Why Are My Emails Going to Spam? An Authentication-First Fix

You set up SPF, DKIM, and DMARC, and your mail still lands in spam. If you are a founder-operator sending receipts, password resets, and the occasional update from your own domain — through Google Workspace or Microsoft 365 plus a relay like Postmark, Resend, or Mailgun — then why are my emails going to spam is a question with a short list of answers, not a black box.

Emails go to spam for one of two reasons: a deliverability problem you control (authentication, alignment, sender reputation) or one the mailbox provider scores against you (complaints, engagement, content). This guide separates the two and routes you to the fix. The levers that actually move placement are the protocols you control, not the ESP you pick.

Here is what you get: a symptom-to-cause decision table to route yourself in under 30 seconds, an authentication-first checklist, and the exact p=none → p=quarantine → p=reject progression most guides skip. The fastest emails-going-to-spam fix is correcting the right thing, not every thing.

That figure is drawn from our internet-scale email-authentication research — a scan of 5,499,028 Tranco domains. Before you touch a DNS record, you can check your domain’s email authentication — free, no signup — to see exactly what is published today.

Start here: a symptom → cause decision table

Before you change anything, match your symptom to its most likely cause. The fastest path to the inbox is fixing the right thing, not every thing.

One caveat that shapes the whole guide: authentication is necessary but not sufficient. As Al Iverson of Valimail puts it, “email authentication doesn’t guarantee inbox placement, but it can help” (Spam Resource, July 2024). Authentication clears the gate; reputation, engagement, and list hygiene decide what happens inside. Email deliverability monitoring is how you keep watching once you are past the gate, and inbox placement is the metric that actually matters.

The authentication-first checklist: the protocols you control

Authentication is the one set of inbox signals fully under your control. Publish SPF, DKIM, and DMARC with From-header alignment, and you clear the hard requirement at Gmail, Yahoo, and Outlook simultaneously. The symptom table routes here for most controllable causes, because mailbox-provider reputation is downstream of authentication health. This is how you stop emails going to spam at the protocol layer.

SPF — authorize every sender

SPF (Sender Policy Framework, RFC 7208) publishes the list of servers allowed to send for your domain. Publish a record that names every relay you use, and watch the 10-DNS-lookup limit defined in RFC 7208 §4.6.4: too many include: mechanisms produce a PermError and SPF stops authorizing anyone. If you stack Google Workspace, your CRM, and a transactional relay, you can quietly cross it. Check your SPF record and its 10-lookup count before you assume it passes — the SPF checker counts your live lookups for you.

If you are one of them, the SPF flattener collapses your nested include: chains back under the lookup limit and clears the PermError.

DKIM — sign with your own domain

DKIM (DomainKeys Identified Mail, RFC 6376) attaches a cryptographic signature to every message. Sign with a d= value that matches your From domain so DKIM alignment survives. Sending to personal Gmail accounts requires a DKIM key of 1024 bits or longer; Google recommends 2048-bit if your provider supports it (Google Email sender guidelines, 2026). Use a free checker to validate your DKIM signature and confirm the signing domain lines up with what your recipients see.

DMARC — and why p=none is not enforcement

DMARC (Domain-based Message Authentication, Reporting & Conformance, RFC 9989) ties SPF and DKIM together through alignment: the domain in the From header must match the SPF domain or the DKIM domain. Only one needs to align. When we built our DMARC parser, the single most common silent failure we saw was authentication that passed but did not align — a receipt sent through a relay clears SPF and DKIM individually, yet DMARC fails because neither authenticated domain matches the From address. Read more on DMARC and why alignment matters.

Here is the part most guides skip: p=none only monitors. It does not stop spoofing and does not, on its own, fix placement. The staged progression is the work:

• p=none — receivers report failures; you watch the aggregate reports.
• p=quarantine — receivers route failing mail to spam.
• p=reject — receivers block failing mail outright.

SPF and DKIM plus DMARC at p=quarantine is what email spoofing protection looks like in practice. p=none is a measurement tool, not protection.

Most domains with DMARC are parked at p=none. To be precise about the requirements: Gmail, Yahoo, and Outlook currently require only p=none at minimum, aligned with SPF or DKIM. Google notes it is “likely” that full SPF-and-DKIM alignment “will eventually be a sender requirement” and recommends it, but a stricter policy is not mandated as of mid-2026 (Google Email sender guidelines, 2026). A monitoring record that you publish and read is the start of control. An enforcing policy is where control becomes protection.

v=DMARC1; p=none; rua=mailto:[email protected]

Publish that, read the reports for a week or two until every legitimate sender aligns, then move to p=quarantine and finally p=reject.

How sender reputation is scored (and the 5 inputs you control)

Sender reputation is a rolling score mailbox providers compute from your sending history — authentication health, spam-complaint rate, list hygiene, sending consistency, and engagement. New domains start with no track record and must be warmed gradually. These five inputs are where your domain reputation and sender score are actually made.

1. Spam-complaint rate — the single strongest negative signal. Gmail and Yahoo draw the red line at 0.3%; Gmail’s target is below 0.1%. Verbatim, Google says: “Keep spam rates reported in Postmaster Tools below 0.10% and avoid ever reaching a spam rate of 0.30% or higher” (Google Email sender guidelines, 2026). Postmark’s practical threshold is the same shape: “If your complaint rate exceeds 0.1% (1 complaint per 1,000 emails), you will likely see a drop in deliverability” (Postmark support, 2026).
2. Authentication health. Covered above — reputation is built partly on consistent SPF, DKIM, and DMARC results over time.
3. List hygiene and spam traps. Pristine traps (addresses that never had a real user) signal scraped or purchased lists and can trigger blocklisting; recycled traps (abandoned addresses turned into traps) erode reputation over time. Double opt-in and routine list cleaning are the founder-operator’s most skipped steps.
4. Sending consistency and volume. “Immediately doubling previously sent volumes suddenly could result in rate limiting or reputation drops” (Google Email sender guidelines, 2026). New domains need a gradual warm-up — no dormant periods followed by a blast.
5. Engagement. Sending to people who never open lowers reputation, but correct a common myth here: Google does not track open rates and “can’t verify the accuracy of open rates reported by third parties.” Deletes-without-open are weighted internally and not exposed as a metric (Google Email sender guidelines, 2026).

Domain reputation follows you. If your mail started landing in spam right after you switched ESP, switching again will not help — reputation attaches to the domain you send from, not the relay. Valimail’s framing is the durable one: your domain reputation follows you. The fix is on the domain: authentication, complaints, and list hygiene.

If you suspect a blocklist is involved, you can see if your domain is on a blocklist in seconds — a listing tells you exactly which abuse category got you flagged. As Laura Atkins of Word to the Wise put it, “getting the technical right is necessary for good inbox delivery, but it’s not sufficient” (Word to the Wise, May 2016) — the framing predates the bulk-sender mandates but holds up exactly.

Why Gmail flags your emails as spam (and the 0.3% complaint line)

Gmail folds mail to spam when your authentication fails alignment, your domain reputation is weak, or your user-reported spam rate approaches 0.3%. Since November 2025, Gmail also rejects non-compliant bulk mail outright with 4xx and 5xx SMTP codes rather than only foldering it. So if Gmail is the only provider foldering you, start with alignment and your daily spam rate.

For bulk senders — those sending about 5,000 or more messages a day to personal Gmail accounts (Google Workspace recipients are excluded) — the requirements are: SPF and DKIM both set up, DMARC at minimum p=none with alignment, one-click unsubscribe on marketing mail, and a spam rate below 0.3%. These took effect February 1, 2024, with the enforcement ramp beginning November 2025. (Full breakdown of the Gmail and Yahoo bulk-sender requirements.)

To prevent emails from going to spam in Gmail at bulk volume, one-click unsubscribe (RFC 8058) is the header pair receivers look for:

List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://example.com/unsubscribe?id=abc123>

Transactional messages — password resets, reservation confirmations, form-submission receipts — are explicitly exempt from the one-click mandate (Google Email sender guidelines, 2026), which is directly relevant if your mail is mostly receipts. They are still subject to the spam-rate rules.

Watch all of this in Google Postmaster Tools: read the Compliance status and your daily spam rate. Note that the old High/Medium/Low/Bad reputation dashboards were retired with the v1 interface in late 2025; Postmaster Tools v2 uses a binary Pass/Fail compliance model, so any guide telling you to “check your Gmail reputation tier” is citing a deprecated screen. Set up Postmaster Tools and read it daily. For the authoritative requirements, see Google’s Email sender guidelines.

Why are my emails going to spam in Outlook?

Outlook junks mail mainly on reputation and engagement, then on SPF/DKIM alignment. Since May 5, 2025, Outlook.com also rejects non-compliant senders of 5,000 or more messages a day with 550 5.7.515 Access denied. If your mail hits the Outlook spam folder but not Gmail, the gap is usually reputation and engagement, not a DNS typo.

The May 2025 enforcement covers Microsoft’s consumer service — outlook.com, hotmail.com, and live.com — and Microsoft 365 business tenants are not yet in scope (Microsoft Tech Community, 2025). State that precisely; there is no verified 2026 escalation to assert. For the full Outlook/Microsoft 365 enforcement timeline, see our breakdown of Microsoft’s DMARC enforcement.

For monitoring, Microsoft SNDS (Smart Network Data Services) publishes a filter-result color band per sending IP: Green is spam below 10%, Yellow is between 10% and 90%, Red is above 90%. Microsoft also names a complaint-rate “good bar”: more than 30% of IPs sending to Outlook.com keep their complaint rate below 0.3%, “and this represents a good bar to shoot for.” Pair SNDS with JMRP (Junk Mail Reporting Program), Microsoft’s feedback loop that forwards you a copy when a consumer recipient marks your mail as junk, so you can suppress that recipient.

Engagement carries real weight here. Even technically perfect senders can still face Junk placement if engagement stays weak — Outlook’s scoring reads deleted-without-reading as a negative signal. Set up SNDS and JMRP, then watch the band. For the official requirements, see Microsoft’s “Strengthening Email Ecosystem” announcement

Why your emails suddenly started landing in spam

A “we changed nothing and mail suddenly went to spam” pattern almost always means a reputation drop or a complaint-rate spike — not a DNS change. Check your spam rate first, then recent sending-volume changes. This is the most common reason mail starts foldering all of a sudden.

Three changes flip the switch:

1. A complaint-rate spike that crosses the provider’s 0.3% line.
2. A sending-volume jump or a new sending source that reads as suspicious.
3. A provider enforcement change — Gmail’s November 2025 ramp, Outlook’s May 2025 rejection — catching non-compliance that was previously tolerated.

The frustration is real and common. One operator described it exactly: “As of a week ago our emails to customers have started going to their junk/spam boxes… We have changed nothing that we are doing… our IP address is not on any blacklists. We really don’t know what has suddenly changed” (Microsoft Q&A thread, June 2023). The IP was clean — which points straight at domain reputation and complaints, the signals an IP check never shows.

If you are a founder-operator sending from your own domain, the often-skipped steps when your business mail starts foldering are list hygiene and sending consistency — not another ESP switch. Confirm your DMARC alignment with a free DMARC record check, then audit who you have been mailing and how often.

Beyond the checklist: forwarding, encryption-in-transit, and BIMI

These are power-user concerns once the core checklist is done — complexity is optional. They are worth knowing because they explain a few stubborn cases the checklist alone does not.

ARC for forwarding (RFC 8617): forwarding breaks SPF and often DKIM, which sends legitimate mail to spam. ARC (Authenticated Received Chain) preserves the original authentication verdict across hops so the final receiver can see the mail passed before it was forwarded. See how ARC preserves authentication, or fix forwarding that breaks DMARC for the applied playbook.

MTA-STS and TLS-RPT (RFC 8461 and RFC 8460): these enforce and report on encryption-in-transit for SMTP. Niche, but on-brand for a careful sender.

BIMI is a downstream trust signal — your logo in the inbox — that only becomes available once DMARC enforcement is in place. It is a reward for getting the protocols right, not a placement fix on its own.

Frequently asked questions

How do I stop my emails from going to spam?

Publish SPF, DKIM, and DMARC with From-header alignment, keep your spam-complaint rate below 0.3%, and clean your list. Authentication is the one lever you fully control; reputation and engagement are earned over time. Source: Google sender guidelines.

How do I stop my messages from going to spam in Gmail specifically?

For Gmail, confirm DMARC alignment passes, set up Google Postmaster Tools to watch your daily spam rate, and stay under the 0.3% complaint line (target below 0.1%). Bulk senders sending 5,000 or more messages a day also need one-click unsubscribe per RFC 8058.

How do I unspam my email address?

You cannot force a provider to trust you; you rebuild reputation. Remove complaining recipients, fix authentication, lower volume, and send only to engaged contacts. For bulk senders (5,000 or more messages a day to personal Gmail), Gmail restores mitigation eligibility once your spam rate stays below 0.3% for 7 consecutive days.

My authentication is correct — why are my emails still going to spam?

Authentication is necessary but not sufficient. With SPF, DKIM, and DMARC passing, the remaining causes are domain reputation, spam complaints, list hygiene, and engagement. Check your complaint rate and list age before changing anything else.

Why are my emails going to spam in Outlook but not Gmail?

Outlook weights reputation and engagement differently and runs its own Exchange Online Protection scoring. Check your SNDS color band and JMRP complaints. Since May 2025, Outlook.com also rejects non-compliant senders of 5,000 or more messages a day with 550 5.7.515.

Does switching email providers fix emails going to spam?

Usually not. Domain reputation follows your domain, not your ESP — moving from SendGrid to Postmark does not reset it. Fix authentication, complaints, and list hygiene on the domain you already send from.

Putting it together

The answer to why are my emails going to spam is almost always a controllable signal, not a black box. Work it in this order:

• Match your symptom to its cause before you change anything.
• Fix the protocols you control — SPF, DKIM, and DMARC with From-header alignment.
• Move past p=none to enforcement; monitoring is not protection.
• Guard your spam-complaint rate below 0.3%.
• Remember reputation follows the domain, not the ESP.

Once you have fixed it, the next job is to keep watching — a clean configuration drifts the moment a new sender or a volume spike shows up.