Here's a number that should bother every small business owner sending marketing emails: one in six emails never reaches the inbox. They don't bounce. They don't get returned. They just quietly disappear into spam folders and promotions tabs where nobody will ever see them.
Gmail, the world's largest email provider, has an inbox placement rate between 73% and 78%. That means even under the best conditions, roughly one in four emails sent to Gmail addresses doesn't make it to the primary inbox. Across all providers globally, the average inbox placement sits around 84%. Better, but still not great — especially when you're a small business and every customer relationship matters.
If you've been sending emails and wondering why nobody seems to respond — this might be the reason. Your content could be perfect. Your offers could be irresistible. But none of that matters if your emails are landing in spam before a single customer gets the chance to read them. The good news: most of what determines deliverability is technical infrastructure that your email platform should handle for you. This article explains what's happening behind the scenes — and why choosing the right platform matters more than any individual fix you could make yourself.
Why Your Emails Go to Spam
There are four things that consistently kill email deliverability for small businesses. Understanding them is the first step to fixing them.
Poor authentication is the number one killer. Since February 2024, Google and Yahoo have required all email senders to properly authenticate their messages using SPF, DKIM, and DMARC. Before that, these were best practices. Now they're mandatory. If your emails aren't authenticated, major email providers will either route them straight to spam or reject them entirely. This single issue accounts for more deliverability problems than everything else combined, and most small business owners don't even know it exists.
High bounce rates damage your reputation fast. A bounce happens when you send an email to an address that doesn't exist or can't receive mail. If your bounce rate climbs above 2%, email providers start treating your domain as untrustworthy. It makes sense from their perspective — legitimate senders maintain clean lists. Senders with lots of bad addresses look like they scraped contacts from somewhere shady. Every bounced email is a small mark against your domain's reputation, and those marks add up quickly.
Spam complaints are the most damaging signal. When a recipient clicks "Report Spam" on your email, that's a direct signal to the email provider that your messages are unwanted. The threshold is shockingly low — anything above 0.1% complaint rate starts triggering problems, and top-performing senders maintain rates around 0.02%. To put that in perspective, if you send to 1,000 people and just two of them hit the spam button, you're already at the danger threshold. Google's hard ceiling is 0.3%, and exceeding that consistently will bury your domain.
Purchased lists are poison for your domain. Buying an email list is the fastest way to destroy your deliverability. Those lists are full of invalid addresses that bounce, spam traps set up specifically to catch senders who don't use permission-based lists, and people who never asked to hear from you and will immediately hit the spam button. One blast to a purchased list can damage your domain reputation so severely that it takes months to recover — if you can recover at all. There's no shortcut here. Every address on your list needs to belong to someone who actually opted in.
SPF, DKIM, and DMARC: The Plain English Version
These three acronyms sound intimidating, but the concepts behind them are surprisingly simple. Think of them as three layers of trust that prove to email providers like Gmail that your emails are really from you.
SPF — The Guest List
Sender Policy Framework is essentially a guest list for your domain. It's a DNS record that says "these specific servers are allowed to send email on behalf of my domain." When Gmail receives an email claiming to be from your business, it checks your SPF record to see if the sending server is on the list. If it's not, the email gets flagged. Think of it like a bouncer at a private event — if your name's not on the list, you're not getting in. Without SPF, anyone could send emails pretending to be your business, and email providers have no way to tell the difference.
DKIM — The Wax Seal
DomainKeys Identified Mail works like a wax seal on an old-fashioned letter. When your email server sends a message, it stamps it with a cryptographic signature that's unique to your domain. The receiving server then checks this signature against a public key published in your DNS. If the signature matches, the email is authentic and hasn't been tampered with in transit. If someone intercepted or modified the message along the way, the seal would be broken. DKIM doesn't stop someone from sending email as you — that's SPF's job — but it proves that the emails you did send arrived exactly as you wrote them.
DMARC — The Policy
Domain-based Message Authentication, Reporting, and Conformance ties SPF and DKIM together with a policy. It tells email providers what to do when an email fails authentication checks. You have three options: do nothing and just report it, quarantine it (send to spam), or reject it outright. DMARC also sends you reports about who's trying to send email using your domain, which is how you catch spoofing attempts. Think of it as the instruction card you leave for a house sitter — "if someone shows up and they're not on the list and they don't have a key, here's what I want you to do."
All three of these became effectively mandatory in February 2024 when Google and Yahoo announced new sender requirements. As of April 2024, Google began actively rejecting email traffic that didn't comply. If you haven't set these up, you're not playing by the rules that every major email provider now enforces — and your inbox placement is suffering because of it.
Google and Yahoo's 2024 Rules Changed Everything
In October 2023, Google and Yahoo jointly announced new requirements for email senders that went into effect in February 2024. These weren't suggestions or best practices. They were hard requirements, and they fundamentally changed the email deliverability landscape for every business.
For all senders, the minimum requirement is now SPF or DKIM authentication on every message. That's the baseline just to get your foot in the door. If you send more than 5,000 emails per day to Google addresses — which qualifies you as a bulk sender — the requirements get stricter. Bulk senders need SPF and DKIM authentication plus a published DMARC policy. They also need to support one-click unsubscribe in every marketing email, and they need to keep their spam complaint rate below 0.3%.
The one-click unsubscribe requirement deserves special attention. Every marketing email you send must include a way for recipients to unsubscribe with a single click — no login required, no multi-step process, no "enter your email to confirm" nonsense. If you make it hard for people to unsubscribe, they'll hit the spam button instead, and that's far more damaging to your deliverability than losing a subscriber.
This is not optional. Google started rejecting non-compliant traffic in April 2024 and has been ramping up enforcement since. If you haven't adapted to these rules, you're likely already seeing the effects in your deliverability numbers — you just might not have connected the dots yet.
List Hygiene: The Boring Thing That Matters Most
Email list hygiene is the unglamorous foundation of good deliverability. Nobody wants to talk about it because it means making your subscriber count go down, and that feels like going backward. But a clean list of 500 engaged subscribers will outperform a dirty list of 5,000 every single time.
The hard rule is keeping your bounce rate below 2%. Every time you send a campaign, any address that hard bounces — meaning the address doesn't exist or the server permanently rejected your message — needs to be removed immediately. Not next week. Not when you get around to it. Immediately. Every subsequent send to a known-bad address compounds the damage to your sender reputation.
Beyond bounces, you need to regularly clean subscribers who've gone inactive. If someone hasn't engaged with a single email from you in six months or more, they're either not seeing your emails (because they're already in spam) or they've lost interest. Either way, continuing to send to them hurts you. Inactive subscribers signal to email providers that your content isn't wanted, which pushes more of your emails into spam. It's a downward spiral. Cherub automatically sunsets subscribers who haven't engaged in 180 days — removing them from future sends so they stop dragging down your deliverability. It's the kind of thing no business owner would remember to do manually, but it makes a real difference in whether your emails reach the people who actually want them.
Here's a number that puts this in perspective: roughly 22.5% of email addresses become invalid every year. People change jobs, switch providers, and abandon old accounts constantly. If you built your email list two years ago and haven't cleaned it since, nearly half those addresses could be dead weight — or worse, converted into spam traps by email providers looking to catch senders who don't maintain their lists.
This is another area where your email platform should be doing the heavy lifting. Cherub automatically removes hard bounces after every send, tracks spam complaints in real time, and requires double opt-in for every new email subscriber -- meaning every email address on your list was verified by the actual person who owns it. SMS subscribers opt in by texting JOIN to your number, which is direct consent by definition. You shouldn't need to manually scrub your list. If you're doing that, your platform is making you do its job.
Domain Warm-Up: Why You Can't Just Start Blasting
If you're setting up email marketing for the first time — or switching to a new sending domain — you can't just send thousands of emails on day one. Email providers don't trust new domains, and for good reason. Most brand-new domains that start sending large volumes of email immediately are spammers. To prove you're not one of them, you need to go through a process called domain warm-up.
Domain warm-up takes a minimum of 2 to 4 weeks, with full reputation establishment happening around day 45. The process is straightforward but requires patience. On days one and two, you send a small volume — somewhere between 100 and 500 messages — to your most engaged subscribers, the people most likely to open and interact with your emails. Then you roughly double your sending volume every day or two. By the end of the second week, you should be sending to a few thousand. By day 45, you're fully warmed and can send at your normal volume.
The reason you start with your most engaged subscribers is strategic. Those early opens, clicks, and replies send positive signals to email providers. Gmail and Yahoo are watching how recipients interact with your emails from a new domain. If those first few hundred emails get strong engagement, the providers start building a positive reputation for your domain. If those first emails get ignored or marked as spam, you're digging yourself into a hole that gets harder to climb out of with every send.
Skipping warm-up is one of the most common mistakes small businesses make, and it's one of the hardest to undo. A domain that gets flagged during its first week of sending can take months to rehabilitate. The good news for small businesses is that if you're starting with a few dozen subscribers and growing organically, warm-up happens naturally — your volume ramps up at exactly the pace providers want to see. Cherub Email sends through established delivery infrastructure with authenticated subdomains (SPF, DKIM, DMARC configured automatically), which means your emails benefit from a trusted sending reputation from day one. You don't need to manage a warm-up schedule because your sending volume and the platform's reputation do the work for you.
Monitoring: How to Know If You Have a Problem
You can't fix what you can't see. The most important free tool for monitoring your email deliverability is Google Postmaster Tools. It's free, it takes about ten minutes to set up, and it gives you direct visibility into how Google views your domain. You can see your domain reputation (rated from bad to high), your spam rate, your authentication pass rates, and whether your emails are being encrypted in transit.
The key benchmarks to track are straightforward. Your bounce rate should stay below 2% on every send. Your spam complaint rate should stay below 0.1%, with top performers sitting around 0.02%. Your authentication pass rate — meaning the percentage of your emails that successfully pass SPF, DKIM, and DMARC checks — should be above 95%. If any of these numbers slip, you need to investigate immediately rather than hoping the problem resolves itself.
Here's the honest truth, though: most small business owners shouldn't have to monitor any of this themselves. This is plumbing — essential, but not something you should be thinking about when you have a business to run. A good email platform monitors these metrics behind the scenes, flags problems before they become crises, and handles the technical remediation automatically. Cherub monitors your domain reputation, bounce rates, and complaint rates continuously. If something slips, we adjust before it becomes a deliverability crisis. You focus on your business; we make sure your emails actually arrive.
If you're managing email yourself or using a basic tool, Google Postmaster Tools is worth the ten-minute setup. But if you're using a platform that takes deliverability seriously — one that handles authentication, list hygiene, and reputation monitoring as part of the service — you shouldn't need to check these dashboards at all.
Frequently Asked Questions
Why are my emails going to spam even though I'm not a spammer?
Most legitimate businesses land in spam because of missing email authentication (SPF, DKIM, DMARC), not because of their content. Since February 2024, Google and Yahoo require proper authentication for all senders. Without it, your emails get filtered regardless of how good your content is. High bounce rates, spam complaints, and sending to purchased lists also trigger spam filters.
What are SPF, DKIM, and DMARC and do I really need them?
SPF tells email providers which servers are allowed to send on your behalf (like a guest list). DKIM adds a cryptographic signature proving the email hasn't been tampered with (like a wax seal). DMARC tells providers what to do with emails that fail those checks (quarantine, reject, or allow). Since February 2024, all three are effectively mandatory. Google began rejecting non-compliant email traffic in April 2024.
How long does it take to warm up a new email domain?
A proper domain warm-up takes 2 to 4 weeks minimum, with full reputation establishment around 45 days. For small businesses starting with a few dozen subscribers and growing organically, warm-up happens naturally — your volume ramps at exactly the pace providers want to see. Platforms like Cherub that send through established delivery infrastructure with proper SPF/DKIM/DMARC authentication benefit from a trusted sending reputation from day one, so you don't need to manage a warm-up schedule yourself.
What is a good email bounce rate and spam complaint rate?
Keep your bounce rate below 2% and your spam complaint rate below 0.1%. Top-performing senders maintain complaint rates around 0.02%. Google's hard ceiling is 0.3% for spam complaints — exceed that consistently and you'll see serious deliverability damage. Remove hard bounces immediately after every send and clean inactive subscribers who haven't opened in 90 or more days.