Let’s skip the fluff.
You set up SPF, DKIM, and DMARC. You kept your complaint rate clean. You ran warmup for three weeks. You checked the boxes. And your emails are still showing up in spam for half your prospects.
Welcome to email deliverability in 2026, where the rules changed faster than most people noticed and doing the basics right is no longer enough.
This is not a guide for beginners. This is for people already doing outreach who are watching their inbox placement slowly die and can’t figure out why.
What Actually Changed in the Last 12 Months
Two things happened that broke a lot of sending setups that used to work fine.
Gmail got serious about enforcement.
February 2024 was the warning. Google told senders to get their authentication in order or face consequences. Most people updated their records, ticked the compliance box, and moved on. What they didn’t notice was that in November 2025, Google quietly escalated from soft deferrals to hard rejections. That means your emails don’t just land in spam anymore. They don’t land at all. A 5xx rejection from Gmail is permanent. The message is gone.
The gap between senders who sailed through and senders who got wrecked wasn’t just authentication. It was engagement history. Google’s AI-driven filtering now weighs how recipients have historically interacted with your domain. A clean SPF record means nothing if your last three campaigns generated low opens and zero replies.
Microsoft Outlook became a nightmare.
Outlook’s inbox placement dropped from 77.43% in early 2024 to 50.70% on Exchange and 26.77% on consumer Outlook by Q1 2025. Those are brutal numbers. One in four emails reaching consumer Outlook addresses is landing in junk even from senders with perfect authentication.
Why? Microsoft rolled out Exchange Online Protection updates that added tenant-level admin controls on top of their SmartScreen filter. Every enterprise IT department running Microsoft 365 can configure custom blocklists and content rules. The same email can land in the inbox at one company and get quarantined as “mass messaging” at another, from the same sending IP.
There is no single fix for M365. Every inbox is configured differently. What you can control is how you look going in.
The Thing Most People Still Get Wrong
The most common deliverability mistake in 2026 is treating authentication as a destination rather than a starting point.
You set up DMARC, you move on. But DMARC adoption has jumped massively over the last two years. Domains with valid DMARC records went from 523,000 in 2023 to nearly 938,000 by early 2026. The thing is, only about 412,000 of those records actually enforce anything. More than half are sitting on p=none, which is monitoring mode. You're watching the problem, not stopping it.
Enterprise spam filters know this. A p=none record tells their system you're still figuring it out. A p=quarantine or p=reject tells them you're serious about your domain. It's a trust signal, not just a technical setting.
The other thing people get wrong is thinking shared infrastructure is fine as long as their own campaigns are clean. It’s not.
When you send through a shared IP pool, your deliverability depends partly on what every other sender on that pool is doing. One neighbor with a dirty list or a spammy campaign raises complaint rates for everyone on the same IP range. You absorb that penalty even if your own setup is immaculate. Enterprise filters that query Spamhaus or Barracuda don’t care that you personally followed the rules. They see the IP.
What Enterprise Filters Are Actually Evaluating
Here’s a practical breakdown of how your email gets scored when it hits an enterprise inbox in 2026.
Authentication alignment, not just authentication passing. Your SPF needs to pass on the envelope-from domain, not just on Amazon’s domain. Your DKIM signature needs to be from your domain, not your ESP’s. DMARC alignment fails when those don’t match. This is the most common silent deliverability killer for people using sending tools without proper MAIL FROM configuration.
Sending behavior patterns. Consistent daily sends beat sporadic bursts every time. Microsoft’s filters flag domains that send 500 emails one day and nothing for a week. Enterprise filters learn the normal sending pattern for a domain over time. Deviations read as suspicious activity.
Content against enterprise filter models. Gmail’s consumer filters and Microsoft Defender use different scoring models. Something that passes Gmail’s content check can get quarantined by Defender. There’s no single spam word list you can avoid and be safe. Enterprise filters run ML models trained on behavior and sender history, not just word matching.
Engagement signals from prior sends. Your last 30–90 days of sending behavior with each provider affects how your next campaign gets scored. Low opens, high deletions without reading, and spam clicks build a negative prior that takes months to clear.
Recipient-level signals. Individual Outlook recipients who previously marked your domain as junk will not receive your mail regardless of your domain’s overall reputation. This is invisible to you. You can have a Sender Score of 90 and still hit junk for specific contacts at specific companies.
How to Actually Navigate Enterprise Inboxes
None of this is magic. It’s operational hygiene treated with the same seriousness as conversion rate optimization.
Stop sending before you’ve checked your authentication stack. Not “I set it up six months ago,” but actually run your domain through a live check right now. DMARC records can break silently. A SPF record can accumulate too many DNS lookups over time as you add new sending tools. A DKIM selector can expire or get misconfigured during an account migration. These things fail quietly while your campaign stats show normal bounce rates.
Before your next send, run a free check on your domain’s SPF record, DKIM signature, and DMARC alignment. Tools like EmailQo’s DMARC checker will show you exactly what enterprise filters see when they look up your domain. Not what you think is configured. What’s actually live in DNS right now.
Get off p=none. If your DMARC is still in monitoring mode, move it. The process is: check your aggregate reports for two weeks and confirm all legitimate sending sources are passing. Then move to p=quarantine. Two more weeks of reports confirming nothing legitimate is being caught. Then p=reject. This is a four-week process that most people never finish.
Build sending history on providers you own. If you’re sending cold outreach through shared pools, you’re building reputation on infrastructure you don’t control. When you leave the platform or the platform has a problem, that history is gone. Sending through your own Gmail, Outlook, or AWS SES account means the reputation you build belongs to your domain, not to whoever owns the sending pool.
Treat Outlook differently from Gmail. They use different scoring systems. An email that passes Gmail’s content filter can fail Defender’s ML model. The single most useful thing you can do for Outlook placement is end your outreach emails with a question. Getting a reply is one of the strongest positive signals you can send to Microsoft’s filters. A conversation is happening. That’s what they’re looking for.
Enroll in Microsoft’s SNDS and JMRP. Most people have never done this. SNDS shows you sending data for your IP addresses including spam trap hits and complaint rates as Microsoft sees them. JMRP sends you copies of emails Outlook.com users marked as junk. If you’re not enrolled, you’re flying blind on a provider that controls 25–30% of enterprise inboxes worldwide.
Watch your volume consistency. A domain that sends 40–50 emails per day, consistently, will outperform one that sends 500 on campaign launch day and nothing for the next two weeks. This is not intuition. Enterprise filters build expectation models for domain sending patterns. Consistency is a trust signal.
The Infrastructure Question Nobody Wants to Answer
Here’s the uncomfortable reality of 2026 deliverability.
The B2B SaaS sector sits at 92% median inbox placement. That’s 6 points above the overall average. The difference isn’t better copy or smarter subject lines. It’s structural. B2B SaaS senders tend to use opt-in friction, which means cleaner lists. They tend to run on dedicated or owned infrastructure. And they monitor deliverability as a first-class metric.
Most outreach teams don’t. They watch open rates. By the time open rates drop, the reputation damage is usually 2–4 weeks old.
The metric that tells you the problem is coming is complaint rate. AWS SES enforces a 0.1% complaint threshold. Google publicly flags domains generating elevated complaints. Microsoft’s filters respond faster than either. If your complaint rate is climbing, you have a week or two before it shows up in your inbox placement numbers.
You cannot watch this metric if you don’t have access to it. Most shared sending platforms don’t surface complaint rate per campaign. They show you the aggregate. That’s too late.
Owning your sending infrastructure, even at Gmail or Outlook level, gives you visibility into your own reputation signals. Sending through AWS SES and processing bounce and complaint SNS notifications gives you real-time complaint rate data per campaign. You know something is wrong on day one, not week three.
The Checklist Before Your Next Campaign
Here’s what a technically sound send looks like in 2026:
Authentication: SPF passes on your sending domain (not your ESP’s). DKIM signed with your domain. DMARC at p=quarantine minimum, with rua= set to an inbox you actually read. Run a live check before sending, not once at setup. EmailQo's free email infrastructure grader gives you a 100-point score across all four authentication signals in one place, no signup needed.
Domain health: Your sending domain is not listed on Spamhaus ZEN, Barracuda, or SURBL. Check this within 24 hours of sending, not once at setup. IP and domain reputation can change overnight.
Content: No spam trigger stacking in the subject line. One link maximum in cold outreach. Text-heavy over HTML-heavy. Specific CTA with a yes or no answer, not a vague “let me know your thoughts.”
List quality: Verified within 30 days. Suppression list applied from all previous campaigns. Hard bounces from prior sends excluded. Catch-all domains treated separately.
Volume: Daily send count per account within the established pattern for that account’s age and history. No burst sending.
Post-send monitoring: Bounce and complaint data processed within 24 hours. Hard bounces suppressed globally immediately.
One More Thing
The deliverability gap in 2026 is not closing. It’s widening.
Senders above Sender Score 90 are pulling further ahead every quarter. Senders below a certain threshold are staying there for 18 months or more. Reputation has become durable in both directions.
The teams that are winning inbox placement in enterprise accounts right now are not doing anything exotic. They’re doing the basics consistently and they’re treating deliverability as a metric they check before every campaign, not a problem they fix after something breaks.
That’s the whole game.
Nilesh M has 15+ years in B2B SaaS marketing. He built EmailQo to give senders pre-send deliverability checks on every campaign, free tools to diagnose authentication problems, and sending infrastructure they actually own.
Top comments (0)