Why Great Emails Still Miss the Inbox: A Closer Look at Authentication (and What the Big Four Want From You)

Jeanne Jennings

Let’s start with a hard truth: You can have a squeaky-clean list, permission-based sending practices, and gorgeous, on-brand creative — and still end up in the spam folder.

Why?

Because deliverability isn’t just about compliance anymore. It’s about trust. Specifically, the trust signals mailbox providers are looking for behind the scenes.

And those signals? They’re mostly technical. (Sigh.)

One of the biggest is authentication. The behind-the-curtain DNS records that prove you are who you say you are and that your emails aren’t spoofed, phished, or faked.

Below is a table on the four major email authentication protocols (SPF, DKIM, DMARC, and BIMI) and how the four big inbox providers (Apple, Google, Microsoft, and Yahoo) treat them. If you’re sending marketing email in 2025, it’s worth knowing where each of these companies stands, because if you’re not playing by their rules, you’re probably not getting in their inboxes.

Let’s break it down.

The Table: What the Big Four Require for Authentication

Overview of Apple, Google, Microsoft, and Yahoo authentication requirements.

SPF, DKIM, and DMARC: The Non-Negotiables

These three are the authentication minimum viable product (MVP). If any of them are missing or misconfigured, your email might not even make it to the inbox for a filter to scan the content. Here’s what each one does and why all the majors require them.

SPF (Sender Policy Framework)

Think of SPF as your email bouncer. It’s a TXT record in your domain’s DNS that says, “These are the IP addresses allowed to send email on my behalf.”

If an email comes in from your domain but it’s not from one of those IPs, it’s suspect. A properly configured SPF record includes all your sending platforms (ESP, CRM, even customer support systems) to make sure nothing gets left out.

Want to learn more? Here’s an article from Cloudflare

DKIM (DomainKeys Identified Mail)

DKIM is like a tamper-evident seal. It uses cryptographic signatures to prove that the message wasn’t altered in transit and that it really came from the sending domain.

You publish your public key in DNS, and your ESP signs outbound messages with a private key. The receiving server checks the match. If it doesn’t pass? That’s a trust signal lost.

Here’s information from Google on how to set up DKIM

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC is the policy layer. It tells mailbox providers what to do if SPF or DKIM fails. You set it to one of three levels:

  • p=none: Monitor only (no enforcement).
  • p=quarantine: Send suspicious mail to spam.
  • p=reject: Block the message entirely.

As of August 2025, Google and Yahoo both require a ‘p=none’ DMARC policy; if you want to implement BIMI, a ‘p=quarantine’ or ‘p=reject’ policy is required.

Here’s more information on DMARC.

BIMI: Branding Meets Deliverability

I celebrated when I first learned about BIMI (Brand Indicators for Message Identification); I loved the fact that the backend authentication was paired with inbox visual trust. BIMI displays your brand’s logo next to your email in supported inboxes.

This is all good, but BIMI is the most complex authentication technology to set up:

  • You must have a valid BIMI DNS record.
  • Your logo must be in SVG Tiny PS format, hosted at a publicly accessible HTTPS URL.
  • Your domain must have DMARC enforcement (p=quarantine or p=reject).
  • Google and Yahoo require a Verified Mark Certificate (VMC), verified proof that you own your logo trademark. (And yes, these cost money.)

Apple supports BIMI in iOS/macOS Mail apps without a VMC but doesn’t guarantee consistent display.

Microsoft, as of now, doesn’t support BIMI at all.

This is a good resource for BIMI information
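
The record-level requirements from the SPF, DMARC, and BIMI sections above can be checked mechanically. The following is an added example, not code from the original article: the `parse_tags` and `audit` names and the sample records are constructed for illustration, and it works on TXT record strings you have already looked up (the domain itself, `_dmarc.<domain>`, and `default._bimi.<domain>`) rather than querying DNS.

```python
# Constructed sample TXT records (example.com is a placeholder domain).
SPF = "v=spf1 include:_spf.esp.example ip4:192.0.2.10 -all"
DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
BIMI = "v=BIMI1; l=https://example.com/logo.svg; a="

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax used by DMARC and BIMI records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(spf, dmarc, bimi=None):
    """Return a list of findings for one domain's published TXT records."""
    findings = []
    terms = spf.lower().split()
    if not terms or terms[0] != "v=spf1":
        findings.append("spf: no v=spf1 record")
    elif any(t in ("all", "+all") for t in terms):
        findings.append("spf: 'all' passes every IP, so the record restricts nothing")
    elif not [t for t in terms[1:] if t.lstrip("+-~?") != "all"]:
        findings.append("spf: no sending platforms listed")

    d = parse_tags(dmarc)
    policy = d.get("p", "").lower()
    if d.get("v", "").upper() != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: missing or invalid policy record")
    elif policy == "none":
        findings.append("dmarc: p=none is monitor only (no enforcement)")

    if bimi is not None:
        b = parse_tags(bimi)
        logo = b.get("l", "").lower()
        if b.get("v", "").upper() != "BIMI1":
            findings.append("bimi: no v=BIMI1 record")
        if policy not in ("quarantine", "reject"):
            findings.append("bimi: needs DMARC p=quarantine or p=reject")
        # Only the URL shape can be checked offline; SVG Tiny PS
        # conformance needs the logo file itself.
        if not (logo.startswith("https://") and logo.endswith(".svg")):
            findings.append("bimi: l= must be an HTTPS URL to an SVG logo")
        if not b.get("a"):
            findings.append("bimi: no a= certificate (VMC), which Google and Yahoo require")
    return findings
```

Calling `audit(SPF, DMARC, BIMI)` on the sample records returns one DMARC finding and two BIMI findings, because the domain publishes `p=none` and an empty `a=` tag.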

So Why Are Emails Still Missing the Inbox?

Even when you’ve got these technical basics in place, you might still struggle with inbox placement. Why? Because authentication is only part of the puzzle.

Here are a few other trust signals mailbox providers are watching:

  • Engagement: Are people opening, clicking, replying? Or ignoring. Or worse, marking you as spam? High engagement tells providers your messages are wanted.
  • Complaint rate: If your unsubscribe is hard to find (or worse, if people didn’t opt in in the first place), expect trouble. One spam complaint per 1,000 messages sent (a 0.1% spam complaint rate) is enough to trigger deliverability issues. Above 0.3%? You’re almost guaranteed not to reach the inbox.
  • Bounce rate: Too many undeliverable addresses (hard or soft bounces) signal list quality problems. Be sure to remove hard bounces right away and soft bounces after three consecutive sends.
  • Infrastructure: Are you sending via a dedicated or shared IP? Is your ESP reputable?

Authentication doesn’t guarantee inbox placement. But it does keep you from being disqualified at the starting line.

The Bottom Line

Deliverability in 2025 is about more than just not breaking the rules. It’s about actively proving you’re a legitimate, trustworthy sender.

That means:

  • Get SPF, DKIM, and DMARC configured correctly.
  • Move to enforced DMARC (quarantine or reject) as soon as you can.
  • Set up BIMI if your brand and budget allow—and get a VMC if you’re targeting Gmail or Yahoo inboxes.
  • Watch your engagement and complaint rates like a hawk.

Because inbox placement isn’t just about avoiding mistakes anymore. It’s about building trust.

Until next time,

jj

Jeanne Jennings is the Founder and Chief Strategist at Email Optimization Shop, a boutique consultancy and training organization where she helps clients craft more effective and more profitable email programs.

Learn more at www.EmailOpShop.com 


Photo by Hannes Johnson on Unsplash
