E-postinfrastruktur som faktisk leverer
Your email infrastructure is the most underinvested piece of your marketing stack. Companies spend $200,000/year on content, $50,000 on paid ads, and $0 on making sure their emails actually reach the inbox. Then they wonder why their email campaigns show a 12% open rate when industry benchmarks suggest 25%.
Deliverability isn't luck. It's architecture. And the gap between emails that land in the inbox and emails that land in spam comes down to decisions you can control.
Why Emails Land in Spam
Email providers — Gmail, Outlook, Yahoo — use a multi-layered scoring system to decide whether your email reaches the inbox or gets filtered. The factors, in order of importance:
Authentication (pass/fail). Does the sending server have permission to send on behalf of your domain? This is binary — you either pass or you don't.
Domain reputation (0-100 scale). How have recipients interacted with previous emails from your domain? High complaint rates, low engagement, and spam trap hits all lower your score.
IP reputation (0-100 scale). The sending IP address has its own reputation, separate from your domain. Shared IPs inherit the behavior of every other sender on that IP.
Content signals. Spam trigger words, HTML-to-text ratio, link density, and image-to-text ratio. These matter less than authentication and reputation but can tip borderline emails into spam.
Engagement history. Does this specific recipient open and click your emails? Gmail in particular uses individual engagement to filter. If a recipient never opens your emails, future emails are more likely to go to spam — even if your domain reputation is excellent.
Most deliverability problems trace back to authentication failures or reputation damage. Content optimization matters, but it's a rounding error compared to getting the infrastructure right.
Authentication: SPF, DKIM, DMARC
These three protocols are the foundation. Without all three properly configured, you're fighting with one hand tied behind your back.
SPF (Sender Policy Framework)
SPF tells receiving servers which IP addresses are authorized to send email for your domain. It's a DNS TXT record that lists your legitimate sending sources.
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org -all
Common mistakes:
- Too many DNS lookups. SPF allows a maximum of 10 DNS lookups. Each
include:counts as one. Companies that use multiple email services (Google Workspace + SendGrid + Mailchimp + HubSpot) can exceed this limit, causing SPF to fail silently. - Using
~allinstead of-all. The tilde (~) is a soft fail — it tells receivers that unauthorized senders should be treated with suspicion but not rejected. The dash (-) is a hard fail — reject unauthorized senders. Use-all. - Forgetting to include all senders. If your support team sends from Zendesk and it's not in your SPF record, those emails fail authentication.
DKIM (DomainKeys Identified Mail)
DKIM cryptographically signs your emails so receiving servers can verify they weren't modified in transit. It requires a public key in your DNS and a private key on your sending server.
Every email service provides DKIM setup instructions. The common failure: generating the DKIM record but not publishing it in DNS, or publishing it with the wrong selector name.
Validate with: dig TXT selector._domainkey.yourdomain.com — if it returns your public key, DKIM is live.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also provides reporting so you can see who's sending email as your domain.
Start with a monitoring policy:
v=DMARC1; p=none; rua=mailto:[email protected]; pct=100
After 2-4 weeks of monitoring (review the reports to ensure legitimate senders pass), move to quarantine:
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
Then to reject:
v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100
The progression matters. Going straight to p=reject will block legitimate emails from services you forgot to authenticate. At Empirium, we configure full DMARC rollouts as part of our email infrastructure setup — the monitoring phase catches misconfigurations before they cause delivery failures.
IP and Domain Reputation
Authentication gets you past the first gate. Reputation determines whether you reach the inbox or the promotions tab.
Domain Reputation
Google Postmaster Tools provides your domain reputation on a four-tier scale: Bad, Low, Medium, High. Anything below "High" means a percentage of your emails are going to spam.
Behaviors that damage domain reputation:
- High complaint rates. More than 0.1% of recipients marking your email as spam is a red flag. Above 0.3% is critical.
- Spam trap hits. Sending to email addresses that exist solely to catch spammers. This happens when you buy email lists or don't clean your list regularly.
- Low engagement. If most recipients ignore your emails, providers interpret that as a signal that your content isn't wanted.
IP Warming
New IP addresses have no reputation — providers treat them with suspicion. IP warming is the process of gradually increasing sending volume so providers can establish a positive reputation.
| Week | Daily Volume | Focus |
|---|---|---|
| 1 | 50-100 | Send only to your most engaged contacts |
| 2 | 200-500 | Expand to contacts who opened in the last 30 days |
| 3 | 1,000-2,000 | Include contacts who opened in the last 90 days |
| 4 | 5,000-10,000 | Include all active subscribers |
| 5+ | Full volume | Monitor bounce rates and complaints |
Rushing this process is the most common mistake. Companies switch ESPs, get a new IP, and immediately blast their full list. The result: deliverability tanks for months.
Dedicated vs Shared IPs
| Factor | Shared IP | Dedicated IP |
|---|---|---|
| Cost | Included in ESP plan | $20-$50/month additional |
| Reputation control | Shared with other senders | Fully controlled by you |
| Warming required | No (already warmed) | Yes (4-8 weeks) |
| Best for | Low volume (<10K/month) | High volume (>50K/month) |
| Risk | Neighbor's bad behavior affects you | Your reputation depends solely on you |
For most B2B companies sending under 50,000 emails/month, a shared IP on a reputable ESP (SendGrid, Postmark, Mailgun) is sufficient. Dedicated IPs make sense when your volume justifies the warming investment and you want full control.
Transactional vs Marketing Email Architecture
This is the architectural decision that most companies get wrong, and it's the most impactful.
Transactional emails — password resets, order confirmations, invoice receipts — have near-100% open rates and zero complaint rates. They build reputation.
Marketing emails — newsletters, promotions, nurture sequences — have lower open rates and some complaint rate. They consume reputation.
Sending both from the same IP and domain means your marketing behavior drags down your transactional deliverability. When a marketing blast generates complaints, your password reset emails start landing in spam too.
The fix: separate infrastructure.
| Component | Transactional | Marketing |
|---|---|---|
| Subdomain | mail.yourdomain.com |
news.yourdomain.com |
| ESP | Postmark or AWS SES | SendGrid or Mailchimp |
| IP | Dedicated (if volume justifies) | Shared or dedicated |
| SPF/DKIM | Separate records per subdomain | Separate records per subdomain |
| DMARC | Aligned with main domain | Aligned with main domain |
This separation means marketing campaigns that generate complaints won't affect your critical transactional delivery. Each subdomain builds its own reputation independently.
Monitoring Deliverability
You can't fix what you don't measure. The monitoring stack:
Google Postmaster Tools. Free. Shows domain reputation, spam rate, authentication success rate, and delivery errors for Gmail recipients. Non-negotiable.
ESP dashboards. Your sending platform's built-in analytics show bounce rates, complaint rates, and delivery rates across all providers.
Seed testing. Tools like GlockApps or Mail-Tester send test emails to accounts at major providers and report whether they land in inbox, promotions, or spam. Run these before every major campaign.
DMARC reporting. Aggregate reports from your DMARC record show you every IP address that sends email as your domain. Review monthly to catch unauthorized senders.
The benchmark targets:
| Metric | Target | Red Flag |
|---|---|---|
| Bounce rate | < 2% | > 5% |
| Complaint rate | < 0.1% | > 0.3% |
| Inbox placement | > 90% | < 70% |
| SPF pass rate | > 99% | < 95% |
| DKIM pass rate | > 99% | < 95% |
FAQ
Should we use a dedicated IP or shared IP? If you send fewer than 50,000 emails/month, shared is fine on a reputable ESP. Above 50,000, dedicated gives you control. Between 10,000 and 50,000 is a gray area — shared is lower maintenance, dedicated is lower risk.
How do we recover from a damaged domain reputation? Stop all marketing sends. Clean your list aggressively — remove anyone who hasn't engaged in 6 months. Resume sending to your most engaged segment only. Gradually expand over 4-6 weeks. Recovery typically takes 30-60 days.
Which ESP should we choose? Postmark for transactional — highest deliverability, strictest policies. SendGrid for marketing — flexible, well-documented API, good analytics. AWS SES for high-volume, cost-sensitive sending — cheapest per-email but requires more self-management.
How often should we clean our email list? Every 90 days. Remove hard bounces immediately. Remove soft bounces after 3 consecutive failures. Remove unengaged contacts (no opens in 180 days) or move them to a re-engagement campaign.
Email infrastructure isn't glamorous, but it's the difference between a marketing machine that prints pipeline and one that shouts into the void. Get authentication right, separate your sending infrastructure, and monitor your reputation — the rest is optimization. Contact Empirium if you need help building email infrastructure that actually delivers.