Why Your Marketing Emails Keep Going to Spam
It is almost never the subject line. It is an unauthenticated domain, a shared IP carrying someone else's reputation, and a list nobody has cleaned in years.
You sent three thousand emails to a list of people who asked to hear from you. Two hundred opened it. Not because the offer was weak and not because the subject line was flat, but because most of those three thousand messages never reached an inbox at all. They landed in Spam, or in Gmail's Promotions tab where nobody scrolls, or they were dropped silently by a mailbox provider that decided your domain was not worth the risk. Your sending dashboard says delivered. Delivered is not the same thing as arrived.
This is the least glamorous problem in marketing, and the one that quietly caps every other number you track: open rate, click rate, revenue per send. It is almost never fixed by writing a better email. It is fixed by treating your outbound mail the way you would treat any other piece of infrastructure you actually own: authenticated, monitored, and maintained on a schedule, instead of borrowed from whatever tool was cheapest this year.
Why are your marketing emails going to spam?
Mailbox providers do not grade the message. They grade the sender. If your domain has no authentication records, if you are sending from a shared IP address that also carries a stranger's spam complaints, or if a third of your list is dead addresses and disengaged subscribers, Gmail, Outlook, and Yahoo will route you to spam no matter what the email says.
Every major provider runs some version of the same system underneath the inbox: a reputation score attached to your sending domain and your sending IP, recalculated on every batch you send. Since February 2024, Google and Yahoo have formally enforced this for anyone sending real volume: your domain must be authenticated, your spam complaint rate has to stay under roughly 0.3 percent, and one-click unsubscribe has to actually work. Miss any one of those and filtering gets aggressive fast. None of it is about your copy.
Three things are usually doing the damage, in this order.
An unauthenticated domain. Without the right records published, a mailbox provider cannot verify that the mail claiming to come from your domain actually came from you. Anyone could be sending it, including someone spoofing your brand to phish your own customers. The provider's default response to that uncertainty is distrust, and distrust routes to spam.
A shared IP carrying someone else's reputation. Most low-cost marketing platforms send every customer's mail from a pooled set of IP addresses. If another business on that same pool gets reported for spam, your delivery rate absorbs the damage, and you will never see it in your own account because the platform has no reason to tell you whose mess you inherited.
A list nobody has ever cleaned. Dead addresses generate hard bounces. Uninterested subscribers who never open anything generate low engagement signals. Both feed the same reputation score, and both are entirely within your control to remove.
A shared IP carries somebody else's reputation into your send, and you never agreed to inherit their sins.
How do you set up SPF, DKIM, and DMARC for a small business?
SPF tells mailbox providers which servers are allowed to send mail as your domain. DKIM attaches a cryptographic signature so a message cannot be altered in transit without detection. DMARC tells providers what to do when either check fails, and it is the one most small businesses skip entirely, which is exactly why phishing built on top of legitimate-looking domains keeps working.
Here is the order that actually holds up:
- Use a subdomain for bulk and marketing mail, something like mail.yourdomain.com, so a rough campaign never touches the reputation your one-to-one business email depends on.
- Publish one SPF record listing only the services that actually send for you. Your email provider, your CRM, nothing else. Every forgotten platform left in that record is an attack surface nobody is watching.
- Turn on DKIM signing inside whatever you send through (Resend, Postmark, and similar providers all support it) and confirm the CNAME records actually resolve. Pasting them into your DNS is not the same as verifying they work.
- Publish a DMARC record starting at a monitor-only policy so you can read real reports before you block anything, then move to quarantine once those reports come back clean, then to reject.
- Set up an inbox to receive the DMARC aggregate reports and actually read it monthly. Nobody checks that inbox, which is exactly how someone can spend three months impersonating your domain before you notice.
This is not exotic infrastructure. It is the same category of work we wired into a working scholar's own platform so his transactional mail and subscriber list ran on infrastructure he owns outright instead of a rented feature; you can see the shape of that build in the John Lantos rebuild. It takes an afternoon. Most businesses never spend it.
How do you fix email deliverability that is already broken?
You cannot flip authentication on and expect full volume to land cleanly the same day. A brand-new sending domain with no history looks almost as suspicious to a mailbox provider as one with a bad history, so the real fix runs in order: authenticate first, then warm the domain deliberately, then keep suppression rules that never get overridden for the sake of one more send.
A dedicated sending domain, warmed on purpose. Start with a few hundred sends a day to your most engaged segment, people who opened something in the last ninety days, and ramp over two to four weeks toward your full list. Early positive signals, opens and clicks with almost no bounces or complaints, are what teach the provider that this new domain is worth trusting. Skip the ramp and send to your whole list on day one, and you teach the provider the opposite lesson before you have said a word.
Suppression rules with no exceptions. Hard bounces come off the list immediately and permanently, not at the end of the month when someone remembers. Anyone who has not opened anything in six to twelve months gets one honest re-engagement attempt, and if that fails, they get suppressed, not kept "just in case." A list carrying that kind of dead weight drags down the trust score attached to every message you send to a subscriber who is actually there. Owning the list only pays off if you also maintain it; that is the operational half of the list is the asset.
A cadence, not a blast. Deliverability rewards senders who show up in a predictable, moderate rhythm and punishes the founder who goes quiet for three months and then fires one enormous campaign at everyone who ever gave an email address. The same discipline that makes automation worth building at all, steady and monitored instead of sporadic, is what we lay out in marketing automation that compounds.
None of this requires exotic tooling. It requires not renting your sender identity from a platform that pools your reputation in with everyone else's, which is the same argument we make about the rest of your stack in escape SaaS hell: the cheap version costs you the one thing you actually needed, control over your own outcome.
The email deliverability checklist
If you want the short version to hand to whoever owns your sending, here it is.
- SPF, DKIM, and DMARC all published and actually passing, not just SPF alone
- A dedicated subdomain for marketing and transactional mail, separate from your primary domain
- Hard bounces suppressed immediately and permanently
- Subscribers unengaged for six to twelve months moved to a win-back sequence, then suppressed
- One-click unsubscribe that works instantly, not after a support ticket
- Spam complaint rate monitored and kept under roughly 0.3 percent
- New sending domains warmed gradually, starting with the most engaged segment first
- DMARC aggregate reports read by an actual person, monthly
Run down that list honestly and most delivery problems resolve themselves inside a month, because almost none of it is about the words in the email.
Own the mail, not just the list
This is the direct companion to the argument in own your acquisition engine: a list you own means nothing if the pipe carrying it to the inbox belongs to someone else's reputation, someone else's shared IP, someone else's decision to cut corners on authentication because their other customers never asked. We wired a 40,000-plus subscriber email and SMS list into an owned, direct channel for CineVita's ticketed event precisely because a rented, opaque path between a brand and its buyers is the same problem in a different channel: you cannot fix, monitor, or trust what you do not control.
The fix is not glamorous and it is not fast. It is authentication published correctly, a domain warmed on purpose, and a suppression list maintained without exceptions. If you want us to audit what is actually happening to your mail right now, not your copy, your subject lines, or your send times, but the infrastructure underneath all of it, book a call and we will tell you exactly which of the three is costing you the inbox.
One email when a new transmission ships. Everything we learn building acquisition systems, nothing else.