Deliverability 101
· 8 min read
The complete IP warm-up guide
A new sending IP has no history — and to inbox providers like Gmail and Outlook, "no history" looks suspiciously similar to "spammer." Warm-up is the process of building that history gradually so mailbox providers learn to trust you.
Why warm-up matters
Every receiving server (Gmail, Yahoo, Outlook, Zoho, Apple Mail) maintains an internal reputation score for each sending IP. The score is based on volume, engagement (opens, replies, marks-as-important), and complaint signals (spam reports, hard bounces, spam-trap hits). If you blast 100,000 emails from a fresh IP on day one, the receiver assumes you bought a list and quietly drops most of your mail into spam.
The standard 30-day ramp
A typical warm-up plan starts with very low daily volume and roughly doubles every 2–3 days, segmented per ISP:
- Days 1–3: 50 emails/day per ISP, only to your most-engaged users
- Days 4–7: 500 emails/day
- Days 8–14: 2,000 → 10,000 emails/day
- Days 15–21: 20,000 → 50,000 emails/day
- Days 22–30: Full production volume
Maildoot does this automatically. Our warm-up engine tracks per-ISP engagement in real time and accelerates or rolls back volume on its own. You don't write the calendar — you just turn the IP on.
Engagement-weighted sending
The single highest-leverage warm-up trick: send to your most-engaged users first. Recipients who opened your last campaign are far more likely to open the next one. Those opens are the signal that ISPs use to mark your IP as legitimate.
Common warm-up mistakes
- Sending to cold lists. Trap-hits and bounces on a fresh IP are catastrophic.
- Mixing transactional and marketing. Use separate IP pools — transactional engagement is higher, marketing engagement is more volatile.
- Doubling too fast. ISPs don't smooth — they cliff. A 4× jump can trigger throttling that takes weeks to recover from.
- Ignoring weekends. Warm-up is "consecutive days," not "active days." Skip a day and you reset receiver trust.
- Pausing for a week. Once warmed, an IP needs steady volume. A 7-day gap rolls reputation back to day one.
Signals to monitor during warm-up
- Inbox placement % per ISP (use seedlist tools)
- Open rate by ISP — Gmail openers vs Outlook openers behave differently
- Bounce rate — keep under 2%
- Complaint rate — keep under 0.1% (Gmail/Yahoo enforce 0.3% as a hard ceiling)
- SMTP rejection codes (4xx soft-fails are the early warning sign)
Deliverability 101
· 5 min read
Domain warm-up: the silent half of reputation
IP reputation gets all the attention, but in the post-2024 world, domain reputation matters more. Gmail explicitly states their reputation is tied to the From: domain, not the IP.
Why domain warm-up exists
If you set up a brand-new sending domain (say send.acme.com) and start blasting from a warmed shared IP pool, Gmail still doesn't know your domain. It will throttle your delivery and rate-limit based on the domain's lack of history — even if the IP is perfectly clean.
How to warm a domain
Treat the domain warm-up exactly like an IP warm-up — but the volumes don't reset when you change IPs:
- Week 1: Use the domain only for transactional (receipts, password resets) to highly engaged users.
- Week 2–3: Add lifecycle / onboarding messages.
- Week 4+: Begin marketing campaigns. Maintain consistent daily volume.
Best practice: use sub-domains by traffic type
Don't send from your bare apex domain. Use stream-specific subdomains so a marketing complaint never poisons your transactional reputation:
tx.yourbrand.com — OTPs, receipts, security alertsmail.yourbrand.com — marketing & promosnotify.yourbrand.com — product notificationsnews.yourbrand.com — newsletter
Why sub-domains? If your marketing list ages and complaint rates spike, the damage is contained to mail.yourbrand.com — your OTPs from tx.yourbrand.com keep arriving.
Core authentication
· 12 min read
SPF, DKIM & Return-path explained
These three records are the foundation of email authentication. Without them, you are virtually guaranteed to land in spam — and after Feb 2024, you may not be accepted at all.
SPF — Sender Policy Framework
SPF is a TXT record on your domain that lists which IP addresses (or "include" providers) are allowed to send mail "as" you. It's how a receiver answers: "Did this email really come from a server this domain authorized?"
Example SPF record
v=spf1 include:_spf.maildoot.net include:_spf.google.com ~all
v=spf1 — version (always this)include: — delegates to another domain's SPF (Maildoot, Google, etc.)~all — soft-fail unauthorized senders (recommended). Use -all for hard-fail once you're confident.
The 10-lookup limit. SPF allows a maximum of 10 DNS lookups per evaluation. If you chain too many include: statements, the record breaks silently. Use Maildoot's SPF flattening or Maildoot's macro to stay under the cap.
DKIM — DomainKeys Identified Mail
DKIM signs every outgoing email with a cryptographic signature in the headers. The receiver fetches your public key from DNS and verifies the signature. This answers: "Did this email's body and headers arrive unaltered, and is the sender who they claim to be?"
How DKIM works
- You publish a public key at
selector._domainkey.yourdomain.com as a TXT record.
- The sending server signs each message with the matching private key.
- The receiver fetches your public key and verifies the signature.
Example DKIM record
Host: md1._domainkey
Type: TXT
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
Maildoot generates a 2048-bit RSA key pair per domain on signup and publishes the public half for you. You never see the private key.
Return-path (the bounce address)
Also called the envelope sender or MAIL FROM. This is the address that receives bounce notifications — and it must be on your domain (not Maildoot's) for DMARC alignment.
How it's set up
You add a CNAME record like:
Host: bounce.yourdomain.com
Type: CNAME
Value: bounces.maildoot.net
Maildoot then sets the envelope sender to bounce-{msg_id}@bounce.yourdomain.com. Bounces hit our infrastructure but appear to come from your domain — satisfying DMARC alignment.
Why all three matter together: DMARC requires either SPF or DKIM to pass and align with the visible From: domain. Without aligned Return-path (SPF) or aligned DKIM signature, DMARC fails — and Gmail/Yahoo will reject your mail outright under the 2024 policy.
Authentication
· 10 min read
DMARC: from p=none to p=reject
DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receivers what to do when SPF or DKIM fail — and gives you visibility into who's spoofing your domain.
The three policy modes
p=none — Monitor only. Receivers send you reports but take no action. Use this for the first 2–4 weeks while you collect data.p=quarantine — Send to spam. Failing messages land in the recipient's spam folder. Use this once you've fixed all alignment issues.p=reject — Drop entirely. Failing messages are rejected at SMTP. This is the goal — and Gmail/Yahoo's 2024 policy requires it for senders > 5,000/day.
Example DMARC record
Host: _dmarc
Type: TXT
Value: v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com;
ruf=mailto:dmarc-forensic@yourdomain.com; fo=1; adkim=s; aspf=s
Tag reference
p= — policy (none, quarantine, reject)rua= — aggregate report mailbox (daily XML reports)ruf= — forensic report mailbox (per-message failures)pct= — percentage of failing mail to apply the policy to (use during rollout: pct=10, pct=50, pct=100)adkim= / aspf= — alignment mode: s = strict (exact match), r = relaxed (subdomain OK)fo= — forensic options (1 = report any failure)
The recommended rollout
- Week 1: publish
p=none, start collecting RUA reports.
- Week 2: parse reports — find every sending source. Authorise legit ones, ignore spoof attempts.
- Week 3: shift to
p=quarantine; pct=10.
- Week 4: ramp
pct to 50, then 100.
- Week 5+: move to
p=reject; pct=100.
Maildoot's DMARC report viewer parses your daily RUA mailbox into a human dashboard — no more wrangling XML manually. Available on all paid plans.
Compliance
· Updated 2024 · 7 min read
Gmail & Yahoo's 2024 bulk-sender requirements
On February 1, 2024, Gmail and Yahoo jointly raised the bar for any sender that delivers more than 5,000 messages per day to their inboxes. Failure to comply means rejected mail. Period.
The four hard requirements
1. Authenticate with SPF, DKIM, and DMARC
All three must be in place, and your DMARC policy must be at least p=none. The DMARC record must align with either SPF or DKIM (or both).
2. Send only wanted email — keep complaint rate < 0.3%
This is measured by Gmail Postmaster Tools. A complaint rate above 0.3% triggers throttling; above 0.5% may cause outright rejection. 0.1% should be your internal target.
3. Make unsubscribing trivial — one-click List-Unsubscribe
You must support RFC 8058 one-click unsubscribe via List-Unsubscribe headers. Both headers must be present:
List-Unsubscribe: <https://yourapp.com/u/abc123>, <mailto:unsub+abc123@yourapp.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
The unsubscribe URL must process a single POST — no login screens, no "are you sure" pages.
4. Use TLS for transmission
Outgoing SMTP must use TLS 1.2 or higher. Maildoot enforces this by default; if you're running self-hosted relays, verify STARTTLS is mandatory.
What changes for your domain
- If you send < 5,000/day to Gmail+Yahoo combined, you have most of these requirements but not all.
- If you send > 5,000/day, all four are mandatory.
- The 5,000 threshold is aggregated across subdomains.
tx.acme.com + mail.acme.com = one bucket.
The most-missed item is List-Unsubscribe-Post. Senders often have the header but not the POST endpoint. Gmail will treat your domain as non-compliant the day they roll out enforcement on your traffic.
How Maildoot handles it
- SPF — auto-flattened to stay under the 10-lookup cap
- DKIM — 2048-bit RSA, rotated quarterly
- DMARC — guided wizard from p=none through p=reject
- List-Unsubscribe — injected automatically on marketing-tagged sends, with a one-click POST endpoint we host
- TLS — mandatory 1.2+ everywhere
Operations
· 6 min read
Setting up DNS records on any registrar
Maildoot generates exactly five records when you add a sending domain. Here's what each one does and how to paste them into the major registrars.
The five records Maildoot needs
| Purpose | Host | Type | Value |
|---|
| SPF | @ | TXT | v=spf1 include:_spf.maildoot.net ~all |
| DKIM | md1._domainkey | TXT | v=DKIM1; k=rsa; p=MIIBIjANBgkq... |
| DMARC | _dmarc | TXT | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com |
| Return-path | bounce | CNAME | bounces.maildoot.net |
| Tracking (optional) | track | CNAME | track.maildoot.net |
GoDaddy
- Sign in → My Products → DNS next to your domain.
- Click Add, choose TXT (or CNAME).
- Paste Host and TXT Value from your Maildoot dashboard.
- Set TTL to 1 hour. Save.
Cloudflare
- Select your domain → DNS → Records → Add record.
- Choose type (TXT or CNAME), paste Name and Content.
- Important: Set proxy status to DNS only (grey cloud) for CNAMEs — orange-clouding the bounce/tracking CNAME breaks email.
- Save.
AWS Route 53
- Hosted zones → your zone → Create record.
- Set Record name (e.g.
_dmarc), Record type (TXT/CNAME), and Value.
- TTL 300. Create record.
Google Domains / Squarespace, Namecheap, BigRock
Similar — find the "DNS" or "Advanced DNS" section and add records with matching Host, Type, and Value fields.
Verification
DNS can take up to 48 hours to propagate, but most updates are visible in 5–15 minutes. Maildoot's verify button polls every 30 seconds — you'll see a green check the moment the records resolve. You can also verify manually:
dig TXT yourdomain.com +short
dig TXT md1._domainkey.yourdomain.com +short
dig CNAME bounce.yourdomain.com +short
Tip: Use
mxtoolbox.com for a free, public DNS lookup that mimics how a receiving server sees your domain. If MXToolbox can't see the record, neither can Gmail.
Brand trust
· 4 min read
BIMI: get your logo in the inbox
Brand Indicators for Message Identification (BIMI) lets compliant senders display their logo next to messages in Gmail, Yahoo, Apple Mail, and Fastmail. It's a trust signal — and a conversion lift.
Requirements
- DMARC at
p=quarantine or p=reject with pct=100
- An SVG Tiny PS logo at a publicly hosted URL
- For Gmail and Apple: a Verified Mark Certificate (VMC) from DigiCert or Entrust (~$1,500/year)
Example BIMI record
Host: default._bimi
Type: TXT
Value: v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/vmc.pem
Reputation hygiene
· 5 min read
Feedback loops and suppression hygiene
A feedback loop (FBL) is a notification from an ISP that a recipient marked your mail as spam. Honouring FBLs immediately — by suppressing that recipient — is non-negotiable in 2024.
The major FBLs
- Yahoo! — open registration via Yahoo Sender Hub
- Microsoft (Outlook/Hotmail) — SNDS + JMRP
- Apple iCloud — registered per IP
- AOL — merged with Yahoo
- Gmail — no per-recipient FBL, but aggregate complaint data via Postmaster Tools
What Maildoot does automatically
Maildoot is registered for every major FBL on your behalf. Complaints are processed within seconds and the recipient is moved to your account's suppression list — never sent to again until you explicitly remove them. Your dashboard shows a per-domain, per-ISP complaint timeline.
Knowledge base curated by the Maildoot deliverability team. Last reviewed: April 2026
Suggest an edit →