Resources / Reputation
Deliverability frameworks and industry guidance
Deliverability best practice is not owned by any single authority - it is a remarkably consistent consensus across standards bodies, blocklist operators, mailbox providers, and the ESPs. This page is the annotated map of who publishes what, which document is best for which question, and why they all say the same six things. For the actionable playbook those documents add up to, see our sending best-practices guide.
Last checked: June 22, 2026
There is no single rulebook for email deliverability. Instead there is a layered set of authorities, each writing from a different seat at the table: standards bodies that codify the consensus, blocklist operators who enforce it, mailbox providers who decide what reaches their users, ESP vendors who package it as operational advice, and regulators who set the legal floor. This page is the map of that landscape - who each authority is, what they publish, and which document to reach for when. It is deliberately not the playbook: the actionable, do-this checklist lives at the email sending best-practices guide. Here we answer the prior question - whose word is this, and how much weight does it carry?
The reassuring through-line, which this page exists to make obvious, is that the authorities agree. A French telco’s postmaster page, a German certification body’s criteria, an American standards group’s BCP, and a blocklist operator’s eBook describe the same handful of practices in different words. When sources this independent converge, you are not chasing one vendor’s opinion - you are looking at the actual shape of the system.
The 60-second version
- Standards bodies (M3AAWG, CSA, IETF) write the consensus and the protocols. Cite these when you need an authoritative, vendor-neutral answer.
- Blocklist authorities (Spamhaus, SURBL/URIBL) publish reputation and hygiene guidance - and run the lists that punish ignoring it.
- Mailbox providers (Google, Yahoo, Microsoft, Apple, Orange, GMX) publish the hard requirements to reach their users. These are not advice; they are admission criteria.
- ESP vendors (SendGrid, Mailgun, Postmark, AWS SES, Adobe, Validity) publish operational how-to and benchmarks. Useful and current, but vendor documents, not standards.
- Regulators (CAN-SPAM, GDPR/ePrivacy, CASL, and others) set the legal floor for consent, identification, and unsubscribe - see the compliance references.
- They all say the same six things: authenticate, get consent, stay relevant, honor unsubscribes, watch complaints, keep lists clean.
How to read this map (the five types)
The authorities differ in what kind of statement they are making, and that determines how you should treat each one:
| Type | What it is | How binding | Example |
|---|---|---|---|
| Standards body | Vendor-neutral consensus and protocol specs | Normative for the industry; not law | M3AAWG, IETF |
| Certification body | An auditable bar a sender can be certified against | Contractual once you opt in | Certified Senders Alliance (CSA) |
| Blocklist authority | Reputation guidance from the operators who list abusers | Advisory, but enforced by their lists | Spamhaus, SURBL, URIBL |
| Mailbox provider | The requirements to deliver to that provider’s users | Hard requirement for that destination | Google, Yahoo, Microsoft, Apple, Orange, GMX |
| ESP vendor | Operational guides, benchmarks, product docs | Informational; quality varies | SendGrid, Mailgun, Postmark, AWS SES, Adobe, Validity |
The mistake to avoid is treating a vendor blog as a standard, or a mailbox provider’s requirement as optional. A Spamhaus eBook and a Mailgun report can give the same advice, but only one of them also operates a blocklist that decides whether your mail is seen.
Standards bodies
M3AAWG - the definitive sender BCP
The Messaging, Malware and Mobile Anti-Abuse Working Group is where mailbox providers, ESPs, and senders jointly write down what they consider acceptable sending. Its Sender Best Common Practices (BCP), Version 3.0 is the single most useful description of what builds a sustainable reputation, because receivers’ filtering reflects it closely. The BCP frames the whole problem around transparency: when senders make themselves known and accountable, receivers can identify and trust them. From that follow its detailed sections on consent (confirmed opt-in is “Best”), identification and infrastructure naming (accurate WHOIS, forward-confirmed reverse DNS, resolvable HELO, TLS), authentication (SPF, DKIM, DMARC), complaint and feedback-loop handling, unsubscribe, bounce hygiene, and shared-versus-dedicated IP strategy. We walk the BCP theme by theme on the reputation overview and IP-vs-domain reputation pages.
M3AAWG also publishes two focused companions worth knowing by name:
- Best Practices for Sending Mandated Emails to Large Audiences - the playbook for reputation-hostile but obligatory sends (breach notifications, recalls, safety notices). Pre-notify each mailbox provider, isolate the stream, authenticate from the real branded domain, strip tracking to the minimum, throttle, and prioritize the audience (impacted, then active, then subscribed) while excluding known-dead addresses entirely.
- Help! I Hit a Spam Trap! - the document to read after a listing. Its core lesson is blunt: “The spam trap isn’t the problem; it is a sign of an underlying problem with the customer’s address acquisition and validation.” It defines the recycled / pristine / typo taxonomy and a required acquisition audit. See our DNSBL directory for where trap data ends up.
Best for: the authoritative, vendor-neutral answer to “what is acceptable sending, and why?”
Certified Senders Alliance (CSA) - an auditable bar
The CSA is a non-profit founded in 2004 by eco (the German Association of the Internet Industry) and the DDV (German Dialogue Marketing Association). It acts as a neutral interface between mailbox providers and commercial senders, and - unlike M3AAWG - it turns best practice into a certification a sender can be measured against. Its admission criteria combine legal requirements (active, separate opt-in consent; a clear unsubscribe; a legal notice and clear commercial identification in every message) with technical requirements (TLS-secured delivery, valid SPF and DKIM with DKIM alignment, PTR records that resolve to a recognizable FQDN, and List-Unsubscribe headers). It also sets concrete reputation ceilings: a hard-bounce rate below 1.0% per mailbox provider within a seven-day window, and a spam-complaint rate below 0.3%. Certification carries weight with participating mailbox providers, especially in Germany and the wider EU.
Best for: a defensible, certifiable checklist - “what does a body that providers trust require?” - particularly for senders targeting DACH/EU inboxes.
IETF - the protocol ground truth
Everything above sits on top of internet standards published by the IETF as RFCs. When you need the exact behavior of a mechanism rather than advice about it, the RFC is the source of truth: SMTP (RFC 5321) and the Internet Message Format (RFC 5322), SPF (RFC 7208), DKIM (RFC 6376), DMARC as re-issued in 2026 (RFC 9989 and companions - see DMARC in 2026), and List-Unsubscribe (RFC 2369) with one-click unsubscribe (RFC 8058). We maintain a categorized index in the RFC library and a mapping of which standards we implement in standards and implementations.
Best for: the precise, normative definition of a protocol - tags, syntax, and required behavior.
Reputation and blocklist authorities
Spamhaus - guidance from the people who run the lists
Spamhaus is unusual: it publishes deliverability guidance and operates the blocklists that enforce poor practice. That makes its advice carry operational weight the way no vendor blog can. Two resources are essential reading:
- The “Email Deliverability 101” eBook - a full guide to reputation, opt-in methods (it calls confirmed opt-in “the gold standard”), spam-trap taxonomy, bounce handling, complaint management, and the signals that “look like a spammer.” It states plainly that SPF and DKIM “should be considered a must,” and that email “should never be sent without” DKIM.
- The deliverability hub article “How do you ensure email deliverability?”, whose Top 8 is the most compact statement of the consensus anywhere: (1) authentication and encryption, (2) engagement, (3) “not doing what spammers do,” (4) address acquisition and data hygiene (confirmed opt-in; never buy lists), (5) frequency and predictability, (6) complaint management (make unsubscribing easy, honor it immediately), (7) spam traps (fix data collection, do not hunt the trap), and (8) bounce handling.
For how those listings actually work, see our Spamhaus blocklists page; for the wider blocklist ecosystem (including the URI-based lists below), see the DNSBL directory.
Best for: reputation and list-hygiene guidance you ignore at the cost of a listing.
SURBL and URIBL - domain and URI reputation
Where Spamhaus’s IP lists score where mail came from, SURBL and URIBL score the domains and links inside the message body. They catch actors who send from clean IPs but reuse abusive destination domains. They are scoring/tagging inputs to spam filters rather than direct block commands. Details and return codes are documented on the URI blocklists (SURBL/URIBL) page.
Best for: understanding why the content of your links matters to reputation, not just your sending IP.
Mailbox-provider guidance
Mailbox-provider documents are a different kind of authority: they are not advice, they are the admission criteria to deliver to that provider’s users. Their language (“must,” “required,” “will be rejected”) reflects that. We track each in depth and keep a side-by-side in the provider rule tracker.
- Google - the Gmail sender guidelines (support article 81126): SPF or DKIM for all senders; SPF and DKIM plus DMARC, one-click unsubscribe, and valid PTR for bulk senders (5,000+/day), with spam rates kept below 0.10% and never reaching 0.30%.
- Yahoo - senders.yahooinc.com: the same authentication baseline, a spam rate below 0.3%, one-click unsubscribe honored within two days, and feedback loops via Sender Hub.
- Microsoft - the consumer Outlook rules plus the Exchange team’s “Authenticate Outbound Email to Improve Deliverability” guidance: SPF, DKIM, and DMARC, and the explicit advice to send bulk mail from a dedicated subdomain rather than your primary domain. See our Microsoft page.
- Apple - iCloud Mail’s bulk-sender requirements: explicit opt-in only (no purchased or appended lists), SPF and DKIM, a published DMARC policy, ARC on forwarded mail, an unsubscribe link, reverse DNS, and separated marketing/transactional streams.
- Orange (postmaster.orange.fr) - France’s largest mailbox: SPF, DKIM, and DMARC all required to pass, ARC recommended for forwarded mail, a valid PTR and resolvable HELO, and a complaint-rate threshold being tightened toward the industry-standard 0.3%.
- GMX (postmaster.gmx.net, with WEB.DE and mail.com under 1&1 Mail & Media) - notably strict: a valid DKIM signature aligned to the From domain is mandatory (“SPF alone is not sufficient”), and these brands now reject inbound mail at the SMTP layer when the sending domain publishes DMARC
p=rejectand authentication fails.
The cross-provider consensus. Read together, the providers converge so tightly that one checklist satisfies all of them: authenticate with SPF, DKIM, and DMARC (with alignment); publish valid, meaningful reverse DNS; offer a working one-click unsubscribe and honor it fast; keep complaint rates well below ~0.3%; and send only mail recipients asked for. The differences are at the margins (exact thresholds, whether DKIM alone is enough, regional reporting tools), not the substance.
Best for: the concrete, destination-specific requirements you must meet to be delivered at all.
ESP operational guidance (vendor documents)
The following are vendor documents - produced by email-sending platforms and tooling companies. They are often the clearest, most current operational how-to available, and several publish useful industry benchmarks. Treat them as practitioner guidance and benchmarks, not as standards, and verify any load-bearing number against a primary source.
- Twilio SendGrid - the Email Deliverability Guide: a broad annual guide covering reputation, infrastructure, authentication, and engagement.
- Mailgun (Sinch) - the State of Email Deliverability report: survey-based industry research (the 2025 edition surveyed roughly 1,100 senders worldwide) on how senders are adapting to the provider requirements.
- Postmark - transactional email best practices: strong on transactional sending, plain-text bodies, avoiding no-reply addresses, and separating transactional from broadcast streams.
- Amazon SES - best practices for sending email: success metrics and maintaining a positive sender reputation from an infrastructure provider’s angle.
- Adobe - the Email Deliverability Best Practice Guide: enterprise-focused, with detailed IP-warming and stream-separation guidance.
- Validity - the Email Deliverability Benchmark Report: annual inbox-placement benchmarks drawn from its Everest seed-data network (the 2026 edition reports a global average inbox placement rate of 87.2% for 2025).
Best for: step-by-step operational how-to and current industry benchmarks - with the vendor caveat applied.
The comparison table
| Source | Type | Best for |
|---|---|---|
| M3AAWG | Standards body | The definitive sender BCP - consent, infrastructure, complaints, spam-trap remediation |
| Certified Senders Alliance (CSA) | Standards / certification body | An auditable legal + technical bar; certification that EU/DACH providers trust |
| IETF (RFCs) | Standards body | Exact protocol behavior - SMTP, SPF, DKIM, DMARC, List-Unsubscribe |
| Spamhaus | Blocklist authority | Reputation and hygiene guidance from the operators who run the lists |
| SURBL / URIBL | Blocklist authority | Domain/URI reputation - why your links matter, not just your IP |
| Google / Yahoo / Microsoft / Apple | Mailbox provider | Hard requirements to reach their users (the 2024+ sender rules) |
| Orange / GMX (WEB.DE, mail.com) | Mailbox provider | Regional EU requirements (France; DACH) - often stricter on DKIM/DMARC |
| SendGrid, Mailgun, Postmark, AWS SES, Adobe, Validity | ESP vendor | Operational how-to and benchmarks (vendor documents, not standards) |
| CAN-SPAM, GDPR/ePrivacy, CASL, and others | Regulator | The legal floor for consent, identification, and unsubscribe |
Why they all agree: the same six things
Strip away the house style and the documents above reduce to six practices. Each is stated by sources that do not coordinate, which is exactly why the consensus is trustworthy:
- Authenticate every message. SPF, DKIM, and DMARC with alignment. M3AAWG, the IETF specs, Spamhaus (“a must”), every mailbox provider, and CSA all require it; GMX makes aligned DKIM mandatory outright.
- Get real consent. Confirmed opt-in is the named “Best” / “gold standard” in both M3AAWG and Spamhaus; CSA requires active, separate opt-in; Apple requires explicit opt-in and forbids purchased lists. Permission is not transferable.
- Stay relevant. Engagement is the through-line of the Spamhaus Top 8 and of vendor benchmarks alike - send mail recipients actually want, at a predictable cadence.
- Honor unsubscribes instantly. List-Unsubscribe (and one-click) is required by Google and Yahoo, criteria for CSA, and a non-negotiable in the M3AAWG BCP - never behind a login.
- Watch complaints. A low complaint rate (around 0.3% or below across providers) is a published ceiling at Google, Yahoo, Orange, and CSA; M3AAWG and Spamhaus treat complaints as a top-weighted negative signal.
- Keep lists clean. Suppress hard bounces and complainers promptly, sunset the unengaged, and treat a spam-trap hit as an acquisition problem - the shared message of M3AAWG, Spamhaus, Apple, and CSA.
For the consent and suppression lifecycle in detail, see suppression and consent.
Where to go next, and what Egressif does
This page is the map; the territory - the single, ordered checklist that turns all of the above into actions - is the email sending best-practices guide. If you only read one of our pages before sending, read that one; come back here when you need to know whose authority a given rule rests on, or which document to cite in an investigation.
Egressif’s honest position: we did not invent any of this, and we are wary of anyone who claims to have a deliverability secret the bodies above somehow missed - Spamhaus is right that there is “no shortcut” and no “special deliverability elixir.” What we do is operate to the consensus as standing practice rather than one-time setup: full, aligned authentication on infrastructure with forward-confirmed reverse DNS and TLS; prompt suppression of bounces, complaints, and unsubscribes the way M3AAWG and Spamhaus prescribe; blocklist monitoring so a hygiene slip surfaces as an alert; and the mailbox-provider requirements tracked as they change. We don’t promise the inbox - no source on this page does either - we keep the measured inputs clean and consistent, which is the only thing that earns it.
Related references
- Sender Reputation - What It Actually Is Reputation is not a single score you own - it is each receiver's prediction, built from your sending history, of how their users will react to your next message. This page explains what feeds that prediction, why it lives on both your IP and your domain, and why it is far easier to damage than to rebuild.
- IP vs Domain Reputation Receivers score the sending IP and the sending domain as two different identities. This page draws the line precisely - what lives where, how shared and dedicated IPs differ, why domain reputation is overtaking IP reputation, and exactly what does and does not survive when you change IPs.
- Spamhaus Blocklists - SBL, XBL, PBL, CSS, DBL, ZEN A precise field guide to the Spamhaus blocklists - what each of SBL, CSS, XBL, PBL, DBL and the combined ZEN lists, the DROP/ASN-DROP and AuthBL datasets, the 127.0.0.x return codes, the RFC 5782 query mechanics and usage rules, and how listings and (always-free) delistings actually work.
- DNSBL Directory - Blocklists and How to Use Them DNS-based blocklists (DNSBLs) are the closest thing email has to a shared reputation signal. This page explains the standard query model from RFC 5782, the operational practices of RFC 6471, and gives a neutral, verified directory of the major lists - what each one lists, how to read its return codes, and how to get delisted - with strong guidance on using them as a score rather than a hard block.
- URI Blocklists - SURBL and URIBL URI blocklists judge the domains linked inside your message, not the IP you sent from. This page explains how SURBL and URIBL work, why a spotless sending IP gets filtered on one bad link, and how shorteners and tracking domains pull you onto someone else's reputation.
Tell us what you run today.
Domains, rough volume, current providers, and what hurts. You will get a straight answer on fit, and a real number, in one conversation.