inboxes.
← Blog How-to July 2026 · 11 min read

How to Stop Emails Going to Spam: a 12-Step Checklist That Actually Works

To stop emails going to spam, fix things in this order: authenticate your domain with SPF, DKIM, and DMARC; get off any blacklists; add one-click unsubscribe; clean your list; then stabilize your sending patterns and content. The checklist below covers all twelve steps, and every step ends with a specific way to verify it worked, because "I changed a DNS record" and "the fix is live and passing" are two very different states.

Work through the steps in sequence. The first five fix the failures that cause most spam foldering in 2026; the rest harden your sending so the problem does not come back. Budget a focused day for steps 1-6 and two to six weeks for the reputation effects to show up, because mailbox providers move reputation on a multi-week timetable, not a same-day one.

The 12-step checklist at a glance

# Step Layer Effort
1Publish and pass SPFAuthentication30 min
2Enable DKIM with a 2048-bit keyAuthentication30 min
3Publish DMARC and fix alignmentAuthentication1 hour
4Check and clear blacklistsReputation1 hour + wait
5Add one-click unsubscribeCompliance1 hour
6Purge and verify your listList hygieneHalf a day
7Sunset the disengagedList hygiene1 hour + policy
8Get complaints under 0.1%ReputationOngoing
9Flatten volume spikesSending patternsPolicy change
10Fix template and content flagsContent2 hours
11Separate mail streamsArchitectureHalf a day
12Monitor continuouslyOperations15 min/week

Steps 1-3: authentication first, always

Step 1: publish and pass SPF

Publish a single SPF TXT record on your From domain listing every service that sends for you, ending in ~all or -all. Exactly one record: two SPF records is a permanent error, and more than 10 DNS lookups inside the record is too. Since February 2024, Google and Yahoo require SPF or DKIM from every sender and both from bulk senders (5,000+ messages per day).

Verify it worked: run your domain through an SPF checker, then send a real message from your ESP to a Gmail account and confirm spf=pass in the Authentication-Results header (Show original).

Step 2: enable DKIM with a 2048-bit key

Turn on DKIM signing in your ESP or mail server and publish the public key it gives you as a DNS record. Choose 2048-bit keys where offered; 1024 is the minimum providers accept, not the recommendation. Sign with your own domain, not the ESP's shared domain, or you will fail alignment in step 3.

Verify it worked: a DKIM checker against your selector, plus dkim=pass header.d=yourdomain.com in a real message's headers. The header.d value matters: it must be your domain.

Step 3: publish DMARC and fix alignment

Publish _dmarc.yourdomain.com with at least v=DMARC1; p=none; rua=mailto:[email protected]. DMARC only passes when SPF or DKIM passes and the passing domain aligns with your visible From domain. Start at p=none to observe, then move to quarantine and reject once reports show legitimate mail passing; the full progression is covered in our SPF, DKIM, DMARC guide.

Verify it worked: dmarc=pass in live headers, and within a few days your first aggregate (RUA) reports arriving. Parsed DMARC monitoring turns those XML reports into a pass-rate you can actually read; target 98%+ on mail you send.

Steps 4-5: clear the blocks, respect the exit

Step 4: check and clear blacklists

Check your sending domain and IPs against the major DNS blocklists. Spamhaus, SpamCop, and Barracuda are the ones that measurably affect delivery at scale. If listed, read the listing reason, fix the cause (usually stale data or a compromised form), and file the delisting request. Legitimate lists delist at no charge once the cause is fixed; typical turnaround is 24 hours to a week.

Verify it worked: re-run a blacklist check 48 hours after the delisting request and weekly thereafter. Cleared means absent from the list, not just "request submitted".

Step 5: add one-click unsubscribe

Add RFC 8058 one-click unsubscribe: both List-Unsubscribe and List-Unsubscribe-Post: List-Unsubscribe=One-Click headers. Gmail and Yahoo have required this for bulk marketing senders since 2024 (Gmail enforcement from June 1, 2024), and unsubscribes must be honored within 2 days. Every person who cannot find the exit clicks "Report spam" instead, and that click costs you far more than the subscriber.

Verify it worked: send yourself a campaign at Gmail and confirm the native "Unsubscribe" link appears next to the sender name; click it and confirm your ESP suppresses the address within 48 hours.

Steps 6-8: the list is the reputation

Step 6: purge and verify your list

Remove every address that has hard bounced, everything role-based you never got explicit consent from (info@, admin@), and anything imported from a source you cannot document. Run new signups through verification at capture time. Lists decay 20-30% per year; a list untouched for two years is roughly half dead, and the dead half includes recycled spam traps.

Verify it worked: your next send's hard bounce rate. Under 2% is acceptable; under 0.5% is healthy.

Step 7: sunset the disengaged

Stop mailing anyone with zero opens or clicks in the past 6-12 months (pick the window based on your cadence). Send one honest re-permission message first if you like, then suppress. Shrinking your list this way almost always raises revenue per send, because providers start inboxing the mail your engaged readers actually see.

Verify it worked: open and click rates rise within 2-3 sends, and Gmail Postmaster Tools domain reputation trends upward over 3-6 weeks.

Step 8: get complaints under 0.1%

Google's published thresholds: stay under 0.3% user-reported spam rate at all costs, and target under 0.1%. If you are above, the usual causes are mailing stale segments, misleading subject lines, or frequency nobody agreed to. Fix the cause, not the symptom.

Verify it worked: the spam-rate graph in Postmaster Tools, checked weekly, below 0.1% for four consecutive weeks.

Steps 9-11: patterns, content, architecture

Step 9: flatten volume spikes

Send consistent daily volumes. When scaling, increase gradually, on the order of doubling every few days, rather than jumping 10x in one send, and ramp new domains and IPs with your most engaged recipients first. A note on honesty: this is real ramping with real mail. Warmup networks that fake opens and replies violate provider policies, and Google and Microsoft have been actively dismantling them; we do not offer one and recommend you avoid them.

Verify it worked: deferral (4xx) rates in your ESP logs return to near zero during and after the ramp.

Step 10: fix template and content flags

Keep a reasonable text-to-image balance, avoid link shorteners, make link text match destinations, keep the HTML under Gmail's 102 KB clipping limit, and include a plain-text part. Test the actual rendered campaign, not a lorem-ipsum draft.

Verify it worked: run the real message through a mail tester before each send and confirm no content flags remain; then confirm placement did not regress with a seed test.

Step 11: separate your mail streams

Send marketing and transactional mail from different subdomains (for example news.example.com and tx.example.com), each with its own authentication. Reputation accrues per domain, so a rough newsletter month stops dragging your receipts and password resets into spam. Keep the root domain for person-to-person mail.

Verify it worked: Postmaster Tools shows separate reputation lines per subdomain, and transactional placement holds steady even when marketing metrics dip.

Step 12: monitor continuously instead of firefighting

Deliverability failures are cheap to catch early and expensive to catch late. A weekly 15-minute routine covers it: spam rate and reputation in Postmaster Tools, blacklist status, DMARC pass rate, and a placement test across the providers your audience uses. Automating those four checks is exactly what a monitoring platform is for.

Verify it worked: the honest test is time-to-detection. When something breaks, a rotated DKIM key, a new blacklist listing, you should know from an alert within a day, not from a revenue chart three weeks later.

How long until mail stops going to spam?

Set expectations by layer, because they recover at very different speeds. Authentication fixes (steps 1-3) take effect as soon as DNS propagates, usually within hours, and the November 2025 Gmail rejections for unauthenticated mail stop immediately once records pass. Blacklist delistings (step 4) typically clear filtering within 24-72 hours of removal. Compliance and content fixes (steps 5 and 10) affect the very next campaign. Reputation and engagement damage (steps 6-9) is the slow one: Google's own documentation describes reputation change as a matter of weeks, and in practice a domain that spent months at a Low reputation needs 4-8 weeks of clean, consistent sending to climb back. If placement has not started improving after two weeks of verified fixes, re-run the diagnosis from step 1; the usual culprit is a fix that was deployed but never actually verified, like a DKIM record published on the wrong selector.

What this checklist will not do

A boundary, stated plainly: these steps make legitimate mail deliverable; they do not make unwanted mail wanted. If a list was scraped or purchased, no checklist rescues it, and we would rather say so than sell you a workaround. Placement tests along the way are directional estimates too. Gmail personalizes filtering per recipient, so no test, ours included, can promise an exact inbox rate, and nobody can guarantee placement.

When you have worked through the steps, measure the result: run a placement test with Inboxes across Gmail, Outlook, Yahoo, iCloud, GMX, and Zoho. You will see where your mail lands now, and the ranked fix list tells you which remaining step buys the most improvement.