---
title: "Why Are My Emails Going to Spam? Authentication-First Fix"
description: "Emails landing in spam? 40.8% of 5.5M scanned domains have no email authentication. Use this authentication-first checklist to get back in the inbox."
publishedAt: 2026-06-04
tags: ["deliverability", "email-authentication", "spam", "dmarc", "sender-reputation"]
faq:
- question: "How do I stop my emails from going to spam?"
answer: "Publish SPF, DKIM, and DMARC with From-header alignment, keep your spam-complaint rate below 0.3%, and clean your list. Authentication is the one lever you fully control; reputation and engagement are earned over time. Source: Google sender guidelines."
- question: "How do I stop my messages from going to spam in Gmail specifically?"
answer: "For Gmail, confirm DMARC alignment passes, set up Google Postmaster Tools to watch your daily spam rate, and stay under the 0.3% complaint line (target below 0.1%). Bulk senders sending 5,000 or more messages a day also need one-click unsubscribe per RFC 8058."
- question: "How do I unspam my email address?"
answer: "You cannot force a provider to trust you; you rebuild reputation. Remove complaining recipients, fix authentication, lower volume, and send only to engaged contacts. For bulk senders (5,000 or more messages a day to personal Gmail), Gmail restores mitigation eligibility once your spam rate stays below 0.3% for 7 consecutive days."
- question: "My authentication is correct — why are my emails still going to spam?"
answer: "Authentication is necessary but not sufficient. With SPF, DKIM, and DMARC passing, the remaining causes are domain reputation, spam complaints, list hygiene, and engagement. Check your complaint rate and list age before changing anything else."
- question: "Why are my emails going to spam in Outlook but not Gmail?"
answer: "Outlook weights reputation and engagement differently and runs its own Exchange Online Protection scoring. Check your SNDS color band and JMRP complaints. Since May 2025, Outlook.com also rejects non-compliant senders of 5,000 or more messages a day with 550 5.7.515."
- question: "Does switching email providers fix emails going to spam?"
answer: "Usually not. Domain reputation follows your domain, not your ESP — moving from SendGrid to Postmark does not reset it. Fix authentication, complaints, and list hygiene on the domain you already send from."
---
# Why Are My Emails Going to Spam? An Authentication-First Fix
You set up SPF, DKIM, and DMARC, and your mail _still_ lands in spam. If you are
a founder-operator sending receipts, password resets, and the occasional update
from your own domain — through Google Workspace or Microsoft 365 plus a relay
like Postmark, Resend, or Mailgun — then **why are my emails going to spam** is
a question with a short list of answers, not a black box.
**Emails go to spam for one of two reasons: a deliverability problem you
_control_ (authentication, alignment, sender reputation) or one the mailbox
provider scores against you (complaints, engagement, content).** This guide
separates the two and routes you to the fix. The levers that actually move
placement are the protocols you control, not the ESP you pick.
Here is what you get: a symptom-to-cause decision table to route yourself in
under 30 seconds, an authentication-first checklist, and the exact
`p=none → p=quarantine → p=reject` progression most guides skip. The fastest
emails-going-to-spam fix is correcting the _right_ thing, not every thing.
That figure is drawn from
[our internet-scale email-authentication research](/research/email-authentication/) —
a scan of 5,499,028 Tranco domains. Before you touch a DNS record, you can
[check your domain's email authentication](/tools/domain-health-check/) — free,
no signup — to see exactly what is published today.
## Start here: a symptom → cause decision table
Before you change anything, match your symptom to its most likely cause. The
fastest path to the inbox is fixing the _right_ thing, not every thing.
| Symptom | Most likely cause | First thing to check | Jump to |
| ---------------------------- | -------------------------------------------- | ---------------------------- | ----------------------------- |
| Gmail-only | Authentication alignment + domain reputation | DMARC alignment in a header | Authentication checklist |
| Outlook-only | Reputation/engagement + SPF–DKIM alignment | SNDS color band | Outlook section |
| Sudden ("we changed nothing")| Reputation drop / complaint-rate spike | Postmaster spam rate | Sudden-change section |
| After switching ESP | Domain reputation carryover | Domain reputation, not IP | Sender reputation |
| New domain / new sender | Warm-up + authentication | Sending-volume ramp | Sender reputation |
| Already have SPF/DKIM/DMARC | Reputation + engagement / list hygiene | Complaint rate + list age | Sender reputation |
One caveat that shapes the whole guide: authentication is necessary but not
sufficient. As Al Iverson of Valimail puts it,
["email authentication doesn't guarantee inbox placement, but it can help"](https://www.spamresource.com/2024/07/email-authentication-impact-on-inbox.html)
(Spam Resource, July 2024). Authentication clears the gate; reputation,
engagement, and list hygiene decide what happens inside. Email deliverability
monitoring is how you keep watching once you are past the gate, and inbox
placement is the metric that actually matters.
## The authentication-first checklist: the protocols you control
Authentication is the one set of inbox signals fully under your control. Publish
SPF, DKIM, and DMARC with From-header alignment, and you clear the hard
requirement at Gmail, Yahoo, and Outlook simultaneously. The symptom table
routes here for most controllable causes, because mailbox-provider reputation is
downstream of authentication health. This is how you stop emails going to spam
at the protocol layer.
### SPF — authorize every sender
SPF (Sender Policy Framework, [RFC 7208](https://www.rfc-editor.org/rfc/rfc7208.html))
publishes the list of servers allowed to send for your domain. Publish a record
that names every relay you use, and watch the 10-DNS-lookup limit defined in
RFC 7208 §4.6.4: too many `include:` mechanisms [produce a PermError](/blog/spf-permerror-fix/) and SPF
stops authorizing anyone. If you stack Google Workspace, your CRM, and a
transactional relay, you can quietly cross it. Check
[your SPF record and its 10-lookup count](/learn/spf/) before you assume it
passes — the [SPF checker](/tools/spf-checker/) counts your live lookups for you.
If you are one of them, the [SPF flattener](/tools/spf-flattener/) collapses your
nested `include:` chains back under the lookup limit and clears the PermError.
### DKIM — sign with your own domain
DKIM (DomainKeys Identified Mail, [RFC 6376](https://www.rfc-editor.org/rfc/rfc6376.html))
attaches a cryptographic signature to every message. Sign with a `d=` value that
matches your From domain so DKIM alignment survives. Sending to personal Gmail
accounts requires a DKIM key of 1024 bits or longer; Google recommends 2048-bit
if your provider supports it (Google Email sender guidelines, 2026). Use a free
checker to [validate your DKIM signature](/tools/dkim-checker/) and confirm the
signing domain lines up with what your recipients see.
### DMARC — and why p=none is not enforcement
DMARC (Domain-based Message Authentication, Reporting & Conformance,
[RFC 9989](https://www.rfc-editor.org/rfc/rfc9989.html)) ties SPF and DKIM
together through alignment: the domain in the From header must match the SPF
domain or the DKIM domain. Only one needs to align. When we built our DMARC
parser, the single most common silent failure we saw was authentication that
_passed_ but did not _align_ — a receipt sent through a relay clears SPF and
DKIM individually, yet DMARC fails because neither authenticated domain matches
the From address. Read more on
[DMARC and why alignment matters](/learn/dmarc/).
Here is the part most guides skip: **`p=none` only monitors. It does not stop
spoofing and does not, on its own, fix placement.** The staged progression is
the work:
- `p=none` — receivers report failures; you watch the aggregate reports.
- `p=quarantine` — receivers route failing mail to spam.
- `p=reject` — receivers block failing mail outright.
SPF and DKIM plus DMARC at `p=quarantine` _is_ what email spoofing protection
looks like in practice. `p=none` is a measurement tool, not protection.
Most domains with DMARC are parked at `p=none`. To be precise about the
requirements: Gmail, Yahoo, and Outlook currently require only `p=none` at
minimum, aligned with SPF or DKIM. Google notes it is "likely" that full
SPF-and-DKIM alignment "will eventually be a sender requirement" and recommends
it, but a stricter policy is _not_ mandated as of mid-2026 (Google Email sender
guidelines, 2026). A monitoring record that you publish and read is the start of
control. An enforcing policy is where control becomes protection.
Publish that, [read the reports](/blog/how-to-read-dmarc-report/) for a week or
two until every legitimate sender aligns, then move to `p=quarantine` and finally
`p=reject`.
## How sender reputation is scored (and the 5 inputs you control)
Sender reputation is a rolling score mailbox providers compute from your sending
history — authentication health, spam-complaint rate, list hygiene, sending
consistency, and engagement. New domains start with no track record and must be
warmed gradually. These five inputs are where your domain reputation and sender
score are actually made.
1. **Spam-complaint rate — the single strongest negative signal.** Gmail and
Yahoo draw the red line at **0.3%**; Gmail's _target_ is below **0.1%**.
Verbatim, Google says: "Keep spam rates reported in Postmaster Tools below
0.10% and avoid ever reaching a spam rate of 0.30% or higher"
([Google Email sender guidelines, 2026](https://support.google.com/a/answer/81126?hl=en)).
Postmark's practical threshold is the same shape:
"If your complaint rate exceeds 0.1% (1 complaint per 1,000 emails), you will
likely see a drop in deliverability"
([Postmark support, 2026](https://postmarkapp.com/support/article/why-is-my-email-going-to-the-spam-folder)).
2. **Authentication health.** Covered above — reputation is built partly on
consistent SPF, DKIM, and DMARC results over time.
3. **List hygiene and spam traps.** Pristine traps (addresses that never had a
real user) signal scraped or purchased lists and can trigger blocklisting;
recycled traps (abandoned addresses turned into traps) erode reputation over
time. Double opt-in and routine list cleaning are the founder-operator's most
skipped steps.
4. **Sending consistency and volume.** "Immediately doubling previously sent
volumes suddenly could result in rate limiting or reputation drops" (Google
Email sender guidelines, 2026). New domains need a gradual warm-up — no
dormant periods followed by a blast.
5. **Engagement.** Sending to people who never open lowers reputation, but
correct a common myth here: Google does _not_ track open rates and "can't
verify the accuracy of open rates reported by third parties." Deletes-without-open
are weighted internally and not exposed as a metric (Google Email sender
guidelines, 2026).
**Domain reputation follows you.** If your mail started landing in spam right
after you switched ESP, switching again will not help — reputation attaches to
the domain you send from, not the relay. Valimail's framing is the durable one:
your domain reputation follows you. The fix is on the domain: authentication,
complaints, and list hygiene.
Authenticated, technically valid mail that recipients did not really want —
"graymail" — still draws "Report spam" clicks. Those complaints feed the same
spam-rate metric that governs placement, which is why list hygiene matters even
when every protocol passes.
If you suspect a blocklist is involved, you can
[see if your domain is on a blocklist](/tools/blacklist-check/) in seconds — a
listing tells you exactly which abuse category got you flagged. As Laura Atkins
of Word to the Wise put it, "getting the technical right is necessary for good
inbox delivery, but it's not sufficient"
([Word to the Wise, May 2016](https://www.wordtothewise.com/2016/05/necessary-but-not-sufficient/))
— the framing predates the bulk-sender mandates but holds up exactly.
## Why Gmail flags your emails as spam (and the 0.3% complaint line)
Gmail folds mail to spam when your authentication fails alignment, your domain
reputation is weak, or your user-reported spam rate approaches 0.3%. Since
November 2025, Gmail also rejects non-compliant bulk mail outright with 4xx and
5xx SMTP codes rather than only foldering it. So if Gmail is the only provider
foldering you, start with alignment and your daily spam rate.
For bulk senders — those sending about 5,000 or more messages a day to personal
Gmail accounts (Google Workspace recipients are excluded) — the
[requirements](/tools/gmail-yahoo-bulk-sender/) are: SPF and DKIM both set up,
DMARC at minimum `p=none` with alignment, one-click unsubscribe on marketing
mail, and a spam rate below 0.3%. These took effect February 1, 2024, with the
enforcement ramp beginning November 2025. (Full breakdown of the
[Gmail and Yahoo bulk-sender requirements](/blog/google-yahoo-dmarc-requirements/).)
To prevent emails from going to spam in Gmail at bulk volume, one-click
unsubscribe ([RFC 8058](https://www.rfc-editor.org/rfc/rfc8058.html)) is the
header pair receivers look for:
Transactional messages — password resets, reservation confirmations, form-submission
receipts — are explicitly exempt from the one-click mandate (Google
Email sender guidelines, 2026), which is directly relevant if your mail is
mostly receipts. They are still subject to the spam-rate rules.
Watch all of this in **Google Postmaster Tools**: read the Compliance status and
your daily spam rate. Note that the old High/Medium/Low/Bad reputation
dashboards were retired with the v1 interface in late 2025; Postmaster Tools v2
uses a binary Pass/Fail compliance model, so any guide telling you to "check
your Gmail reputation tier" is citing a deprecated screen. Set up Postmaster
Tools and read it daily. For the authoritative requirements, see
[Google's Email sender guidelines](https://support.google.com/a/answer/81126).
## Why are my emails going to spam in Outlook?
Outlook junks mail mainly on reputation and engagement, then on SPF/DKIM
alignment. Since May 5, 2025, Outlook.com also _rejects_ non-compliant senders
of 5,000 or more messages a day with
[`550 5.7.515 Access denied`](/tools/microsoft-550-diagnostic/). If your mail
hits the Outlook spam folder but not Gmail, the gap is usually reputation and
engagement, not a DNS typo.
The May 2025 enforcement covers Microsoft's consumer service — outlook.com,
hotmail.com, and live.com — and Microsoft 365 business tenants are not yet in
scope (Microsoft Tech Community, 2025). State that precisely; there is no
verified 2026 escalation to assert. For the full Outlook/Microsoft 365
enforcement timeline, see
[our breakdown of Microsoft's DMARC enforcement](/blog/microsoft-dmarc-enforcement/).
For monitoring, **Microsoft SNDS** (Smart Network Data Services) publishes a
filter-result color band per sending IP: Green is spam below 10%, Yellow is
between 10% and 90%, Red is above 90%. Microsoft also names a complaint-rate
"good bar": more than 30% of IPs sending to Outlook.com keep their complaint
rate below 0.3%, "and this represents a good bar to shoot for." Pair SNDS with
**JMRP** (Junk Mail Reporting Program), Microsoft's feedback loop that forwards
you a copy when a consumer recipient marks your mail as junk, so you can suppress
that recipient.
Engagement carries real weight here. Even technically perfect senders can still
face Junk placement if engagement stays weak — Outlook's scoring reads
deleted-without-reading as a negative signal. Set up SNDS and JMRP, then watch
the band. For the official requirements, see Microsoft's
["Strengthening Email Ecosystem" announcement](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/strengthening-email-ecosystem-outlook%E2%80%99s-new-requirements-for-high%E2%80%90volume-senders/4399730)
## Why your emails suddenly started landing in spam
A "we changed nothing and mail suddenly went to spam" pattern almost always
means a reputation drop or a complaint-rate spike — not a DNS change. Check your
spam rate first, then recent sending-volume changes. This is the most common
reason mail starts foldering all of a sudden.
Three changes flip the switch:
1. **A complaint-rate spike** that crosses the provider's 0.3% line.
2. **A sending-volume jump or a new sending source** that reads as suspicious.
3. **A provider enforcement change** — Gmail's November 2025 ramp, Outlook's May
2025 rejection — catching non-compliance that was previously tolerated.
The frustration is real and common. One operator described it exactly: "As of a
week ago our emails to customers have started going to their junk/spam boxes…
We have changed nothing that we are doing… our IP address is not on any
blacklists. We really don't know what has suddenly changed"
([Microsoft Q&A thread, June 2023](https://learn.microsoft.com/en-us/answers/questions/4589218/why-are-our-outgoing-emails-going-into-spam-junk-f?forum=outlook_com-all)).
The IP was clean — which points straight at domain
reputation and complaints, the signals an IP check never shows.
**If you are a founder-operator sending from your own domain**, the often-skipped
steps when your business mail starts foldering are list hygiene and
sending consistency — not another ESP switch. Confirm your DMARC alignment with
a [free DMARC record check](/tools/dmarc-checker/), then audit who you have been
mailing and how often.
## Beyond the checklist: forwarding, encryption-in-transit, and BIMI
These are power-user concerns once the core checklist is done — complexity is
optional. They are worth knowing because they explain a few stubborn cases the
checklist alone does not.
**ARC for forwarding** ([RFC 8617](https://www.rfc-editor.org/rfc/rfc8617.html)):
forwarding breaks SPF and often DKIM, which sends legitimate mail to spam.
ARC (Authenticated Received Chain) preserves the original authentication verdict
across hops so the final receiver can see the mail passed before it was
forwarded. See [how ARC preserves authentication](/learn/arc/), or
[fix forwarding that breaks DMARC](/blog/dmarc-forwarding-arc-fix/) for the
applied playbook.
**MTA-STS and TLS-RPT** ([RFC 8461](https://www.rfc-editor.org/rfc/rfc8461.html)
and [RFC 8460](https://www.rfc-editor.org/rfc/rfc8460.html)): these enforce and
report on encryption-in-transit for SMTP. Niche, but on-brand for a careful
sender.
**BIMI** is a downstream trust signal — your logo in the inbox — that only
becomes available once DMARC enforcement is in place. It is a reward for getting
the protocols right, not a placement fix on its own.
## Frequently asked questions
### How do I stop my emails from going to spam?
Publish SPF, DKIM, and DMARC with From-header alignment, keep your spam-complaint
rate below 0.3%, and clean your list. Authentication is the one lever you fully
control; reputation and engagement are earned over time. Source: Google sender
guidelines.
### How do I stop my messages from going to spam in Gmail specifically?
For Gmail, confirm DMARC alignment passes, set up Google Postmaster Tools to
watch your daily spam rate, and stay under the 0.3% complaint line (target below
0.1%). Bulk senders sending 5,000 or more messages a day also need one-click
unsubscribe per RFC 8058.
### How do I unspam my email address?
You cannot force a provider to trust you; you rebuild reputation. Remove
complaining recipients, fix authentication, lower volume, and send only to
engaged contacts. For bulk senders (5,000 or more messages a day to personal
Gmail), Gmail restores mitigation eligibility once your spam rate stays below
0.3% for 7 consecutive days.
### My authentication is correct — why are my emails still going to spam?
Authentication is necessary but not sufficient. With SPF, DKIM, and DMARC
passing, the remaining causes are domain reputation, spam complaints, list
hygiene, and engagement. Check your complaint rate and list age before changing
anything else.
### Why are my emails going to spam in Outlook but not Gmail?
Outlook weights reputation and engagement differently and runs its own Exchange
Online Protection scoring. Check your SNDS color band and JMRP complaints. Since
May 2025, Outlook.com also rejects non-compliant senders of 5,000 or more
messages a day with 550 5.7.515.
### Does switching email providers fix emails going to spam?
Usually not. Domain reputation follows your domain, not your ESP — moving from
SendGrid to Postmark does not reset it. Fix authentication, complaints, and list
hygiene on the domain you already send from.
## Putting it together
The answer to _why are my emails going to spam_ is almost always a controllable
signal, not a black box. Work it in this order:
- Match your symptom to its cause before you change anything.
- Fix the protocols you control — SPF, DKIM, and DMARC with From-header
alignment.
- Move past `p=none` to enforcement; monitoring is not protection.
- Guard your spam-complaint rate below 0.3%.
- Remember reputation follows the domain, not the ESP.
Once you have fixed it, the next job is to keep watching — a clean configuration
drifts the moment a new sender or a volume spike shows up.
{/* TODO: link /blog/email-deliverability-monitoring/ once live (publishes 2026-06-22) */}