Email deliverability — the practitioner's guide

Deliverability isn't a single setting. It's four distinct systems running at the same time, each watching you from a different angle, each punishing you for different sins. Break one and the damage usually shows up as something else entirely — low opens, slow throughput, complaint spikes you can't trace.

1. Authentication.SPF, DKIM, DMARC. DNS-level plumbing that proves to mailbox providers you're allowed to send from your domain. Miss any of the three and Gmail, Yahoo, and Microsoft will reject bulk senders at the door.Source · GoogleEmail sender requirementsGoogle's sender requirements updated in 2024 mandating SPF, DKIM, DMARC, and one-click unsubscribe for bulk senders.support.google.com/a/answer/81126

2. Reputation.Providers score your IPs and domains based on how you've behaved over weeks and months. Reputation is earned slowly and drained fast — one bad week can erase a half-year of clean sending.

3. Engagement. The forward-looking one. Opens, clicks, replies, adds-to-contacts, moves-out-of-spam — providers treat them as the strongest signal of whether your mail is worth inboxing tomorrow.

4. List hygiene. The boring, continuous discipline of removing dead weight. Clean list drives engagement. Engagement protects reputation. Reputation delivers the mail. It compounds — in both directions.

SPF (Sender Policy Framework) publishes which servers are allowed to send on your behalf, via a DNS TXT record. DKIM (DomainKeys Identified Mail) cryptographically signs every message so recipients can verify it hasn't been tampered with. DMARC (Domain-based Message Authentication, Reporting and Conformance) tells recipients what to do when SPF or DKIM fails, and sends you reports on what's passing and what isn't.

All three, configured correctly, no exceptions. Gmail and Yahoo hardened the requirement for bulk senders in 2024; Microsoft has equivalent policy for Outlook.com. When it's misconfigured, the deliverability damage is the worst kind — slow, silent, and hard to debug because every other dashboard still looks fine.

If you're on Braze or any bulk ESP, use a dedicated sending subdomain — mail.yourbrand.com, not the root domain. Isolates marketing reputation from your corporate transactional mail and makes authentication easier to debug. Launch DMARC in monitoring mode (p=none) first, read the reports for two to four weeks, then promote to quarantine or reject once you're sure nothing legitimate is failing.

Short version: SPF says who can send. DKIM proves the message wasn't altered. DMARC tells the receiver what to do when one of the first two fails and emails you a report about it. Skip any one and Gmail treats you like a stranger.

Reputation is tracked per IP and per sending domain, independently. You earn it by being boring: same sender, same volume band, same content character, same kind of engaged recipients, week after week. For a fresh IP that means a disciplined ramp before you hit full volume — the IP warm-up playbook has the schedule.

Three things trash reputation fastest. Sudden volume spikes. Bounce rates over 2%. Complaint rates over 0.1% for watch, over 0.3% for damage. Healthy numbers: under 2% hard bounces, under 0.1% complaints. Anything above those and the mailbox providers are already adjusting how they treat you. The biggest driver of climbing complaint rate is mailing dormant users who've forgotten they ever subscribed — which is less a mystery than a policy failure.

Watch it with Google Postmaster Tools (free, covers Gmail) and Microsoft SNDS (free, covers Outlook.com and Hotmail). Beyond those, Validity and Mailgun's deliverability product give cross-ISP views if you want them.Source · GooglePostmaster ToolsGoogle's free service for monitoring Gmail sender reputation, spam complaint rates, authentication results, and delivery errors.postmaster.google.comCheck weekly at minimum. A reputation drop usually leads delivery failure by three to five days — catching it early means pausing, diagnosing, and recovering before the inbox placement craters.

Engagement is what separates a sender whose reputation survives a bad week from one that doesn't. Providers weight engaged recipients heavily. If your active base opens, clicks, and replies at healthy rates, you get treated as a legitimate sender even when a specific send misses. If it doesn't, one sloppy campaign can tip the whole domain.

Protect engagement actively, not passively. Suppress dormant users from marketing sends. Segment so every campaign ships to an audience with above-baseline engagement probability. Run re-engagement programs early — before the 90-day cliff — because a 30-day-dormant user comes back roughly twice as often as a 180-day-dormant one, in my experience across consumer programs.

The Orbit Braze Deliverability Health Check skill pulls bounce and complaint data directly from Braze and flags segments where engagement is eroding faster than average — so you see the issue before it becomes a reputation problem.

List hygiene isn't cleanup. It's a standing policy, applied to every send, every day. Three rules do most of the work:

Hard-bounce once, remove forever. An address that hard-bounces is dead or disabled. Mailing it again is a loud negative signal to every provider watching.

Soft-bounce three times, suppress. Soft bounces are recoverable in theory — full mailbox, server hiccup — but three in a row almost always means the address is abandoned. Suppress until the user re-engages through some other signal.

Sunset inactive users.Anyone who hasn't opened mail in 90 to 180 days — the threshold depends on your product's natural cadence — comes off marketing sends. Keep transactional, invite them back through a re-engagement flow, and if they don't come back, let them go. A list that never shrinks is a list slowly poisoning the domain it sits on.

Diagnose before you treat. A sudden deliverability drop has three usual suspects, and the fix depends on which one bit you.

Reputation collapse. Usually follows a volume spike or a high-complaint send. Postmaster Tools and SNDS will show you the crash. Scale back volume, suppress dormant users, send only to the most-engaged segment for two to three weeks. Watch reputation recover before you open up volume again.

Authentication failure. Symptom: delivery drops overnight with no volume change, often paired with a recent DNS change or ESP config update. DMARC reports will name the failure mode. Fix the record, redeploy, and reputation recovers within days once mail authenticates cleanly again.

Blacklisting.Spamhaus or SORBS has listed your IP or domain. Symptom: hard delivery failures with bounce strings that name the blacklist. Work out why you got listed — usually a volume spike, a compromised account, or a complaint surge — fix the cause, then request delisting through the blacklist's official channel. Repeat listings compound; don't assume one delisting buys you forever.

Recovery is always slower than the breakage. Budget three to six weeks for full reputation repair after a serious incident. Prevention is cheaper every time.