Sending Email Reliably: Everything You Need to Know

Email remains the backbone of business communication, transactional notifications, and marketing outreach. Yet getting an email from your server to someone's inbox, consistently and at scale, is far more complex than calling an API. This post covers everything you need to know about sending email reliably.

The fundamental problem

When you send an email, it doesn't just arrive. It passes through a gauntlet of checks: DNS lookups, authentication verification, reputation scoring, content filtering, and mailbox provider heuristics. Any one of these can silently drop, defer, or junk your message. Reliability means understanding and optimizing for every stage of that journey.

Authentication: the non-negotiable foundation

Before a receiving mail server even looks at your content, it checks whether you're authorized to send from your domain. Three protocols form the authentication trifecta.

SPF (Sender Policy Framework)

A DNS TXT record that lists which IP addresses are allowed to send email on behalf of your domain. When a mail server receives your message, it checks the sending IP against your SPF record.

v=spf1 include:amazonses.com include:_spf.google.com ~all

SPF has a 10-lookup limit. Exceeding it causes a permanent failure (permerror), which many providers treat as a hard fail. Use include for third-party senders sparingly, and prefer -all (hard fail) over ~all (soft fail) once you're confident in your setup.

DKIM (DomainKeys Identified Mail)

A cryptographic signature attached to every outgoing email. The receiving server fetches your public key from DNS and verifies the signature, proving the message wasn't altered in transit.

Use 2048-bit keys minimum. 1024-bit keys are increasingly rejected. Rotate keys periodically (every 6–12 months), and sign with your own domain, not just your ESP's domain. Alignment matters for DMARC.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also provides reporting so you can see who's sending email as your domain.

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s;

The progression: start with p=none to monitor without affecting delivery. Review aggregate reports to identify legitimate senders you haven't authorized. Move to p=quarantine, then p=reject once you're confident. p=reject with strict alignment is the gold standard and a requirement for BIMI, the verified logo that appears next to your emails in supporting clients.

IP and domain reputation

Authentication proves you can send. Reputation determines whether providers want to accept your mail.

Dedicated vs. shared IPs

Shared IPs (default with most ESPs) pool your reputation with other senders. Good for low volume, but you're at the mercy of your neighbors. Dedicated IPs give you full control but require active management.

IP warming

A brand-new IP has no reputation, which is treated as suspicious. Warming is the process of gradually increasing send volume so mailbox providers can build a positive reputation profile.

A common approach is calendar-based warming:

Day      Daily volume
1-3      50-100
4-7      200-500
8-14     1,000-5,000
15-21    5,000-20,000
22-30    20,000-50,000
30+      Full volume

A better approach is volume-based staging, where you advance to the next tier based on how many emails you've successfully sent, not how many days have passed. This avoids the problem of calendar-based schedules advancing senders who aren't actually building reputation (e.g., a sender on "Day 8" who only sent 20 emails total). IvyMail uses volume-based domain warmup with stages at 50, 100, and 200 emails/day, advancing automatically as you hit each tier's cumulative threshold.

Send to your most engaged recipients first during warming. Opens and clicks build positive signals fast. Never spike volume. A sudden 10x jump will trigger rate limiting or blocks. Monitor bounce rates daily; if they exceed 2%, slow down.
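
A sketch of volume-based staging with the 2% bounce guard, as an added example rather than IvyMail's implementation. The daily caps of 50, 100 and 200 come from the text above; the cumulative thresholds (150, 500, 1,500) and the one-stage-per-day rule are assumptions chosen for illustration.

```python
# (daily cap, cumulative delivered emails needed to leave the stage)
# ASSUMPTION: the cumulative thresholds are illustrative; only the caps are from the post.
STAGES = [
    (50, 150),
    (100, 500),
    (200, 1500),
]
MAX_BOUNCE_RATE = 0.02   # slow down when daily bounces exceed 2%


def warmup_state(daily_log):
    """Replay a send history and return (stage_index, todays_cap).

    daily_log is a list of (sent, bounced) tuples, one per day.
    stage_index == len(STAGES) means warmup is finished and the cap is None.
    """
    stage = 0
    delivered_total = 0
    for sent, bounced in daily_log:
        delivered_total += sent - bounced
        bounce_rate = bounced / sent if sent else 0.0
        if bounce_rate > MAX_BOUNCE_RATE:
            continue          # a bad day adds volume but cannot trigger promotion
        if stage < len(STAGES) and delivered_total >= STAGES[stage][1]:
            stage += 1        # at most one promotion per day: never spike volume
    cap = STAGES[stage][0] if stage < len(STAGES) else None
    return stage, cap


# Constructed history: the "Day 8" sender from the text, 20 emails in total.
SLOW_SENDER = [(3, 0)] * 6 + [(1, 0)] * 2
```

Replaying SLOW_SENDER leaves the sender in the first stage with a cap of 50, where a calendar schedule would already allow 1,000 or more per day.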

Domain reputation

Modern providers (especially Gmail) weigh domain reputation as heavily as, or more than, IP reputation. You can't outrun a bad domain reputation by switching IPs. Monitor with Google Postmaster Tools, Microsoft SNDS, and your ESP's reputation dashboards.

Bounce handling

Bounces are the most direct signal that something is wrong. Handling them correctly is critical.

Hard bounces are permanent failures: the address doesn't exist, the domain doesn't exist, or the mailbox is permanently unavailable. Remove hard-bounced addresses immediately. Never retry them. Continuing to send to hard bounces is the fastest way to tank your reputation.

Soft bounces are temporary failures: mailbox full, server temporarily unavailable, message too large, or rate-limited. Retry with exponential backoff (1 hour, 4 hours, 12 hours, 24 hours). After 3–5 consecutive soft bounces across separate campaigns, treat as a hard bounce.

Keep your bounce rate below 2%. Between 2–5% is a warning sign. Above 5%, most ESPs will suspend your account and mailbox providers will block you.

Complaint handling and feedback loops

When a recipient clicks "Report Spam," that generates a complaint. Mailbox providers expose these through Feedback Loops (FBLs).

Register for FBLs with all major providers (Yahoo, Outlook, AOL). Gmail doesn't offer a traditional FBL, so use Postmaster Tools instead. Immediately suppress any address that generates a complaint. Do not send to them again, ever.

Target a complaint rate below 0.08%, which aligns with Amazon SES's recommended threshold. Gmail's hard limit is 0.3%, but you should never get anywhere near it. At 0.08%, many platforms (including IvyMail) will begin throttling your sends. Exceed it and you'll see bulk folder placement spike.

Suppression lists

A suppression list is your single source of truth for addresses you must not send to. It should contain hard bounces, complaint reporters, manual unsubscribes, addresses from regulatory opt-out lists, and known spam traps.

Check the suppression list before every send, not after. Make it global across all mail streams, and ideally platform-wide if you're building a multi-tenant sending platform. A bounced address is a bounced address regardless of which workspace or account originated the send. Shared suppression data protects every sender on the platform. Never delete entries unless you have explicit, fresh consent from the recipient.
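
The bounce, complaint and suppression rules above fit together as one small state machine. The following is an added example, not any ESP's API: the event names, the limit of 3 consecutive soft bounces (the low end of the 3-5 range) and case-insensitive address matching are assumptions.

```python
SOFT_BOUNCE_LIMIT = 3   # the text suggests 3-5 consecutive soft bounces


class SuppressionList:
    PERMANENT = {"hard_bounce", "complaint", "unsubscribe"}

    def __init__(self):
        self.reasons = {}       # normalized address -> why it is suppressed
        self.soft_streak = {}   # normalized address -> consecutive soft bounces

    @staticmethod
    def _norm(address):
        # ASSUMPTION: addresses are compared case-insensitively.
        return address.strip().lower()

    def handle_event(self, address, event):
        """Apply one delivery event (hypothetical event names) to the list."""
        addr = self._norm(address)
        if event in self.PERMANENT:
            self.reasons.setdefault(addr, event)          # suppress immediately
        elif event == "soft_bounce":
            self.soft_streak[addr] = self.soft_streak.get(addr, 0) + 1
            if self.soft_streak[addr] >= SOFT_BOUNCE_LIMIT:
                self.reasons.setdefault(addr, "repeated_soft_bounce")
        elif event == "delivered":
            self.soft_streak.pop(addr, None)              # streak must be consecutive
        else:
            raise ValueError(f"unknown event type: {event}")

    def split_recipients(self, recipients):
        """Pre-send check: return (allowed, blocked) without sending anything."""
        allowed, blocked = [], []
        for r in recipients:
            (blocked if self._norm(r) in self.reasons else allowed).append(r)
        return allowed, blocked


# Constructed webhook events (address, event type); not real data.
EVENTS = [
    ("Gone@example.test", "hard_bounce"),
    ("full@example.test", "soft_bounce"),
    ("full@example.test", "soft_bounce"),
    ("full@example.test", "soft_bounce"),
    ("flaky@example.test", "soft_bounce"),
    ("flaky@example.test", "delivered"),
    ("flaky@example.test", "soft_bounce"),
    ("angry@example.test", "complaint"),
]
```

There is deliberately no method that removes an entry; re-enabling an address should be a separate, audited path that requires fresh consent.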

List hygiene

Dirty lists are the root cause of most deliverability problems.

Double opt-in is the single most effective thing you can do for list quality. Send a confirmation email after signup, and only add to your list after they click. This eliminates typos, fake signups, and bot registrations.

Sunset inactive subscribers. If someone hasn't opened or clicked in 6–12 months, run a re-engagement campaign. If they still don't engage, remove them.

Validate at the point of collection. Use real-time email validation APIs to catch typos and disposable addresses at signup.

Never buy or rent lists. This isn't just bad practice. It's a guaranteed path to blocklisting.

Spam traps

Mailbox providers and blocklist operators seed the internet with fake addresses. Pristine traps have never belonged to a real person. Hitting one means you're sending to scraped or purchased lists. Recycled traps are old, abandoned addresses repurposed as traps. Hitting one means you're not cleaning your list.

There's no way to identify spam traps retroactively. The only defense is good list hygiene.

Content and sending practices

Headers and structure

Always include a List-Unsubscribe header (both mailto: and HTTPS URL). Gmail and Apple Mail surface this as a native unsubscribe button. As of 2024, Google and Yahoo require it for bulk senders.

Use a consistent From address. Changing it frequently confuses reputation systems. Set a proper Message-ID header for threading and deduplication. Include both HTML and plain-text parts (multipart/alternative), as some filters penalize HTML-only messages.
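
The header requirements above, assembled with Python's standard email package as an added example (not code from this post). The List-Unsubscribe-Post header is the one-click mechanism from RFC 8058; the function name, addresses and URLs are hypothetical.

```python
from email.message import EmailMessage
from email.utils import formatdate, make_msgid, parseaddr


def build_bulk_message(sender, recipient, subject, text, html,
                       unsub_mailto, unsub_url):
    """Build a multipart/alternative message carrying the bulk-sender headers."""
    if not unsub_url.lower().startswith("https://"):
        raise ValueError("unsubscribe URL must be HTTPS")
    # Use the From domain in the Message-ID so the ID is stable and attributable.
    from_domain = parseaddr(sender)[1].rsplit("@", 1)[-1]

    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=False)
    msg["Message-ID"] = make_msgid(domain=from_domain)
    # Both a mailto: and an HTTPS target, each in angle brackets.
    msg["List-Unsubscribe"] = f"<mailto:{unsub_mailto}>, <{unsub_url}>"
    # Signals that a POST to the HTTPS target unsubscribes in one click.
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"

    msg.set_content(text)                       # text/plain part first
    msg.add_alternative(html, subtype="html")   # converts to multipart/alternative
    return msg


def sample_message():
    # Constructed sample values; the token and hosts are placeholders.
    return build_bulk_message(
        sender="Example Updates <updates@marketing.yourdomain.com>",
        recipient="reader@example.test",
        subject="March product update",
        text="Plain-text version of the update.",
        html="<p>HTML version of the update.</p>",
        unsub_mailto="unsubscribe@marketing.yourdomain.com",
        unsub_url="https://marketing.yourdomain.com/unsubscribe?token=PLACEHOLDER",
    )
```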

Content

Keep your text-to-image ratio balanced. All-image emails with minimal text are a spam signal. Avoid URL shorteners (bit.ly, etc.) in email bodies. They're heavily abused by spammers and trigger filters. Don't use deceptive subject lines or misleading From names. Minimize the number of distinct domains linked in your email, as linking to multiple unrelated domains is a phishing signal.

Sending cadence

Be consistent. Sending 100,000 emails once a month is worse for reputation than 25,000 per week.

Separate your mail streams: use different subdomains (or even different IPs) for transactional vs. marketing email. A complaint spike on marketing shouldn't affect your password resets. For example, notifications@mail.yourdomain.com for transactional and updates@marketing.yourdomain.com for promotional.

Infrastructure considerations

Choosing a sending provider

The major players (Amazon SES, Postmark, SendGrid, Mailgun, Resend) differ in meaningful ways. Look for granular event webhooks (delivery, bounce, complaint, open, click), dedicated IP availability, automatic suppression management, deliverability tooling, and proactive abuse monitoring.

Retry and queue architecture

For high-volume senders building their own infrastructure, use a message queue (SQS, RabbitMQ, etc.) to decouple email generation from sending. Implement per-domain rate limiting. Gmail, Yahoo, and Microsoft all have per-IP, per-domain receiving limits. Exceeding them causes temporary blocks. Use exponential backoff with jitter for retries, and set a maximum retry window (typically 72 hours). After that, fail permanently.
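
One way to schedule retries with jitter inside the 72-hour window, as an added example rather than code from this post. The 1-hour base, the 24-hour cap on a single wait and the "equal jitter" variant are assumptions; only the 72-hour window comes from the text.

```python
import random

BASE_DELAY = 3600           # ASSUMPTION: first retry roughly 1 hour after a deferral
MAX_DELAY = 24 * 3600       # ASSUMPTION: never wait more than 24 hours between tries
RETRY_WINDOW = 72 * 3600    # from the text: fail permanently after 72 hours


def next_retry(first_attempt, now, attempts_made, rng=random):
    """Return the timestamp of the next attempt, or None to fail permanently.

    All times are in seconds. attempts_made counts attempts so far (>= 1).
    """
    ceiling = min(MAX_DELAY, BASE_DELAY * 2 ** (attempts_made - 1))
    # Equal jitter: half the delay is fixed, half is random, so queued messages
    # deferred together do not all come back at the same instant.
    delay = rng.uniform(ceiling / 2, ceiling)
    when = now + delay
    if when - first_attempt > RETRY_WINDOW:
        return None
    return when


def simulate_deferrals(first_attempt=0, rng=random):
    """Attempt timestamps for a message that is deferred on every try."""
    times = [first_attempt]
    now, attempts = first_attempt, 1
    while True:
        nxt = next_retry(first_attempt, now, attempts, rng)
        if nxt is None:
            return times
        times.append(nxt)
        now, attempts = nxt, attempts + 1
```

Persist first_attempt with the queued message so the window survives worker restarts; recomputing it on each dequeue silently extends the retry period.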

Observability

You can't fix what you can't see. Track these metrics:

  • Delivery rate - percentage of emails accepted by the receiving server
  • Bounce rate - broken down by hard vs. soft, and by domain
  • Complaint rate - via FBLs and Postmaster Tools
  • Inbox placement rate - use seed testing tools to measure actual inbox vs. spam placement
  • Time to delivery - how long between send and delivery event

Set alerts on bounce rate exceeding 2%, complaint rate exceeding 0.08%, sudden drops in open rates (often indicates bulk folder placement), and delivery delays exceeding your SLA.

Regulatory compliance

CAN-SPAM (United States)

Include a physical mailing address. Provide a clear unsubscribe mechanism that works within 10 business days. Don't use deceptive headers or subject lines. Identify the message as an ad if it is one.

GDPR (European Union)

Obtain explicit, affirmative consent before sending marketing email. Maintain records of when and how consent was obtained. Honor data deletion requests. Legitimate interest can apply to transactional email, but marketing requires consent.

CASL (Canada)

The strictest of the major regulations. Requires express consent (not implied) for most commercial messages. Consent must include the sender's identity, contact information, and a statement that consent can be withdrawn.

Google & Yahoo bulk sender requirements

If you send more than 5,000 messages/day to Gmail or Yahoo addresses: SPF, DKIM, and DMARC are all required. One-click List-Unsubscribe header is mandatory. Complaint rate must stay below 0.3%. Unsubscribes must be processed within 2 days.

The reliability checklist

A summary distilled into an actionable checklist.

Authentication: SPF record configured and under 10 lookups. DKIM signing with 2048-bit keys on your own domain. DMARC at p=reject (or progressing toward it).

Reputation: Dedicated IPs for high volume, properly warmed. Registered with Google Postmaster Tools and Microsoft SNDS. Separate subdomains for transactional and marketing mail.

Bounce & complaint handling: Hard bounces suppressed immediately. Soft bounces retried with backoff, suppressed after repeated failures. FBLs registered, complaints suppressed immediately. Global (platform-wide) suppression list checked before every send.

List quality: Double opt-in for all new subscribers. Inactive subscribers sunset after 6–12 months. Email validation at point of collection. No purchased or rented lists, ever.

Content & headers: List-Unsubscribe header on all bulk email. Multipart messages (HTML + plain text). No URL shorteners in email body. Consistent From address and domain.

Infrastructure: Message queue for send decoupling. Per-domain rate limiting. Pre-send safety checks enforced in sequence (reputation, domain verification, rate limits, warmup, payment, suppression). Webhook processing for delivery events. Alerting on bounce rate, complaint rate, and delivery anomalies.

Compliance: Physical address in footer. Working unsubscribe link processed within 2 days. Consent records maintained. Compliant with CAN-SPAM, GDPR, and/or CASL as applicable.

The bottom line

Email deliverability isn't a one-time setup. It's an ongoing discipline. The senders who land in the inbox consistently are the ones who treat every bounce, every complaint, and every reputation signal as actionable data. Authenticate rigorously, respect your recipients, clean your lists, and monitor relentlessly. The inbox rewards senders who earn trust.
