Domain reputation building for new startups
New domains = zero reputation. Best practices:
- Warm up sending gradually (start <100/day, scale slowly).
- Authenticate with SPF/DKIM/DMARC before first campaign.
- Keep bounce rates <2%, spam complaints <0.1%.
- Send from a branded subdomain (e.g., hello@startup.com).
Email service provider comparison: deliverability focus
- Google Workspace: High trust, limited for bulk campaigns.
- SendGrid/Mailgun/AWS SES: Powerful but require reputation management.
- Postmark: Transactional focus, excellent deliverability.
- Brevo (ex-Sendinblue): Balanced marketing + transactional.
Pro tip: Use separate providers/subdomains for transactional vs marketing.
Monitoring and troubleshooting deliverability issues
Checklist:
- Test SPF/DKIM/DMARC alignment.
- Check blacklist status (Spamhaus, Barracuda).
- Use seed inbox testing (Mail Tester, GlockApps).
- Monitor bounce codes (soft vs hard).
- Track open/click rates for anomalies.
Compliance considerations: CAN-SPAM, GDPR
- CAN-SPAM (US): unsubscribe link, real company address, no deception.
- GDPR (EU): explicit opt-in, data minimization, right to erasure.
- Best practice: double opt-in + clear unsubscribe.
Compliance isn’t optional—violations damage reputation and can lead to blacklist bans.
Conclusion
Email deliverability is about trust + technical setup.
- SPF → defines who can send.
- DKIM → proves authenticity.
- DMARC → enforces and reports.
For startups, implementing these early avoids painful spam-folder struggles and builds long-term domain reputation.
FAQs
Do I need all three (SPF, DKIM, DMARC)?
Yes. Together, they form the baseline for deliverability.
Why do my emails still land in spam after setup?
Other factors: IP/domain reputation, content filters, user complaints.
Can I test before rollout?
Yes, use staging domains + DMARC p=none mode for monitoring.