Email Deliverability Best Practices - The Playbook

This is the synthesis page. It pulls together what the standards bodies (M3AAWG, the IETF), the mailbox providers (Gmail, Yahoo, Microsoft, Apple, Orange, GMX), the dominant blocklist (Spamhaus), and the major sending platforms (Adobe, Amazon SES, SendGrid, Postmark, Mailgun) independently agree on - and, just as importantly, where they stay silent. The shape of modern deliverability is simple to state and hard to execute: authenticate every message, run clean and consistent infrastructure, send only to people who asked for relevant mail, honor every “stop” signal instantly, and watch the few metrics providers actually publish. Nothing here guarantees the inbox - no one can promise that - but every item removes a concrete, common reason mail gets filtered, deferred, or blocked.

A note on numbers: across this entire page we cite only thresholds a provider or standards body has published. Where the industry uses round figures that no provider actually commits to (warmup “day 1 = N” tables, universal spam-score cutoffs, “good deliverability is 98%”), we say so rather than repeat them as fact.

The 60-second version

• Reputation is a prediction. Spamhaus defines it plainly: “how recipients reacted to mail you’ve sent in the past predicts how they will react to mail you send in the future.” Permission, relevance, and consistency are the inputs.
• Authenticate and align. SPF + DKIM aligned to your From: domain, DMARC published, ARC on anything you forward, TLS in transit. Most “we have SPF and DKIM” failures are really alignment failures.
• Run clean, consistent infrastructure. Static IP, matching forward-and-reverse DNS, a real FQDN HELO, honest WHOIS, sensible subdomain strategy, no no-reply dead-ends.
• Permission first. Confirmed (double) opt-in is the gold standard every source names. Never buy, rent, or append lists - consent is not transferable.
• Keep the list clean and sunset the disengaged. Suppress hard bounces, complaints, and unsubscribes immediately.
• Watch the published complaint thresholds: Gmail below 0.10% (never reach 0.30%), Yahoo below 0.3%, Orange 0.6% today and moving to 0.3%.
• Warm by demand, not by calendar. No provider publishes a fixed ramp schedule. Ramp on acceptance and engagement.

1. Foundations: the mental model

Before any tactic, get the model right, because every rule below is downstream of it.

Reputation is a prediction, not a score you set. Spamhaus states it directly: reputation is “a shorthand way of saying ‘how recipients reacted to mail you’ve sent in the past predicts how they will react to mail you send in the future.’” Good reputation means recipients want your mail. Reputation systems are deliberately asymmetric - in Spamhaus’s words, “it is much, much easier to drive reputation down than it is to fix a damaged one.” There is no override and no allow list to buy your way back: Spamhaus notes “the days of ‘whitelisting’ are long gone,” and GMX, Apple, and Gmail all confirm they offer no allow list that bypasses their filters.

The three inputs you actually control:

• Permission - did the recipient ask for this, provably? Every source ranks confirmed opt-in highest and purchased/appended lists lowest. Permission is not transferable.
• Relevance - is this mail wanted now? Adobe is blunt that “engagement has become the single most important factor impacting inbox placement decisions,” as providers shifted from content filters to a behavioral model.
• Consistency - do your volume, cadence, content, and identity stay predictable? Spamhaus warns that “‘bursty’ email streams will degrade even well-established reputation”; Adobe calls steady sending “sender permanence.”

What this model implies, and what trips people up:

• Authentication is necessary but not sufficient. A DMARC pass proves authorized domain use, nothing about whether mail is wanted (see DMARC in 2026).
• Both IP and domain reputation exist and behave differently; the reputation overview is the deep page.
• The inbox is never guaranteed. Be suspicious of anyone selling a “deliverability elixir” - Spamhaus’s exact warning.

2. Authentication and encryption (the price of admission)

Get all three aligned before optimizing anything else. Spamhaus calls SPF and DKIM “a must… required in any modern email marketing infrastructure.” Start with the email authentication overview.

Mechanism	What it proves	The catch	Deep page
SPF	The sending IP is authorized for the envelope MAIL FROM domain	Hard 10 DNS-lookup limit; exceeding it is permerror, which silently disables SPF’s half of DMARC. SPF breaks on forwarding.	SPF
DKIM	The signed parts of the message were not altered and come from the signing domain	Sign with a key of at least 1024 bits (2048 recommended by Gmail and Yahoo). Include From: and your unsubscribe headers in the signed h=.	DKIM
DMARC	The From: domain owner’s policy for unauthenticated mail	Passes when either aligned SPF or aligned DKIM passes - not both. p=none is a floor, not a goal.	DMARC in 2026
ARC	The authentication results an intermediary saw before it forwarded	Advisory, not a pass. Apple requires it on forwarded bulk mail; Yahoo, Microsoft, and Orange recommend it.	ARC
BIMI	Brand logo in the inbox	A consequence of authentication, not a substitute - requires DMARC at quarantine or reject.	BIMI

Alignment is the part everyone misses. A bare “SPF pass” or “DKIM pass” is not enough; the passing identifier’s domain must align with your visible From: domain. Spamhaus spells out the rule: DKIM alignment means the signing d= matches the friendly From:; SPF alignment means the return-path matches the From: domain. This is the single most common reason “we have SPF and DKIM” still produces DMARC failures.

Where providers now stand: GMX makes DKIM mandatory (alignment in at least relaxed mode) and says plainly “SPF alone is not sufficient.” Orange now requires SPF, DKIM, and DMARC to pass. Gmail, Yahoo, Microsoft, and Apple all require authentication for bulk senders - see the provider rule tracker.

Encryption in transit. Serve and use STARTTLS - Gmail has required TLS for transmission since December 2023. Layer on MTA-STS to require it, TLS-RPT to monitor it, and DANE if you run DNSSEC. See encryption in transit.

3. Infrastructure and identity

The connection is judged before any content is read. Providers agree on the basics with surprising precision.

• Static IP, not dynamic. GMX rejects dial-up or dynamically assigned ranges outright and requires a static IP. Spamhaus warns against snowshoeing - “most brands do not need 100s of IPs scattered across multiple networks.” Use contiguous IPs and no more than you need.
• Forward-confirmed reverse DNS (FCrDNS). Every sending IP needs a valid PTR resolving to an FQDN, and that hostname must resolve back (A/AAAA) to the same IP. Gmail requires the sending IP to match the PTR hostname’s IP. Yahoo wants “meaningful, non-generic” rDNS that reflects your domain. GMX rejects generic provider defaults like 123-123-123-123-static.isp.tld. Orange returns error code 107 for a missing PTR.
• Valid HELO/EHLO. Announce a real FQDN that matches your rDNS. RFC 5321/5322 compliance is universal; Orange (20x errors) and GMX both reject a non-FQDN HELO.
• Honest WHOIS. Spamhaus says do not use anonymized WHOIS - “legitimate businesses should have no reason to hide their online identity.” Amazon SES agrees: accurate WHOIS “demonstrates that you value transparency.” Orange goes further for senders above ~1000/day, requiring a real website behind the From: domain with company identity, a consent explanation, and legal notices.
• Subdomain strategy. Send from your own domain, never a freemail address (Amazon SES and Validity both call sending bulk from sender@hotmail.com a red flag). Spamhaus’s preferred delegation order: email.yourbrand.com (subdomain you control), then yourbrand.espdomain.com, with a separate cousin domain as a last resort. Amazon SES recommends distinct subdomains per stream (marketing.example.com, orders.example.com) so each builds its own reputation.
• Dedicated vs shared IPs. M3AAWG’s rule of thumb: isolate to a dedicated environment when your quality is unknown or below average (to avoid contaminating others), when it is above average (to avoid being contaminated), or when volume control is critical. Shared pools dilute both mistakes and merits; DKIM lets a receiver still tell the individual senders apart. Postmark’s dedicated vs shared trade-off: dedicated IPs need enough consistent volume to hold a reputation.
• No no-reply dead-ends. Amazon SES: avoid no-reply@ as From:/Reply-To: - it tells recipients “you’re not interested in their feedback.” Microsoft expects valid, reply-able addresses.

4. List building and consent

The cheapest reputation protection is never adding the wrong address in the first place. Every source ranks the same hierarchy.

Consent level	Verdict	Source consensus
Confirmed / double opt-in (COI)	The gold standard	”Best” (M3AAWG); “the gold standard” (Spamhaus); “considered the best deliverability practice by most email experts” (Adobe); recommended by GMX, Amazon SES, SendGrid
Single opt-in with notification	Acceptable with care	”Better” (M3AAWG) - welcome message, no confirmation
Single opt-in	Minimum, risky	”Least desirable” (Spamhaus); admits typos, traps, bots
Implied consent	Poor	”Not considered a best practice” (M3AAWG); needs close monitoring and a permission pass
Opt-out / no consent	Unacceptable	”Avoid at all costs” (Spamhaus); guaranteed complaints and blocklistings
Purchased / rented / appended	Prohibited	”Consent is not transferable” (Spamhaus, SendGrid); “a direct violation of core M3AAWG values”; Apple rejects “list purchases, list rentals, or email appends”

Practical rules:

• Validate at the point of capture. M3AAWG: “validate the email address as it is entered, and prompt the subscriber to re-enter if validation fails.” Amazon SES recommends checking the address is well-formed and the domain has valid MX records. Double opt-in is what stops typo and pristine spam traps from ever entering the list.
• Record proof of consent. Spamhaus and M3AAWG both say capture the sign-up timestamp (UTC), the source/channel, and the submitting IP, kept accessible for an ISP, blocklist operator, or regulator.
• No pre-checked boxes. “Generally viewed as dishonest and is actively illegal in some countries” (Spamhaus); Gmail says avoid default-checked opt-in forms.
• Protect forms from bots. Use CAPTCHA - Spamhaus dates the form-abuse problem to August 2016. SendGrid warns that user-generated forms are a spammer vector.
• Never mail role accounts. postmaster@, abuse@, admin@, noc@, sales@ are watchdog/role addresses, frequently harvested and sometimes maliciously planted as sabotage (Spamhaus, Amazon SES). They are a class of live spam trap.

See suppression and consent and the email-marketing laws overview.

5. List hygiene and sunsetting

A clean list is the difference between hitting spam traps and not. Spamhaus is emphatic: treat spam traps “as proof of a data collection or hygiene issue and not be misled into conducting a hunt for spamtraps.”

The trap taxonomy you are defending against (synthesized from M3AAWG, Spamhaus, and Adobe):

Trap type	What it is	What hitting it signals	Prevented by
Pristine / pure	Never a real user; created to catch spam	Harvesting, purchased lists, dictionary attacks	Double opt-in
Recycled / dead	Once-valid, retired, then reactivated as a trap (M3AAWG suggests 12 months minimum inactivity)	Old lists, poor bounce handling, no sunsetting	Bounce suppression + engagement pruning
Typo	Common domain misspelling (gmial.com, homail.com)	No validation, single opt-in	Validation at capture, double opt-in
Seeded	Deliberately scattered online to catch scrapers	Web harvesting	Don’t harvest; double opt-in
Live / role	A real, monitored address (incl. WHOIS/role accounts)	Harvesting, purchased lists	Don’t mail role accounts

Sunsetting - the discipline every source endorses, with no universal number:

• Apple states it as a requirement: “periodically remove inactive subscribers.” GMX warns that sending to inactive or unknown addresses can get the whole sending system suspended.
• Spamhaus offers an example engagement cadence (downgrade weekly to monthly after no opens; send a re-permission “do you wish to continue?” email; suppress if no response) and an example sunset starting point of one year, then six, then three months - explicitly “depending on results,” not a fixed rule.
• Run re-engagement on your current platform, not a fresh IP (Adobe). Mailgun calls a sunset policy a “game changer” for a clean list.

6. Engagement: send wanted mail

Because providers grade on behavior, engagement is now a primary lever, not a vanity metric. Adobe: positive signals are opens, clicks, forwards, replies; negative signals are deleting unread, ignoring, unsubscribing, and marking spam.

• Segment and personalize. Mailgun, Validity, and Adobe all tie relevance to inbox placement; segment by engagement so your best recipients carry the reputation and the disengaged don’t drag it down.
• Find the right frequency and keep it. Spamhaus’s reputation factor #5 is “frequency and predictability - find the sweet spot… set the expectation for frequency, stick to it.” Validity warns that over-mailing drives unsubscribes and complaints.
• Use the positive-signal asks - they work. SendGrid recommends putting plain-language prompts in your mail and sign-up flow: “add us to your address book,” “mark this message as important,” and “if you don’t see our email, check spam and mark not spam.” Gmail confirms “messages sent from an address in the recipient’s contacts are less likely to be marked as spam,” and a recipient marking “not spam” trains the filter in your favor. M3AAWG suggests welcome/confirmation mail use the same From: so recipients can add it to their address book.
• Build recognizable identity. Consistent From: name and address, consistent branding; Apple requires “a consistent From: name and address to clearly identify your brand.”

7. Complaints and feedback loops

The complaint rate is the one metric with published hard limits - and it is calculated on the receiver’s side, so you can only see it in their tools.

Provider	Published complaint threshold	Where you see it
Gmail	Keep below 0.10%; never reach 0.30%	Google Postmaster Tools
Yahoo	Keep below 0.3%	Yahoo Sender Hub (CFL)
Orange	0.6% triggers protection today; moving to 0.3% to align with industry standards	SignalSpam FBL (members only)
Microsoft	No complaint number published in the rule	SNDS / JMRP
Apple	No threshold published; no FBL offered	Act on SMTP errors + your own data

Adobe independently recommends keeping complaints “less than 0.1 percent overall.” Spamhaus notes most ISPs deliberately keep their exact thresholds secret (“part of their spam filtering recipe”), so treat the published numbers as ceilings to stay well under, not targets to approach.

Feedback loops and one-click unsubscribe:

• Enroll in every FBL you can. Yahoo’s Complaint Feedback Loop is enrolled by DKIM domain via the Sender Hub (no IP-based FBL anymore). Microsoft has SNDS/JMRP. Orange’s FBL is available only through SignalSpam membership. Gmail and Apple offer no traditional FBL - you use Postmaster Tools / SMTP errors instead.
• Suppress complainers on receipt. Spamhaus and M3AAWG: process FBL reports and remove complainants “immediately.”
• Wire one-click unsubscribe correctly (RFC 8058). It is a specific header pair plus DKIM coverage, not just a body link:

List-Unsubscribe: <https://example.com/u/abc>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Gmail requires this for bulk marketing/subscribed mail; Yahoo requires honoring unsubscribes within 2 days; GMX wants RFC 8058 ideally (with a valid reply address as the fallback). Never require a login to unsubscribe - Spamhaus notes it “is illegal in some places and makes subscribers angry everywhere.” The easier you make leaving, the fewer “report spam” hits you take. Detail in suppression and consent.

8. Bounce handling and suppression

A suppression list is the memory of every “do not send” signal; it is consulted before every send and entries are slow to remove.

• Hard bounces (5.x.x): suppress immediately, never retry. Spamhaus, M3AAWG, and Adobe agree. Continuing to mail dead addresses is itself treated as spam and is how recycled traps get hit. Parse DSNs - see bounces and DSN and reading SMTP replies.
• Soft bounces (4.x.x): retry, don’t suppress prematurely. Quarantine only after retries are exhausted (Adobe). M3AAWG’s concrete removal rule: drop an address that bounces “consecutively at least two times over two weeks or more.” Adobe’s escalation flag: a soft-bounce rate above 30% for a single ISP that doesn’t clear within 24 hours warrants expert review.
• Why it matters to reputation. M3AAWG: “large volumes of hard-bounces are too often indicative of a poorly managed registration process or an old or misapplied mailing list” and “can subtract points from an IP’s reputation score.” Decode the codes with enhanced status codes.
• Suppress unsubscribes and complaints too, defaulting an unsubscribe to “all mail” absent a preference center (M3AAWG).

9. Stream separation: transactional vs marketing

Mix the streams and a marketing complaint spike can sink your password-reset deliverability.

• Separate by subdomain and/or IP. Apple explicitly advises segmenting marketing and transactional streams. Adobe: “you don’t want [transactional] messages to be impacted by the reputation of your marketing subdomain.” SendGrid’s worked example - one recipient marking every “Daily Knitting Update” as spam shouldn’t be allowed to block that person’s receipts and password resets - argues for a separate sub-account and dedicated IP for marketing.
• Gmail’s per-type guidance: “If you must send from multiple IP addresses, use a different IP address for each message type,” and keep one From: per category (receipts@, deals@, alerts@). Never mix content types (“don’t include promotions in sales receipt messages”).
• Transactional mail warms differently. Adobe notes transactional volume is demand-driven and often needs no formal warmup plan; sender permanence matters less when volume is low but steady.
• High-risk / mandated sends (breach notices, recalls) are a special case: M3AAWG recommends pre-notifying mailbox-provider postmasters, using a dedicated IP range, authenticating from the branded domain (never a new cousin domain), stripping tracking, throttling, and prioritizing impacted before active before subscribed recipients.

10. Content and links

Content is judged after the connection and authentication, but it still matters. Frame it defensively - the goal is to avoid false positives, never to evade filters (see the spam-filtering overview and false positives / ham protection).

• Well-formed MIME. A text/plain alternative alongside HTML, correct Content-Type/charset, valid Message-ID, proper RFC 2047 encoding for non-ASCII. Gmail requires single-instance headers (From:, Subject:) appear once. See headers and the envelope.
• Honest subjects and display names. Gmail prohibits deceptive Re:/Fwd:, emoji-as-graphics, hidden HTML/CSS content, and display names that carry subject content or imply a threaded reply. Validity’s filter triggers: all-caps subjects, exclamation-mark pile-ups, and “spammy” word stuffing.
• Descriptive link text, not raw tracking URLs. SendGrid warns that click-tracking rewrites a visible raw URL into a long redirect, which “may resemble phishing”; use human-readable anchor text (Click to visit Example) instead of pasting the link as its own label. Gmail: links “should be visible and easy to understand.”
• Link and image hygiene. Host images on a public-facing server (SendGrid) and use alt text (Validity). Keep links few and on domains with their own clean reputation; avoid shorteners that share reputation with abuse - they are tracked by URI blocklists.
• Link to files, don’t attach. SendGrid and Validity both advise linking to hosted files rather than attaching them, to avoid receiver-side blocking. Orange caps message size at 45 MB regardless.

11. Monitoring: the metrics that matter

Deliverability is an operational loop, not a one-time setup. Mailgun found most senders don’t monitor at all - 70% don’t use free tools like Postmaster Tools and 53% don’t do blocklist monitoring - which is exactly the edge available to those who do. Start at the postmaster tools overview.

• Provider postmaster dashboards. Google Postmaster Tools is the only place to see your Gmail spam rate, plus domain/IP reputation and authentication. Yahoo Sender Hub and Microsoft SNDS/JMRP cover their networks. (Note Gmail does not report open rates and warns third-party open rates are not a reliable deliverability signal.)
• DMARC aggregate reports (rua). Your cross-provider view of which sources pass or fail alignment - a new unaligned source shows up here before it tanks delivery. See DMARC in 2026.
• Blocklist monitoring. Track your IPs and domains against the major lists so a listing is something you detect and remediate, not discover from a delivery cliff. Orange and GMX both point senders at Spamhaus and Abusix before contacting support. See Spamhaus blocklists, URI blocklists, and the DNSBL directory.
• Seed / inbox-placement testing. Mailgun: inbox placement testing (used by only ~13% of senders) tells you where delivered mail actually lands - inbox vs spam - before you send to the whole list. It complements, but does not replace, the providers’ own data.
• The metrics, ranked: spam complaint rate (published limits), authentication pass/alignment rate, bounce rate, and reputation/deferral trends - sudden 4xx deferrals or spam-foldering are the early-warning system.

12. Warming: demand-gated, not a calendar

This is where the most fabricated “best practice” lives. The honest version:

• No major provider publishes a warmup schedule. There is no official “day 1 = N messages” table. Treat any source quoting a precise universal ramp curve as a guess. What the sources actually describe is a discipline.
• Warm by acceptance and engagement. Spamhaus: start with a carefully selected set of “highly engaged recipients,” then increase “rates of volume and speed… depend[ing] on the results of each previous deployment.” Adobe: target only your most highly engaged users early, because a new IP has no reputation and providers “need to be cautious.” Gmail’s own guidance: “start with a low sending volume to engaged users, and slowly increase,” and “if messages start bouncing or being deferred, reduce the sending volume until the SMTP error rate decreases.”
• First impressions stick. Spamhaus: “it is very much like going on a first date: first impressions matter a great deal and linger.” Sending a large volume from a cold IP looks like a compromised host.
• Provider-specific reality. Adobe notes Microsoft is especially strict during early warming (“guilty until you prove yourself innocent”) and Gmail watches engagement closely. Gmail and M3AAWG both stress increasing volume consistently and avoiding sudden spikes.
• Domain vs IP. Domain reputation is portable and durable - it follows you across IPs, so protect it. IP reputation matters most on dedicated IPs and during warming. See IP vs domain reputation and M3AAWG sending best practices.

13. Compliance is a floor, not the strategy

Permission and honesty are legal obligations on top of deliverability ones. Consent regimes (GDPR/ePrivacy, PECR, CASL, Australia’s Spam Act, Turkey’s KVKK/ETK) and content rules (CAN-SPAM) overlap heavily with everything above: provable opt-in, accurate headers, a working unsubscribe, and a real physical identity. Amazon SES’s stance is the right framing - “you’re responsible for ensuring that the email you send complies with these laws… always consult an attorney.” Use the email-marketing laws overview and the per-jurisdiction pages (e.g. CAN-SPAM) as the map. If you receive abusive mail or need to report a sender, see how to report email abuse.

Common confusion

• “SPF and DKIM are set up, so DMARC passes.” Only if a passing identifier aligns with your From: domain. Alignment, not mere existence, is what counts.
• “p=none satisfies the providers, so I’m done.” It satisfies the minimum and provides zero enforcement. It is a starting point.
• “One-click unsubscribe is just a link.” It is the List-Unsubscribe + List-Unsubscribe-Post header pair plus DKIM coverage (RFC 8058). A body link alone does not meet the bulk-sender requirement.
• “Warming has a fixed schedule.” No provider publishes one. Warming is a responsive ramp keyed to acceptance and engagement.
• “A good deliverability rate is 98%.” Providers publish complaint and authentication thresholds, not a target inbox-placement percentage; round “good rate” figures come from vendors, not mailbox providers.
• “A low spam rate means I’m safe.” Necessary, not sufficient - authentication, hygiene, consistency, and engagement all still apply, and the inbox is never guaranteed.

The one-screen checklist

AUTH & ENCRYPTION
[ ] SPF published, under 10 DNS lookups, aligned to From:
[ ] DKIM signing (>=1024 bit, 2048 recommended), signs From: + unsubscribe headers, aligned
[ ] DMARC published; move toward p=reject only where you control the whole path
[ ] ARC on all forwarded mail (required by Apple; recommended by Yahoo/Microsoft/Orange)
[ ] STARTTLS in use; MTA-STS + TLS-RPT considered

INFRASTRUCTURE & IDENTITY
[ ] Static IP, FCrDNS (PTR <-> A/AAAA match), real FQDN HELO
[ ] Honest, non-anonymized WHOIS; real website behind the From: domain
[ ] Subdomain strategy set; streams separated by subdomain/IP
[ ] No no-reply From:/Reply-To:

CONSENT & LIST
[ ] Confirmed (double) opt-in; never buy/rent/append
[ ] Validate at capture; record timestamp + source + IP
[ ] No pre-checked boxes; bot protection on forms
[ ] Never mail role accounts (postmaster@, abuse@, admin@...)
[ ] Sunset policy for the disengaged (cadence by results, not a fixed number)

SIGNALS & SUPPRESSION
[ ] Suppress hard bounces immediately; retry soft bounces, drop after ~2 in 2+ weeks
[ ] Suppress complaints + unsubscribes on receipt
[ ] One-click unsubscribe wired (RFC 8058); honor within 2 days (Yahoo)
[ ] Enrolled in every available FBL (Yahoo CFL, MS JMRP, Orange/SignalSpam)

MONITORING (published thresholds)
[ ] Gmail spam rate below 0.10% (never reach 0.30%)
[ ] Yahoo spam rate below 0.3%
[ ] Orange complaints below 0.6% today (plan for 0.3%)
[ ] Postmaster Tools + DMARC rua + blocklist + inbox-placement testing watched

WARMING
[ ] Ramp on acceptance/engagement, starting with most-engaged recipients
[ ] No fixed day-count; reduce volume on deferrals, then climb again

What Egressif does

Egressif operates the whole checklist above as the default, not as add-ons. Authentication is published and aligned (SPF under the lookup limit, DKIM signing From: and the unsubscribe headers, DMARC at p=reject on the domains we control end to end, ARC on forwarded mail); infrastructure is clean and consistent (static IPs with matching PTR/HELO, TLS with MTA-STS, honest identity, separated streams); consent is provable and lists are sunset on engagement; suppression honors bounces, complaints, and unsubscribes immediately with one-click wired correctly; and we watch the providers’ own postmaster tools, DMARC aggregate reports, blocklists, and inbox-placement signals so a drifting complaint rate or a new unaligned source surfaces as something we act on, not a silent delivery drop. We are honest about the ceiling: every item here removes a self-inflicted reason mail gets filtered, but none of them - individually or together - guarantees inbox placement, because reputation, content, and recipient engagement still decide that, and they always will.