Whether your email reaches the inbox is decided by a stack of seven layers, from your DNS at the bottom to continuous visibility at the top. Most teams only ever see one or two, which is why deliverability feels like luck. Learn all seven and it stops being luck.
A problem low in the stack drags down every layer above it. That is why rewriting a subject line almost never fixes a delivery problem that started in DNS.
We are trained to think of email as a channel: something you use. So when it breaks, we look at the message, the audience, the campaign. But you can have good data, opted-in readers, and well-written emails, and still land in spam. Because email is not just a channel you use, it is infrastructure you operate.
Inside your company, email is fragmented: marketing sends from one tool, support from another, product from a third, and IT owns the DNS underneath. But Gmail, Microsoft, and Yahoo do not see your org chart. They see one domain, one reputation, one footprint. A problem from any single team becomes a problem for everything you send.
SPF, check. DKIM, check. DMARC, check. Most teams tick the boxes once and assume they are covered. But deliverability is not pass or fail, and it is not a one-time setup. Every send is re-evaluated against your current behavior. The audit you ran last quarter describes a system that no longer exists.
This is the complete map of what decides whether your email arrives. Read it bottom to top, the way receivers evaluate you: a weak layer low in the stack undermines every layer above it, so the order matters as much as the parts. Each layer has a full field guide linked at the end.
Everything about your email begins in DNS: the MX records that route incoming mail, the TXT records that hold your authentication, DNSSEC, and the certificates that prove your domain is what it claims. It is the ground floor the other six layers are built on.
Silently, and expensively. One edited or expired record can break authentication, delivery, or an entire mail flow, and nobody is told until something visibly stops. Missing password resets and vanished invoices almost always trace back to here.
The three records that let a receiver verify your identity. SPF lists which servers may send for you, DKIM signs each message, and DMARC ties them together and tells receivers what to do with mail that fails. Together they are how you stop being an anonymous stranger at the door.
Misaligned SPF or DKIM, an SPF record that quietly exceeds its lookup limit, a sending stream nobody signed, or a DMARC policy left at monitoring for years. Each one means legitimate mail fails checks, and you start to look like the forgers you are trying to block.
Every system that sends email as your domain: your marketing platform, CRM, support desk, billing, product notifications, and the tools individual teams added over the years. On a healthy domain, all of them are known, authorized, and authenticated.
Ask most companies to name every system that sends on their behalf and they cannot. A forgotten vendor, a team that signed up for a new tool, a source that starts sending without review: these blind spots quietly shape the reputation of your whole domain, and they are where the biggest risks hide.
Domain and IP reputation, blocklist status, sender scores, and the receiver-side data in Google Postmaster Tools and Microsoft SNDS. It is the running record every mailbox provider keeps on how you behave, and they consult it before your subject line is ever read.
Slowly, in both directions, which is what makes it dangerous. Damage compounds quietly for weeks before mail visibly stops, and a single blocklist entry can throttle every email your company sends. The senders who only look when something breaks are always looking too late.
The layer everyone assumes is automatic once the lower ones are set. It is not. Placement is whether your legitimate mail reaches the inbox or the spam folder, and it varies receiver by receiver based on signals your ESP dashboard does not show you.
Everything is configured, everything is compliant, and mail still lands in spam at Gmail while it is fine at Outlook. “Sent” is not “delivered,” and “delivered” is not “inboxed.” Without placement visibility, you find out from a customer, not from a dashboard.
The layer almost every guide forgets. While you work on your own mail, attackers can spoof your exact domain, register lookalike domains a customer will never notice, and send phishing in your name. It is deliverability seen from the outside in.
It burns the reputation you built and puts your customers at risk, and you usually find out only when someone complains about an email you never sent. Impersonation attacks are also what makes enforcement at layer 2 urgent rather than optional.
The layer that holds the other six together. Deliverability is not a state you reach, it is a system that is constantly re-evaluated, so the only way to run it is to watch every layer continuously and in one view. This is the difference between operating your email and reacting to it.
The other six layers usually live in six different tools, owned by different teams, checked at different times, if at all. Each tool sees its own slice. Nobody sees the stack. So problems that begin in one layer and surface in another take days to trace, because the evidence is scattered across consoles.
A note on what is not in this stack: your list, your content, and whether people engage. They matter, and they are the parts most teams already obsess over. But they sit on top of these seven, and when email breaks and stays broken, the cause is almost always one of the seven layers below, because those are the ones nobody is watching.
Here is the single most expensive pattern in email. Six of the seven layers are observable. But they are scattered across separate tools and separate teams, while the people judging you see one thing. That gap is where deliverability quietly falls apart.
Six slices, six tools, different owners, checked at different times. No one sees the stack, so a problem that starts in one slice and shows up in another takes days to trace.
Gmail, Microsoft, and Yahoo do not care which team owns which layer. They evaluate the whole. Which means you have to see the whole too, or you are debugging blind while they judge in full.
Seeing all seven layers the way the receiver does is exactly where most teams need a second set of eyes. If that is you, a free consultation is a fast way to get one.
A symptom is not a mystery, it is an address: each one points back to the layer that produces it. Start where the symptom points, confirm or clear it, and move down the stack.
| The symptom you're seeing | Where in the stack it usually starts |
|---|---|
| Gmail or Outlook suddenly junking everything | L4 · REPUTATION first, then L2 · AUTHENTICATION. A sudden shift means the file on you moved: check reputation signals and recent authentication failures before touching a single word of content. |
| Landed on Spamhaus or another blocklist | L4 · REPUTATION and L3 · SENDING SOURCES. Listings follow behavior. The delisting form is step two; finding which source or signal earned the listing is step one. |
| Google or Yahoo rejecting bulk mail outright | L2 · AUTHENTICATION The sender requirements are mostly authentication requirements: missing DMARC, unaligned SPF or DKIM, an ignored complaint threshold. Fix the records and the rejections explain themselves. |
| Open rates slid over weeks, nothing changed on your side | L4 · REPUTATION or L5 · PLACEMENT. Slow declines are the file drifting: placement eroding or reputation slipping. Something did change; it changed in the receiver's records, not in yours. |
| Password resets and invoices not reaching customers | L1 · FOUNDATION Transactional mail fails quietly and it usually fails low: a DNS record edited, an expired record, a route that moved. Start at the bottom of the stack, not at the template. |
| Customers report emails "from you" that you never sent | L6 · THREAT Someone is spoofing your domain or running a lookalike. Your authentication data shows who is failing checks while pretending to be you, and enforcement plus monitoring is how you shut it down. |
| You genuinely cannot tell what's wrong | L7 · VISIBILITY If a problem is real but invisible, the gap is not the problem, it is the seeing. This is the layer to fix first, because without it every other diagnosis is a guess. |
Book a free 30-minute call with a deliverability specialist. No pitch and no obligation, just a clear read on what is actually wrong and the order to fix it.
Each layer of the stack has its own field guide, written the way a colleague would explain it. Start with the one closest to your problem.
Deliverability is whether your legitimate email reaches the inbox rather than the spam folder or a block. It is not one setting and it is not about “spammy words.” It is the outcome of the seven-layer system on this page. Get the layers right and deliverability follows; ignore them and no amount of copy will save you.
Sudden shifts almost always mean the receiver's file on you moved: your reputation dipped, an authentication record broke, or a blocklist picked you up. Your content did not suddenly change, so it is rarely the cause of a sudden change. Start at layers 4 and 2, check what changed in the past two weeks, and work down the trace table above.
Not directly, and it is worth being precise because a lot of advice gets this wrong. Moving DMARC to enforcement stops other people from sending as your exact domain. That protects your reputation and your customers, which supports deliverability over time, but enforcement itself is not a lever that lifts your legitimate mail into the inbox. It is an identity control, not a placement trick. Placement is layers 4 and 5.
Yes. The 30-minute consultation costs nothing and comes with no obligation. We will tell you what is wrong and how to fix it whether or not you ever work with us again. If your situation needs more than one call, we will be upfront about what that looks like. No pressure, no bait.