Your users are filing support tickets: "I never got the reset email." You check the logs — the email was sent. SMTP returned 250 OK. So where did it go?
It went to spam. And unless you test for this before shipping, you won't know until your users tell you — or worse, leave.
The Five Reasons Transactional Emails Hit Spam
1. Missing or Broken Email Authentication
If your domain doesn't publish SPF, DKIM, and DMARC records — or they're misconfigured — every major inbox provider treats your email as suspicious. Gmail's documentation is explicit: messages failing DMARC alignment are significantly more likely to be classified as spam.
A missing SPF record means any server can claim to send on your behalf. A broken DKIM signature means the message was altered in transit (or your key is wrong). No DMARC policy means you haven't told receivers what to do about failures.
If you're unsure whether your setup is correct, send a test email through an SMTP testing sandbox and inspect the authentication headers directly.
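One way to script that header inspection, as an added example (not code from the original article or from any tool it names). It reads the `Authentication-Results` header (RFC 8601) that a receiving server stamps on a message and reports, per mechanism, whether it passed for a domain aligned with the `From:` address. The function names, the `trusted_authserv` parameter, the sample message and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the page): SPF passes for the email service's
# bounce domain, DKIM passes for a subdomain of the author's own domain.
SAMPLE = (
    "Authentication-Results: mx.receiver.example;\n"
    " spf=pass (sender ip ok) smtp.mailfrom=bounces.esp.example;\n"
    " dkim=pass header.d=mail.shop.example header.s=s1;\n"
    " dmarc=pass header.from=shop.example\n"
    "From: Shop <no-reply@shop.example>\n"
    "Subject: Reset your password\n"
    "\n"
    "Body\n"
)

def org_domain(domain):
    # Assumption: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Return (authserv_id, [(method, result, props), ...])."""
    parts = re.sub(r"\([^)]*\)", "", header).split(";")  # drop (comments)
    found = []
    for clause in parts[1:]:
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"([\w.]+)=([^\s;]+)", clause[m.end():]))
            found.append((m.group(1).lower(), m.group(2).lower(), props))
    return parts[0].strip(), found

def check_auth(raw, trusted_authserv):
    """Per mechanism: did it pass for a domain aligned with From:?"""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"] or "")[1].rpartition("@")[2]
    report = {"spf": False, "dkim": False, "dmarc": False}
    ident = {"spf": "smtp.mailfrom", "dkim": "header.d", "dmarc": "header.from"}
    for header in msg.get_all("Authentication-Results", []):
        authserv, found = parse_auth_results(header)
        if authserv != trusted_authserv:
            continue  # not stamped by our own receiver, so a sender could forge it
        for method, result, props in found:
            dom = props.get(ident.get(method, ""), "").rpartition("@")[2]
            if result == "pass" and dom and org_domain(dom) == org_domain(from_dom):
                report[method] = True  # passed and aligned (relaxed mode)
    return report

if __name__ == "__main__":
    print(check_auth(SAMPLE, "mx.receiver.example"))
```

In the constructed sample SPF passes but for the email service's bounce domain, so it is reported as not aligned; the receiver still records `dmarc=pass` because the DKIM signing domain aligns with `From:`.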
2. Content-Based Spam Triggers
Spam filters score your email content against hundreds of rules. Common triggers that catch developers off guard:
- ALL CAPS subject lines — even "RESET YOUR PASSWORD" can trigger ALL_CAPS_SUBJ
- URL shorteners — bit.ly and t.co links in transactional email are a red flag
- Mismatched From/Reply-To domains — sends a phishing signal
- Image-heavy, text-light — email bodies that are mostly images with little text
- Suspicious TLDs in links — links pointing to newly registered or uncommon TLDs
The fix: run your email through a spam scoring tool before shipping. You'll see exactly which rules fired and what weight each carries.
3. Sending IP Reputation
If you're on a shared IP (most SaaS email APIs use shared pools), someone else's bad behavior drags your deliverability down. If you're on a dedicated IP, you need to warm it up gradually — sending 50,000 emails on day one from a cold IP is a guaranteed trip to the spam folder.
4. Recipient-Side Rules
Corporate email admins set aggressive filters. A company using Microsoft 365 with "strict" preset policies will quarantine anything scoring above their threshold, regardless of your authentication. You can't control this — but you can make sure everything else is perfect.
5. Low Engagement Signals
Gmail explicitly uses engagement as a ranking signal. If recipients consistently ignore (don't open, don't click) your emails, Gmail learns that your messages aren't wanted and starts routing them to spam — even for other recipients.
How to Test Deliverability Before Shipping
The reliable approach: point your app's SMTP config at a testing server, trigger the email flow, and inspect the captured message. You need to check:
- SPF, DKIM, and DMARC headers pass authentication
- The spam score is below threshold (under 5.0 is safe)
- No content rules are firing unexpectedly
- The HTML renders correctly across clients
With MailHog, every captured email gets an automatic spam analysis with a full rules breakdown — you see exactly what a real spam filter would flag.
The Pre-Ship Checklist
Before deploying any transactional email to production, verify these eight things:
- ✅ SPF record published and includes your sending service
- ✅ DKIM key pair generated and DNS record published
- ✅ DMARC policy set (start with p=none, advance to quarantine)
- ✅ From address uses your domain, not noreply@gmail.com
- ✅ Subject line is sentence case, no ALL CAPS
- ✅ Plain-text fallback included alongside HTML
- ✅ Spam score tested and below 5.0
- ✅ HTML compatibility verified across Gmail, Outlook, Apple Mail
FAQ
Why do my emails go to spam even with SPF and DKIM configured?
SPF and DKIM alone aren't enough. You also need DMARC alignment — the domain in your From: header must match the domains used in SPF and DKIM checks. Without alignment, authentication technically passes but DMARC fails, and many providers treat that as suspicious.
Can I test spam scoring without sending to a real inbox?
Yes. Use an SMTP sandbox like MailHog.site that captures emails and runs spam analysis automatically. You'll see the score and every rule that fired without any email reaching a real recipient.
What spam score is considered safe?
Most spam filters use a threshold of 5.0. Anything below 3.0 is excellent. Between 3.0 and 5.0 is acceptable but worth optimizing. Above 5.0 means your email will likely be filtered by at least some providers.
Does email content matter more than authentication?
Both matter, but authentication is the foundation. A perfectly written email from an unauthenticated domain will still land in spam. Fix authentication first, then optimize content.