Getting email delivered to the inbox, not the spam folder, is not just about what you write. Mail servers make the decision to accept, reject, or filter your messages based on a chain of signals that starts before your email is even opened. Understanding that chain is the foundation of fixing deliverability problems. This guide walks through how email authentication works, why legitimate mail lands in spam, how to test what is happening, and how to structure your sending setup correctly from the start.
When a receiving mail server accepts a connection from your server, it runs through a sequence of checks before deciding what to do with the message. Each check contributes to a composite score, and that score determines whether the message reaches the inbox, lands in spam, or is rejected outright.
IP reputation is evaluated first. The sending IP address is checked against real-time blocklists (RBLs) such as Spamhaus and Barracuda. If your IP has been used to send spam, by you or by another user on the same shared server, it may be listed, and messages from that IP will be filtered or blocked regardless of their content.
Domain reputation is assessed separately. Google, Microsoft, and other large providers maintain domain-level reputation scores based on the history of mail sent from your domain. A new domain with no sending history is viewed with more suspicion than an established one. A domain that has previously generated spam complaints has a poor reputation that affects future deliverability even from a clean IP.
Authentication checks (SPF, DKIM, and DMARC) confirm that the message actually came from where it claims to have come from. Failed authentication is one of the most common causes of legitimate mail landing in spam.
Content filtering evaluates the message itself: subject line, body text, HTML structure, image-to-text ratio, presence of tracking pixels, links to known spam domains, and specific trigger words associated with phishing or spam campaigns.
Recipient engagement signals from the receiving provider's user base tell the mail server whether people who received similar mail from your domain in the past opened it, deleted it without reading, or marked it as spam. Low open rates and high delete rates hurt future deliverability.
SPF (Sender Policy Framework) is a DNS TXT record that lists the mail servers authorised to send email from your domain. When a receiving server gets a message claiming to be from you, it checks your SPF record to verify the sending server is on the approved list. A basic SPF record for a domain using only its cPanel hosting server looks like this:
v=spf1 include:yourhostingprovider.com ~all
The ~all at the end is a soft fail, meaning unauthorised senders are flagged but not outright rejected. Use -all (hard fail) only when you are certain all legitimate sending sources are covered in the record.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing messages. The receiving server retrieves your public key from DNS and uses it to verify the signature, confirming the message has not been altered in transit and was sent by a server with access to the corresponding private key. In cPanel, DKIM is enabled under Email → Email Deliverability. The DNS record looks like this:
default._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjAN..."
DMARC (Domain-based Message Authentication, Reporting and Conformance) sits on top of SPF and DKIM. It tells receiving servers what to do when a message fails authentication, and it sends you reports about what mail is being sent from your domain. A sensible starting DMARC record:
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"
The p=none policy takes no action on failing messages; it only monitors and sends reports. Once you have confirmed all your legitimate sending sources pass authentication, move to p=quarantine (send failures to spam) and eventually p=reject (block failures entirely). Do not start at p=reject if you are not certain your SPF and DKIM records are complete, or you will block legitimate mail.
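The checks described above for the SPF and DMARC records can be run offline against the record strings. The following is an added example, not code from this guide or from any tool it names; the function names are hypothetical, and it goes beyond the text by also counting SPF terms that trigger DNS lookups, which RFC 7208 limits to 10 per check.

```python
# Added example: offline checks on SPF and DMARC TXT record values.
# No DNS queries are made; records are passed in as plain strings.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_MEANING = {"+": "pass", "-": "hard fail", "~": "soft fail", "?": "neutral"}

def lint_spf(record):
    """Return the 'all' handling, DNS-lookup term count and issues."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"all": None, "lookups": 0, "issues": ["must start with v=spf1"]}
    all_result, lookups, issues = None, 0, []
    for term in terms[1:]:
        # A term without an explicit qualifier defaults to '+' (pass).
        qualifier = term[0] if term[0] in ALL_MEANING else "+"
        # Strip the qualifier, then cut at ':', '=' or '/' to get the name.
        name = term.lstrip("+-~?").lower()
        name = name.replace("=", ":").replace("/", ":").split(":")[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_result = ALL_MEANING[qualifier]
    # Nested includes also count towards the limit of 10, so this
    # per-record figure is a lower bound.
    if lookups > 10:
        issues.append("more than 10 DNS-lookup terms")
    if all_result is None and "redirect=" not in record.lower():
        issues.append("no 'all' term: unlisted senders get a neutral result")
    elif all_result in ("pass", "neutral"):
        issues.append("'all' does not fail unlisted senders")
    return {"all": all_result, "lookups": lookups, "issues": issues}

def lint_dmarc(record):
    """Return the policy and issues for one DMARC TXT record value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        return {"policy": None, "issues": ["first tag must be v=DMARC1"]}
    policy, issues = tags.get("p", "").lower(), []
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    elif policy == "none":
        issues.append("p=none: monitoring only, failures are still delivered")
    if "rua" not in tags:
        issues.append("no rua= tag: no aggregate reports will be sent")
    return {"policy": policy or None, "issues": issues}

if __name__ == "__main__":
    # The SPF and DMARC records shown in this guide.
    print(lint_spf("v=spf1 include:yourhostingprovider.com ~all"))
    print(lint_dmarc("v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"))
```

Run against the two records in this guide, it reports a soft fail with one lookup term for SPF and flags the DMARC record as monitoring only.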
Missing or broken authentication. Missing or misconfigured SPF, DKIM, or DMARC records are the most common cause of deliverability problems for business email. Receiving servers are increasingly strict about authentication, and mail that fails SPF and has no DKIM signature is a significant spam signal.
Shared IP reputation issues. On shared hosting, your outgoing mail shares an IP address with potentially hundreds of other users. If any of those users send spam, the IP gets listed. Your deliverability suffers through no fault of your own. This is the most persuasive argument for using a dedicated email provider or a dedicated sending IP for high-volume outbound mail.
Content triggers. Heavily HTML-formatted email, excessive use of images with little text, all-uppercase subject lines, and specific word patterns associated with phishing or sales spam all increase spam scores. This applies even to legitimate transactional or marketing email. Test your content before sending to a large list.
Low engagement history. If you send to a large list and recipients consistently leave your mail unopened, delete it without reading, or mark it as spam, Gmail and Outlook will start routing your future mail to spam proactively, even for users who have engaged with you before.
No reverse DNS (PTR record). The sending IP should have a PTR record that resolves to a hostname matching the mail server's HELO/EHLO identifier. Missing or mismatched reverse DNS is a spam signal for many mail servers. Your web host's IP will typically have this configured correctly; check under Email Deliverability in cPanel to confirm.
HostBible DNS Checker gives you dedicated tools for each part of your email configuration. Use the SPF Checker, DKIM Checker, and DMARC Checker to verify each record is correctly published and valid. Use the MX Checker to confirm your mail routing is set up correctly, and the Blacklist Checker to see if your domain or sending IP appears on any major spam blacklists.
GlockApps is the most comprehensive option for marketing or transactional email. It sends test messages to real inboxes at Gmail, Outlook, Yahoo, and other major providers and reports on where each one landed: inbox, spam, or missing. It also provides detailed spam score breakdowns. GlockApps is a paid tool, but worthwhile if deliverability is a persistent problem or you are managing high-volume campaigns.
A brand new domain with no sending history has no reputation, and to mail servers, no reputation looks similar to a suspicious sender. Sending a high volume of messages immediately from a new domain is a reliable way to get flagged as spam or get your IP listed.
The solution is a gradual warm-up: start by sending small volumes (20 to 50 messages per day) to engaged recipients who are likely to open your mail. Increase volume slowly over four to six weeks while monitoring bounce rates and spam complaints. Most email service providers (ESPs) like Mailchimp, Brevo, and Postmark handle IP warming automatically for their shared IP pools. If you are on a dedicated IP, you need to manage the warm-up yourself.
During warm-up, send only to your best contacts, people who have recently opted in or actively engaged with your emails. High open rates signal to receiving providers that your mail is wanted, which builds domain reputation faster.
Transactional email includes password resets, order confirmations, account notifications, and form submission receipts sent by your website or application. Marketing email includes newsletters, promotional campaigns, and any bulk email sent to a subscriber list. These two categories should use separate sending infrastructure.
The reason is reputation isolation. If a marketing campaign generates spam complaints or high bounce rates, it will damage the reputation of the sending IP and domain. If transactional email shares that infrastructure, your password reset emails and order confirmations start landing in spam, a serious problem for your users. By using a different sending IP (or a different subdomain) for each type, you protect transactional deliverability from the effects of marketing performance.
In practice, this means sending transactional email through a dedicated SMTP service such as Postmark, Mailgun, or Amazon SES; these are optimised for deliverability on time-sensitive single messages. Send marketing email through a platform like Mailchimp, Brevo, or Klaviyo, which handles list management, unsubscribes, and bounce processing automatically. Routing both through the same cPanel mail server is the most common deliverability mistake made by small businesses.