Tax season is a deliverability problem disguised as a workflow problem. Accounting firms know they need to chase document submissions from clients, so they send sequences of reminders. Each reminder is technically transactional — it relates to a specific engagement — but the patterns trigger every spam filter trained on financial phishing: urgency, financial keywords, document requests, often a PDF attachment. The result is firms wondering why their clients keep saying "I never got the email" when in fact the email landed in spam.
Tax season runs roughly January 20 through April 15 in the US, with similar windows globally. Financial-keyword spam scoring peaks in the same window because phishing volume peaks. Avoid attachments, use a secure client portal with a single authenticated link, set up dedicated "tax.firmname.com" subdomain, warm it in December, segment client communication from prospecting, and run weekly seed tests through April.
The tax season volume calendar
IRS opens for individual e-filing in late January each year. From that date, accounting firms shift from year-end planning mode to high-volume client communication mode. Volume runs 4-7x normal February through April 15. After the deadline, volume falls sharply to a quieter May-July before audit season picks up in August.
Within the season, peaks are predictable: late January (initial document requests), mid-February (gentle reminders), mid-March (firmer reminders for clients still missing documents), April 1-10 (extension warnings), April 11-14 (final-week panic). Filters get steadily stricter through the season because phishing volume tracks the same curve.
For UK firms, the comparable window is October through January 31 self-assessment deadline. For Canada, March through April 30. Each country's tax authority creates its own seasonal pattern, with its own associated phishing wave.
Financial keyword scoring
SpamAssassin, Rspamd, and the proprietary models used by Gmail and Outlook all score combinations of financial terms as risk signals. The combinations that trigger most often in tax season:
- "W-2" + "urgent" + "attached" — high spam score regardless of sender.
- "1099" + "please confirm" + link to PDF — phishing template match.
- "refund" + dollar amount in subject — IRS impersonation pattern.
- "tax return" + "verify" + authentication request — credential phishing pattern.
A legitimate accounting firm using language that is clinically reasonable can match these patterns. The fix is not to rewrite around the keywords (clients need to understand what document you are asking for) but to neutralise the risk signals around them: no urgency manipulation, no unexpected attachments, no inline credential requests, clear sender identity that Gmail/Outlook can verify.
Attachment risk: PDFs and the W-2 trap
The single highest-leverage change for tax-season deliverability is to stop sending PDF attachments. PDFs carry historical risk — many phishing payloads were PDFs with embedded JavaScript or external resource calls. Mailbox providers score unsolicited PDFs from senders without established relationship as suspicious. Even from established senders, PDFs trigger additional inbound scanning that delays delivery and occasionally results in deferral.
Worse, sending a client's W-2 (or asking them to send you theirs) by email attachment is a security violation in most jurisdictions. Tax authorities, professional bodies (AICPA), and cyber-insurance carriers all classify attached tax documents as a serious data-handling failure. The deliverability problem is the smaller of the two issues.
Replace attachments with secure client-portal links. Most modern tax software (Intuit ProConnect, Drake, UltraTax) has a client portal built in. Workflow tools like SmartVault, TaxDome and Karbon are purpose-built for this. The email becomes "please log in to upload your W-2" with a single authenticated link, no attachment, no inline form. Filter score drops sharply.
The secure-link CTA pattern
A well-formed tax-season reminder email looks like this:
- From: a real partner or staff member at the firm, with a recognisable display name ("Sarah Chen, Smith & Associates").
- Subject: specific to the client ("Documents requested for your 2026 return"), not generic.
- Opening: brief context referring to the engagement ("As part of preparing your 2026 return, we still need...").
- One CTA: a single button or link to the firm's portal, on the firm's domain, with a session-bound short URL.
- No attachments. No inline forms. No embedded JavaScript or external pixels beyond a single open-tracking pixel.
- Plain-text version mirroring the HTML.
- Compliant unsubscribe footer (even though this is arguably transactional, gives recipients an out and satisfies CAN-SPAM).
Test this template in a seed-test panel before scaling to the full client list. A single line of poorly-chosen copy can move the whole sequence into Promotions or Spam at Gmail.
Subdomain strategy for tax firms
Run a dedicated subdomain for tax-season client communication: tax.firmname.com or clients.firmname.com. Warm it from December 1 through January 15 so it has Postmaster reputation before the volume surge. This isolates tax-season risk from year-round operational mail (audit notices, advisory practice, payroll services) and from general firm marketing.
DMARC policy on the subdomain should be p=quarantinewith strict alignment, escalating to p=reject once you have monitored aggregate reports for a month. Phishing impersonation of tax firms is rampant in February-April, and a strict DMARC policy is the only defence that prevents your domain from being spoofed in client-targeted phishing.
BIMI on the tax subdomain is high-leverage during tax season specifically. Clients who see the firm's verified logo in Gmail are markedly more likely to engage with the message, and the visual trust signal counters the phishing concerns clients have learned to associate with tax-related email.
Tax season is the highest-volume window for phishing impersonation of accounting firms. Strict DMARC, BIMI, and a documented policy explaining to clients that you will never email attachments protect both your deliverability and your clients' finances. Audit logs from January-April will show the impersonation attempts your DMARC policy blocked.
Cadence and segmentation through the season
Different clients need different reminder cadences. A client who responded within 48 hours of the first request does not need a second reminder. A client who has not responded after two reminders needs a phone call, not a third email. Treating reminder sequences as one-size-fits-all generates complaints from responsive clients and dead air from non-responsive ones.
Useful segmentation through the season:
- Engaged: opened initial request, uploaded documents. Move to thank-you sequence, no further reminders.
- Partial: uploaded some documents, missing others. Specific follow-up listing only the missing items.
- No response: two reminders maximum, then escalate to phone or text. Do not send a third email reminder.
- Deadline-extension candidates: clients still missing documents by April 1. Single direct message about extension, then phone call.
Post-April reputation maintenance
After April 15, tax-subdomain volume falls sharply. Resist the temptation to use it for off-season marketing — the engagement profile of off-season newsletter subscribers is very different from in-season transactional recipients, and mixing them on the same subdomain dilutes reputation. Keep tax.firmname.com for tax-related communication only; marketing belongs on a separate marketing subdomain.
Maintenance sends through May-December: monthly engagement-only newsletter to active clients, quarterly planning reminders, audit-season communication in late summer. The goal is to keep the subdomain's reputation warm enough that the January resurgence does not look like a cold start. Postmaster Tools should show steady Medium-or- better reputation year-round.