Email Deliverability in 2026: The Technical Guide for SaaS

In February 2024, Gmail and Yahoo enforced new bulk sender requirements. If you send more than 5,000 emails/day to Gmail users, you must authenticate with DKIM + SPF + DMARC, publish a one-click unsubscribe header, and maintain a spam complaint rate below 0.3%.

Two years later, the ecosystem has shaken out. Senders who adapted have higher deliverability than ever. Senders who didn't are in spam folders. Here's the technical playbook for 2026.

The authentication trio: DKIM, SPF, DMARC

These three work together. All three are required for modern deliverability.

SPF (Sender Policy Framework)

A DNS TXT record that lists which IP addresses are allowed to send on behalf of your domain.

Example: v=spf1 include:_spf.monfri.net ~all

Limits: SPF has a 10-DNS-lookup limit. If you include too many third-party services (Mailchimp + Postmark + SendGrid + HelpScout), you'll exceed it and all break. Use SPF macros or consolidate senders.

DKIM (DomainKeys Identified Mail)

A cryptographic signature in the email header proving the content wasn't tampered with. Uses a public key published in DNS.

Example header: DKIM-Signature: v=1; a=rsa-sha256; d=monfri.net; s=selector1; ...

DKIM is more robust than SPF because it survives email forwarding. If your platform supports rotating DKIM keys, rotate quarterly.

DMARC (Domain-based Message Authentication)

The enforcement layer. Tells receiving servers what to do when SPF or DKIM fails.

Example: v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100

Policy levels: none (monitor only) → quarantine (spam folder) → reject (bounce). For production, move to reject after 30 days of monitoring.

BIMI and VMC: the logo play

BIMI (Brand Indicators for Message Identification) displays your brand logo in inboxes that support it (Gmail, Yahoo, Fastmail). Requires:

• DMARC policy at quarantine or reject
• SVG Tiny PS logo hosted on your domain
• Verified Mark Certificate (VMC) — ~€1,100/year from Entrust or DigiCert

Worth it? For B2C and e-commerce: yes, 10-20% lift in open rates documented. For B2B SaaS: marginal. We recommend VMC at €9K+/month email spend, skip before.

TLS-RPT: the new kid on the block

TLS-RPT (Transport Layer Security Reporting) lets you monitor TLS handshake failures during email delivery. Added as a requirement by Google in late 2024 for domains sending >100K/day.

DNS record: _smtp._tls.monfri.net. IN TXT "v=TLSRPTv1; rua=mailto:[email protected]"

Most email platforms handle this for you. Verify your vendor supports it.

The engagement signal

Gmail and Microsoft's 2024-2026 algorithms weight engagement more than any other signal. Specifically:

1. Opens don't count much anymore. Apple Mail Privacy Protection pre-fetches images, killing open tracking accuracy.
2. Clicks count a lot. Genuine click = strong positive signal.
3. Replies count most. If the recipient replies to your email, that's a top-tier trust signal.
4. Marking as spam is death. 0.3%+ spam rate and you're blocked.
5. Deleting without opening is negative. Aggregated over your domain.

Strategy: make emails reply-able (real sender addresses, personal tone, questions inviting response). Emails sent from noreply@ addresses are systematically discounted.

List hygiene: the non-sexy half

The fastest way to improve deliverability is to stop sending to bad addresses.

Types of bad addresses

• Hard bounces: permanent failures. Remove immediately.
• Soft bounces: temporary failures. Remove after 3-5 consecutive soft bounces.
• Complaints: marked as spam by recipient. Remove immediately; never email again.
• Spam traps: old abandoned addresses kept live by ISPs to catch bad senders. Remove entire segments if you hit one.
• Role accounts: info@, admin@, support@. Often auto-responded; lower engagement. Remove unless critical.
• Inactive for 90+ days: reduce frequency, then remove. Re-engagement campaigns help.

Validation at collection

Validate email addresses at the form level using a service like NeverBounce, Kickbox, or ZeroBounce. Rejects:

• Invalid syntax
• Non-existent domains
• Non-existent mailboxes
• Disposable email providers (10minutemail.com, etc.)
• Role-based addresses (optional reject)

Cost: €0.003-0.007 per validation (ex. VAT). Worth it above 100 signups/day.

IP warm-up: the art of reputation building

New sending IP addresses have zero reputation. If you suddenly send 100K emails from a new IP, you'll be rate-limited and spam-filtered.

Warm-up schedule for a new dedicated IP:

• Day 1-3: 50 emails/day, to your most engaged 50 contacts
• Day 4-7: 200/day, same segment
• Week 2: 1,000/day, expanding segment
• Week 3: 5,000/day
• Week 4: 20,000/day
• Month 2: full volume

Key rule: never double your daily volume in a single step. 2x jumps are where IPs get blocked.

If using shared IP pools (most SMBs should): the platform handles warm-up. Don't panic-switch to dedicated IP without volume justification (>100K emails/month).

Subdomain strategy

Use subdomains to isolate reputation:

• marketing.monfri.net — newsletters, promotions
• mail.monfri.net — transactional (receipts, password resets)
• monfri.net — corporate email (founder@, support@)

If marketing gets flagged, transactional and corporate are unaffected. DKIM + SPF + DMARC at subdomain level.

Rule: never send marketing from your corporate domain if you care about CEO emails reaching investors.

The unsubscribe requirements

Post-Gmail-2024 rules:

• List-Unsubscribe header: required for bulk senders. HTTP POST link, auto-processed by Gmail.
• One-click unsubscribe: must work without requiring login or confirmation.
• Processed within 2 days: unsubscribe requests must stop sending within 48 hours.

Most reputable platforms handle this automatically. Verify with this header in your raw email source: List-Unsubscribe-Post: List-Unsubscribe=One-Click

Monitoring: what to track

1. Delivery rate — target 99%+. Below 98% means hard bounces are a problem.
2. Inbox placement rate — what % lands in inbox vs spam/tabs. Test with Glock Apps, 250ok, or MailTester.
3. Open rate — 20-40% for B2B, higher for B2C. Trending down = list decay or content issue.
4. Click rate — 2-5% baseline. Low and flat = bad content or bad list.
5. Spam complaint rate — critical. Must stay under 0.3%.
6. Unsubscribe rate — 0.2-0.5% per send is normal.
7. DMARC reports — daily aggregate reports showing authentication status across all traffic. Tools: Postmark DMARC Digest, dmarcian.

Common deliverability mistakes

• Sending from a brand-new domain (no reputation) for marketing email. Warm up the domain for 30 days before scale.
• Mass-importing an old list and sending immediately. Expect 10-20% bounces and potential IP blacklisting. Always re-validate old lists.
• Using noreply@ as sender. Hurts engagement signals and some ISPs penalize outright.
• Too many images and too little text. Spam filters weight text-to-image ratio; aim for 60%+ text.
• Link shorteners (bit.ly, tinyurl). Often on spam lists. Use your own tracking domain.
• Subject lines in ALL CAPS or with excessive exclamation. Still a signal for ISPs.
• Hosting images on HTTP (not HTTPS). Modern clients block them.

Platform-side considerations

Your platform's infrastructure matters:

• Shared vs dedicated IP: shared is fine under 100K/month. Dedicated justified at high volume.
• MTA quality: KumoMTA (used by Monfri and several enterprise ESPs) handles traffic shaping, reputation management, and throttling automatically. Cheap SMTP relays don't.
• Feedback loops: the platform must process ISP feedback loops (Gmail Spam Report, Yahoo CFL) and auto-suppress complainers. If yours doesn't, switch.
• Bounce processing: soft vs hard classification, retry logic. Platforms vary widely here.

The bottom line

Email deliverability in 2026 is an infrastructure + hygiene + content problem. Get DKIM/SPF/DMARC right (one-time setup), maintain list hygiene (ongoing), write genuinely engaging emails (ongoing), and you'll beat 90% of senders.

Platforms matter less than you think. KumoMTA, SendGrid, Postmark, Monfri Push — all capable of 99% deliverability. The differentiator is what you send and who you send it to.