Email deliverability guide for business email


Email deliverability is often discussed as if it were a marketing problem. In practice it is an operations and cyber security problem. This guide covers how to stop missing important messages (and how to block the dangerous ones).

If invoices are “randomly” not arriving, password resets never show up, suppliers insist they emailed you, or your own messages keep landing in clients’ junk folders, you’re dealing with the same underlying system: a stack of automated trust decisions made by mailbox providers, security filters, and your email service provider.

If you are reading this because you have just experienced a ransomware incident and are unsure how to deal with it, contact Zensec immediately.

This guide is written for businesses that either:

  1. Need legitimate email to reliably reach business inboxes (their own and their customers'), with messages consistently landing in the primary inbox rather than junk, or
  2. Want to tighten inbound security so unwanted email does not get delivered in the first place, without breaking day-to-day comms.

Remember, cyber attackers already treat your email domain like critical infrastructure, so you need to do the same.

What “deliverability” actually means (and why businesses get confused)

Two terms get mixed up:

  1. Delivery means the receiving mail server accepted the message (it did not bounce).
  2. Deliverability means the message actually reached the recipient's inbox, not just the receiving server.

A lot of business pain sits in the gap between those two. A message can be "delivered" and still never reach the user because a filter diverted it to the spam folder or an admin quarantine, rewrote it, or a mailbox rule moved it.

The hidden journey of an email into your business mailbox

Most emails hit multiple layers of filtering, and each layer can make a different decision.

A useful mental model is three gates:

  1. Mailbox provider filtering (Gmail, Microsoft 365, Yahoo, etc.). These systems score the sender's reputation, authentication results, complaint rates, and content ("does this look like phishing?").
  2. Corporate or gateway filtering (Microsoft Defender for Office 365, Proofpoint, Mimecast, Barracuda, secure email gateways). These are often more aggressive because they are trying to prevent organisational compromise, not just spam, and they lean heavily on sender authentication (SPF, DKIM, DMARC).
  3. Endpoint and user layer (mail client rules, local junk filters, user-created rules, "focused inbox" style sorting based on user preference).

From a security standpoint, that middle layer (corporate filtering) is both your best friend and your biggest source of “where did that email go?” – especially when investigating deliverability issues.

Two sides of the same problem: inbound reliability and outbound trust

Most discussions of deliverability focus on outbound marketing mail. Businesses need to look at both directions:

Inbound: “We’re not receiving important emails.”

Common deliverability issues include: missing supplier mail, missing leads, missing MFA codes, missing calendar invites, and missing invoices.

This is usually caused by one of these categories:

  • Overly aggressive filtering (content rules and keyword triggers that catch legitimate mail)
  • The sender failing SPF, DKIM, or DMARC alignment
  • Forwarding setups that break SPF (the forwarder's IP is not authorised for the original sender's domain)
  • Messages sent from IP addresses with a poor reputation
  • Mail relayed through hosts or providers with little or no sending history
  • Misconfigured DNS records (MX, SPF, DKIM selectors, DMARC)

Outbound: “Our emails to customers keep going to spam”

When your email campaigns underperform or constantly land in junk folders, it’s usually caused by:

  • Weak or inconsistent sender authentication
  • A damaged sending reputation
  • Poor sending practices (sudden volume spikes, no warm-up, purchased lists)
  • Overreliance on shared IP addresses, or not moving to a dedicated IP once volume justifies it
  • Sending to large numbers of inactive subscribers

If your business runs marketing emails, protecting your sending reputation comes down to clean lists, low complaint rates, and consistent authentication.

The foundation: authenticate your domain properly (SPF, DKIM, DMARC)

If you do nothing else, do this.

SPF: Who is allowed to send for your domain

SPF (Sender Policy Framework) is a DNS TXT record on your domain that lists the IP addresses and hosts allowed to use that domain as the SMTP envelope sender (MAIL FROM). Receivers look it up and check the connecting server's IP against it.

What breaks SPF in the real world:

  • You use multiple platforms (CRM, ticketing system, email marketing tool, invoicing tool) and forget to include all of them in your TXT record.
  • You exceed the DNS lookup limit (ten lookups across include:, a, mx, ptr, exists and redirect= combined) because your SPF record has grown into a monster of nested includes; receivers treat that as a permanent error, not a pass.
  • Mail is forwarded: the forwarding host's IP is not in your record, but your domain is still the envelope sender, so SPF fails at the final hop.
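The lookup-limit problem is easy to check for yourself. The following is an added example (not code from the original page or from any tool it mentions) that walks an SPF record the way a receiver does, following include: and redirect=, counting the mechanisms that cost a DNS lookup and collecting the ip4:/ip6: networks that end up authorised. The zone data is constructed stand-in for DNS answers, and the domain names in it are made up; a/mx expansion is not modelled.

```python
import ipaddress

# Constructed zone data standing in for the DNS TXT lookups a receiver would
# make (assumption: no real DNS is queried; the names and records are made up).
ZONE = {
    "example.com": "v=spf1 include:_spf.example-crm.net include:mail.example-esp.com mx -all",
    "_spf.example-crm.net": "v=spf1 include:_netblocks.example-crm.net ip4:203.0.113.0/24 -all",
    "_netblocks.example-crm.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 ~all",
    "mail.example-esp.com": "v=spf1 a mx include:_spf.example-esp.com ~all",
    "_spf.example-esp.com": "v=spf1 ip4:192.0.2.0/24 ~all",
}

# Mechanisms that cost a DNS lookup each; RFC 7208 section 4.6.4 caps the
# total at 10 per evaluation and treats anything above that as a permerror.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10


def audit_spf(domain, zone, _path=()):
    """Walk an SPF record, following include: and redirect=, and return
    {"lookups": n, "networks": [...], "problems": [...]} where networks are the
    ip4:/ip6: terms ultimately authorised (a/mx expansion is not modelled)."""
    result = {"lookups": 0, "networks": [], "problems": []}
    if domain in _path:
        result["problems"].append(f"include loop at {domain}")
        return result

    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        result["problems"].append(f"no SPF record for {domain}")
        return result

    for term in record.split()[1:]:
        term = term.lstrip("+-~?")              # qualifier does not change lookup cost
        if term.lower().startswith("redirect="):
            mech, arg = "redirect", term.split("=", 1)[1]
        else:
            mech, _, arg = term.partition(":")
            mech = mech.lower()
        if mech in LOOKUP_MECHANISMS:
            result["lookups"] += 1
        if mech in ("include", "redirect"):
            sub = audit_spf(arg, zone, _path + (domain,))
            result["lookups"] += sub["lookups"]
            result["networks"] += sub["networks"]
            result["problems"] += sub["problems"]
        elif mech in ("ip4", "ip6"):
            result["networks"].append(arg)

    if not _path and result["lookups"] > LOOKUP_LIMIT:
        result["problems"].append(
            f"{result['lookups']} DNS lookups exceeds the limit of {LOOKUP_LIMIT} (permerror)")
    return result


def ip_authorised(ip, networks):
    """True if the connecting IP falls inside any ip4:/ip6: network found above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


if __name__ == "__main__":
    audit = audit_spf("example.com", ZONE)
    print(audit)
    print("192.0.2.10 authorised:", ip_authorised("192.0.2.10", audit["networks"]))
    # A forwarder's IP is not in the record, so SPF would fail at the final hop.
    print("forwarder 10.9.8.7 authorised:", ip_authorised("10.9.8.7", audit["networks"]))
```

The constructed record costs seven lookups, so it is fine today, but adding one more vendor with a deep include tree could push it over ten and turn every message into a permerror. Run this against your real record by swapping the zone dictionary for live TXT lookups.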

DKIM: prove the message was not altered and came from an authorised sender

DKIM (DomainKeys Identified Mail) signs outgoing email with a cryptographic signature over selected headers and a hash of the body. Receivers verify it using a public key published in DNS under a selector on the signing domain.

What breaks DKIM:

  • A sending service isn’t signing at all (still common).
  • A gateway or mailing list modifies the message in transit (appended footers, subject tags, re-encoded bodies), which invalidates the signature.
  • You rotate keys poorly or leave old selectors dangling.
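To see why a footer kills a signature, it helps to look at the body-hash half of DKIM verification. The following is an added example (not code from the original page): it implements the "simple" and "relaxed" body canonicalisation rules from RFC 6376, recomputes the bh= tag over a body as received, and compares it with the signed value. The message body and the DKIM-Signature header are constructed, the b= value is a placeholder, and the RSA check over the headers is deliberately not shown; bh= is what a verifier checks first, and a mismatch ends verification before any key is fetched.

```python
import base64
import hashlib
import re


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalisation: collapse runs of
    whitespace to one space, strip trailing whitespace on each line, drop empty
    lines at the end of the body, and terminate with CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 section 3.4.3 'simple' body canonicalisation: only trailing
    empty lines are removed; everything else must match byte for byte."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b"\r\n"


def body_hash(body: bytes, canon: str = "simple") -> str:
    """The bh= value: base64(SHA-256(canonicalised body)), as used by a=rsa-sha256."""
    canon_body = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    return base64.b64encode(hashlib.sha256(canon_body).digest()).decode()


def parse_tags(dkim_signature: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (folding whitespace removed)."""
    tags = {}
    for part in dkim_signature.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def bh_matches(dkim_signature: str, body: bytes) -> bool:
    """Recompute bh= over the body as received and compare it with the signed
    value. A mismatch means the body changed after signing, so the signature is
    dead before the verifier even fetches the public key."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"   # body defaults to simple
    return body_hash(body, body_canon) == tags.get("bh")


# Constructed message body and a DKIM-Signature header built around it.
# b= is a placeholder: only the body-hash half of verification is modelled.
ORIGINAL_BODY = b"Hi,\r\n\r\nPlease find  the invoice attached.\r\n\r\nRegards\r\n"
SIGNED_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;"
    " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY, "relaxed") + "; b=PLACEHOLDER"
)

# What a gateway that appends a disclaimer does to the message (constructed).
FOOTERED_BODY = ORIGINAL_BODY + b"--\r\nThis email was scanned by ExampleGateway.\r\n"

if __name__ == "__main__":
    print("untouched body:         ", bh_matches(SIGNED_HEADER, ORIGINAL_BODY))
    print("extra trailing CRLFs:   ", bh_matches(SIGNED_HEADER, ORIGINAL_BODY + b"\r\n\r\n"))
    print("footer added in transit:", bh_matches(SIGNED_HEADER, FOOTERED_BODY))
```

Relaxed canonicalisation survives the harmless changes relays make (whitespace, trailing blank lines) but nothing else; any appended footer, however small, changes bh=. If a gateway or list in your path must modify bodies, it has to re-sign with its own domain, and DMARC alignment then depends on that domain.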

DMARC: tell receivers what to do when authentication fails

DMARC ties SPF and DKIM together: at least one of them must pass and be aligned with the domain in the visible From: header. It then adds a policy telling receivers what to do when neither does (none, quarantine, or reject) and a reporting address so you can see who is sending as you.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is not optional if you care about inbound security.

It is one of the few controls that directly reduce email spoofing, which is the root of many business email compromise incidents.

DMARC policy: none vs quarantine vs reject (and why “p=none” is not the end goal)

DMARC policies come in three levels:

p=none means "monitor, but don't enforce": report failures to me, but deliver as you normally would.

p=quarantine means "treat failures as suspicious": receivers typically put them in junk or an admin quarantine.

p=reject means "do not accept failed messages at all": they are refused at SMTP time.

A lot of organisations stop at p=none because it feels "safer." It is safer in one way (less risk of blocking legitimate third-party mail you forgot about), but it provides almost no protection: attackers can still spoof you, and receivers have no instruction to block it.

A healthier progression for most businesses looks like this:

  • Start with p=none to learn who is sending as you using DMARC reporting.
  • Fix alignment for legitimate senders (your CRM, your billing system, your support desk).
  • Move to quarantine.
  • Then move to reject once you have confidence (the pct= tag lets you apply the stricter policy to a percentage of mail first).

If you want fewer impersonation attempts reaching customers and staff, p=reject is where you eventually want to land, with sensible exceptions for edge cases.
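The alignment rules are where most DMARC confusion comes from, so here is the evaluation written out. This is an added example (not code from the original page): it takes a DMARC record, the From: domain, and the SPF and DKIM results with the domains they were checked against, applies relaxed or strict alignment, and returns the DMARC result and disposition. The policy record and the four scenarios are constructed; the organisational-domain logic uses a tiny stand-in for the Public Suffix List, and pct= is ignored.

```python
# Tiny stand-in for the Public Suffix List (assumption): real DMARC verifiers
# use the full list to find the organisational domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) only
    needs the same organisational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if not a or not f:
        return False
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc_record(record: str) -> dict:
    return {k.strip().lower(): v.strip() for k, v in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}


def evaluate_dmarc(record, policy_domain, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return {"result": pass|fail, "disposition": none|quarantine|reject}.
    spf_domain is the envelope (MAIL FROM) domain SPF was checked against and
    dkim_domain the d= of the signature that verified. pct= is ignored here."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none"}
    policy = tags.get("p", "none")
    frm, pol = from_domain.lower(), policy_domain.lower()
    is_subdomain = frm != pol and frm.endswith("." + pol)
    if is_subdomain and "sp" in tags:          # sp= overrides p= for subdomains
        policy = tags["sp"]
    return {"result": "fail", "disposition": policy}


# Constructed policy record and scenarios for example.com.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@example.com"

SCENARIOS = {
    # Mail forwarded by a mailbox rule: SPF breaks (forwarder's IP), the DKIM
    # signature survives, and DMARC still passes. This is why DKIM matters.
    "forwarded": ("example.com", "fail", "example.com", "pass", "example.com"),
    # Third-party ESP signing with its own domain and its own bounce domain:
    # both authenticate, neither is aligned, so the message is rejected.
    "unaligned ESP": ("example.com", "pass", "bounce.esp.example", "pass", "esp.example"),
    # Plain spoof from an unrelated server with no signature at all.
    "spoof": ("example.com", "fail", "attacker.example", "none", ""),
    # Subdomain From: signed with the parent's key: passes under adkim=r.
    "subdomain": ("billing.example.com", "fail", "x.example", "pass", "example.com"),
}


def run_scenarios(record=RECORD, policy_domain="example.com"):
    return {name: evaluate_dmarc(record, policy_domain, *args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:14s} -> {outcome}")
    print("subdomain with adkim=s ->",
          evaluate_dmarc(RECORD.replace("adkim=r", "adkim=s"), "example.com", *SCENARIOS["subdomain"]))
```

The "unaligned ESP" case is the one that bites when you move to quarantine or reject: the vendor's mail authenticates perfectly, just not as you. The fix is on your side, by publishing the vendor's DKIM key under a selector on your domain and pointing your envelope domain at their bounce handling, not by weakening the policy.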

Modern reality: mailbox providers now enforce “baseline hygiene”

If you send at any kind of scale, you are operating under stricter rules from major mailbox providers. Google and Yahoo introduced enforceable bulk-sender requirements in 2024, and the rest of the industry is following.

Key expectations that now matter a lot more:

  • Authenticate properly (a valid v=spf1 record and DKIM signing for all senders; a DMARC record, at minimum p=none, for bulk senders).
  • Keep spam complaint rates low (Google's published threshold in Postmaster Tools is 0.3%, with 0.1% as the target).
  • Support one-click unsubscribe for bulk promotional email (this is not just a footer link; it is the List-Unsubscribe and List-Unsubscribe-Post headers defined in RFC 8058, and the request must be honoured within two days).
  • Responsible sending practices: valid forward and reverse DNS for sending IPs, TLS on the sending connection, and no impersonation of the provider's own domains in the From: header.

Even if you are not a “marketing-heavy” organisation, these requirements still matter because a compromised account that sends spam can quickly damage your deliverability reputation, leading to poor sender reputation across platforms.
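One-click unsubscribe is the requirement most often "implemented" by adding a footer link and nothing else. The following is an added example (not code from the original page) that checks a message for the RFC 8058 headers and shows the rewrite that satisfies them. The newsletter header block, the https endpoint and the placeholder DKIM-Signature are constructed; the server side of the endpoint, which must act on a POST of List-Unsubscribe=One-Click without a confirmation page, is not shown.

```python
import re
from email import message_from_string
from email.message import Message

ONE_CLICK_VALUE = "List-Unsubscribe=One-Click"


def one_click_unsubscribe_ok(msg: Message):
    """Check the RFC 8058 one-click requirements on a parsed message and return
    (ok, reasons). If a DKIM-Signature is present, its h= list must cover both
    List-Unsubscribe headers (RFC 8058 section 4), or receivers ignore them."""
    reasons = []
    lu = msg.get("List-Unsubscribe")
    if lu is None:
        reasons.append("missing List-Unsubscribe header")
    else:
        uris = re.findall(r"<([^>]+)>", lu)
        if not any(u.lower().startswith("https://") for u in uris):
            reasons.append("List-Unsubscribe has no https URI (a mailto: alone is not one-click)")
    lup = msg.get("List-Unsubscribe-Post")
    if lup is None:
        reasons.append("missing List-Unsubscribe-Post header")
    elif lup.strip().lower() != ONE_CLICK_VALUE.lower():
        reasons.append(f"List-Unsubscribe-Post must be exactly '{ONE_CLICK_VALUE}'")
    dkim = msg.get("DKIM-Signature")
    if dkim:
        signed = set()
        for tag in dkim.split(";"):
            key, _, value = tag.strip().partition("=")
            if key.strip().lower() == "h":
                signed = {h.strip().lower() for h in value.split(":")}
        for name in ("list-unsubscribe", "list-unsubscribe-post"):
            if name not in signed:
                reasons.append(f"DKIM signature does not cover {name}")
    return (not reasons), reasons


def add_one_click(msg: Message, https_url: str, mailto=None) -> Message:
    """Rewrite the headers into the RFC 8058 form. Do this before DKIM signing,
    and include both headers in the signature's h= list."""
    del msg["List-Unsubscribe"]          # Message deletes all copies, no error if absent
    del msg["List-Unsubscribe-Post"]
    uris = [f"<{https_url}>"] + ([f"<mailto:{mailto}>"] if mailto else [])
    msg["List-Unsubscribe"] = ", ".join(uris)
    msg["List-Unsubscribe-Post"] = ONE_CLICK_VALUE
    return msg


# Constructed newsletter headers: a footer link in the body and a mailto: only.
BEFORE = """\
From: Example News <news@example.com>
To: alice@example.org
Subject: April newsletter
List-Unsubscribe: <mailto:unsubscribe@example.com>

Click the link at the bottom to unsubscribe.
"""
UNSUB_URL = "https://example.com/unsub?token=0f3a"   # constructed endpoint


def check_examples():
    """Run the three constructed cases and return their (ok, reasons) results."""
    before = message_from_string(BEFORE)
    fixed = add_one_click(message_from_string(BEFORE), UNSUB_URL, "unsubscribe@example.com")
    # Right headers, but signed by a (constructed, placeholder) signature that
    # was computed before they were added: receivers will not trust them.
    signed_early = add_one_click(message_from_string(BEFORE), UNSUB_URL)
    signed_early["DKIM-Signature"] = "v=1; a=rsa-sha256; d=example.com; s=news; h=from:to:subject; bh=X; b=Y"
    return {"before": one_click_unsubscribe_ok(before),
            "fixed": one_click_unsubscribe_ok(fixed),
            "signed_before_headers_added": one_click_unsubscribe_ok(signed_early)}


if __name__ == "__main__":
    for name, outcome in check_examples().items():
        print(f"{name:28s} -> {outcome}")
```

The third case is the subtle one: the headers exist and look right, but because the sending platform signed the message before the unsubscribe headers were inserted, the signature does not cover them and mailbox providers treat the message as lacking one-click support.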

How to reduce unwanted email without losing legitimate email

Email delivery best practices don’t mean blocking everything. This is where most businesses get hurt: they crank security up, and suddenly the CEO stops receiving supplier invoices.

The goal is not "block everything." The goal is "block the right things, consistently, with a clear recovery process."

1) Quarantine should be a workflow, not a black hole

If quarantine exists, someone must own it. Decide:

  • Who reviews quarantined mail?
  • How quickly is it reviewed?
  • How releases are handled, and whether a release trains the filter or only frees that one message.

If nobody owns it, your business will slowly bleed legitimate mail.

2) Avoid blind allowlisting

Allowlisting entire domains or IP ranges is a tempting shortcut. It is also a common way attackers bypass controls, especially if they compromise a trusted vendor.

Prefer safer patterns:

  • Allowlist specific sending mail servers that are authenticated and stable.
  • Require alignment (SPF/DKIM/DMARC) where possible.
  • Allowlist by envelope and header combinations rather than “anything from this domain.”
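What "allowlist by envelope and header combinations" looks like in practice is a rule keyed on several authenticated facts at once. The following is an added example (not code from the original page or from any gateway product it names): it parses the Authentication-Results header our own gateway stamps on inbound mail (RFC 8601) and admits a message only when DMARC passed and the From: domain, the DKIM d= domain and the envelope sender domain all match one allowlist entry. The allowlist, the gateway's authserv-id (mx.example.com) and the four header sets are constructed.

```python
import re
from email.utils import parseaddr


def parse_authentication_results(value: str) -> dict:
    """Parse an RFC 8601 Authentication-Results header into the authserv-id and a
    list of {"method", "result", "props"} entries. Parenthesised comments are dropped."""
    value = re.sub(r"\([^)]*\)", "", value)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0].lower() if parts else ""
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            props[key.lower()] = val.lower()
        results.append({"method": method.lower(), "result": result.lower(), "props": props})
    return {"authserv_id": authserv_id, "results": results}


def allowlist_decision(headers: dict, allowlist: list, trusted_authserv: str):
    """Admit a message only if our gateway stamped the Authentication-Results,
    DMARC passed, and the (From domain, DKIM d=, envelope domain) triple matches
    an allowlist entry. Returns (allowed, reason)."""
    ar = parse_authentication_results(headers.get("Authentication-Results", ""))
    if ar["authserv_id"] != trusted_authserv.lower():
        return False, "Authentication-Results was not added by our gateway; ignore it"
    dmarc = [r for r in ar["results"] if r["method"] == "dmarc"]
    if not dmarc or dmarc[0]["result"] != "pass":
        return False, "DMARC did not pass; the From domain is unverified"
    from_domain = parseaddr(headers.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    dkim_domains = {r["props"].get("header.d") for r in ar["results"]
                    if r["method"] == "dkim" and r["result"] == "pass"}
    mailfrom = next((r["props"].get("smtp.mailfrom", "") for r in ar["results"]
                     if r["method"] == "spf" and r["result"] == "pass"), "")
    mailfrom_domain = mailfrom.rsplit("@", 1)[-1]
    for entry in allowlist:
        if (entry["from_domain"] == from_domain and entry["dkim_d"] in dkim_domains
                and entry["mailfrom_domain"] == mailfrom_domain):
            return True, f"matches allowlist entry for {from_domain}"
    return False, "authenticated, but not the envelope/signature combination we allowlisted"


# Constructed allowlist: one trusted vendor, identified by three aligned facts
# rather than "anything claiming to be vendor.example".
ALLOWLIST = [{"from_domain": "vendor.example", "dkim_d": "vendor.example",
              "mailfrom_domain": "bounce.vendor.example"}]
TRUSTED_AUTHSERV = "mx.example.com"   # our gateway's authserv-id (assumption)

# Constructed header sets as our gateway would see them after authentication.
CASES = {
    "genuine vendor invoice": {
        "From": "Vendor Billing <ar@vendor.example>",
        "Authentication-Results": "mx.example.com; spf=pass smtp.mailfrom=bounce.vendor.example; "
                                  "dkim=pass header.d=vendor.example header.s=s1; "
                                  "dmarc=pass (p=reject) header.from=vendor.example"},
    "spoofed From, no signature": {
        "From": "Vendor Billing <ar@vendor.example>",
        "Authentication-Results": "mx.example.com; spf=fail smtp.mailfrom=ar@vendor.example; "
                                  "dkim=none; dmarc=fail header.from=vendor.example"},
    "lookalike domain, fully authenticated": {
        "From": "Vendor Billing <ar@vendor-example.com>",
        "Authentication-Results": "mx.example.com; spf=pass smtp.mailfrom=ar@vendor-example.com; "
                                  "dkim=pass header.d=vendor-example.com; dmarc=pass header.from=vendor-example.com"},
    "attacker-supplied Authentication-Results": {
        "From": "Vendor Billing <ar@vendor.example>",
        "Authentication-Results": "other.example; dmarc=pass header.from=vendor.example"},
}


def run_cases():
    return {name: allowlist_decision(h, ALLOWLIST, TRUSTED_AUTHSERV)[0] for name, h in CASES.items()}


if __name__ == "__main__":
    for name, h in CASES.items():
        print(f"{name:42s} -> {allowlist_decision(h, ALLOWLIST, TRUSTED_AUTHSERV)}")
```

A plain "allow vendor.example" rule admits the second case outright, and a rule keyed on the display name admits the third. The last case is why the gateway must strip or rename any Authentication-Results headers that arrive from outside before adding its own; checking the authserv-id here is a second line of defence, not a substitute for that.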

3) Control impersonation properly

Most “urgent invoice” scams succeed because they look internal or vendor-like.

Controls that help without crushing deliverability:

  • Enforce DMARC.
  • Turn on impersonation protection (display-name spoofing of internal staff and key vendors is the big one).
  • Use banners or warnings for external mail that uses internal display names.
  • Require stronger verification for payment change requests.

If you suspect an impersonation led to an actual incident, treat it as such and respond like you would to any security event. If you need help containing and investigating that kind of situation, this is exactly what our business email compromise response service is for.

List hygiene and reputation: not glamorous, but it stops weird problems later

Even businesses that "don't do marketing" usually have lists somewhere: customers, leads, partners, event attendees. Anything you send to those lists is judged by the same reputation rules as marketing mail.

The deliverability impact of poor hygiene is real:

  • Sending to outdated or invalid email addresses.
  • Accumulating bounced email addresses erodes trust signals.
  • Typos create dead mail that looks like sloppy sending.
  • Low engagement teaches providers that your mail is unwanted.
  • Allowing inactive subscribers to remain on email lists.

If you send campaigns, a simple rule that keeps you out of trouble is: quality beats quantity. A smaller list that actually wants your mail will outperform a large list that ignores you, and it will protect your domain’s trust.

IPs, domains, and warming up (only matters for some businesses, but when it matters, it really matters)

If you switch email providers, move to a new sending domain, or start sending higher volumes, expect a trust ramp. That’s why it’s essential to monitor your IP reputation carefully.

A sudden jump in volume is one of the easiest ways to trigger filtering. Gradual ramping, starting with your most engaged recipients, is consistently safer.

If you use a shared IP (common with ESPs), your deliverability can be influenced by others’ behaviour on that pool. Dedicated IPs give more control, but they also mean you fully own the reputation, including the responsibility to warm and maintain it.

Monitoring that actually helps (without turning your team into deliverability hobbyists)

You do not need dozens of email deliverability tools, but you do need visibility in a few places:

  1. DMARC aggregate reports (the rua= address in your record): who is sending as your domain, and whether it passes.
  2. Mailbox-provider dashboards such as Google Postmaster Tools and Microsoft SNDS for reputation and complaint rates.
  3. Bounce and complaint rates from your ESP or sending platform, per campaign.
  4. Controlled test or seed addresses at the major providers to measure inbox placement.
  5. A periodic check of your own DNS (SPF, DKIM selectors, DMARC) so a change by one team does not silently break everyone's mail.

This is one of those areas where security and deliverability overlap nicely: DMARC reports serve both as deliverability and threat visibility tools.
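Aggregate reports are XML and nobody reads them raw, so here is the triage a practitioner actually wants from them. This is an added example (not code from the original page): it parses a DMARC aggregate (rua) report, totals passing and failing volume per source IP, and classifies each source as a known sender, a forwarder-like unlisted source that still aligns, a misaligned third party signing with its own domain, or an unauthenticated source that is probably spoofing. The report, the IP addresses and the "known sources" inventory are all constructed.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (rua) report, trimmed to the fields that matter.
# Real reports arrive as gzip/zip attachments from many providers; parse those
# with defusedxml, since the XML is third-party input.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>mailbox-provider.example</org_name><report_id>r1</report_id></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p></policy_published>
 <record><row><source_ip>203.0.113.10</source_ip><count>420</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.77</source_ip><count>300</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>attacker.example</domain><result>fail</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.200</source_ip><count>50</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>esp.example</domain><result>pass</result></dkim>
   <spf><domain>esp.example</domain><result>pass</result></spf></auth_results></record>
</feedback>
"""

# Constructed inventory of IPs we know send as example.com (normally derived
# from your SPF record and your providers' documentation).
KNOWN_SOURCES = {"203.0.113.10": "Microsoft 365 outbound"}


def parse_aggregate_report(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    report = {"org": root.findtext("report_metadata/org_name"),
              "domain": root.findtext("policy_published/domain"),
              "policy": root.findtext("policy_published/p"), "records": []}
    for rec in root.findall("record"):
        evaluated = rec.find("row/policy_evaluated")
        report["records"].append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),      # aligned DKIM result
            "spf": evaluated.findtext("spf"),        # aligned SPF result
            "dkim_domains": [d.findtext("domain") for d in rec.findall("auth_results/dkim")],
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return report


def summarise(report: dict, known_sources: dict) -> dict:
    """Per source IP: DMARC-passing and failing volume, plus which domains signed."""
    summary = {}
    for r in report["records"]:
        s = summary.setdefault(r["source_ip"], {"pass": 0, "fail": 0, "known": r["source_ip"] in known_sources,
                                                "dkim_domains": set(), "spf_domain": r["spf_domain"]})
        passed = r["dkim"] == "pass" or r["spf"] == "pass"   # policy_evaluated already reflects alignment
        s["pass" if passed else "fail"] += r["count"]
        s["dkim_domains"].update(d for d in r["dkim_domains"] if d)
    return summary


def classify(summary: dict) -> dict:
    """Turn the per-IP summary into the question each source raises."""
    findings = {}
    for ip, s in summary.items():
        if s["fail"] == 0:
            # Forwarders look like this: an unlisted IP whose DKIM signature survived.
            findings[ip] = "ok" if s["known"] else "unlisted-but-aligned"
        elif s["dkim_domains"]:
            # Signed, but by a domain that is not ours: a real third-party sender to fix.
            findings[ip] = "known-source-failing" if s["known"] else "misaligned-third-party"
        else:
            # No signature at all: spoofing, or a system nobody told you about.
            findings[ip] = "unauthenticated"
    return findings


if __name__ == "__main__":
    report = parse_aggregate_report(SAMPLE_REPORT)
    summary = summarise(report, KNOWN_SOURCES)
    for ip, verdict in classify(summary).items():
        print(f"{ip:16s} {verdict:24s} pass={summary[ip]['pass']} fail={summary[ip]['fail']} "
              f"dkim_d={sorted(summary[ip]['dkim_domains'])}")
```

Read the output as a to-do list: "misaligned-third-party" sources need alignment fixed before you move to p=reject, "unauthenticated" volume is what the policy is there to stop, and "unlisted-but-aligned" is usually harmless forwarding but worth a glance, because a compromised mailbox that still signs correctly looks the same.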

Troubleshooting playbook: “Where did that email go?”

When someone says, “We never got it,” you need a consistent method. Here’s a pragmatic order of operations:

Step 1: Confirm whether it bounced or was accepted

Ask the sender for:

  • The sending time (with timezone)
  • Recipient address
  • Any bounce message or delivery status notification

If there was a bounce, you are dealing with delivery, not deliverability.

Step 2: Check quarantine and junk at the platform level

Do not rely solely on the user’s mailbox search. Admin-level quarantine often catches things the user never sees.

Step 3: Run a message trace

Both Microsoft 365 and Google Workspace can trace a message’s path if you have the right permissions. This typically tells you whether it was:

  • Rejected at the edge
  • Accepted then quarantined
  • Delivered, then moved by a rule

Step 4: Inspect authentication results (SPF, DKIM, DMARC)

If the sender is failing DMARC and your policies are strict, the filtering may be correct. In that case, the “fix” is often on the sender side, not yours.

Step 5: Decide whether you are looking at a security event

If the missing email relates to payments, credentials, supplier banking changes, or urgent requests, assume malicious intent until proven otherwise.

Closing thought: Email authentication and deliverability are a trust system

Email deliverability is not magic, and it is not just “spam filters being annoying.” It’s a trust-scoring system heavily influenced by security signals.

Strong authentication, clean lists, responsible infrastructure, and alignment with current mailbox-provider requirements reduce both operational disruption and security risk, while improving inbox placement and reducing the chance that legitimate mail is filtered by mistake.