Email deliverability in 2026: the operator's guide

Authentication is now the floor

If your SPF, DKIM, and DMARC are not configured correctly, nothing else matters. The Gmail/Yahoo sender requirements that took effect in February 2024 — expanded by Microsoft in 2025 — made authentication a hard floor: any domain sending 5,000 or more messages per day to Gmail or Yahoo must have these in place and aligned. Non-compliant senders see volume blocked outright.

SPF, DKIM, and DMARC

SPF

SPF authorizes which servers may send for your domain. Keep one SPF record per domain and keep the DNS lookup count under 10 — beyond that the record can be truncated and the check can fail. Avoid permissive mechanisms like +all.

DKIM

DKIM cryptographically signs your mail. Use a 2048-bit key in 2026 — 1024-bit keys still work but are deprecated and soft-failed by several enterprise filters. DKIM is per-domain and per-selector, and you can run multiple selectors to rotate keys without downtime. Each platform you send from (your ESP, Google Workspace) needs its own DKIM record.

DMARC

DMARC ties SPF and DKIM together and tells receivers what to do on failure: monitor (p=none), p=quarantine, or p=reject. Publishing p=none is the minimum requirement, but it is a monitoring policy, not enforcement — senders on none still land in spam. Move to quarantine, then toward reject as your authentication stabilizes. Crucially, the DKIM signing domain (d=) must align with your From-header domain.

One-click unsubscribe (RFC 8058)

Bulk senders of marketing email must support one-click unsubscribe, defined by RFC 8058. That means a recipient can unsubscribe in a single click, without logging in. Two headers are required:

• List-Unsubscribe: <https://example.com/unsub?...> (an https and/or mailto option)
• List-Unsubscribe-Post: List-Unsubscribe=One-Click

Your DKIM signature's h= tag must cover both headers, and the HTTPS endpoint must accept a POST with body List-Unsubscribe=One-Click and process the removal immediately. Gmail surfaces this as a native unsubscribe button next to the sender name. You must honor unsubscribes within two days.

Spam-complaint thresholds

Keep your spam-complaint rate below 0.10%. Reaching 0.30% triggers temporary rejection or filtering. These are enforced thresholds, not guidelines, and Gmail and Yahoo measure them independently. Monitor Gmail Postmaster Tools and watch for sudden spikes after a list change or a new campaign type.

The operator's checklist

1. SPF published, under 10 lookups, no +all.
2. DKIM 2048-bit, selector matches, signs the List-Unsubscribe headers.
3. DMARC published; alignment passing; on a path from none → quarantine → reject.
4. One-click unsubscribe (RFC 8058) live; unsubscribes honored within two days.
5. From address on a real business domain (never a free Gmail/Yahoo address).
6. New IPs/domains warmed; volume ramp under ~2x per week post-warmup.
7. Engagement-based segmentation and a maintained suppression list.
8. Hard bounces removed; never resend to them.
9. Valid forward and reverse DNS (PTR); TLS in transit.
10. Quarterly authentication audit scheduled.

Most ESPs automate the authentication setup. Brew, for instance, includes DKIM/SPF/DMARC and a custom sending domain out of the box; Resend adds managed dedicated IPs with auto-warmup and DNSBL monitoring; Klaviyo walks you through dedicated sending domains. The rules, though, are yours to uphold.