The deliverability mental model: one picture for authentication, reputation, content, and monitoring
You can read separate articles on SPF, DKIM, DMARC, BIMI, IP warm-up, bounce management, and sender reputation — the Orbit library has all of them — and still come away without the one thing that actually matters: the systems-level picture of how mailbox providers decide whether to let your email through. This guide is the unified model. Once you have it, every piece of the deliverability stack becomes a specific answer to a specific question inside one coherent framework.
By Justin Williames
Founder, Orbit · 10+ years in lifecycle marketing
The one question mailbox providers are asking
Every deliverability decision a mailbox provider makes reduces to a single question: is this sender behaving like a sender our users want to hear from?
Gmail, Outlook, Yahoo, Apple Mail — the entire inbox-placement industry — is built on answering one question: should we put this message in the inbox, the promotions tab, the spam folder, or nowhere? Every other technical artefact (SPF, DKIM, DMARC, BIMI, list-unsubscribe, reputation scores, engagement signals) exists to help the provider answer it.
The providers can't literally ask every user whether they want the message. So they use proxies — provable, automatable proxies that correlate with "users want this". The deliverability stack is a collection of those proxies. Understanding which proxy does what, and how they interact, is the mental model.
Three layers every email passes through
When a message arrives at a mailbox provider, three sequential checks happen. Fail any one and the message doesn't reach the inbox. Pass all three and the message is in — though where it lands (primary, promotions, or spam) is then a fourth, fuzzier question.
Layer 1: Identity. "Who claims to have sent this, and can they prove it?" This is the authentication layer — SPF, DKIM, DMARC. Pass = the domain can mathematically prove it authorised this send. Fail = the provider treats the sender as potentially spoofed.
Layer 2: Reputation. "This sender is authenticated — do we trust them?" Now the provider looks up what it knows about the sending domain and IP. Have other messages from here been liked or disliked by users historically? Strong reputation = inbox candidate. Weak reputation = spam folder candidate regardless of content.
Layer 3: Placement. "We trust this sender — now which folder does this specific message belong in?" This is where content, user-specific engagement signals, folder heuristics, and tab-category models (Gmail Promotions vs Primary) come in. The sender already passed layers 1 and 2; this layer decides exactly where the message lands for this user on this day.
Layer 1 (Identity): what SPF, DKIM, and DMARC actually do
Each of the three identity protocols answers a different slice of the "is this really who it claims to be" question. They're complementary, not alternatives. A properly-configured sender has all three.
SPF (Sender Policy Framework). The domain publishes a list of IPs authorised to send email on its behalf. The receiving server looks up the sending IP against that list. Pass = the IP is on the list. Fail = the IP isn't on the list, so the sender is potentially spoofing. What SPF doesn't do: protect the "From:" header the user sees. SPF checks the envelope sender, not the From address. This is why SPF alone is insufficient — spoofers can still impersonate your From header while passing SPF on a different envelope.
DKIM (DomainKeys Identified Mail). The sending server cryptographically signs the message body + critical headers with a private key. The domain publishes the matching public key in DNS. The receiving server verifies the signature. Pass = the message body hasn't been tampered with in transit and genuinely came from a server holding the private key. What DKIM doesn't do: cover the envelope, or tell the receiver what to do if the signature fails.
DMARC (Domain-based Message Authentication, Reporting and Conformance). The meta-layer. DMARC does two things: (1) ties SPF and DKIM authentication back to the From header the user sees ("alignment") and (2) tells the receiving server what to do if alignment fails — none (monitor only), quarantine (spam folder), or reject (bounce). DMARC also emits reports to a configured email address so you can see who's sending on your behalf. DMARC is the policy layer; SPF and DKIM are the mechanisms.
A sender with all three correctly configured looks to a mailbox provider like an organisation that controls its own sending identity. A sender missing any of them looks like someone who either doesn't understand the modern email stack or is operating informally — either way, a flag.
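An added example (not from the original article, and not any mailbox provider's code) of the alignment test DMARC applies to the SPF and DKIM results a receiver records in the Authentication-Results header. The message is constructed, and `org_domain` is a simplifying assumption that takes the last two labels where real receivers consult the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed test message (not real traffic). SPF passes for the ESP's bounce
# domain; DKIM passes for a subdomain of the brand shown in From:.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounces.esp-mail.example;
 dkim=pass header.d=news.brand.example;
 dmarc=pass header.from=brand.example
From: Brand <hello@brand.example>
Subject: constructed test send

body
"""

def org_domain(domain):
    # Assumption: organisational domain = last two labels. Real receivers use
    # the Public Suffix List, so this is wrong for suffixes like co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment needs an exact match; relaxed accepts the same org domain.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def check_alignment(raw, strict=False):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Only trust Authentication-Results added by your own receiving server.
    ar = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", ar)
    dkims = re.findall(r"dkim=(\w+)[^;]*?header\.d=([^\s;]+)", ar)
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(spf.group(2), from_domain, strict)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, strict) for r, d in dkims)
    # DMARC passes when at least one mechanism both passes and aligns.
    return {"from": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    print(check_alignment(SAMPLE))
    print(check_alignment(SAMPLE, strict=True))
```

In the sample, SPF passes but for the ESP's envelope domain, so only the DKIM signature carries DMARC; under strict alignment the subdomain signature no longer counts and the message fails.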
Layer 2 (Reputation): how mailbox providers actually score you
Reputation is the sum of every engagement signal users have ever given on messages from this sender. It's slow to build and fast to lose.
Once authentication passes, the receiving server consults its reputation database. That database has two keys: the sending IP and the sending domain. Both carry reputation, and they carry it differently.
IP reputation. Attached to the specific IP address sending the mail. Important for high-volume senders who send from dedicated IPs. Accumulates over weeks of consistent sending. Lost quickly if sending spikes (which looks like compromise), if a bad list is suddenly introduced, or if complaint rates cross a threshold.
Domain reputation. Attached to the sending domain (and the From: domain, via DMARC alignment). Moves more slowly than IP reputation, survives IP changes, and travels with your brand. In 2025, major providers weight domain reputation more heavily than IP — especially Gmail, which has largely shifted its primary signal to domain.
Signals that feed reputation (positive). Users open your email. They click. They mark your mail as "Not spam" when it lands in spam. They move it from Promotions to Primary. They reply. They don't unsubscribe quickly. Engagement sustained over time = reputation builds.
Signals that damage reputation (negative). Users mark your mail as spam (the single most damaging signal — complaint rate above 0.3% is a red alert). They delete without opening repeatedly. They unsubscribe at high rates. Your mail hits spam traps (dormant addresses used by ISPs to detect careless list building). Your sending patterns look automated (sudden volume spikes, constant send volume with no natural rhythm).
The Google Postmaster walkthrough is the canonical way to see what at least one provider thinks of your reputation right now.
Layer 3 (Placement): how inbox vs Promotions vs spam gets decided
A sender who passes identity and has strong reputation still faces the final question: which folder does this specific message go in? This decision happens per-message, per-user, and is the least deterministic layer.
Content signals. The subject line, preview, HTML structure, image-to-text ratio, presence of unsubscribe links, URL patterns (look-alike domains, URL shorteners, suspicious TLDs). Content scanners look for spammer tells, not writing quality. Good senders occasionally trip content heuristics (all-image emails, shouty subject lines, excessive link density) and pay the placement cost.
User-specific engagement. Does THIS user historically open mail from you? Have they ever moved you to Primary? Have they replied? Providers personalise placement based on the individual's past behaviour — a high-reputation sender might still land in Promotions for users who've never opened, and in Primary for users who engage consistently.
Tab / folder classifiers. Gmail Promotions, Updates, Social, Forums. Outlook's Focused/Other. These are ML classifiers trained on commerce/marketing patterns. Landing in Promotions is NOT bad delivery — it's correct classification for most marketing email. Chasing Primary placement is usually a waste of effort; users who engage with Promotions see your mail there, and the ones who don't wouldn't engage with Primary placement either.
How BIMI fits in — and why it's layer 2.5
BIMI (Brand Indicators for Message Identification) is the logo-beside-the-sender feature you've seen in Gmail and Apple Mail. It sits above layer 2 (reputation) but below layer 3 (placement). BIMI doesn't affect whether your mail reaches the inbox — it affects how your mail looks once it's there. To display a BIMI logo, you need: DMARC at quarantine or reject (not monitor), a VMC (Verified Mark Certificate) in most cases, and your logo in a specific SVG format published at a specific DNS record.
BIMI's real value isn't the logo per se — it's the trust signal to users ("this is really from that brand") and the implicit confirmation that you're running DMARC properly. It's a layer-2 investment masquerading as a layer-3 one.
Diagnosing a deliverability problem by layer
The most common deliverability mistake operators make is diagnosing the wrong layer. A layer-2 reputation problem doesn't get fixed by rewriting subject lines.
When inbox placement tanks, walk down the layers in order. Most real-world problems are layer 2.
Layer 1 check (takes 5 minutes). Use a header-checking tool (mail-tester, mxtoolbox). Do SPF, DKIM, and DMARC all pass on a test send? Are they aligned with the From header? If any fail, fix that first — no other work matters until identity is clean.
Layer 2 check (Google Postmaster, a day of data). Is domain reputation medium-plus? Is complaint rate under 0.3%? Has sending volume been consistent or suddenly spiked? If reputation is bad, the fix is slow: throttle sends to most-engaged segments only, stop acquiring new addresses from the questionable source, and wait 2-4 weeks for signals to recover.
Layer 3 check (A/B send with different content). Only after layers 1 and 2 are confirmed clean. If an image-heavy creative lands in Promotions and a lean HTML version lands in Primary, that's a placement / content issue. Most of the time this is fine — Promotions is where marketing email belongs — but if you're getting spam-foldered from a good-reputation domain, content heuristics are your last suspect.
The Deliverability Management skill operationalises this diagnostic order so you walk the layers in the right sequence, not in whichever one feels urgent.
The measurement question: proving lifecycle works
Deliverability infrastructure doesn't matter in isolation — it matters because it determines whether any other lifecycle work produces measurable revenue. Two advanced measurement disciplines close the loop between "we shipped a program" and "the program caused revenue".
Incrementality testing. The only way to know if a lifecycle program caused revenue is to withhold it from a random subset of the audience and compare. Everything else is correlation dressed up as attribution.
Attribution models. The imperfect-but-necessary art of dividing credit across channels when users touch many before converting. The honest attribution discussion isn't "which model is right" — it's "which model's biases match the question I'm trying to answer".
Together, identity → reputation → placement → measurement is the complete arc of advanced deliverability work. Everything else is a specific answer to a specific part of this frame.
Frequently asked questions
- If I have good SPF/DKIM/DMARC, why is my mail going to spam?
- Authentication is layer 1 — necessary but not sufficient. Spam placement almost always traces to layer 2 (reputation). Check Google Postmaster Tools for your domain reputation, complaint rate, and sending history. A domain that authenticates perfectly but has weak engagement signals or elevated complaint rates still gets spam-foldered. Fixing that is a 2-4 week project of sending less, to more engaged users only, until signals recover.
- I don't send enough email to have IP reputation. Does any of this apply to me?
- Domain reputation applies regardless of volume — even if you send 1000/month, your domain accumulates reputation signals. At low volume you'll typically be on a shared IP, so IP reputation is pooled across all tenants of that IP (good senders lift you, bad senders drag you). Focus on what you control: clean authentication, consistent sending, good engagement from your list. At your volume, IP warm-up is not a thing you need to worry about.
- How do I know if my reputation has been damaged before it's too late?
- Watch Google Postmaster Tools daily if you send to Gmail addresses at any scale. The leading indicators — domain reputation, IP reputation, spam rate — move before inbox placement does. If you see domain reputation drop from high to medium, you have maybe a week before inbox placement follows. That's the window to act. Waiting until bounces or inbox-placement tools show a problem is usually too late.
- Does BIMI actually lift engagement or is it just a vanity project?
- Measured lifts are small — typically 1-3% open rate improvement vs no logo — but BIMI's real value is signalling. It confirms to sophisticated users that you run DMARC properly (a trust signal for finance, healthcare, high-value ecommerce categories) and it gets you into Gmail's and Apple Mail's sender-trust visual treatments. Whether that ROI justifies the VMC cost (~$1,500/year) depends on volume and brand. For most mid-size senders: worth it. For tiny operators: wait.
- DMARC p=reject — should every sender eventually move there?
- Yes, but slowly and in order: monitor (p=none) → quarantine (p=quarantine) → reject (p=reject). Don't skip quarantine — it's the step where you catch legitimate sources (marketing tools, email-from-CRM, internal automations) you didn't know were sending on your behalf. Moving to p=reject without a clean quarantine period will quietly black-hole legitimate mail from services your team has set up over the years. DMARC is the one deliverability change where patience is a virtue.
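An added example (not part of the original guide) of how the DMARC aggregate reports mentioned earlier can surface unknown legitimate senders before the policy is tightened. It lists sources that fail DMARC and shows which other domain, if any, they authenticated as; the report fragment, IPs and domains are constructed placeholders, and treating "authenticated as another domain" as a sign of a legitimate third-party service is a triage heuristic, not a rule.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate (rua) report fragment; IPs and domains are placeholders.
REPORT = """<feedback>
 <policy_published><domain>brand.example</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>4200</count>
   <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>brand.example</domain><result>pass</result></dkim>
   <spf><domain>esp-mail.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>310</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.99</source_ip><count>12</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>unknown.example</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""

def failing_sources(xml_text):
    """Return (ip, message_count, domains_it_authenticated_as) for DMARC failures."""
    totals = defaultdict(lambda: {"count": 0, "auth": set()})
    for rec in ET.fromstring(xml_text).iter("record"):
        ev = rec.find("row/policy_evaluated")
        # policy_evaluated holds the *aligned* results; one pass is enough.
        if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue
        entry = totals[rec.findtext("row/source_ip")]
        entry["count"] += int(rec.findtext("row/count"))
        # Raw auth_results show which other domain the source authenticated as.
        for res in rec.find("auth_results"):
            if res.findtext("result") == "pass":
                entry["auth"].add(res.findtext("domain"))
    rows = [(ip, e["count"], sorted(e["auth"])) for ip, e in totals.items()]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for ip, count, auth in failing_sources(REPORT):
        print(ip, count, auth or "no passing authentication")
```

Here 198.51.100.7 passes SPF only as crm-vendor.example, the pattern of a tool that needs aligned DKIM or a custom return-path before enforcement, while 203.0.113.99 authenticates as nothing and is the kind of traffic the policy is meant to stop.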