
Inbox placement: the technical reasons cold emails go to spam

May 7, 2026 · Gaidme Engineering

Spam filtering is a multi-layer pipeline of authentication, reputation, policy, content, and engagement signals. Auth and reputation matter more than copy.

Cold emails do not go to spam because of subject lines. Spam filtering is a layered pipeline of authentication, reputation, policy, content, and engagement signals applied at every hop, and most cold senders fail at the upstream layers. By the time a Gmail or Outlook filter looks at your copy, the verdict has usually already been written by your SPF record, DKIM signature, DMARC alignment, domain age, IP pool, and historical complaint rate. Fix the protocol layer and content becomes a rounding error.

TL;DR

  • Inbox placement is a five-layer pipeline. Authentication and reputation account for the vast majority of "went to spam" outcomes, not subject-line content.
  • Since February 2024, any sender shipping more than 5,000 messages per day to Gmail or Yahoo must pass SPF, DKIM, and DMARC alignment and keep the Postmaster Tools spam rate below 0.30%, per Google's official sender guidelines.
  • Microsoft enforced equivalent rules on May 5, 2025 for Outlook, Hotmail, and Live.com, with non-compliant mail returning a permanent 550 5.7.515 rejection, per the Microsoft Outlook bulk-sender announcement.
  • Engagement signals (replies, stars, archive without read) feed back into algorithmic reputation. A sender with weak engagement decays into the spam folder regardless of authentication.
  • Content filtering is the least important layer. Spammy phrases get caught by reputation and pattern systems first; clean copy on a poisoned domain still lands in spam.

The five-layer inbox-placement pipeline

When an SMTP transaction completes, the receiving mailbox provider runs a pipeline of independent checks. Each layer can reject, quarantine, or downgrade a message before any other layer runs. The order matters because failing layer one usually skips evaluation of every later layer.

| Layer | What it checks | Where it runs | Primary references |
|---|---|---|---|
| 1. Authentication | SPF, DKIM, DMARC alignment, ARC, BIMI | Edge MTA | RFC 7208, RFC 6376, RFC 7489 |
| 2. Reputation | IP reputation, domain reputation, sender history | Edge filter | Sender Score, Postmaster Tools, SNDS |
| 3. Policy | Bulk-sender rules, blocklists, rate limits | Provider policy engine | Spamhaus DBL, Gmail/Yahoo/Microsoft policies |
| 4. Content | Body, headers, links, attachments, images | Spam classifier | Bayesian + ML scoring |
| 5. Engagement feedback | Opens, replies, stars, archives, complaints | Per-recipient model | Gmail algorithmic reputation |

Layers 1 to 3 are deterministic protocol checks. Layers 4 and 5 are probabilistic. Cold email senders fail almost exclusively at layers 1, 2, and 3.

Authentication: SPF, DKIM, DMARC, BIMI

SPF (RFC 7208)

Sender Policy Framework is a DNS TXT record that lists IPs authorized to send mail for a domain. The receiving MTA looks up the SPF record for the MAIL FROM envelope domain, compares the connecting IP, and produces pass, fail, softfail, neutral, or none. SPF is path-based: it authenticates the connection, not the message. SPF breaks on forwarding because the connecting IP changes mid-flight, which is why DMARC requires DKIM or aligned SPF, not SPF alone.

DKIM (RFC 6376)

DomainKeys Identified Mail places a cryptographic signature in the message header. The signing domain publishes its public key in DNS at selector._domainkey.example.com. The receiver fetches the key, verifies the signature against the canonicalized body and selected headers, and gets pass or fail. Unlike SPF, DKIM survives forwarding because the signature travels with the message. Infrastructure that rotates sending domains must publish a DKIM selector for every active domain or signatures break silently.

DMARC (RFC 7489)

DMARC ties SPF and DKIM to the visible From: header. A receiver checks two things: did SPF or DKIM pass, and is the passing identifier aligned with the From: domain? Alignment is the part most cold senders miss. SPF can pass for the bounce domain, DKIM can pass for the signing domain, and DMARC can still fail because neither matches the From: header. The DMARC record then tells the receiver what to do: p=none (monitor), p=quarantine (spam folder), or p=reject (bounce). Gmail and Yahoo require at least p=none for bulk senders; Microsoft enforces the same since May 2025.
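
The alignment failure described above, as an added example (not code from the original post): SPF and DKIM both pass for an ESP's domains while DMARC still fails for the From: domain. The domain names, the DMARC record and the small suffix set standing in for the Public Suffix List are constructed assumptions.

```python
# Added example: DMARC identifier alignment as described in RFC 7489 section 3.1.
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk"}


def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Parse a DMARC TXT record into tags; adkim and aspf default to relaxed."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_eval(from_domain, record, spf, dkim_sigs):
    """spf is (result, MAIL FROM domain); dkim_sigs is [(result, d= domain), ...]."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags["aspf"])
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags["adkim"])
                  for res, d in dkim_sigs)
    passed = spf_ok or dkim_ok
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "policy_applied": None if passed else tags["p"]}


if __name__ == "__main__":
    record = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
    # Constructed case: SPF and DKIM both pass, but only for the ESP's domains.
    print(dmarc_eval("example.com", record,
                     ("pass", "bounce.esp.example.net"), [("pass", "esp.example.net")]))
    # Same message signed with d=mail.example.com: relaxed DKIM alignment passes.
    print(dmarc_eval("example.com", record,
                     ("pass", "bounce.esp.example.net"), [("pass", "mail.example.com")]))
```
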

BIMI

Brand Indicators for Message Identification is a DNS record that points to an SVG logo, displayed next to authenticated mail in Gmail and Yahoo. BIMI requires p=quarantine or p=reject DMARC. Gmail also requires a Verified Mark Certificate (VMC) or Common Mark Certificate (CMC) that proves trademark ownership. BIMI is not a deliverability mechanism per se, but it forces the discipline of a strict DMARC policy and signals brand legitimacy at the inbox.

Sender reputation: how it's actually measured

Reputation is the second filter, and for cold email it is usually the decisive one. There are three public reputation surfaces worth monitoring.

Validity Sender Score

Sender Score is a 0-to-100 percentile rating for sending IPs, calculated on a rolling 30-day average from the Validity Data Network of 80-plus mailbox and security providers. A score of 85 means the IP outperforms 85% of tracked senders. Inputs include complaint rate, bounce rate, blocklist appearances, spam-trap hits, and volume stability.

Google Postmaster Tools

Google Postmaster Tools reports domain and IP reputation for traffic to Gmail in five buckets: High, Medium, Low, Bad, and No data. It also reports the spam rate (the metric Gmail enforces against the 0.30% bulk-sender threshold), authentication pass rates for SPF, DKIM, and DMARC, and delivery errors. The dashboard is the single source of truth for "are my emails landing in Gmail?" because it reports actual user complaints, not engagement-derived guesses.

Microsoft SNDS

Smart Network Data Services gives Outlook.com sending IPs a Green / Yellow / Red status, plus complaint rate, trap hits, and message counts. It only works for IPs you can prove ownership of, so cold-email tools on shared infrastructure usually cannot register. Microsoft's separate JMRP feedback loop reports user "Mark as Junk" actions back to the sender.

| Tool | Coverage | Granularity | Free | What it actually measures |
|---|---|---|---|---|
| Sender Score | Cross-provider | IP only | Yes | Aggregated complaint, bounce, blocklist, trap signals |
| Postmaster Tools | Gmail | IP and domain | Yes | Gmail-specific reputation, spam rate, auth rates |
| Microsoft SNDS | Outlook.com, Hotmail, Live | IP only | Yes | Microsoft complaint rate, filter results, trap hits |
| Spamhaus DBL | Cross-provider | Domain | Yes (lookup) | Domain blocklist status |

Reputation is also about what your neighbors do. Shared sending pools at low-cost ESPs frequently include domains running affiliate or warmup spam. The Spamhaus DBL defaults unknown domains to "poor" because new domains correlate with new spam. This is why Gaidme provisions dedicated sending infrastructure per client rather than mixing volumes in a shared pool.

Why content filtering is the LEAST important layer

This is counter-intuitive. Most cold-email advice obsesses over "spam words" and subject-line tricks, but content is the lowest-leverage layer in the modern pipeline.

Three reasons:

  1. Authentication and reputation gate everything before the classifier sees the body. A message that fails DMARC alignment from a domain on the DBL never reaches the Bayesian filter; it is rejected or quarantined at the policy stage.
  2. Modern classifiers are ML-based, not keyword-based. Pre-2010 spam filters used regex blocklists for words like "free" and "viagra." Modern filters at Gmail and Outlook use deep models trained on billions of labeled messages and weight the model output far less than reputation features. As Google's own sender guidelines FAQ notes, the spam-rate threshold (a complaint metric) is the explicit enforcement bar, not content scoring.
  3. The same email body lands inbox from a clean sender and lands spam from a dirty sender. Practitioners and research from M3AAWG (Sender Best Common Practices v3) consistently find that authentication, complaint rate, and engagement dominate placement variance.

This does not mean content is free. Image-only emails, link shorteners, attachments, and tracking pixels still raise scores. But "remove the word 'free'" is not a deliverability strategy. Fix authentication first.

How engagement signals feed back into placement

Once a message clears authentication, reputation, policy, and content scoring, Gmail in particular runs a per-recipient model that adjusts placement based on how that recipient and others like them have engaged with prior mail from the sender. Per Google's own documentation and engineering blog, Gmail tracks opens, replies, stars, archives, deletes-without-reading, and "Mark as spam" actions, and feeds these into algorithmic reputation per sender domain.

The hierarchy of engagement signals (strongest to weakest):

  1. Reply with substantive text
  2. Star or label
  3. Move from Promotions to Primary
  4. Click on an in-message link
  5. Open with images loaded
  6. Open without engagement
  7. Archive without read
  8. Delete without read
  9. Mark as spam (this is a strong negative)

Reply rate is the highest-value positive signal. This is the structural reason cold email that gets replies, even rejecting ones, performs better over time than cold email that nobody answers. It is also the reason warmup tools that simulate replies between sender domains can move the needle, though Gmail and Microsoft both invest heavily in detecting synthetic engagement loops. For more on what real reply rates look like in practice, see our cold email reply rate research.

What changed in 2024: Gmail/Yahoo bulk sender requirements

In October 2023, Google announced new requirements for bulk senders, enforced starting February 1, 2024. Yahoo announced parallel requirements in the same window. The requirements apply to senders shipping more than 5,000 messages per day to Gmail or Yahoo recipients.

The mandatory technical floor:

| Requirement | Detail | Source |
|---|---|---|
| SPF | Valid SPF record, aligned or partially aligned with From: | Gmail sender guidelines |
| DKIM | Message-level DKIM signature, aligned with From: | Same |
| DMARC | Policy of at least p=none published in DNS | Same |
| One-click unsubscribe | RFC 8058 List-Unsubscribe-Post header, honored within 2 days | Same |
| Spam rate | Postmaster Tools spam rate below 0.30%; recommended below 0.10% | Same |
| Forward and reverse DNS | Valid PTR records for sending IPs | Same |
| TLS in transit | Opportunistic TLS for SMTP | Same |
| Yahoo parity | Yahoo enforced the same baseline | Yahoo Sender Hub |

Microsoft followed on May 5, 2025 with the same baseline for Outlook.com, Hotmail, and Live.com domains, with non-compliant bulk mail rejected with 550 5.7.515 per the Microsoft Tech Community announcement.

The February 2024 enforcement broke a generation of cold-email infrastructure that ran without DKIM, with misaligned DMARC, or on shared IP pools above the 0.30% threshold. Tools that had been "working" saw deliverability collapse inside a week. Senders without daily inbox-placement monitoring had no idea why.
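
A pre-send check for the one-click unsubscribe row of the requirements table, as an added example (not code from the original post). It follows RFC 8058: an HTTPS URI in List-Unsubscribe, the fixed List-Unsubscribe-Post value, and both headers listed in a DKIM h= tag. The message is constructed, and the check reads header coverage only; it does not verify the signature.

```python
import email
import re

# Constructed sample message; bh= and b= are elided because only the h= tag is inspected.
RAW = """\
From: Sales <sales@example.com>
To: lead@example.org
Subject: Quick question
List-Unsubscribe: <mailto:unsub@example.com?subject=u-123>, <https://example.com/u/123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post; bh=...; b=...

Hello
"""


def signed_headers(msg):
    """Collect the lower-cased header names listed in every DKIM-Signature h= tag."""
    covered = set()
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
        covered |= {h.strip().lower() for h in tags.get("h", "").split(":")}
    return covered


def one_click_findings(raw):
    """Return a list of RFC 8058 problems; an empty list means the headers comply."""
    msg = email.message_from_string(raw)
    findings = []
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.lower().startswith("https://") for u in uris):
        findings.append("List-Unsubscribe lacks an HTTPS URI")
    post = "".join(msg.get("List-Unsubscribe-Post", "").split())
    if post.lower() != "list-unsubscribe=one-click":
        findings.append("List-Unsubscribe-Post is missing or malformed")
    covered = signed_headers(msg)
    for name in ("list-unsubscribe", "list-unsubscribe-post"):
        if name not in covered:
            findings.append(f"{name} is not covered by a DKIM signature")
    return findings


if __name__ == "__main__":
    print(one_click_findings(RAW) or "one-click unsubscribe headers look compliant")
```
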

Practical checklist for cold-email senders

A field-tested pre-flight checklist before a single cold email goes out:

Domain and DNS

  • Sending domain age at least 30 days, ideally 90 days
  • MX record published and resolving
  • SPF record published and lint-clean (no more than 10 DNS lookups)
  • DKIM 2048-bit key published with selector
  • DMARC record published, minimum p=none, with rua reporting address
  • PTR (reverse DNS) record matches forward DNS for sending IP
  • MTA-STS and TLS-RPT records published
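
A lint for the "no more than 10 DNS lookups" item above, as an added example (not code from the original post). It counts the SPF terms that RFC 7208 section 4.6.4 charges against the limit, following include and redirect chains. The zone data and hostnames are constructed, and the count is the worst case in which no earlier mechanism matches.

```python
import re

# Added example: worst-case count of DNS-querying SPF terms (RFC 7208 section 4.6.4).
# ZONE is constructed sample data standing in for live TXT lookups; names are hypothetical.
ZONE = {
    "example.com": "v=spf1 mx a include:_spf.esp.example.net include:_spf.crm.example.net ~all",
    "_spf.esp.example.net": "v=spf1 include:_a.esp.example.net include:_b.esp.example.net ~all",
    "_a.esp.example.net": "v=spf1 ip4:192.0.2.0/24 a:out.esp.example.net ~all",
    "_b.esp.example.net": "v=spf1 ip4:198.51.100.0/24 exists:%{i}.bl.example.net ~all",
    "_spf.crm.example.net": "v=spf1 mx ptr include:_c.crm.example.net ~all",
    "_c.crm.example.net": "v=spf1 a mx/24 ip6:2001:db8::/32 -all",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10  # a receiver that exceeds this while evaluating returns permerror


def count_lookups(domain, zone, path=()):
    """Count every term that triggers a DNS query, following include and redirect."""
    if domain in path:
        raise ValueError("SPF include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        # Drop the qualifier, then split "include:host" or "redirect=host" into name, target.
        name, target = (re.split(r"[:=]", term.lstrip("+-~?"), maxsplit=1) + [""])[:2]
        name = name.split("/")[0].lower()  # "a/24" and "mx/24" carry a CIDR suffix
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(target, zone, path + (domain,))
    return total


def spf_lint(domain, zone):
    """Report the lookup count and whether it stays within the limit."""
    n = count_lookups(domain, zone)
    return {"lookups": n, "result": "permerror" if n > LIMIT else "ok"}


if __name__ == "__main__":
    print(spf_lint("example.com", ZONE))
```
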

Reputation surfaces

  • Postmaster Tools verified for sending domain
  • Microsoft SNDS registered if you control sending IPs
  • Sender Score baseline above 80 before scaling
  • Spamhaus and Barracuda blocklist status checked

Sending behavior

  • Warmup ramp from 20 messages per mailbox per day, +10 per day
  • Per-mailbox daily cap below 50 in production
  • Hard bounces removed from the list immediately
  • Soft bounces tracked for re-validation, not retried in a loop forever
  • Reply detection routes responses out of the sending mailbox
  • One-click unsubscribe header set per RFC 8058
  • List-Unsubscribe header honored within 48 hours

Content

  • Plain text alternative for every HTML message
  • No URL shorteners; full domain links only
  • Tracking pixels off by default for cold mail
  • No attachments on first touch
  • Sending domain matches the visible brand or has a clear "powered by" relationship

If any of these boxes is unchecked, fix it before optimizing copy. This is also the operational floor Gaidme maintains for every client, which is why our deliverability FAQ commits to monitoring inbox placement daily and pausing sending if reputation drops.

Frequently Asked Questions

Why does my cold email go to spam even though my SPF and DKIM pass?

SPF and DKIM passing is necessary but not sufficient. Receivers also check DMARC alignment between the authenticated identifier and the visible From: header, plus domain reputation, IP reputation, complaint rate, blocklist status, and engagement history. A pristine SPF record on a 14-day-old domain with no engagement history will still land in spam at Gmail because the reputation layer treats unknown domains as suspicious by default.

What is the most important factor in inbox placement?

Sender reputation, measured per domain and per IP, is the single most important factor for any sender past the first few hundred messages. Reputation is built from authentication pass rates, complaint rate, bounce rate, engagement, and blocklist status over a rolling window. Gmail's Postmaster Tools dashboard exposes this directly; Microsoft's SNDS does the same for Outlook.com.

Does the content of my cold email matter for deliverability?

Yes, but less than most senders think. Content scoring is the fourth of five layers in the placement pipeline, and modern ML classifiers care more about structural signals (HTML quality, link ratio, image-to-text ratio, attachments) than keyword matching. The same body lands inbox from a clean sender and spam from a dirty one. Authentication and reputation account for far more variance than copy.

What is the Gmail 0.30% spam rate threshold?

Per Google's bulk sender guidelines, any sender of more than 5,000 messages per day to Gmail addresses must keep the user-reported spam rate (visible in Postmaster Tools) below 0.30%. Google recommends staying below 0.10%. Exceeding 0.30% triggers throttling and eventual rejection. Bulk senders become eligible for mitigation only after their spam rate stays below 0.30% for 7 consecutive days.

What does a permanent 550 5.7.515 rejection from Microsoft mean?

Since May 5, 2025, Microsoft Outlook returns "550 5.7.515 Access denied, sending domain [domain] does not meet the required authentication level" for high-volume senders that fail SPF, DKIM, or DMARC alignment. This is a permanent rejection, not a deferral, so the message is never delivered. The fix is to publish properly aligned SPF, DKIM, and DMARC records and re-send.

How is sender reputation actually calculated?

Each major mailbox provider runs its own model, but the public proxies converge on the same inputs: authentication pass rate, user complaint rate, hard-bounce rate, spam-trap hits, blocklist appearances, sending volume stability, and engagement signals (opens, replies, archives, deletes). Validity Sender Score reports a 0-to-100 percentile, Gmail Postmaster Tools reports five buckets, and Microsoft SNDS reports a Green/Yellow/Red status. None of them publish the exact weights, deliberately.

Do warmup services actually fix deliverability?

Warmup services raise engagement signals on a new sending domain by exchanging mail between participating accounts, simulating opens and replies. They help establish baseline reputation faster than cold sending, but Gmail and Microsoft both detect coordinated warmup networks and discount the signal. Warmup is a complement to fundamentals (correct DNS, slow ramp, real engagement on real recipients), not a substitute. A warmed domain that sends to bad lists still lands in spam.

Should I send cold email from my main domain or a separate domain?

Always a separate domain. Cold email exposes the sending domain to complaints and blocklist risk that would damage transactional and corporate mail if shared. The standard pattern is to register a lookalike domain (often a .io, .co, or hyphenated variant of the brand), warm it for 4 to 8 weeks, and treat it as disposable. For a deeper comparison of the operational tradeoffs, see in-house SDR vs outsourced cold email.


Last updated: May 2026.

If you would rather not run a deliverability operations function in-house, Gaidme provides done-for-you cold email outreach with per-engaged-lead pricing: we provision the sending infrastructure, monitor inbox placement daily, and pause sending if reputation drops.