Fast answer
Email reaches the inbox when the receiving provider can verify who sent it and sees a history of people wanting that mail — which in practice means authenticating every message with SPF, DKIM, and DMARC, sending from your own domain over an encrypted connection, removing bounced and unsubscribed addresses immediately, and isolating bulk or marketing email on a separate subdomain so a bad campaign can't damage the domain your day-to-day business email depends on. Since 2024, Gmail, Yahoo, Outlook, and Apple iCloud have converged on these as requirements, not suggestions, for anyone sending at volume — and the technical basics now apply to every sender, not just the big ones.
You decide to email your past customers about a spring promotion, or you finally start the newsletter you've been meaning to send for a year. You build the list from your own contacts, write something genuinely useful, hit send — and almost nothing happens. No replies, low opens, and when you check, half of it went to spam or never arrived at all. Nothing about your message was spammy. The problem was never the content.
What Inbox Providers Now Require From Every Sender
In February 2024, Gmail and Yahoo changed the rules for sending email; in May 2025 Microsoft applied the same standard to Outlook, Hotmail, and Live; and Apple's iCloud Mail now asks senders for the same baseline. Four of the biggest inbox providers have converged on one set of requirements. The change matters because it moved a long list of "good ideas" into the column of "do this or your mail gets filtered or blocked." It's the most consequential shift in email delivery in years, and most small businesses still haven't caught up to it.
The requirements split into two tiers — one that applies to absolutely everyone, and a stricter one for anyone sending in volume.
Every sender now needs the basics. Regardless of how little you send, Gmail's guidelines now expect SPF or DKIM authentication, a TLS-encrypted connection, valid forward and reverse DNS (a PTR record on the sending IP), messages formatted to the email standard (RFC 5322), and a spam complaint rate below 0.3%. These used to be the kind of thing only deliverability specialists worried about. Now they're the floor for a one-person business sending from a contact form.
Bulk senders face the full list. If you send around 5,000 or more messages a day to a single provider — Google's wording is "close to 5,000 or more" to personal inboxes — you're classified as a bulk sender, permanently, even if your volume later drops. Bulk senders must have both SPF and DKIM, a DMARC policy with domain alignment, working one-click unsubscribe, a clearly visible unsubscribe link, and that same spam rate kept under 0.3%.
Apple iCloud now expects the same — plus ARC. Apple is the fourth major inbox in the mix, and its iCloud Mail guidance asks senders for SPF, DKIM, and a published DMARC policy too. Apple also tells senders to add ARC headers to forwarded mail. ARC preserves the original authentication result when a message is forwarded — exactly the situation where plain SPF and DKIM otherwise break — so it matters most if your mail gets auto-forwarded on to other inboxes.
The enforcement has teeth. Since May 2025, Microsoft routes non-compliant bulk mail to the junk folder, and it has said the final step is outright rejection with a permanent 550 5.7.515 error — mail that's refused and never reaches the recipient at all. Gmail, in parallel, moved from quietly filtering toward actively rejecting or delaying non-compliant bulk mail through late 2025. The direction is one-way: authenticate, or don't arrive.
| Requirement | Every sender | Bulk sender (≈5,000+ a day to one provider) |
|---|---|---|
| Email authentication (SPF / DKIM) | At least one — both recommended | Both required |
| DMARC policy with alignment | Recommended | Required |
| Encrypted (TLS) connection | Required | Required |
| Reverse DNS (PTR record) | Required | Required |
| One-click unsubscribe | Not required | Required |
| Spam complaint rate under 0.3% | Required | Required |
Gmail/Yahoo requirements effective February 2024; Microsoft Outlook enforcement from May 5, 2025.
What Affects Whether Your Email Is Trusted
Three DNS records do the work of proving your mail is really yours. They're the same three I check first when a contact form's emails go missing — covered in why contact form emails go to spam — but for sending at scale, how you configure them matters as much as whether they exist.
SPF lists who's allowed to send for you. It's a TXT record naming every service permitted to send mail from your domain — your inbox provider, your form handler, your email platform. SPF has a hard limit of 10 DNS lookups; stacking too many services into one record breaks the whole record with a permanent error (PermError), which is a common problem once a small business adds a second or third sending tool.
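How the 10-lookup limit gets exceeded once several services are stacked, as an added example (not code from the original page). The TXT records and every `.test` name are constructed, and the count is the worst case in which no earlier mechanism matches.

```python
# Added example: offline SPF lookup counter for the 10-lookup limit.
# SAMPLE_TXT is constructed data standing in for live DNS; all names are hypothetical.
LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

SAMPLE_TXT = {
    "example.test": "v=spf1 include:_spf.mailhost.test include:forms.test "
                    "include:crm.test mx a -all",
    "small.test": "v=spf1 include:_spf.mailhost.test mx -all",
    "_spf.mailhost.test": "v=spf1 include:_a.mailhost.test "
                          "include:_b.mailhost.test include:_c.mailhost.test ~all",
    "_a.mailhost.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mailhost.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_c.mailhost.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "forms.test": "v=spf1 a mx include:relay.forms.test ~all",
    "relay.forms.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "crm.test": "v=spf1 exists:%{i}.spf.crm.test include:relay.forms.test ~all",
}

def count_spf_lookups(domain, txt, _path=()):
    """Count the DNS-querying terms reached for domain's SPF record,
    following include: and redirect= into the records they point at."""
    if domain in _path:                      # include loop: stop descending
        return 0
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")           # drop the qualifier
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_spf_lookups(target, txt, _path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()    # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include" and arg:
            total += count_spf_lookups(arg, txt, _path + (domain,))
    return total

def spf_lookup_status(domain, txt):
    """Return (count, verdict); verdict is 'permerror' once the limit is exceeded."""
    count = count_spf_lookups(domain, txt)
    return count, ("permerror" if count > LOOKUP_LIMIT else "ok")

if __name__ == "__main__":
    for name in ("example.test", "small.test"):
        print(name, spf_lookup_status(name, SAMPLE_TXT))
```

The nested includes are what push `example.test` over: its own record shows only five lookup terms, but the records behind them add eight more.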
DKIM cryptographically signs each message. It proves the message wasn't altered in transit and genuinely came from your domain. Use a 2048-bit key where your provider allows it (1024-bit is the documented minimum), and rotate keys periodically rather than setting them once and forgetting them.
DMARC ties it together and gives you reports. DMARC tells receiving servers what to do when a message fails SPF and DKIM, and — critically — sends you reports of everyone sending mail as your domain, including spoofers. The "alignment" part is what bulk senders trip over: the domain in your visible From address has to match the domain that passed SPF or DKIM. Mail sent through a platform that signs with its domain instead of yours can pass authentication and still fail DMARC alignment.
Why this matters: authentication isn't only about getting into the inbox. A domain with no DMARC record is one anyone can impersonate — and spoofed mail "from" your business erodes the exact reputation you're trying to build.
Moving DMARC From Monitoring to Enforcement
Publishing a DMARC record is step one; making it actually protect you is a gradual process, and rushing it is how businesses accidentally block their own invoices.
A DMARC policy has three settings. p=none monitors and reports but takes no action — this is where you start. p=quarantine sends failing mail to spam. p=reject blocks it entirely. The mistake is jumping straight to reject before you know every legitimate place your mail comes from.
Start at p=none and read the reports. Run it for at least a few weeks and use the aggregate reports to find every service sending as your domain — your email host, your form, your accounting tool, your booking system. Most businesses are surprised by how many there are. But don't mistake p=none for protection: it only monitors and reports — it blocks no spoofing at all. The whole point of starting there is to reach quarantine or reject safely, because that's the setting that actually stops someone sending mail as your domain, and the major providers increasingly expect you to get there rather than park at none.
Tighten only once your real mail passes cleanly. Aim for nearly all of your legitimate traffic authenticating correctly before you move to quarantine, then later to reject. One common way to ramp is the pct tag — quarantining a slice of failing mail, then more — so a misconfiguration shows up as a trickle rather than a flood. Done properly, the full journey from monitoring to full rejection is usually measured in months, not days. The slow path is the safe path. Reaching enforcement has an upside beyond security, too: it's the prerequisite for BIMI, the standard that can display your verified logo beside your messages in Gmail and Apple Mail — a nice payoff, not a reason to rush.
Watch forwarding and mailing lists. Forwarded mail and discussion lists routinely break SPF and DKIM alignment. Identify those sources before you enforce, or you'll quarantine mail you actually wanted delivered.
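The alignment rule from the DMARC paragraph earlier and the none, quarantine, reject ramp with the pct tag described in this section, worked through as an added example (not code from the original page). The `.example` domains are hypothetical, `roll` stands in for the receiver's random sampling, and `org_domain()` is a simplification that takes the last two labels rather than consulting the Public Suffix List.

```python
# Added example: simplified DMARC evaluation over constructed inputs.
# Assumptions: *.example domains are hypothetical; org_domain() takes the last
# two labels instead of consulting the Public Suffix List.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=...; pct=...' into tags, with defaults for omitted ones."""
    tags = {"p": "none", "pct": "100", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain):
    """Simplified organizational domain: the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' needs an exact match; relaxed 'r' needs the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_domain, dkim_domain, roll=0):
    """spf_domain: envelope-sender domain that passed SPF, or None.
    dkim_domain: d= domain of a signature that verified, or None.
    roll: 0-99, stands in for the receiver's random sampling under pct.
    Returns 'pass', 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    if (aligned(from_domain, spf_domain, tags["aspf"])
            or aligned(from_domain, dkim_domain, tags["adkim"])):
        return "pass"
    policy = tags["p"]
    if roll >= int(tags["pct"]):      # not sampled: the next-lower policy applies
        policy = DOWNGRADE[policy]
    return policy

# Platform signs with its own domain: SPF and DKIM both pass, DMARC still fails.
PLATFORM = ("yourbiz.example", "bounces.platform.example", "platform.example")
# Same platform once DKIM signs with the sender's own domain.
FIXED = ("news.yourbiz.example", "bounces.platform.example", "yourbiz.example")

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=quarantine; pct=25", "v=DMARC1; p=reject"):
        print(rec, "->", dmarc_disposition(rec, *PLATFORM, roll=10),
              "| fixed:", dmarc_disposition(rec, *FIXED, roll=10))
```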
What One-Click Unsubscribe Actually Requires
For any list or marketing mail, the unsubscribe link is no longer a courtesy — it's a technical requirement with a specific implementation. Getting it wrong is now a deliverability problem, not just a compliance one.
The standard (RFC 8058) requires two headers working together: a List-Unsubscribe header containing an HTTPS link, and a List-Unsubscribe-Post: List-Unsubscribe=One-Click header that tells the provider the unsubscribe completes in a single action with no extra clicks. Those headers must be covered by your DKIM signature. When they're set correctly, Gmail and Outlook show a native "Unsubscribe" button right next to your sender name.
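A check for the three conditions above (HTTPS link, the One-Click header, DKIM coverage of both headers), as an added example that is not part of the original page. The messages, domains, selector and placeholder signature values are constructed; the DKIM signature itself is not verified here, only its `h=` list is read.

```python
# Added example: one-click unsubscribe header check over constructed messages.
import re
from email import message_from_string, policy

REQUIRED_SIGNED = ("list-unsubscribe", "list-unsubscribe-post")

GOOD = (
    "From: News <news@news.yourbiz.example>\n"
    "To: customer@mail.example\n"
    "Subject: Spring promotion\n"
    "List-Unsubscribe: <https://news.yourbiz.example/u/TOKEN>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=news.yourbiz.example; s=sel1;\n"
    " h=from:to:subject:list-unsubscribe:list-unsubscribe-post;\n"
    " bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "\n"
    "Hello from the newsletter.\n"
)
# Headers present but left out of the signed header list.
UNSIGNED = GOOD.replace(":list-unsubscribe:list-unsubscribe-post", "")
# Only a mailto: target, which does not satisfy the HTTPS requirement.
MAILTO_ONLY = GOOD.replace("<https://news.yourbiz.example/u/TOKEN>",
                           "<mailto:unsub@news.yourbiz.example>")

def signed_headers(msg):
    """Collect the lowercase header names listed in h= of every DKIM-Signature."""
    names = set()
    for sig in msg.get_all("DKIM-Signature", []):
        compact = re.sub(r"\s+", "", str(sig))          # undo header folding
        tags = dict(t.split("=", 1) for t in compact.split(";") if "=" in t)
        names |= {h.lower() for h in tags.get("h", "").split(":") if h}
    return names

def check_one_click(raw_message):
    """Return a list of problems; an empty list means the headers look correct."""
    msg = message_from_string(raw_message, policy=policy.default)
    problems = []
    uris = re.findall(r"<([^>]+)>", str(msg.get("List-Unsubscribe", "")))
    if not any(u.lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no HTTPS URI")
    post = str(msg.get("List-Unsubscribe-Post", "")).strip().lower()
    if post != "list-unsubscribe=one-click":
        problems.append("List-Unsubscribe-Post is missing or has the wrong value")
    covered = signed_headers(msg)
    for name in REQUIRED_SIGNED:
        if name not in covered:
            problems.append(f"{name} is not covered by the DKIM signature")
    return problems

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("unsigned", UNSIGNED), ("mailto", MAILTO_ONLY)):
        print(label, check_one_click(raw))
```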
Honor the request within two days. The rules require acting on an unsubscribe within 48 hours. Someone who opts out Monday should not get another promotional message by Wednesday. In practice, suppress them immediately — there's no upside to the delay.
Make unsubscribing easy on purpose. It feels backwards, but a hard-to-find unsubscribe link costs you far more than the unsubscribe would. When people can't find the link, they hit "report spam" instead — and a spam complaint damages your domain reputation in a way a quiet unsubscribe never does. The visible unsubscribe link in the message body is required too; the header is in addition to it, not a replacement.
How to Reduce Bounces and Keep Your List Clean
Bounces are the fastest way to wreck a sending reputation, and they're the part most small businesses ignore until it's too late. A provider reads continued sending to dead addresses as proof you don't maintain your list — which is exactly the signal spammers give off.
Remove hard bounces immediately — and permanently. A hard bounce means the address is invalid, the mailbox doesn't exist, or the domain is gone. There is no second attempt that succeeds. Suppress the address the moment it hard-bounces and never send to it again. Every additional send to a known-bad address actively lowers your standing with that provider.
Let soft bounces retry, then cut them. A soft bounce is temporary — a full mailbox, a server briefly down, a message too large. Sending services retry these for around 72 hours. If an address soft-bounces several times in a row across a couple of weeks, treat it as dead and suppress it too.
Keep your overall bounce rate low. Under roughly 2% is the working target. A spike in bounces almost always means a stale list or addresses collected without confirmation — both of which are reputation problems before they're delivery problems. This is one of the strongest arguments for confirming addresses at signup, and for capturing every lead into a database from the start, so the list you send to is a clean, current record rather than an old spreadsheet of contacts you haven't emailed in three years.
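The hard-bounce, soft-bounce and bounce-rate rules above as one suppression routine, added here as an example (not code from the original page or from any sending service). The events and addresses are constructed, and the thresholds of 3 consecutive soft bounces within 14 days are assumptions standing in for "several times in a row across a couple of weeks".

```python
# Added example: suppression policy over constructed delivery events.
from datetime import date, timedelta

SOFT_LIMIT = 3                       # assumption for "several times in a row"
SOFT_WINDOW = timedelta(days=14)     # assumption for "a couple of weeks"
BOUNCE_TARGET = 0.02                 # the "under roughly 2%" working target

def apply_bounce_policy(events):
    """events: (day, address, outcome) tuples in date order, where outcome is
    'delivered', 'soft' or 'hard' as reported by the sending service.
    Returns (suppressed addresses, bounce rate over sends actually attempted)."""
    suppressed, streaks = set(), {}
    attempted = bounced = 0
    for day, addr, outcome in events:
        if addr in suppressed:
            continue                          # suppressed: this send is skipped
        attempted += 1
        if outcome == "delivered":
            streaks.pop(addr, None)           # a delivery ends the soft-bounce streak
            continue
        bounced += 1
        if outcome == "hard":
            suppressed.add(addr)              # permanent failure: suppress at once
            continue
        first, count = streaks.get(addr, (day, 0))
        if day - first > SOFT_WINDOW:         # old streak expired, start a new one
            first, count = day, 0
        streaks[addr] = (first, count + 1)
        if count + 1 >= SOFT_LIMIT:
            suppressed.add(addr)              # repeated soft bounces: treat as dead
    rate = bounced / attempted if attempted else 0.0
    return suppressed, rate

D0 = date(2026, 3, 2)                         # constructed campaign dates
SAMPLE_EVENTS = [
    (D0, "gone@a.example", "hard"),
    (D0, "full@b.example", "soft"),
    (D0, "ok@c.example", "delivered"),
    (D0 + timedelta(days=4), "gone@a.example", "delivered"),   # never attempted
    (D0 + timedelta(days=4), "full@b.example", "soft"),
    (D0 + timedelta(days=4), "ok@c.example", "soft"),
    (D0 + timedelta(days=8), "full@b.example", "soft"),        # third in a row
    (D0 + timedelta(days=8), "ok@c.example", "delivered"),     # streak cleared
]

if __name__ == "__main__":
    dead, rate = apply_bounce_policy(SAMPLE_EVENTS)
    print(sorted(dead), f"bounce rate {rate:.1%}", "over target" if rate > BOUNCE_TARGET else "ok")
```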
Never buy or scrape a list. Purchased lists are full of dead addresses and spam traps — addresses that exist only to catch senders who didn't earn their list. Hitting a few traps can get your domain blocklisted outright. The cheapest list is the most expensive mistake in email.
Why Bulk Email Should Come From a Subdomain
Here's the piece that protects everything else: don't send your marketing or mass email from your root domain. Send it from a dedicated subdomain.
Reputation is tracked largely at the domain level, and the major providers are increasingly weighting domain reputation over the IP address. That cuts both ways. It means a clean sending history helps you — and it means one bad campaign can poison the well for every email your business sends, including the quote you send a customer an hour later.
Isolate the risky stream. Marketing and bulk email generate more complaints and more unsubscribes than transactional mail by their nature. Send them from something like news.yourdomain.com or mail.yourdomain.com, and keep your transactional and personal business mail on a different sender. If a campaign goes sideways, the damage is contained to the subdomain — your root domain, the one your replies and invoices ride on, stays clean.
Cold outreach especially never touches your main domain. If you're emailing people who haven't opted in, the elevated complaint risk makes a separate subdomain (some send from a separate domain entirely) non-negotiable. This is the layer Lightly Coded builds on top of a prospecting system: the outreach reputation lives somewhere it can't hurt the brand's primary domain.
Each subdomain is its own sender. A subdomain needs its own SPF, DKIM, and DMARC records, and its own warm-up. The upside: a subdomain inherits some trust from an established parent domain, so it warms faster than a brand-new domain would.
What Makes a Sending Domain Healthy
A domain's reputation is built slowly and lost quickly. Keeping it healthy is ongoing maintenance, not a one-time setup.
Warm up gradually. A new domain or subdomain that suddenly sends thousands of messages looks exactly like a compromised account. Ramp volume over 4–8 weeks, starting with your most engaged recipients — the people most likely to open and least likely to complain. Sudden spikes are what scorch deliverability.
Send mail people actually want. Engagement is the signal underneath everything else. Opens, replies, and clicks tell providers your mail belongs in the inbox; deletions-without-reading and spam reports tell them the opposite. A small, engaged list outperforms a large, indifferent one every time.
Monitor what the providers see. Google Postmaster Tools is free and shows you your domain reputation, spam complaint rate, authentication pass rates, and the share of your mail sent over TLS. Watch the spam rate especially: 0.3% is where enforcement begins, but treat 0.1% as your real ceiling so a bad day doesn't tip you over. If you can't see your numbers, you're flying blind.
Use a real sending service. Routing mail through the PHP mail() function on cheap shared hosting puts you on an IP with a reputation built by every other site on that server. A dedicated transactional service (Resend, Postmark, SendGrid, Mailgun and the like) handles authentication, TLS, bounce suppression, and unsubscribe headers as part of the product.
Mistakes That Quietly Poison Your Sending Domain
The failures below rarely announce themselves. The mail still seems to send; the damage shows up weeks later as a slow slide into the spam folder.
Mixing marketing and transactional mail on one domain. The classic unforced error. A few bad campaigns drag down the deliverability of the order confirmations and password resets that absolutely must arrive.
Ignoring bounces because "the tool handles it." Some tools do; many cheap ones don't suppress aggressively enough. If your bounce rate is climbing, the tool isn't handling it.
Importing an old contact list and blasting it. A list you haven't emailed in two years is full of dead addresses and people who've forgotten you. Sending to it cold spikes both bounces and complaints at once — the worst possible combination for a domain's reputation.
Setting DMARC to p=reject on day one. Without first finding every legitimate sender, you'll block your own mail and won't know why.
Sending as the visitor instead of from your domain. A contact form that puts the visitor's address in the From field fails authentication outright. Send from your own domain and put the visitor's address in Reply-To — the same rule that keeps form mail out of spam in the first place.
Sources: Google email sender guidelines, Microsoft: Outlook's requirements for high-volume senders, Apple iCloud Mail postmaster guidance, RFC 8058 (one-click unsubscribe), RFC 6376 (DKIM), RFC 7208 (SPF), and Google Postmaster Tools. Bounce-handling, list-hygiene, and subdomain warm-up specifics reflect established deliverability practice rather than published provider rules. Observations through June 2026.
Where to Start
If you send any meaningful volume of email — newsletters, promotions, outreach, or even just a steady stream of quotes and invoices — start by confirming the four things that matter most: SPF, DKIM, and DMARC are set on the domain you send from; your bounces and unsubscribes are being suppressed immediately; your bulk mail is isolated on a subdomain; and you can actually see your domain's reputation in Postmaster Tools. Most small businesses are missing at least two of those.
Our free email deliverability check reads your SPF, DKIM, and DMARC records against your live domain and grades whether your mail is set up to land — and if you'd rather not untangle DNS records yourself, a human review will fix it for you. For the bigger picture on turning a working inbox into a system that never loses a lead, the lead capture page covers the full path from form to follow-up.
Frequently asked questions
- Why do my emails go to spam even when they aren't spam?
  Almost always because the receiving provider can't verify who sent the message, or because your sending domain has a poor reputation. If SPF, DKIM, and DMARC aren't set up on the domain you send from, legitimate mail looks spoofable and gets filtered. Reputation problems come from sending to bad addresses, ignoring bounces, or sending mail people didn't ask for — all of which raise complaint rates and push you toward the spam folder.
- Does a small business really need DMARC?
  Yes, and it's now close to mandatory if you send any volume. Since February 2024, Gmail and Yahoo require DMARC for anyone sending 5,000 or more messages a day, and Microsoft began enforcing the same for Outlook, Hotmail, and Live in May 2025. Even below that threshold, DMARC is the record that tells receiving servers how to handle mail that fails authentication, and it gives you reports showing who is sending mail as your domain. Start at p=none to monitor, then tighten once your real mail is passing cleanly.
- How many emails a day makes me a bulk sender?
  Around 5,000 messages or more per day to a single provider (Gmail, Yahoo, Outlook, or Apple iCloud) classifies you as a bulk sender — Google's exact wording is "close to 5,000 or more" to personal inboxes at that provider. The classification is permanent once you hit it — it doesn't reset if your volume later drops. Bulk senders must have SPF and DKIM and DMARC with alignment, one-click unsubscribe, and a spam complaint rate kept under 0.3%.
- Should I send marketing email from a subdomain?
  Yes. Send bulk and marketing email from a dedicated subdomain (for example news.yourdomain.com) and keep your transactional and personal business mail on a different sender. Reputation is tracked largely at the domain level, so isolating the riskier, higher-complaint marketing stream on a subdomain means a bad campaign damages the subdomain's reputation, not the domain your quotes, invoices, and replies depend on. Each subdomain needs its own SPF, DKIM, and DMARC records and its own warm-up period.
- What should I do when an email bounces?
  Remove hard bounces immediately and never send to them again — a hard bounce means the address is invalid or permanently undeliverable, and continuing to mail it tells the provider you don't maintain your list, which hurts your reputation. Soft bounces (a full mailbox, a server temporarily down) are retried automatically for a few days; suppress an address after it soft-bounces several times in a row. A reputable sending service keeps a suppression list and does most of this for you, but you still need to keep your overall bounce rate low — under roughly 2%.
