'Do Not' Rules of Email Deliverability
Some people love being told what to do.
Others ... well, they prefer to be told what not to do. If that's you, then this guide is for you!
After years of running an ESP (Email Service Provider) and watching customers navigate the wild west of email deliverability, I've learned one thing: most delivery problems come down to completely avoidable mistakes.
Being woken up at 4:30 AM to handle listbombing attacks, spending weekends cleaning up after holiday email campaigns gone wrong, and helping customers escape the spam folder has taught me what really matters for getting emails delivered. This isn't your typical "email best practices" guide - it's a collection of real gotchas that I see trip people up every single day.
Whether you're sending transactional emails for your SaaS or running full-scale marketing campaigns, these are the mistakes that'll have you speedrunning your way to delivery problems. I've put together this guide based on actual incidents, real customer pain points, and those "fun" late-night emergencies that make running an email service so exciting.
We'll cover everything from basic security that most people skip (and then regret!) to advanced deliverability techniques that keep you out of trouble. Every tip comes from a real "oh no" moment that I've helped customers through. Let's dive in and make sure your emails actually reach their destination!
Infrastructure & Authentication
Don't send any volume of email without proper SPF, DKIM, and DMARC records.
Proper email authentication is no longer optional. Starting February 2024, Google requires senders of more than 5,000 emails per day to have these records. Even for smaller senders, missing authentication records significantly impact deliverability and can get your domain blacklisted.
Had a customer getting weirdly low opens one day. Our monitoring pinged me, so I jumped in to investigate. Turns out they'd accidentally nuked their DKIM keys. We immediately paused their campaign, got them to add the records back, and boom - opens jumped from 3% to +20% (would've been even higher but they had some chunky images in there). Goes to show how one missing authentication piece can totally tank your deliverability.
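As an added example (not code from this post or from Bento), here is a small Python audit of the three records the rule above calls for. The record strings are constructed samples for a hypothetical domain; in practice you would fetch them from DNS (the domain's TXT record, the DKIM selector's TXT record and the _dmarc TXT record) and pass them in, so a nuked DKIM key or a missing record shows up before a campaign goes out.

```python
from typing import Optional

# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE_SPF = "v=spf1 include:_spf.esp.example ip4:203.0.113.0/24 -all"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=PUBLIC_KEY_BASE64_PLACEHOLDER"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.example"


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' record (DKIM, DMARC) into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_records(spf: Optional[str], dkim: Optional[str], dmarc: Optional[str]) -> list:
    """Return a list of findings; an empty list means the records look sane."""
    findings = []
    if not spf:
        findings.append("SPF: no record published")
    else:
        terms = spf.split()
        if terms[0].lower() != "v=spf1":
            findings.append("SPF: record must start with v=spf1")
        if terms[-1].lower() in ("+all", "all"):
            findings.append("SPF: '+all' authorises every host; end with -all or ~all")
        elif terms[-1].lower() not in ("-all", "~all", "?all"):
            findings.append("SPF: record should end with an 'all' mechanism")
    if not dkim:
        findings.append("DKIM: no selector record published")
    elif not parse_tags(dkim).get("p"):
        findings.append("DKIM: public key tag (p=) is empty, which means the key was revoked")
    if not dmarc:
        findings.append("DMARC: no record published at _dmarc")
    else:
        tags = parse_tags(dmarc)
        if tags.get("v") != "DMARC1":
            findings.append("DMARC: record must start with v=DMARC1")
        if tags.get("p") not in ("none", "quarantine", "reject"):
            findings.append("DMARC: p= must be none, quarantine or reject")
        elif tags["p"] == "none":
            findings.append("DMARC: p=none only monitors; move to quarantine or reject")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings
```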
Do not sign up and start sending from a brand new domain.
People will sometimes try to create a new sending domain to avoid reputation blocks or previous issues. This is always a bad idea. Fix the reputation on your primary domain first.
All new domains start with negative reputation and take a long time to warm up.
Don't use trendy TLDs (like .xyz, .ai) for sending domains.
Many spam operations use these domains because they're cheap and readily available (especially for phishing campaigns). As a result, spam filtering systems often flag these TLDs more aggressively. Stick to established TLDs for your sending domain to maintain deliverability. Focus on building reputation on your main domain.
Never assume all email sending infrastructure is equal, especially with shared IPs.
Your email delivery success depends heavily on your sending infrastructure. When using shared IPs (IP pools), you're affected by the behavior of other senders on those IPs. Even top-tier providers can have "bad" IP pools. This is why it's crucial to monitor your delivery metrics closely and work with providers who actively manage their IP reputation and segregate good vs. problematic senders. Good providers, like Bento, will happily work with you to make sure you are sending amongst other good senders. If we do not deem you a good sender, you may be placed into a pool with other bad senders.
If you're interested, here's a video we did on IP pools: https://www.youtube.com/watch?v=t6qIi8AYt7I&ab_channel=Bento
Don't send transactional and marketing emails from the same from address, or IPs (if you can).
Mixing your transactional emails (like password resets, order confirmations) with marketing emails on the same sending path, such as sharing the same FROM address, can harm the delivery of your critical transactional messages, as inbox providers start classifying all of your email as marketing. Consider using a different FROM address, IP address, and even subdomain for your transactional emails.
Never assume domain and IP warming status transfers between email service providers.
A common misconception is that if you've warmed up your domain and IP with one email service provider (ESP), you can immediately send high volumes when switching to a new ESP. This is false. Domain reputation is partially tied to the sending infrastructure. Once you switch platforms, start off sending slowly over a few days or weeks to warm up, and observe your bounce and complaint rates closely.
Always make sure all links and images in your emails are proxied through your main domain.
Link branding, also known as link proxying, is the process of rewriting all links and image URLs in your emails to point to your own domain before redirecting to the final destination. This is crucial for maintaining a consistent sender identity and improving deliverability. Inbox providers trust links from your main domain more than third-party domains. Most email service providers offer automatic link branding, so make sure to enable it.
Security & Form Protection
Never leave signup forms unprotected from list bombing attacks.
Unsecured forms allow attackers to automatically submit large numbers of email addresses, either for spam purposes or to damage your sender reputation. Implement rate limiting (e.g., 3 attempts per hour), CAPTCHA, and honeypot fields to prevent automated submissions. You CAN lock down your forms without impacting customer experience or opt-in rates.
4:30 Saturday morning getting paged for a listbombing attack on one of my favourite customers. Almost all email deliverability problems I see in the wild are due to an insecure form where someone can put as many emails as they want into a form and it'll spam the target's inbox. Easiest fix is to rate limit with Cloudflare or something similar. Trust me, you don't want to be dealing with this at 4:30AM!
Don't leave any email-generating actions without rate limits.
Every endpoint that can trigger an email (sign-ups, password resets, team invites, form submissions) must be rate limited. Without limits, attackers can abuse these endpoints to send spam or conduct denial of service attacks. Implement rate limits (typically 3 attempts per hour) on all email-triggering actions to prevent abuse while allowing legitimate use.
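Here is an added example (not code from this post or from Bento) of the two form protections above in Python: a sliding-window limiter at 3 attempts per hour, keyed both by source IP and by target address so a single inbox cannot be list-bombed from many IPs, plus a honeypot field. The field name `website`, the form shape and the client IPs are assumptions.

```python
import time
from collections import defaultdict, deque

HONEYPOT_FIELD = "website"  # hypothetical hidden input: humans leave it empty, bots fill it in


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit=3, window=3600, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)  # key -> timestamps still inside the window

    def allow(self, key):
        now = self.clock()
        stamps = self.events[key]
        while stamps and now - stamps[0] >= self.window:  # expire old timestamps
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False
        stamps.append(now)
        return True


def handle_signup(form, client_ip, limiter):
    """Gate a signup POST. Returns 'accepted', 'rejected-honeypot' or 'rejected-ratelimit'."""
    if form.get(HONEYPOT_FIELD):
        return "rejected-honeypot"  # a bot filled the hidden field; drop it silently
    email = form.get("email", "").strip().lower()
    # Limit per source IP and per target address, so one inbox cannot be
    # list-bombed from many IPs and one IP cannot flood many inboxes.
    if not limiter.allow("ip:" + client_ip) or not limiter.allow("email:" + email):
        return "rejected-ratelimit"
    return "accepted"  # only now enqueue the confirmation (COI) email
```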
Never trust user input in email templates without proper sanitization.
Attackers can inject malicious HTML into email templates through user input fields (like names or custom fields). This creates both security and deliverability risks, as malicious content sent from your domain damages your sending reputation. Implement proper input sanitization and consider removing personalization from critical templates such as password resets or sign-up emails.
Got hit by an attack on Monday morning where someone was abusing our invite emails to send emails with their name as some Chinese spam text. Ended up just removing all personalization in those emails and added a rate limiter to the amount of invites you can send. Your app is probably vulnerable to HTML injection in your email templates. Best fix: remove all personalization inside your transactional templates (invite emails are the #1 attack vector). Lazy fix: raise an error if someone has "<" in their name.
Remove personalization from system emails like password resets, magic links, and invites. Yes, whilst there are people who say it's great to personalise emails, a lot of the abuse we see is people gaming sign-up systems to send free phishing emails to victims. If you remove personalization, you can prevent your site from becoming a target.
Including personalization in these automated emails creates a security vulnerability. Spammers can abuse these templates to send phishing emails by injecting malicious content into name fields. When these emails are sent from your trusted domain, they appear legitimate to recipients. Keep transactional emails simple and standardized.
Task for the (rightfully) paranoid: make sure to remove all personalization out of your account emails - password resets, magic links, invites, etc - to prevent spammers abusing them to send out unlimited phishing links. Summary of attack: hacker writes script that spams sign up with malicious content in name field, then triggers password resets to spam everyone. Not fun!
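An added example (not code from this post or from Bento) showing the invite-email problem above in Python: the raw-interpolation template, the escaped version, the "reject names containing <" check from the post, and the no-personalization template. The template text and the `EVIL_NAME` payload are constructed for the demo.

```python
import html
import re

# Constructed invite template; `inviter_name` comes straight from the sign-up form,
# which is exactly the field attackers stuff with spam text and links.
INVITE_TEMPLATE = (
    "<p>{inviter_name} has invited you to join {team}.</p>"
    '<p><a href="{link}">Accept the invite</a></p>'
)


def render_vulnerable(inviter_name, team, link):
    """Raw interpolation: whatever the user typed becomes markup in the email."""
    return INVITE_TEMPLATE.format(inviter_name=inviter_name, team=team, link=link)


def render_escaped(inviter_name, team, link):
    """Proper fix: escape every user-controlled value so it renders as text, not tags."""
    return INVITE_TEMPLATE.format(
        inviter_name=html.escape(inviter_name),
        team=html.escape(team),
        link=html.escape(link, quote=True),
    )


def validate_name(name):
    """The post's 'lazy fix', slightly widened: refuse names carrying markup or URLs."""
    if len(name) > 64 or re.search(r"[<>]|https?://", name, re.IGNORECASE):
        raise ValueError("name contains characters that are not allowed")
    return name


def render_without_personalization(link):
    """Strongest fix for system emails: no user-supplied text at all."""
    return (
        "<p>You have been invited to join a team.</p>"
        f'<p><a href="{html.escape(link, quote=True)}">Accept the invite</a></p>'
    )


# Constructed payload of the kind described above: a "name" that is really markup.
EVIL_NAME = 'Bob <a href="https://example.invalid/bad">click here</a>'
```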
Don't skip blocking temporary email addresses.
Spammers often use temporary email addresses to test your site for vulnerabilities. Block them so they give up and move to the next target.
List Management & Hygiene
Never purchase email lists from third parties.
Purchased lists often contain outdated, invalid, or spam trap addresses. Sending to these lists can severely damage your sender reputation and lead to blocklisting. Focus on organically growing your list through legitimate opt-ins and engagement.
Regularly remove inactive, invalid, and bounced addresses from your list.
Continuing to send to unengaged or invalid addresses hurts your deliverability. Implement a sunset policy to remove subscribers who haven't opened or clicked in a set period (e.g., 6-12 months). Also, promptly remove hard bounces and complaints to maintain list hygiene.
Always use confirmed opt-in (COI) to ensure subscribers truly want your emails.
COI requires new subscribers to confirm their email address, usually by clicking a unique link. This prevents fake sign-ups, ensures consent, and keeps your list clean. While it may slightly reduce total sign-ups, COI dramatically improves engagement and deliverability in the long run.
Segment your email list based on subscriber preferences, behavior, and demographics.
Segmentation allows you to send targeted, relevant content to each group. This improves engagement, reduces complaints, and boosts deliverability. Examples include segmenting by interests, purchase history, or engagement level.
Comply with privacy laws like GDPR, CCPA, and CAN-SPAM.
These regulations govern consent, data handling, and unsubscribe requirements. Violations can result in hefty fines and reputational damage. Ensure your sign-up forms, privacy policy, and email practices align with applicable laws.
Never ignore unsubscribe requests or resubscribe users without explicit consent.
Promptly honor all unsubscribe requests, ideally with one-click functionality. Continuing to email unsubscribed users violates anti-spam laws and severely harms your sender reputation. Similarly, never re-add unsubscribed users without a new, confirmed opt-in.
Sending Practices
Don't suddenly increase your sending volume, especially during holidays.
Rapid increases in sending volume trigger spam filters and can damage your sender reputation. This is especially true during high-volume periods like Black Friday when spam filtering is more aggressive. Gradually increase volume and maintain consistent sending patterns.
Don't send large broadcasts all at once.
Sending large volumes simultaneously can trigger rate limits and spam filters. Instead, implement batch sending to spread deliveries over time. This also helps identify potential issues before affecting your entire list.
Never launch new email campaigns or attempt risky sends during high-volume periods.
Holiday periods (especially Black Friday/Cyber Monday) see dramatically increased email volume and stricter spam filtering. Many businesses damage their sender reputation by suddenly increasing volume or trying new marketing tactics during these periods. We see issues particularly with customers who email users who have not been contacted in a long time. ISPs see this as unsolicited email and will block your domain.
Don't load links, images or content from multiple domains in your emails.
Every third-party domain carries risk. Make sure that all links, images and content in your emails are proxied through your own domain AND that you trust them. We've seen days where including just a single YouTube link has impacted inbox placement.
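As an added example (not code from this post or from Bento's link branding), here is the link-proxying idea from the Infrastructure section and the rule above in Python: every external href/src is rewritten through a redirect endpoint on your own domain, and a pre-send check lists any third-party hosts still present. `PROXY_BASE`, `OWN_HOSTS` and `SAMPLE_HTML` are assumptions constructed for the demo.

```python
import re
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical redirect endpoint on your own domain (what an ESP's link branding provides).
PROXY_BASE = "https://links.yourdomain.example/r"
OWN_HOSTS = {"yourdomain.example", "links.yourdomain.example"}

# Matches href="..." / src="..." with absolute http(s) URLs. A regex is enough for
# templates you control; for arbitrary HTML use a real parser.
ATTR_RE = re.compile(r'(href|src)="(https?://[^"]+)"', re.IGNORECASE)

# Constructed sample body that pulls from two third-party domains plus your own.
SAMPLE_HTML = (
    '<img src="https://cdn.example.net/hero.png">'
    '<a href="https://www.youtube.com/watch?v=abc">Watch</a> '
    '<a href="https://yourdomain.example/blog">Read</a>'
)


def proxy_url(url):
    """Send one absolute URL through the redirect endpoint unless it is already ours."""
    host = urlparse(url).hostname or ""
    if host in OWN_HOSTS:
        return url
    return f"{PROXY_BASE}?u={quote(url, safe='')}"


def brand_links(html_body):
    """Rewrite every href/src so the only domain visible in the email is your own."""
    return ATTR_RE.sub(lambda m: f'{m.group(1)}="{proxy_url(m.group(2))}"', html_body)


def external_hosts(html_body):
    """Pre-send check: third-party hosts still referenced (empty after branding)."""
    hosts = {urlparse(m.group(2)).hostname for m in ATTR_RE.finditer(html_body)}
    return sorted(h for h in hosts if h and h not in OWN_HOSTS)


def unproxy(proxied_url):
    """What the redirect endpoint does: recover the original target from the u= parameter."""
    return parse_qs(urlparse(proxied_url).query)["u"][0]
```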
Don't make it difficult to unsubscribe.
Clear, one-click unsubscribe options are now essential. Many email clients automatically process unsubscribe requests, and making this process difficult can result in more spam complaints. We recommend putting it in the header of your email, not just in the footer. If someone doesn't want your email, make it easy for them to get off the list.
Monitoring & Compliance
Never ignore domain blacklist notifications.
Being listed on a domain blacklist can severely impact your deliverability across all inbox providers. Monitor your domain status regularly and address any listings immediately. Bento automatically monitors these for you and shows them in the dashboard.
Don't dismiss or ignore spam complaints.
Spam complaints are critical signals for email deliverability. Even a small percentage of complaints can significantly impact your ability to reach inboxes. Emailing users who have previously complained can cause substantial damage to your sender reputation, leading to complete blocking of your domain by large providers.
Never disregard your email engagement metrics when troubleshooting deliverability.
Modern inbox providers heavily weight user engagement in their delivery decisions. Low open rates, poor click-through rates, and high ignore rates can all lead to decreased inbox placement.
Never skip content review for regulatory compliance. Every email needs required elements like physical address and unsubscribe links.
Bento implemented automated checks for compliance elements before allowing sends, so you don't forget and end up in spam.
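An added example (not Bento's own checks or code from this post) that serves both the unsubscribe rule in Sending Practices and the compliance rule above: it builds a broadcast with RFC 8058 one-click unsubscribe headers, then runs a pre-send gate that refuses to send unless the headers, an unsubscribe link and a physical mailing address are all present. The addresses, URL and bodies are constructed placeholders.

```python
import re
from email.message import EmailMessage

# Hypothetical values for your own domain; the postal address is constructed.
UNSUB_URL = "https://yourdomain.example/unsubscribe?token=TOKEN_PLACEHOLDER"
UNSUB_MAILTO = "mailto:unsubscribe@yourdomain.example?subject=unsubscribe"
POSTAL_ADDRESS = "Example Co, 1 Example Street, Springfield"

# Constructed bodies: one that passes the gate and one that forgets both required elements.
GOOD_HTML = (
    "<p>Here is this week's update.</p>"
    f'<p><a href="{UNSUB_URL}">Unsubscribe</a> | {POSTAL_ADDRESS}</p>'
)
BAD_HTML = "<p>Here is this week's update.</p>"


def build_message(to_addr, subject, html_body):
    """Build a broadcast with one-click unsubscribe headers, not just a footer link."""
    msg = EmailMessage()
    msg["From"] = "news@yourdomain.example"
    msg["To"] = to_addr
    msg["Subject"] = subject
    # Both headers are required for RFC 8058 one-click unsubscribe.
    msg["List-Unsubscribe"] = f"<{UNSUB_URL}>, <{UNSUB_MAILTO}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(re.sub(r"<[^>]+>", "", html_body))  # crude plain-text alternative
    msg.add_alternative(html_body, subtype="html")
    return msg


def compliance_findings(msg):
    """Pre-send gate: return the missing compliance elements; an empty list means OK to send."""
    findings = []
    html_part = msg.get_body(preferencelist=("html",))
    body = html_part.get_content() if html_part is not None else ""
    if "List-Unsubscribe" not in msg:
        findings.append("missing List-Unsubscribe header")
    if msg.get("List-Unsubscribe-Post") != "List-Unsubscribe=One-Click":
        findings.append("missing List-Unsubscribe-Post: List-Unsubscribe=One-Click header")
    if not re.search(r'href="[^"]*unsubscribe[^"]*"', body, re.IGNORECASE):
        findings.append("no unsubscribe link in the body")
    if POSTAL_ADDRESS not in body:
        findings.append("physical mailing address missing from the body")
    return findings
```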
Don't use Gmail, Yahoo, or other free email provider domains for business email sending.
Free email domains lack the authentication and reputation metrics needed for reliable business email delivery. They're commonly used by spammers and scammers.