Email Deliverability: The Business Risk Nobody Owns
A client of mine runs a custom printing business producing conference swag, branded merchandise, t-shirts and more. In 2023, he needed to notify people about an upcoming event. In a rush, he mistakenly imported an outdated contact list into a self-hosted email application and blasted it through the company’s email system. Thousands of addresses. More than 20% bounced.
Within 24 hours, every major email provider had blacklisted his domain.
Invoices stopped arriving. Tickets to a conference his own team was attending never showed up. We had to register an alternate domain just to send mail. We posted a notice on his website asking customers to please believe the strange new address was really him. Even then, open rates ran 25% below normal.
It took six weeks to recover. He never could reliably quantify the lost revenue.
Here’s the part that matters: nothing about his invoicing changed.
One marketing mistake took down every kind of email the business sent — because all of it shared one domain and one reputation.
That was 2023, when the rules were looser.
Today, the same mistake meets a much less forgiving system. Most modern spam filtering doesn’t rely on a simple blacklist ; complex scoring rules, user feedback, and more all go into assigning your domain a sender reputation.
If you damage your reputation, your emails will never see the inbox.
Four Classes of Mail, One Truck
Think about the kinds of email your business actually sends.
Correspondence. Person-to-person mail. This is your people talking to clients, vendors, and each other. You probably use Microsoft 365 or Google Workspace — reliable platforms with strong protections. This is the highest-value email in your business. You are setting meetings, finalizing deals, and managing your team. You must protect this channel above all others.
Transactional. Invoices, receipts, notifications, password resets. Machine-generated and time-sensitive, typically sent through services like Amazon SES, SendGrid, Postmark, or Mailgun or, at smaller volumes, through the main email system. You need these to work, but they are not mission critical. The password and invoice can be resent.
Marketing. Newsletters, announcements, campaigns to opted-in lists. Many use platforms like Mailchimp, Brevo, Klaviyo, or ActiveCampaign. Higher volumes get higher complaint rates by nature. You don’t want to damage your high-value email with these marketing messages.
Cold outreach. Prospecting to people who never asked to hear from you. The highest-risk channel there is. So dangerous, there are vendors that specialize in this type of email. Instantly, Smartlead, Lemlist, and Apollo use sending domains and warmed inboxes to try to get around blacklists and spam filtering.
The postal service figured this out long ago. First-class letters, bulk flyers, and certified documents don’t travel the same way, and a problem with one doesn’t hold up the others. Most businesses run email the opposite way: everything on one truck.
Each channel builds — and potentially damages — your sending reputation differently. Put them all on one domain and your riskiest activity shares a fate with your most critical activity. That’s what happened to my printing client.
Don’t just take my word for it. Google’s sender guidelines recommend separate sending infrastructure for each message type. Yahoo’s Sender Hub is blunter: start sending commercial mail through the same infrastructure as your transactional mail, and your reputation pays for it.
Even the vendors enforce the boundaries. Mailchimp and Brevo suspend accounts that load cold lists. Postmark refuses cold-email use cases outright.
Today, cold outreach and marketing each need their own channel, separate from your primary domain. No exceptions.
Getting email moving again after a block is getting harder and harder. What used to take days takes weeks.
Do not risk high-value correspondence email by sending lower-value email on the same channel.
Transactional mail is more forgiving. If your volume is low, sending invoices, password resets, and similar email from a service address on your primary domain is fine.
The gap I see: most organizations do not put someone in charge of email delivery. Sales, marketing, IT, HR and more all ramp up email with no coordination. They may start sending email on an approved channel that doesn’t meet that channel’s criteria. You only find out when the bounces arrive.
Return to Sender
In 2024, Google and Yahoo set requirements for bulk senders — roughly 5,000 messages a day to their users. You now must authenticate with SPF, DKIM, and DMARC, keep spam complaints under 0.3%, and support one-click unsubscribe. Microsoft followed in May 2025.
The penalty escalated. In 2024, non-compliant mail got deferred or filtered to spam.
As of November 2025, Gmail rejects non-compliant bulk mail outright at the server. Microsoft does the same. The mail doesn’t land in spam. It doesn’t land anywhere.
The classification is permanent.
Google’s own FAQ says it plainly: cross the 5,000-message threshold even once and your domain is classified as a bulk sender with no expiration date. Changing your sending practices afterward doesn’t undo it.
Add up marketing, invoices, notifications, and outreach across every tool a 100-person company uses, and you cross that line without noticing. My printing client’s one bad blast would flip that switch today, permanently.
The Dead Letter Office
When I ask business owners how they know their email works, they point to a dashboard. Messages sent. Delivery rate near 100%. Everything good.
Another client of mine, a radio station, notifying contest winners about an upcoming event. Nobody replied. They resent the invitations. Still nothing. Eventually someone had to call about 40 people to find out what was going on.
The answer: a misconfiguration was routing all the bounce notifications to a defunct admin account nobody watched.
Every returned invitation was landing in a dead email box.
The failure signal existed the whole time. It was just arriving somewhere no one looked.
That’s the trap with email. “Sent” tells you your server did its job. What happened next, inbox, spam folder, or silent rejection, is a story your platform may not tell you.
I spent 20 years on the infrastructure side of this, running mail servers, tuning them, getting client IPs off every major blacklist. The lesson from all of it:
The gap between “sent” and “seen” is where businesses quietly lose money.
The adoption data says most mid-market businesses are still living in that gap. EasyDMARC’s 2026 report found that among Inc. 5000 companies, 76% have adopted DMARC but only 15% enforce it, and more than half sit in monitor-only mode.
To be fair, monitor-only (p=none) is often the right setting, unless you handle financial, health, or legal matters. But monitoring mode only works if someone actually watches for violations and correct them.
A DMARC policy with nobody watching protects nothing.
Someone’s Forging Your Letterhead
In 2024, a large New York personal injury firm came to me with mounting email problems. Clients weren’t receiving key case documents. New hires weren’t getting their HR packets.
Like most firms their size, they ran on outsourced services. Lead generation, case management, contracts, and HR all used independent services, each sending email on the firm’s behalf.
Their in-house IT person had set up SPF and DKIM but never implemented DMARC. The SPF record was too restrictive: the firm had legitimate mail originating from over a dozen sources, and the record didn’t cover them.
Legitimate emails were failing authentication and dying in transit due to incorrect SPF records.
DMARC monitoring revealed all of it. I identified every legitimate sender and setup DKIM and SPF so email was flowing again. It also revealed something nobody expected: spoofing.
Scammers were emailing the public on the firm’s letterhead, their logo, their name, claiming recipients were part of a class action lawsuit with settlement money waiting.
The catch, as always with this scam: a “processing fee” of $25 to $100 to release the funds. It’s a known con in the personal injury industry, and this firm’s identity was the bait.
We knew the email scam was working, because confused recipients were finding the firm’s actual website and asking about the settlement through the contact form.
With every legitimate source authenticated, we moved the firm’s DMARC policy to quarantine — legal work is exactly the category where enforcement is warranted. Spoofed mail using their exact domain stopped getting through to provides that enforce DMARC polices, most of the major email service providers do. The confused inquiries dried up.
One engagement, three findings: sprawl nobody had mapped, legitimate mail dying from misconfiguration, and criminals wearing the firm’s name. All invisible until someone looked.
Nobody Runs the Mailroom
It’s not a budget problem. Authentication and monitoring tooling are cheap relative to the revenue riding on email. The tools are cheap and deployment is easy.
The real gap is ownership.
Look at a typical mid-market org chart and find the person accountable for whether email reaches people. You won’t. IT watches uptime. Marketing watches open rates. Sales watches replies. Finance notices payments slowing and blames the market.
The responsibility is smeared across four departments, so it belongs to no one.
My recommendation: identify the person in your business best suited to liaise with every department that sends email, and make them run the mailroom.
All email delivery decisions funnel through them: the new marketing platform, the CRM change, the outreach tool sales wants to try. They assess and report the business impact of those changes.
The title matters less than the mandate. One person can see the all of the mail – from the marketing to the invoices to the HR notices about not stealing the tea bags.
Your correspondence channel is the most importat. This is the highest-value email you have. Make sure SPF, DKIM, and DMARC are working. Make sure someone is waching.
Don’t wait for problems to surface. Modern companies run on distributed apps, and every new tool someone signs up for is a fresh chance to quietly break authentication for everything else.
The law firm found a dozen senders it didn’t know it had. You probably have more than you think. Blacklist monitoring belongs in the same bucket: hear about problems before your customers do.
The Questions Worth Asking
As the business owner, you don’t need to read the RFC 7489 on Domain-based Message Authentication, Reporting, and Conformance.
Instead, get answers to these questions:
- Which domains and systems send email on our behalf, and for what? If nobody can produce that map, you have infrastructure risk hiding in plain sight.
- Are our channels separated? Is cold outreach on its own domain? Is marketing isolated from the mail that runs the business?
- Who is our source of truth for email delivery, and how do they report? One named person, consulted before new sending tools go live, not after.
- Do we meet the current Google, Yahoo, and Microsoft requirements and how do we know? “We think so” isn’t evidence.
- If deliverability broke tomorrow, what’s the playbook? My printing client needed an emergency domain and a notice on his website. What would you need?
If you can’t get clear answers, you already have your answer.
Neither snow nor rain nor heat nor gloom of night stays these couriers from the swift completion of their appointed rounds.
US Postal Service Unofficial Motto
I’ve called email the most essential, most ignored application in business. What’s changed is that ignoring it now has architecture-level consequences: permanent classifications, outright rejection, one channel’s mistake deciding another channel’s fate.
The businesses that get ahead of this won’t be the ones with the best tools. They’ll be the ones that finally gave email what it never had: an owner, and an architecture.
Jeff Huckaby · Founder, RackAID
How I use AI in my writing and editing process
25 years keeping systems running. Quoted in Forbes, Inc., and Entrepreneur. I help businesses find out if their recovery plans will actually work.