Every day we run hundreds of inbox placement tests, and the same patterns come up over and over. When an email lands in Spam, the cause is almost never mysterious. It is one of twelve things, all of them fixable in an afternoon. This is the list.
If you only read one part of this article: check authentication first. SPF, DKIM and DMARC account for more Spam placements than every content issue combined. Every other fix on this list matters less than a passing dmarc=pass with domain alignment.
1. Missing or misconfigured SPF
SPF tells receiving servers which IPs are allowed to send mail for your domain. Without it, Gmail and Outlook treat every message as potentially spoofed. The two most common problems: no SPF record at all, or an SPF record that doesn't include your actual sending service (e.g. you use SendGrid but your record only includes your Google Workspace IP range).
Fix: publish a TXT record at your domain root that includes every ESP, transactional service and mail server that sends on your behalf. End it with ~all during rollout, move to -all once you're confident. Watch the 10-lookup limit — too many include: chains silently break SPF.
2. DKIM not signing, or signing with the wrong selector
DKIM is a cryptographic signature your mail server adds to every outgoing message. The receiving server looks up your public key in DNS and verifies the signature. If the signature is missing, broken, or signed by a domain that doesn't match your From address, Gmail quietly routes you to Spam.
Fix: enable DKIM in your ESP admin, publish the provided TXT record at selector._domainkey.yourdomain.com, and verify with a test send. Every major provider — Google Workspace, Microsoft 365, SendGrid, Postmark — has a one-click DKIM setup. There is no excuse for not signing in 2026.
3. DMARC record missing or set to p=none forever
DMARC ties SPF and DKIM together and tells receivers what to do when authentication fails. Gmail and Yahoo's 2024 sender requirements made DMARC mandatory for bulk senders. No DMARC record = Spam or outright reject.
Fix: publish a TXT record at _dmarc.yourdomain.com starting with v=DMARC1; p=none; rua=mailto:reports@yourdomain.com. Read the reports for two weeks, fix any alignment failures, then move to p=quarantine. Don't leave it on p=none forever — receivers notice.
4. Brand-new domain with no sending history
A fresh domain has zero reputation. Sending a thousand emails on day one is the deliverability equivalent of sprinting onto the motorway from a standing start. Gmail's ML model sees the pattern and treats every message as suspicious.
Fix: warm up for at least 3–4 weeks. Start at 10–20 emails per day, all to engaged recipients, then double every 2–3 days. Automated warm-up tools (Mailwarm, Lemwarm, Warmup Inbox) can accelerate this but don't replace genuine engagement.
5. Spam-trigger content and shouty subject lines
"FREE!!! 🎉 Limited time offer — act now" still triggers Bayesian filters like SpamAssassin and Rspamd. Modern ML filters are more forgiving than they were in 2015, but the old patterns — ALL CAPS subjects, multiple exclamation marks, money-emoji combos, the word "viagra" near the word "free" — still carry weight.
Fix: write subject lines like a human. Use sentence case. Test your copy through SpamAssassin or Rspamd before sending — a score above 5.0 is a red flag. Remove emoji storms, excessive punctuation, and promotional language that doesn't match your actual offer.
6. Poor text-to-HTML ratio (or HTML-only)
Sending pure HTML with no plain-text alternative is a classic spammer fingerprint. Same for HTML that's 95% images with two lines of text. Filters see image-heavy bodies as attempts to hide content from content scanners.
Fix: always include a plain-text part in every multipart message. Keep HTML simple — text-to-image ratio above 60/40. If you're sending through an ESP, check the "plain text version" field is auto-populated.
7. Links to newly-registered or blacklisted domains
Spamhaus DBL, SURBL and URIBL flag domains that have appeared in spam runs or were registered less than 30 days ago. A single bad link in your body can drag the whole message to Spam even if your domain reputation is perfect.
Fix: run every link through a DNSBL checker before sending. Avoid URL shorteners (bit.ly, tinyurl) — they're disproportionately flagged. If you use a custom tracking domain, keep it at least 30 days old and never share it across unrelated brands.
8. No List-Unsubscribe header
Since 2024 Gmail and Yahoo require one-click unsubscribe in bulk mail. No List-Unsubscribe and List-Unsubscribe-Post headers = instant Spam routing. Most ESPs add them automatically, but custom sending servers and cold outreach tools often don't.
Fix: make sure every bulk message includes both headers, with a mailto: and an HTTPS URL. Handle the POST request and actually remove the recipient within 48 hours, or Gmail will start ignoring the header.
9. Bought, scraped or old recipient list
The single fastest way to destroy a good sender reputation: send to addresses that don't want your mail, don't exist any more, or are spam traps. One spam trap hit can tank your score with a major ISP for weeks.
Fix: verify every list with a validation service (NeverBounce, ZeroBounce, Kickbox) before sending. Remove any address that hasn't opened or clicked in 12+ months. If you bought a list — stop sending to it today. There is no salvaging that path.
10. High bounce rate from dead addresses
Related to list quality but with its own mechanics. A bounce rate above 2% makes ISPs think you're either sending to scraped data or running a dictionary attack. Gmail starts throttling above 5%, Outlook above 3%.
Fix: hard-bounce addresses should be permanently suppressed immediately, never retried. Soft bounces: retry 3 times over 48 hours, then suppress. Run list validation monthly on anything older than 6 months.
11. Shared sending IP with bad neighbours
If you're on a shared-IP plan at a low-tier ESP, your deliverability depends on every other sender on that IP. One spammer on the pool can put you on every major blacklist overnight.
Fix: check your sending IP against Spamhaus, SORBS, SpamCop and Barracuda. If you're consistently listed and sending more than ~50k emails/month, upgrade to a dedicated IP. Below that volume, switch to a reputable shared-pool ESP (Postmark, SendGrid Pro).
12. Inconsistent sending volume — burst patterns
Sending 100 emails on Monday, 0 on Tuesday, 5,000 on Wednesday is a pattern ISPs associate with compromised accounts and spam campaigns. Even legitimate senders get caught by this — a marketing team dropping a big newsletter after three quiet weeks looks the same as an attacker.
Fix: smooth your send curve. If you have a big campaign, warm the volume up over the preceding 7–10 days. Send at the same hour every day where possible. Avoid weekends for B2B — engagement patterns break weekday models.
Fix in priority order
If you're debugging a live Spam problem right now, don't work through the list in order. Work in priority order:
- Authentication (#1, #2, #3) — fixes ~60% of Spam cases on their own.
- List hygiene (#9, #10) — second biggest category. Clean list, suppress bounces.
- Domain / IP reputation (#4, #11) — needs weeks to move, but you can start today.
- Compliance headers (#8) — quick win if you're a bulk sender.
- Content (#5, #6, #7) — the part SDRs obsess over, but rarely the actual cause.
- Volume patterns (#12) — easy to fix once you're aware.
An inbox placement test catches most of these in a single run: SPF, DKIM, DMARC, SpamAssassin / Rspamd content scores, DNS health, per-provider folder placement. Free, unlimited, no signup — see what's wrong before your next send.