inboxes.
← Blog Deep dive July 2026 · 14 min read

How the Gmail Spam Filter Works in 2026: Signals, Thresholds, and What You Control

The Gmail spam filter is a machine-learning system that scores every incoming message against five families of signals: authentication (SPF, DKIM, DMARC), the sender's domain and IP reputation, recipient engagement history, direct user feedback ("Report spam" and "Not spam"), and message content. Since 2024 those models sit behind a set of hard, published rules for bulk senders, and since November 2025 Google enforces the authentication rules with outright SMTP rejections rather than spam foldering.

Understanding the filter matters because Gmail handles mail for well over 1.8 billion accounts plus millions of Google Workspace domains, and Google has stated its protections block more than 99.9% of spam, phishing, and malware. For most senders, Gmail is 40-60% of a consumer list. If you get Gmail wrong, no amount of success elsewhere compensates. This deep dive covers the signals the filter reads, how per-user personalization works, the published bulk sender rules with their exact thresholds and dates, and, importantly, what you can and cannot control.

The five signal families the Gmail spam filter reads

1. Authentication: the gate before the scoring

Before content is evaluated, Gmail checks SPF, DKIM, and DMARC. Authentication is not a ranking bonus; it is identity. An unauthenticated message cannot be attributed to a domain, so it cannot carry that domain's reputation, and since the 2024 requirements it increasingly cannot be delivered at all. Gmail's documentation is explicit that messages failing authentication are likely to be rejected or marked as spam, and that senders must pass DMARC alignment: the domain in the visible From header must match the domain validated by SPF or DKIM. If authentication is new territory, start with our plain-language email authentication explainer.

2. Domain and IP reputation

Gmail maintains separate reputation scores for your sending domain and your sending IP, built from your historical behavior: spam-rate history, spam-trap hits, bounce patterns, authentication consistency, and how users have treated your mail over months. Google exposes a simplified four-level version (Bad, Low, Medium, High) in Postmaster Tools. Domain reputation increasingly outweighs IP reputation, which is why switching ESPs rarely resets a bad reputation: the domain follows you. Continuous sender reputation monitoring is the only way to see the trend rather than a single point.

3. Engagement signals

Gmail watches what recipients do with your mail: open it, reply to it, forward it, star it, move it between tabs, delete it without reading, or ignore it entirely. Positive interactions push future mail toward the inbox; a long pattern of deletions and silence pushes it away. This is why "emailing your whole list to look active" backfires: mailing disengaged people generates precisely the negative engagement the model penalizes. Note that opens themselves became less reliable as a metric after Apple Mail Privacy Protection (2021) began prefetching images, but Gmail measures behavior inside its own clients, so it sees engagement your ESP cannot.

4. User feedback: the strongest vote

Every "Report spam" click is an explicit human label, and Gmail treats it as the highest-quality training signal it has. "Not spam" rescues are the mirror image and are disproportionately powerful for recovery. This feedback is aggregated into your user-reported spam rate, the single metric with a published hard threshold (more on 0.3% below).

5. Content and structure

Content is the tiebreaker, not the headline act. Gmail's models evaluate the rendered message: text-to-image balance, link destinations and their reputations, hidden text, obfuscation tricks, malformed HTML, and similarity to known spam and phishing campaigns. In 2024 Google described upgrades to its text classifiers (the RETVec work) that made lookalike-character and adversarial-text tricks dramatically less effective. Clean, honest templates rarely trip content scoring on their own; content problems usually amplify an existing reputation problem.

Per-user personalization: why the same email lands differently

Gmail's filter is personalized. The same message from the same sender can inbox for one recipient and go to spam for another, because each user's history with you (and with mail like yours) is part of the score. Someone who has replied to you has effectively whitelisted you; someone who deleted your last ten sends unread has been teaching the filter the opposite. Users also personalize explicitly: filters, blocks, "always allow" decisions, and tab preferences all override global scoring for that mailbox.

This has a practical consequence worth being honest about: no seed test can tell you your exact inbox rate, because seed mailboxes have their own (neutral) history, not your subscribers' history. Placement tests, including the inbox placement tests we run, are directional: excellent at catching authentication failures, blacklist-driven filtering, and template problems, and honest about being an estimate of the recipient-level reality. Distrust anyone who sells "guaranteed Gmail inboxing"; Gmail's own architecture makes that promise impossible to keep.

The Gmail bulk sender requirements: February 2024 and after

In October 2023 Google (jointly with Yahoo) announced new requirements for senders, effective February 2024. They apply in full to bulk senders, defined as anyone sending 5,000 or more messages per day to Gmail accounts, measured per primary From domain and counted on any single day, and the status is permanent once triggered.

Requirement All senders Bulk senders (5,000+/day)
SPF or DKIMRequiredBoth SPF and DKIM required
DMARC recordRecommendedRequired (p=none minimum)
From-domain alignmentRecommendedRequired (must pass DMARC alignment)
One-click unsubscribe (RFC 8058)N/A for pure transactionalRequired for marketing mail, honored within 2 days
User-reported spam rateKeep under 0.3%Under 0.3% hard ceiling, under 0.1% target
Valid forward and reverse DNS (PTR)RequiredRequired
TLS for transmissionRequiredRequired

The rollout was staged: temporary errors on non-compliant traffic began in April 2024, rejection of a percentage of non-compliant traffic followed, and one-click unsubscribe enforcement started June 1, 2024.

November 2025: from spam folder to hard SMTP rejection

Through 2024 and much of 2025, a sender who ignored the rules mostly saw degraded placement and intermittent temporary failures. In November 2025 Google tightened enforcement to hard SMTP rejections for non-compliant bulk mail: instead of accepting the message and filing it to spam, Gmail refuses it at the connection with a permanent 5xx error referencing the sender guidelines (the 550 5.7.26 family of rejections for unauthenticated mail). The practical difference is stark. Spam-foldered mail is at least measurable and recoverable; rejected mail simply never arrives, and you find out from your ESP's bounce logs, not from your open rates.

If you see rejection strings mentioning authentication or the sender guidelines in your logs, treat it as a fire alarm: verify SPF and DKIM pass, confirm your DMARC record exists and aligns, and fix it the same day.

What senders control vs what they do not

Fully in your control

  • Authentication: SPF, DKIM (2048-bit keys), DMARC, and alignment. Binary, checkable, fixable in a day.
  • One-click unsubscribe headers and fast suppression.
  • List quality: opt-in standards, bounce handling, sunsetting the disengaged.
  • Volume patterns: consistent daily sending instead of spikes.
  • Content honesty: accurate From names, subjects, and links.

Influenced but not controlled

  • Domain and IP reputation: your behavior feeds it, but the score is Google's and it moves on Google's multi-week timetable.
  • Engagement: you can earn it with relevance and cadence, but you cannot manufacture it. Bot-generated opens from warmup networks are engagement fraud, and Google's models are specifically trained to discount coordinated fake interactions.

Not in your control at all

  • Per-user history and personal filters.
  • The model weights themselves, which Google updates continuously without notice.
  • Tab classification (Primary vs Promotions), which is a routing decision Gmail makes for engaged users; a promotional email landing in Promotions is the system working as designed, not a deliverability failure.

Google Postmaster Tools: the filter's own dashboard

Postmaster Tools (postmaster.google.com) is Google's data feed to senders, and it is the ground truth for Gmail specifically. After verifying your domain with a DNS record, you get: user-reported spam rate (the metric with the 0.3% ceiling), domain and IP reputation (Bad/Low/Medium/High), authentication success rates for SPF, DKIM, and DMARC, encryption rates, and delivery errors. Postmaster Tools v2, rolled out alongside the 2024 requirements, added a compliance dashboard showing your status against each bulk-sender rule directly.

Its limits: data only appears above minimum volume thresholds, it covers Gmail only, and reputation is shown as four coarse buckets with no explanation of movement. That is why serious senders pair it with cross-provider placement data and blacklist and DMARC monitoring; a broader comparison lives in our roundup of email deliverability tools.

What this means in practice

The Gmail filter rewards exactly one long-term strategy: authenticate everything, send wanted mail to people who opted in, keep complaints under 0.1%, and keep your patterns boring and predictable. Everything else, template tuning, send-time tricks, subject-line folklore, operates at the margins. And the boundary is worth restating: Gmail's spam filtering is probabilistic, personalized, and updated constantly, so any specific placement outcome is an estimate. We build diagnostics and ranked fixes, not warmup bots, not spam-folder rescues, and not guarantees, because guarantees about Gmail are not honest.

To see how Gmail is treating your mail right now, alongside Outlook, Yahoo, iCloud, GMX, and Zoho, run a placement test with Inboxes. Each test ends with your authentication results, per-provider placement, and a fix list ranked by impact.