Email Deliverability: Why Your Transactional Mail Goes to Spam
SPF, DKIM, DMARC, BIMI, and sending IP reputation are the quiet infrastructure that decides whether your password reset emails ever arrive. Switching ESPs doesn't fix bad fundamentals.
By Arjun Raghavan, Security & Systems Lead, BIPI · August 7, 2024 · 7 min read
A fintech client came to us convinced their ESP was broken. Magic link emails were landing in spam roughly 40% of the time, and support tickets had spiked. Their actual problem: a misaligned DKIM signature, a DMARC policy stuck on p=none, and three years of sending from a shared IP that had been burned by a previous tenant.
Switching ESPs would have changed nothing. We fixed the auth chain in two weeks and inbox placement climbed from 61% to 94%.
The auth chain everyone gets wrong
SPF, DKIM, and DMARC are not optional and not interchangeable. SPF says which servers can send for your domain. DKIM cryptographically signs the message. DMARC tells receivers what to do when one or both fail and gives you reporting.
- SPF should include every legitimate sender (ESP, Google Workspace, helpdesk, billing)
- DKIM keys should be 2048-bit and rotated yearly
- DMARC starts at p=none for visibility, moves to p=quarantine, eventually p=reject
- Aggregate reports must actually be parsed, not sent into a black hole inbox
- Subdomains need their own policy, not just the root
Roughly 70% of the audits we do find at least one of these wrong. The most common issue is an SPF record that exceeds the limit of 10 DNS lookups, silently failing for half of all sends.
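The lookup-count audit as an added example (not from the original article or BIPI's tooling): it follows include and redirect chains and counts the terms that RFC 7208 charges against the limit. All domain names and TXT records are constructed, and a dictionary stands in for live DNS.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: exceeding this yields permerror

# Constructed TXT records standing in for live DNS; every name here is hypothetical.
ZONE = {
    "yourcompany.test": "v=spf1 include:_spf.esp.test include:_spf.workspace.test "
                        "include:helpdesk.test include:billing.test mx ~all",
    "_spf.esp.test": "v=spf1 include:a.esp.test include:b.esp.test include:c.esp.test ~all",
    "a.esp.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.esp.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "c.esp.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.workspace.test": "v=spf1 include:nb1.workspace.test include:nb2.workspace.test ~all",
    "nb1.workspace.test": "v=spf1 ip4:192.0.2.128/25 ~all",
    "nb2.workspace.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "helpdesk.test": "v=spf1 a mx include:mail.helpdesk.test ~all",
    "mail.helpdesk.test": "v=spf1 ip4:198.51.100.128/25 ~all",
    "billing.test": "v=spf1 a:out.billing.test ~all",
    # Constructed "after" record: helpdesk and billing flattened to ranges, mx dropped.
    "fixed.test": "v=spf1 include:_spf.esp.test include:_spf.workspace.test "
                  "ip4:198.51.100.128/25 ip4:203.0.113.64/26 ~all",
}

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reached while evaluating domain's SPF."""
    if domain in path:
        raise ValueError("SPF include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record here; a real receiver treats this include as an error
    total = 0
    for term in record.split()[1:]:
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lstrip("+-~?").lower())
        if not m:
            continue
        mech, target = m.groups()
        if mech in ("a", "mx", "ptr", "exists"):
            total += 1  # one query each; ip4, ip6 and all cost nothing
        elif mech in ("include", "redirect") and target:
            # The include itself is one query, plus everything its record pulls in.
            total += 1 + count_lookups(target, zone, path + (domain,))
    return total

def audit(domain, zone=ZONE):
    """Return (lookup_count, within_limit) for a sending domain."""
    n = count_lookups(domain, zone)
    return n, n <= LOOKUP_LIMIT

if __name__ == "__main__":
    for d in ("yourcompany.test", "fixed.test"):
        print(d, *audit(d))
```

The count is a worst case because a receiver stops at the first matching term, so a record over the limit fails only for senders that match late in the chain.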
BIMI is mostly marketing, until it isn't
BIMI requires DMARC enforcement at p=quarantine or stricter and a verified mark certificate. The actual deliverability lift is modest. The brand recognition lift in Gmail and Apple Mail is real. We treat BIMI as the forcing function that makes teams finally enforce DMARC, which is where the actual deliverability gains live.
Sending IP reputation and the warmup nobody does properly
If you're on a shared IP, you inherit your neighbors' reputation. If you're on a dedicated IP, you start from zero and have to warm it up over 4-6 weeks by ramping volume gradually. Most teams skip this, blast 200,000 emails on day one, and wonder why Gmail throttles them for the next quarter.
List hygiene is unglamorous and decisive
The single biggest deliverability killer we see is sending to old, unengaged lists. If 30% of your list hasn't opened anything in 18 months, every send to that segment trains Gmail and Microsoft to view your domain as low-quality. The fix is brutal: suppress anyone who hasn't engaged in 6 months. Yes, your list size will drop. Yes, your inbox placement will climb.
We had a client refuse to suppress 240,000 inactive subscribers because the list was a 'company asset'. Six months later their open rates were 4% and they were renting a list to send to their own customers. Don't do this.
Transactional vs marketing should not share infrastructure
Mixing transactional sends (password resets, receipts, magic links) with marketing on the same domain and IP is the deliverability equivalent of mixing your wedding rings with the household coins. When a marketing send tanks reputation, your password resets stop arriving. Use a dedicated subdomain (mail.yourcompany.com for marketing, transactional.yourcompany.com for system mail) and dedicated IPs for each.
What to actually fix this week
- Run an MXToolbox check on your sending domain and fix every red flag
- Set DMARC to p=none and pipe aggregate reports into a parser like Postmark or Valimail
- Audit your SPF record for lookup count (should be under 10)
- Segment your list by engagement and suppress dormant subscribers
- Separate marketing from transactional onto different subdomains and IPs
None of this is complicated. It's just unglamorous work that nobody's job depends on until something breaks at 11pm on a Saturday.