Your emails are going to spam because of one (or more) of three things: broken authentication, poor sender reputation, or content that triggers filters. The fix is not guesswork. It is a systematic walk through 12 checkpoints, starting with the ones that cause the most damage. This checklist covers each one, explains why it matters, and links to free tools so you can test your domain right now.
Key Takeaway
- Authentication is the #1 cause. Gmail began rejecting unauthenticated messages outright in November 2025. If your SPF, DKIM, or DMARC records are missing or broken, fix them first.
- Spam complaints above 0.3% trigger active filtering at Gmail. The target is under 0.1%.
- Only 65% of emails reach the inbox. Another 32% land in spam, and the rest vanish entirely (EmailToolTester, 2026).
- Run a health check now: Domain Email Health Score tests authentication, blacklists, and DNS in one scan.
Why emails go to spam: the three root causes
Every spam filter, whether at Gmail, Outlook, Yahoo, or Apple Mail, evaluates incoming email on three dimensions. Think of them as layers. If you fail the first layer, the other two barely matter.
| Layer | What it checks | Impact if broken | Fix difficulty |
|---|---|---|---|
| 1. Authentication | SPF, DKIM, DMARC records and alignment | Messages rejected or sent to spam immediately | Low (DNS changes) |
| 2. Sender reputation | Domain/IP history, complaint rates, blacklists | Gradual deliverability decline, then sudden drops | Medium (behavioral changes over weeks) |
| 3. Content & engagement | Spam triggers, formatting, engagement signals | Individual messages flagged, not the whole domain | Low (content edits) |
Start at layer 1. If authentication is broken, improving your content or cleaning your list will not help. The messages are being rejected before anyone reads them.
Layer 1: Authentication fixes (steps 1 to 5)
Authentication is the foundation. Gmail's February 2024 sender requirements made SPF, DKIM, and DMARC mandatory for bulk senders. By November 2025, Gmail moved from warnings to outright rejection. Yahoo, Microsoft, and Apple followed with similar enforcement. Without proper authentication, inbox providers treat your emails as potentially fraudulent.
Check your SPF record
SPF tells receiving servers which IP addresses are authorized to send email for your domain. Run your domain through the SPF Record Checker and verify:
- You have exactly one SPF TXT record (two records invalidate SPF entirely)
- All sending services are included (Google Workspace, SendGrid, Mailchimp, your CRM, etc.)
- You are under the 10 DNS lookup limit (exceeding it causes a PermError, which fails every message)
- The record ends with
-all(hard fail) or~all(soft fail), not+all(which authorizes everyone)
Verify DKIM signing
DKIM uses cryptographic signatures to prove your email was not altered in transit. Use the DKIM Record Checker to confirm:
- Your sending service has DKIM enabled (it is not always on by default)
- The DKIM public key is published in DNS as a TXT record
- The key length is at least 1024 bits (2048 is recommended, and Google Workspace uses it by default)
- You are signing with a key that matches your visible From: domain (this is what DMARC alignment checks)
Publish a DMARC record
DMARC ties SPF and DKIM together by checking that the domain in your visible From: header aligns with the domains authenticated by SPF or DKIM. Use the DMARC Record Generator to create one.
- At minimum, publish
v=DMARC1; p=none; rua=mailto:[email protected] p=noneis monitoring-only (no enforcement), but it gives you visibility into who is sending email as your domain- Once you have confirmed all legitimate senders pass alignment, move to
p=quarantineand thenp=reject - Google requires at least
p=nonefor bulk senders. Yahoo requires DMARC for all senders.
Check DMARC alignment
Having SPF and DKIM pass is not enough. DMARC requires alignment, meaning the domain in the From: header must match the domain authenticated by SPF (Return-Path) or DKIM (d= tag). This is where many senders fail, especially when using third-party services. Send a test email and check the headers for dmarc=pass. If you see dmarc=fail with SPF and DKIM both passing, you have an alignment problem.
Use the Email Header Analyzer to inspect authentication results from any email.
Set up reverse DNS (PTR record)
Google and Microsoft both require valid forward and reverse DNS records for sending IPs. A PTR record maps your sending IP back to a hostname, and that hostname must resolve forward to the same IP. This is typically configured by your hosting provider or email service, but it is worth verifying. If you send from a VPS or dedicated server, missing PTR records are a common cause of spam placement.
Check yours with the Reverse DNS (PTR) Checker.
Quick Authentication Test
The fastest way to check all five steps at once: run your domain through the Domain Email Health Score tool. It tests SPF, DKIM, DMARC, reverse DNS, and blacklist status in a single scan.
Layer 2: Sender reputation fixes (steps 6 to 9)
Authentication gets your foot in the door. Reputation determines whether you stay. Inbox providers assign a reputation score to your domain and sending IP based on historical behavior. A poor reputation means even perfectly authenticated emails land in spam.
Check your domain and IP reputation
Google Postmaster Tools is the single most important monitoring tool for any sender. It shows your domain reputation (High, Medium, Low, Bad), your spam rate, and whether you are meeting compliance standards. Sign up at postmaster.tools.google.com and verify your domain.
- High reputation: inbox delivery is normal
- Medium reputation: some messages may be filtered
- Low or Bad reputation: most messages will land in spam or be rejected
For Microsoft, check your reputation through the Smart Network Data Services (SNDS) portal. For Yahoo, monitor bounce codes in your email logs.
Check blacklists
Your domain or sending IP may be listed on one or more email blacklists. The ones that matter most are Spamhaus (SBL, XBL, PBL), Barracuda BRBL, and SpamCop. A Spamhaus listing causes immediate rejection at Microsoft, Yahoo, and most enterprise mail servers. Run a check with our Email Blacklist Checker.
If you are listed, read the companion guide on how to check if your domain is blacklisted and get delisted for step-by-step removal instructions for each major blacklist.
Keep spam complaint rates below 0.1%
Google's threshold is clear: keep your spam rate below 0.1% as reported in Postmaster Tools. Never exceed 0.3%. At 0.3%, Gmail begins actively rejecting your messages, and you lose access to mitigation support until you maintain rates below 0.3% for seven consecutive days (Google Workspace Admin Help, 2024).
- Make unsubscribe easy and obvious (one-click unsubscribe is required for bulk senders per Google, Yahoo, and Microsoft requirements)
- Honor unsubscribe requests within 2 days
- Never send to users who did not explicitly opt in
- Remove recipients who mark you as spam from all future sends
Clean your email list
List quality directly impacts sender reputation. High bounce rates signal purchased or scraped lists. Spam traps (recycled addresses that inbox providers use to catch bad senders) will destroy your reputation overnight.
- Remove hard bounces immediately after every send
- Remove contacts inactive for more than 6 months
- Never buy, rent, or scrape email lists
- Use double opt-in for new subscribers
- Run your list through an email verification service before large sends
Layer 3: Content and engagement fixes (steps 10 to 12)
Content filters are the final layer. Even with perfect authentication and a clean reputation, certain content patterns will trigger spam placement for individual messages.
Avoid spam trigger words and formatting
Modern spam filters are more sophisticated than keyword blocklists, but certain patterns still trigger them consistently. Check your emails with the Email Spam Word Checker before sending.
- Avoid excessive capitalization ("FREE MONEY NOW")
- Avoid urgency phrases with no context ("Act now!", "Limited time!", "Don't miss out!")
- Do not use URL shorteners (bit.ly, tinyurl) in email bodies. They are heavily associated with phishing.
- Keep your text-to-image ratio balanced. An email that is one large image with minimal text is a spam signal.
- Avoid too many links. More than 3 to 5 links in a short email raises flags.
Use consistent sending patterns
Sudden spikes in volume are one of the fastest ways to trigger spam filters. If you normally send 500 emails per day and suddenly send 50,000, inbox providers assume something is wrong.
- Warm up new domains and IPs. Start with small volumes (50 to 100 per day) and increase gradually over 2 to 4 weeks.
- Send consistently. Regular, predictable sending patterns build reputation faster than sporadic large blasts.
- Segment large sends. If you need to send to a large list, break it into batches spread across hours or days.
Monitor engagement signals
Inbox providers track how recipients interact with your emails. High open rates and reply rates improve placement. Low engagement (no opens, no clicks, frequent deletes without reading) tells the provider your emails are not wanted.
- Segment by engagement: send more frequently to active readers, less to disengaged ones
- Re-engage or remove subscribers who have not opened in 90 days
- Write subject lines that accurately reflect the content (misleading subjects cause complaints)
- Make it easy for people to reply (replies are a strong positive signal)
The complete checklist at a glance
| # | Check | Tool to test | Priority |
|---|---|---|---|
| 1 | SPF record valid, under 10 lookups, single record | SPF Checker | Critical |
| 2 | DKIM enabled, public key published, 2048-bit key | DKIM Checker | Critical |
| 3 | DMARC record published with at least p=none | DMARC Generator | Critical |
| 4 | DMARC alignment passing (From: matches SPF/DKIM domain) | Header Analyzer | Critical |
| 5 | Reverse DNS (PTR) record valid for sending IP | PTR Checker | High |
| 6 | Domain reputation is High in Google Postmaster Tools | Google Postmaster Tools | Critical |
| 7 | Not listed on Spamhaus, Barracuda, or SpamCop | Blacklist Checker | Critical |
| 8 | Spam complaint rate below 0.1% | Google Postmaster Tools | Critical |
| 9 | List cleaned of hard bounces, inactive contacts, spam traps | Email verification service | High |
| 10 | No spam trigger words, balanced text/image ratio | Spam Word Checker | High |
| 11 | Consistent sending volume, new domains warmed up | Email logs / sending platform | High |
| 12 | Engagement monitored, disengaged contacts segmented | Email platform analytics | Medium |
Provider-specific spam filter behavior
Each major inbox provider weighs these factors differently. What works at Gmail may not be enough for Outlook, and vice versa. Here is how the big four differ.
| Provider | Authentication enforcement | Blacklist usage | Primary reputation signal |
|---|---|---|---|
| Gmail | Rejects unauthenticated messages since Nov 2025 | Spamhaus PBL only; relies on internal signals | Engagement (opens, replies, complaint rate) |
| Microsoft (Outlook) | Requires SPF + DKIM for bulk senders since April 2025 | Spamhaus SBL/XBL, internal lists | Sending IP reputation via SNDS |
| Yahoo | Requires SPF + DKIM + DMARC for all senders | Spamhaus, SpamCop | Complaint rate (via feedback loop) |
| Apple (iCloud) | Requires authentication for bulk senders | Spamhaus | Authentication pass rates |
The common thread: all four now require SPF, DKIM, and DMARC. Authentication is no longer optional anywhere. For a detailed breakdown of each provider's requirements, including enforcement timelines and volume thresholds, read the Google, Yahoo, and Microsoft Bulk Sender Requirements guide.
How long recovery takes
Fixing the technical issue is step one. Seeing results takes time, and the timeline depends on what was broken.
| Issue | Fix time | Recovery time |
|---|---|---|
| Missing SPF/DKIM/DMARC records | 15 to 30 minutes (DNS changes) | Under 48 hours (DNS propagation) |
| DMARC alignment failure | 1 to 2 hours (configuration) | Under 48 hours |
| Blacklisted IP or domain | Fix root cause + submit delisting | 24 hours to 7 days (varies by blacklist) |
| Poor domain reputation | Fix sending practices | 2 to 4 weeks of consistent good behavior |
| High spam complaint rate | Improve list hygiene + unsubscribe flow | 7 days below 0.3% to regain Gmail mitigation access |
| New domain warmup | Start low, increase gradually | 2 to 4 weeks to establish reputation |
Frequently asked questions
Why are my emails suddenly going to spam?
The most common cause is a change in provider enforcement. Gmail shifted from sending warnings to outright rejecting unauthenticated messages in November 2025. If your SPF, DKIM, or DMARC records are missing or misconfigured, emails that previously reached the inbox may now land in spam or be rejected entirely. Other triggers include a spike in spam complaints (above Google's 0.3% threshold), a blacklisted sending IP, or a sudden increase in send volume without proper warmup.
How do I check if my emails are going to spam?
Use Google Postmaster Tools to monitor your spam rate for Gmail recipients. For broader testing, send test emails to seed accounts at Gmail, Outlook, and Yahoo, then check whether they land in the inbox or spam folder. The Domain Email Health Score tool can test your domain's authentication, blacklist status, and DNS configuration in one scan. You can also check raw email headers for authentication pass/fail results on any message you receive using the Email Header Analyzer.
Does SPF, DKIM, and DMARC prevent emails from going to spam?
Authentication alone does not guarantee inbox placement, but missing authentication almost guarantees spam placement. SPF, DKIM, and DMARC are table stakes as of 2024: Google, Yahoo, Microsoft, and Apple all require them for bulk senders. Having all three properly configured removes the biggest single cause of spam folder delivery. After authentication, inbox placement depends on sender reputation, engagement rates, content quality, and list hygiene. For a full explanation of how these protocols work, read Email Authentication Explained: SPF, DKIM, and DMARC.
How long does it take to fix email deliverability after being flagged as spam?
Authentication fixes (SPF, DKIM, DMARC) take effect within hours after DNS propagation, typically under 48 hours. Reputation recovery takes longer. If your domain or IP has a poor reputation with Gmail, expect 2 to 4 weeks of consistent good sending behavior before seeing improvement. Blacklist removal varies: SpamCop auto-delists in 24 to 48 hours, Spamhaus processes requests in 24 to 48 hours, and Barracuda typically responds within 12 to 24 hours. The key is fixing the root cause before requesting delisting, otherwise you will be re-listed.
