Why Your Emails Still Land in Spam Even Though SPF, DKIM and DMARC All Pass

You did everything the guides told you to do. SPF passes. DKIM passes. DMARC passes. Your mail-tester score is a perfect 10/10.

And your emails still land in spam.

If that sounds familiar, you're in good company - it's one of the most repeated questions in every email marketing community. The frustrating answer is that authentication was never the thing keeping you out of spam. It's just the entry ticket. Passing SPF, DKIM and DMARC proves who you are. It says nothing about whether anyone wants your email.

This article explains what actually decides inbox placement once authentication passes, how to diagnose which factor is hurting you, and what to do about it.

Authentication is a passport, not an invitation

Think of SPF, DKIM and DMARC as a passport check at the border. Failing the check gets you turned away immediately - since Gmail and Yahoo made authentication mandatory for bulk senders in 2024, unauthenticated mail barely gets delivered at all.

But passing the check doesn't get you a warm welcome. It just means the border agent knows exactly who you are. What happens next depends entirely on your reputation and how people have responded to you in the past.

Spammers pass SPF, DKIM and DMARC too. Setting up authentication on a fresh domain takes twenty minutes, and every serious spam operation does it. That's precisely why mailbox providers stopped treating authentication as a trust signal and started treating it as a baseline requirement. Once everyone passes, passing tells Gmail nothing about whether your mail belongs in the inbox.

So if your authentication is genuinely correct and you're still hitting spam, one of the following five factors is the real culprit.

1. Your sender reputation is doing the talking

Every mailbox provider keeps a running score on your sending domain (and, to a lesser extent these days, your sending IP). That score is built from months of history:

  • How much mail you send and how consistently. A domain that sends 500 emails a week for a year is far more trusted than one that appeared last month and immediately sent 50,000.
  • How recipients have reacted historically. Complaints, bounces, and unread-then-deleted messages all accumulate against you.
  • Your domain's age and track record. New domains start with no reputation, which in practice means low trust. This is why cold emailers warm up domains for weeks before real campaigns.

The key insight: reputation is attached to your domain, not your ESP. Moving from Mailchimp to Klaviyo won't outrun a bad domain reputation, and a good ESP's shared IPs can't rescue a domain that recipients keep flagging.

Check it: Google Postmaster Tools shows your domain reputation for Gmail specifically, on a scale from Bad to High. It's free and takes five minutes to set up. If your domain reputation reads Low or Bad, you've found your answer - and everything else in this article is your repair plan.

2. Engagement signals outweigh almost everything else

Gmail in particular has been open about this: how your recipients treat your mail is the strongest inbox placement signal there is. The signals that matter:

  • Positive: opens, replies, forwards, moving mail from spam to inbox, adding you to contacts, starring
  • Negative: deleting without reading, ignoring repeatedly, and above all, hitting "report spam"

Two things make this brutal for marketers.

First, engagement is measured per recipient. Gmail personalizes placement, so your newsletter can land in one subscriber's inbox and another's spam folder based on their individual behavior. This is why "my emails go to spam for Gmail users but not Outlook users" (or vice versa) is such a common report - the two providers weigh signals differently and know different things about your list.

Second, low engagement compounds. When mail goes to spam, fewer people see it. Fewer opens means worse engagement metrics, which means worse placement. Escaping this spiral usually requires deliberately cutting your list down to your most engaged subscribers for a while - more on that below.

The complaint rate red line: Gmail and Yahoo enforce a spam complaint threshold of 0.3%, and recommend staying under 0.1%. That's one complaint per thousand emails. Exceed 0.3% and placement problems are close to guaranteed, regardless of anything else you do.

3. Your list is quietly poisoning you

If your engagement numbers are bad, the list itself is usually why. Three list problems damage deliverability directly:

  • Stale addresses. Subscribers who haven't opened anything in a year aren't neutral - they're dead weight dragging your engagement rate down, and some of them have become spam traps.
  • Spam traps. Mailbox providers and blocklist operators recycle abandoned addresses into traps. There's no way to detect them from the outside; hitting them tells providers you're mailing an old, unmaintained list. The only defense is regular list hygiene.
  • High bounce rates. Bouncing more than about 2% of a send signals a low-quality or purchased list. Purchased lists are the fast lane to spam: they bounce heavily, they're seeded with traps, and the recipients never asked to hear from you, so they complain.

This is the unglamorous truth behind most "mystery" spam problems: the authentication is fine, the content is fine, but the list is full of people who stopped caring in 2023.

4. Your sending patterns look wrong

Mailbox providers profile how you send, not just what:

  • Volume spikes. Jumping from 1,000 emails a week to 40,000 in a day looks exactly like a compromised account or a spam run. Big sends to cold lists after a long silence are especially damaging.
  • No warmup. New domains and new ESP setups need gradually increasing volume over 2-4 weeks. Full-volume sends from day one hit spam even with flawless authentication - reputation hasn't been earned yet.
  • Inconsistency. Erratic gaps and bursts read as untrustworthy. A steady, predictable cadence is itself a trust signal.

One structural fix worth making early: separate your mail streams. Send marketing email from a subdomain like news.yourdomain.com and keep transactional email (receipts, password resets) on its own subdomain. That way a marketing misstep can't drag down the reputation of the mail your customers must receive.

5. Content matters less than you think - with exceptions

The classic advice about "spam trigger words" is mostly outdated. Modern filters are driven by reputation and engagement, not by whether you wrote "free" in a subject line. But a few content factors still bite:

  • Link reputation. Filters follow your links. URL shorteners (bit.ly and friends) are heavily abused by spammers and are best avoided entirely. The same goes for cheap tracking domains shared with bad actors - if your ESP uses a shared click-tracking domain, consider setting up a custom one.
  • Domain mismatch. Sending from yourdomain.com while every link points to unrelated domains looks phishy to filters.
  • Image-heavy, text-light emails. One big image with almost no text is a classic spam pattern, because it hides content from text analysis.
  • Sloppy HTML. Broken markup from copy-pasting out of Word can trip filters. Well-formed, mobile-friendly templates are safe.

And one thing that is not spam: Gmail's Promotions tab. Landing in Promotions means Gmail delivered your mail and classified it as marketing - which it is. Fighting the Promotions tab is largely wasted effort and, done badly (disguising marketing as personal mail), can generate the complaints that cause real spam problems.

How to diagnose your specific problem

Work through these in order:

  • Set up Google Postmaster Tools for your sending domain. Check domain reputation, spam complaint rate, and whether authenticated traffic dips. This is the single most useful diagnostic for Gmail placement.
  • Check your complaint and bounce rates in your ESP. Complaints above 0.1% or bounces above 2% point straight at list quality.
  • Segment your placement problem. Is it all providers or just one? Gmail-only problems are usually engagement-driven. Outlook/Hotmail-only problems are often IP or content-driven (Microsoft's filtering is more traditional). Everything-everywhere problems suggest reputation or infrastructure.
  • Read your DMARC aggregate reports. "Passing" DMARC on your tests doesn't mean everything passes in the wild. Reports (via a free tool like a DMARC report analyzer) reveal forwarding breakage, misconfigured third-party senders, and alignment failures you'd never see otherwise.
  • Test with real seed accounts. Send to fresh Gmail, Outlook, and Yahoo accounts you control. Single-score testing tools check your setup, not your reputation - a 10/10 on mail-tester and spam placement at Gmail are entirely compatible, as many frustrated senders discover.

The repair plan

If your reputation and engagement are the problem, here's the sequence that rebuilds trust:

  • Cut the list. Ruthlessly. Suppress everyone who hasn't opened or clicked in 90-180 days. Yes, your list shrinks; that's the point. You're showing mailbox providers a sender whose mail gets opened.
  • Run one careful re-engagement campaign to the lapsed segment before removing them - a single "do you still want these?" email. No response means they go. Don't mail the dead segment repeatedly "just in case"; that's how the problem started.
  • Rebuild volume gradually. Start with your most engaged segment (recent openers, clickers, buyers) and expand outward over several weeks as metrics improve.
  • Fix the intake. Use confirmed (double) opt-in so every new address is real and wanted. Never buy lists. Set expectations at signup for what you'll send and how often.
  • Make leaving easy. A prominent one-click unsubscribe is your friend - every person who unsubscribes instead of hitting "report spam" is protecting your sender reputation. Unsubscribes are a hygiene mechanism, not a failure.
  • Send consistently. Pick a cadence you can sustain and hold it. Reputation is built on predictability.

Expect the recovery to take 4-8 weeks of consistent good behavior. Domain reputation moves slowly in both directions - which, once yours is good, works in your favor.

The takeaway

SPF, DKIM and DMARC answer the question "is this sender who they claim to be?" Inbox placement answers a different question: "do this sender's recipients actually want this mail?"

Once authentication passes, the second question is the only one that matters. The senders who reliably reach the inbox aren't the ones with the most technically perfect setups - they're the ones mailing clean lists of people who open, read, and reply.

Audit your engagement before you audit your DNS records again. That's almost certainly where the answer is.

Further reading: Google's Email Sender Guidelines - the canonical requirements for bulk senders reaching Gmail inboxes.