Email Deliverability: The Complete Guide for Developers (2026)

Email deliverability is the measure of how often your emails actually reach the inbox — not just whether they're accepted by the receiving mail server. An email can be "delivered" (not bounced) and still land in spam. True deliverability is about inbox placement.

The challenge is that inbox providers like Gmail, Outlook, and Apple Mail never publish their exact spam-scoring algorithms. What they do publish — and enforce — are authentication standards, sender reputation signals, and content guidelines. This guide covers all of them.

1. How inbox providers decide where your email goes

Every major inbox provider runs incoming email through a scoring pipeline before placing it in the inbox, spam folder, or rejecting it outright. The exact weights differ, but the signal categories are consistent across Gmail, Outlook, and Yahoo.

The important thing to understand: these signals are cumulative and historical. One bad campaign doesn't destroy your deliverability, but sustained poor signals — high complaint rates, no engagement — will drag your domain and IP reputation down over weeks. Rebuilding takes time.

2. Email authentication: SPF, DKIM, DMARC

Authentication is the foundation. Before inbox providers even look at reputation or content, they check whether you're legitimately who you claim to be. The three protocols that handle this are SPF, DKIM, and DMARC.

For a minimal SPF record, you're declaring which sending services are authorized. If you're using tinysend plus Google Workspace:

A minimal DMARC record to start monitoring (not yet enforcing):

Once you've reviewed DMARC reports for a few weeks and confirmed legitimate traffic is authenticating correctly, move to enforcement:

3. Sender reputation: IPs, domains, and engagement

Authentication proves you are who you say you are. Reputation is the track record of how the emails from that identity have behaved. Inbox providers maintain reputation scores at two levels:

IP reputation

The sending IP's history of spam complaints, bounce rates, and blacklist appearances. When you start with a new IP — whether from a new ESP or a dedicated IP you've provisioned — it has no reputation at all. That's actually worse than having a good reputation. Mail from new, unknown IPs is treated with suspicion.

Shared IPs (used by most email services by default) mean your inbox placement is partially affected by other senders on the same IP pool. Reputable ESPs actively manage shared IPs and remove bad actors, but it's still a dependency you don't fully control.

Domain reputation

Gmail has shifted heavily toward domain reputation since around 2022. Your sending domain (the domain in the DKIM signature and From header) accumulates its own reputation score independent of the sending IP. This is good news — you can move between ESPs without losing your domain reputation, as long as you bring your DKIM-signing domain with you.

The three factors that most influence domain reputation:

• Spam complaint rate — Gmail's threshold is <0.10% for warnings, <0.30% for delivery problems. Yahoo is similar. This is measured via feedback loops (FBLs) that ESPs register for.
• Engagement rate — Opens, clicks, and forwards signal that recipients want your email. Low engagement over time tells inbox providers your emails aren't valued.
• Consistency — Sudden volume spikes (10x your normal send volume overnight) trigger spam filters even if content is clean. Consistent sending volume builds trust.

4. IP and domain warming

Whether you're on a new dedicated IP or starting to send from a new domain, you need to build reputation gradually. Inbox providers treat new senders cautiously — they haven't seen your traffic before, so they're conservative with inbox placement until you establish a track record.

The warming principle: start with small volumes to your most-engaged recipients, then increase volume week over week. Your most engaged recipients will open, click, and not mark as spam — which generates the positive signals that build reputation.

For domain warming (new sending domain, shared IPs), the same principle applies but with shorter timeframes — 2–3 weeks is often enough if you're sending clean, engaged traffic.

Key warning signs during warming: bounce rate above 5%, spam complaint rate above 0.1%, or inbox providers starting to defer your messages (temporarily rejecting with a 4xx code). If you see these, pause and investigate before continuing to ramp.

5. List hygiene: the hidden deliverability killer

Bad list hygiene is responsible for more deliverability problems than almost any other factor, and it's one of the least obvious. The issue is simple: every email you send to an address that doesn't exist, hasn't engaged in years, or is a spam trap hurts your reputation.

Hard bounces

A hard bounce means the address is permanently invalid — the domain doesn't exist, the mailbox doesn't exist, or the server has permanently rejected the message. You must suppress hard-bounced addresses immediately. Continuing to send to them signals to inbox providers that you're not maintaining your list.

// tinysend sends a webhook when a bounce is recorded
POST /webhooks/email

{
  "event": "bounce",
  "type": "hard",           // vs "soft"
  "email": "[email protected]",
  "reason": "Mailbox does not exist",
  "timestamp": "2026-03-15T14:23:00Z"
}

// Your handler should immediately:
// 1. Mark this address as suppressed in your database
// 2. Never send to it again unless manually re-validated
await db.users.update({
  where: { email: event.email },
  data: { emailStatus: 'hard_bounced', suppressedAt: new Date() }
})

Soft bounces

Soft bounces are temporary failures — mailbox full, server temporarily unavailable. Most ESPs retry soft bounces automatically. But an address that soft-bounces consistently over 3–5 attempts should be treated as a hard bounce and suppressed.

Spam traps

Spam traps are email addresses maintained by inbox providers and anti-spam organizations to catch senders with poor list hygiene. There are two types:

• Pristine trapsAddresses that have never signed up for anything. If you're sending to them, you're either scraping addresses or using purchased lists. High severity — even a few pristine trap hits can get you blacklisted.
• Recycled trapsOld addresses that were once valid but have been inactive for years, then repurposed as traps. Hitting these signals that you're not pruning inactive subscribers. Lower severity, but still damaging.

Re-engagement and sunset policies

Subscribers who haven't opened any email in 6–12 months are a deliverability liability. You have two options: run a re-engagement campaign, or suppress them.

A re-engagement campaign is a short series (2–3 emails max) specifically to inactive subscribers, asking if they still want to hear from you. Subject lines like "Still interested?" or "We're cleaning our list — stay or go?" tend to work. Anyone who doesn't open or click after the re-engagement sequence should be permanently suppressed.

6. Bounce handling and complaint management

Handling bounces and complaints correctly is non-negotiable. Beyond list hygiene, it's also a compliance requirement under CAN-SPAM, GDPR, and similar regulations.

Feedback loops (FBLs)

When a Gmail or Yahoo user marks your email as spam, the provider sends a complaint notification back to the sending ESP via feedback loop. Your ESP aggregates these and should provide them to you via webhooks.

{
  "event": "complaint",
  "email": "[email protected]",
  "complaintType": "abuse",
  "timestamp": "2026-03-15T14:23:00Z"
}

// Suppress immediately — do not attempt to re-engage
await db.suppressions.create({
  data: {
    email: event.email,
    reason: 'spam_complaint',
    suppressedAt: new Date()
  }
})

One-click unsubscribe

Google and Yahoo's 2024 requirements mandated one-click unsubscribe for bulk senders. This is the List-Unsubscribe-Post header combined with a List-Unsubscribe mailto/URL header. When a user clicks "Unsubscribe" in Gmail's UI, Gmail sends a POST to the URL in that header — no redirect, no confirmation page.

List-Unsubscribe: <https://yourdomain.com/unsubscribe?token=abc123>, <mailto:[email protected]?subject=unsubscribe>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Failing to process one-click unsubscribes within 2 days is a violation that can result in your emails being marked as spam by Gmail automatically, regardless of your complaint rate.

7. Content best practices

Content scoring is less deterministic than authentication — there's no single rule that always triggers spam. But there are patterns that reliably hurt deliverability.

HTML email structure

A few structural rules that matter for spam scoring:

• Always include a plain-text alternative (multipart/alternative). Emails without a text part are often treated as spam.
• Avoid JavaScript entirely. No mail client renders it, and its presence is a spam signal.
• Use absolute URLs for images — relative paths don't work in email.
• Limit external resource domains. Emails that load content from 10+ different domains look like phishing attempts.

8. Monitoring and debugging deliverability

You can't manage what you don't measure. These are the metrics and tools to track.

Key metrics to track

Useful tools

• Google Postmaster Tools — Free dashboard from Google showing your domain reputation, spam rate, and authentication success rate for mail sent to Gmail. If you're not using this, set it up today.
• Microsoft SNDS / JMRP — Microsoft's equivalent for Outlook/Hotmail. Requires registration. Shows IP reputation and complaint data for Microsoft inboxes.
• MXToolbox — Check if your IPs or domains are on any major blacklists. Also useful for verifying SPF/DKIM/DMARC records.
• DMARC aggregate reports — Your DMARC rua address will receive XML reports from major inbox providers showing you which messages passed/failed authentication. Use a DMARC report reader (many free options exist) to parse them.
• mail-tester.com — Send a test email to a unique address and get a deliverability score with specific issues flagged. Quick sanity check before a campaign.

Reading bounce codes

SMTP response codes tell you exactly what happened. The ones that matter for deliverability debugging:

# Common SMTP codes and what they mean

550 5.1.1   # User/mailbox does not exist → hard bounce, suppress immediately
550 5.7.1   # Message rejected due to policy → authentication or reputation issue
421 4.7.0   # Service temporarily unavailable → soft bounce, ESP will retry
452 4.2.2   # Mailbox full → soft bounce, retry later
421 4.7.28  # Gmail temporary block → reputation issue, reduce volume
550 5.7.350 # Outlook blocked → likely blacklisted, check SNDS

9. How tinysend handles deliverability for you

Deliverability infrastructure is genuinely complex to build and maintain. Here's what tinysend handles out of the box so you don't have to: