Most people who discover their newsletters are landing in spam assume they did something wrong in the email itself. Wrong words, too many images, a link that looked suspicious. That's almost never the actual cause.
Inbox providers in 2026 use layered filtering systems. Content analysis is one layer and it's not the first one they apply. Before your email's text is evaluated for anything, the receiving server has already checked your sending identity, your domain's authentication records, your IP address's history, and your domain's accumulated reputation signals. By the time content filtering runs, most placement decisions are already made.
How sender reputation actually works
Sender reputation is a score that inbox providers maintain for your sending domain and IP address. It's not a single number in a central database. Each major provider builds and maintains its own reputation model. Gmail's signals differ from Outlook's, which differ from Yahoo's. The behaviors that damage reputation are broadly consistent across providers, but the exact weighting isn't published.
Reputation is built on signals from people who receive your email. When someone marks your email as spam, that's a complaint signal. When someone moves your email from spam to inbox, that's a positive signal. When someone opens and clicks, that's engagement. When email bounces because the address doesn't exist, that raises questions about your list quality.
Google Postmaster Tools (free, available to domain owners) gives you visibility into Gmail's view of your domain reputation. The categories are: bad, low, medium, and high. Moving from low to medium can take weeks of clean sending. Moving from bad to low takes longer. There's no shortcut through this process.
SPF: Sender Policy Framework
SPF is a DNS record that lists which mail servers are allowed to send email on behalf of your domain. That's the entire concept. Everything else is implementation detail.
When a receiving server gets an email claiming to be from yourcompany.com, it looks up the SPF record for yourcompany.com in DNS. That record contains a list of IP addresses and server names that you've authorized. If the IP that just sent the email is on that list, SPF passes. If it isn't, SPF fails.
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.42 -all
This record says: email from this domain is allowed to come from Google's servers, SendGrid's servers, and the specific IP 203.0.113.42. The -all at the end means reject everything else.
The ending mechanism matters. -all means hard fail (reject). ~all means soft fail (accept but mark). ?all means neutral (no policy). +all means allow everything, which defeats the purpose entirely. Most deliverability guidance recommends -all once you're confident your record is complete.
SPF has a critical limitation: it only checks the SMTP envelope sender, not the visible "From" address in your email client. This is why SPF alone isn't sufficient and why DMARC exists.
DKIM: DomainKeys Identified Mail
DKIM works differently from SPF. Where SPF checks which server sent the email, DKIM cryptographically signs the email content and headers. The signature travels with the email and can be verified by anyone who has the corresponding public key.
Here's the mechanism. When your sending server signs an email with DKIM, it creates a hash of specific parts of the email (selected headers and optionally the body) and encrypts that hash with a private key. This encrypted hash becomes the DKIM signature, added to the email's headers.
The receiving server fetches your public key from DNS (stored as a TXT record under a specific subdomain). It decrypts the signature using that public key, then independently hashes the same parts of the email. If the two hashes match, the signature is valid. This means the email wasn't altered in transit and it came from someone who has your private key.
DKIM requires two things: your sending service configured to sign outgoing email with your domain's private key, and a DNS TXT record published at selector._domainkey.yourdomain.com containing your public key. Most email platforms handle the signing automatically once the DNS record is in place.
DMARC: Domain-based Message Authentication, Reporting and Conformance
DMARC is the policy layer that ties SPF and DKIM together. It does two things: it specifies what receiving servers should do with email that fails authentication, and it requests reports from those servers about what they're seeing.
For DMARC to pass, at least one of SPF or DKIM must pass, and the passing domain must align with the visible "From" address. Alignment is the key concept. An email can pass SPF based on the envelope sender while showing a completely different domain in the From header. DMARC catches this discrepancy.
v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100
This record sets policy to quarantine (send to spam, don't reject), requests aggregate reports to the rua address, failure reports to the ruf address, and applies the policy to 100% of messages.
The three policy values are none (monitor only), quarantine (send to spam), and reject (don't deliver). Starting with p=none while you review the aggregate reports is standard practice. The reports show you what's failing before you apply a policy that might block legitimate email.
DMARC aggregate reports (RUA) are XML files sent daily. They list every IP that sent email using your domain, the authentication results for each, and the counts. Parsing them manually is tedious. Several free tools will visualize them for you.
How Gmail decides where your email lands
Gmail's tabbed inbox sorts email into Primary, Social, Promotions, Updates, and Forums. For newsletter senders, the relevant distinction is Primary versus Promotions. Gmail doesn't publish the exact signals it uses, but its behavior has been studied extensively and certain patterns are clear.
Structural signals matter more than you might expect. Emails with many images and few words are more likely to go to Promotions. Emails with multiple links to different domains are more likely to go to Promotions. Emails using HTML table-based layouts common to email marketing tools score differently than plain-text or simple HTML emails.
Unsubscribe headers are a significant signal. Marketing email sent through platforms typically includes a List-Unsubscribe header. Gmail reads this header. Its presence is associated with Promotions placement. This doesn't mean you should remove it (the unsubscribe mechanism matters for compliance and reputation), but it's one reason why transactional email looks different to Gmail than newsletter email.
Engagement history shapes individual placement. If a recipient has moved your emails from Promotions to Primary or has consistently opened and replied, Gmail will learn from that and start placing your email differently for that individual. The categorization is personalized at the account level, not just the sender level.
Gmail's guidelines published for bulk senders now require authenticated email with DMARC policy, a functional one-click unsubscribe mechanism, and maintained complaint rates below certain thresholds. These requirements apply to senders sending large volumes to Gmail addresses.
Why buying an email list damages your reputation permanently
Purchased email lists cause lasting deliverability damage through several concurrent mechanisms. Understanding each one helps clarify why the damage is so difficult to reverse.
Spam trap hits are the most direct mechanism. Spam traps are email addresses maintained by inbox providers and anti-spam organizations specifically to identify senders who are harvesting or buying addresses. Some traps are addresses that were never valid. Some are addresses that were valid once but have been inactive so long that only someone working from an old list would have them. Purchased lists frequently contain both types.
Complaint rates spike immediately. People on purchased lists didn't consent to hear from you. They've never heard of your brand. The first email they receive from an unknown sender with no context gets marked as spam at much higher rates than email sent to people who signed up voluntarily. Even a short campaign to a purchased list can establish a complaint rate that takes months of clean sending to offset.
Bounce rates reveal list quality. Purchased lists contain addresses that no longer exist. Hard bounces to non-existent addresses signal to inbox providers that you're not maintaining list hygiene. High hard bounce rates correlate strongly with low-quality sending practices and are weighted heavily in reputation scoring.
The reputation damage from a purchased list persists because it's recorded in the reputation systems of every inbox provider your emails reached. Stopping the bad sending doesn't erase the history. It only stops adding to it. Recovery is possible but it's a slow process of rebuilding positive signals while the negative ones age out of the window that reputation systems typically use.
How to clean a list you haven't emailed in six months
A list that's been dormant for six months has changed in several ways you can't see from your subscriber database. Some addresses have been abandoned. Some have become spam traps. Some belong to people who have completely forgotten who you are. Sending to all of them at once is one of the more reliable ways to damage deliverability.
The approach that protects your sender reputation involves a staged re-engagement sequence. Start with your most engaged historical segment. These are people who opened or clicked something in the last campaign you sent before the pause. Send to them first, in a small batch, and monitor bounce rates, complaint rates, and engagement closely for several days.
If the first segment performs well (low bounces, low complaints, some engagement), proceed to the next tier: people who engaged at some point in the year before the pause but not in the final campaign. Continue in stages, moving to less-engaged segments only when earlier stages are performing cleanly.
Email verification services can be run on the entire list before you start. They check whether addresses are syntactically valid, whether the domain's mail server exists, and in some cases whether the specific address is likely to accept mail. This won't catch spam traps, but it removes the clearly invalid addresses before they become hard bounces.
For subscribers in the least-engaged tier, a re-permission email is worth considering. A message that explicitly says you haven't been in touch for a while and asks whether they still want to hear from you serves two purposes: it re-establishes consent context, and it separates people who are actively interested from people who simply never bothered to unsubscribe.
What open rates actually measure now
Email open tracking works by embedding a tiny invisible image in the email body. When the email is opened and the image loads, a request hits your tracking server and the open is recorded. This mechanism has been the foundation of email metrics for decades.
Apple's Mail Privacy Protection, introduced in iOS 15 and macOS Monterey in 2021, changed this. When MPP is enabled, Apple's servers pre-fetch email content, including tracking pixels, before the user ever opens the email. This pre-fetching registers as an open in your analytics. The actual human may have never looked at the email.
Apple Mail is used by a significant portion of email users, particularly on mobile. This means that a substantial portion of the "opens" in any campaign's statistics may be proxy fetches rather than human opens. The inflated open rate makes it impossible to use open rates as a reliable measure of engagement.
What this means practically is that click-through rate has become more important as an engagement signal. Clicks require an actual human decision. They can't be faked by a proxy server pre-fetching content. If your open rate looks high but your click rate is proportionally low, MPP inflation is a likely explanation.
Segment-level patterns still provide some signal even in an MPP world. If a segment of your list that previously had low open rates suddenly shows very high rates, something changed. If a segment shows zero opens across multiple campaigns, those subscribers may have abandoned their inboxes entirely. The absolute numbers are less reliable, but the relative patterns and directional changes still carry information.
Some email platforms now attempt to filter out proxy opens by looking for patterns associated with Apple's proxy infrastructure. These filtered rates are more accurate but still not perfectly reliable. The honest framing is: open rates are now a directional signal with significant noise, not the reliable engagement metric they were before 2021.