Email deliverability guides
In-depth guides to diagnosing and fixing email delivery problems across Gmail, Outlook, and the authentication stack.
Gmail
- Why Gmail rejects emails from your domainDiagnose Gmail rejections via SPF, DKIM, DMARC, alignment, blacklist, and TLS signals.
- Gmail 5.7.26 error: why Gmail says your email is unauthenticatedGmail 5.7.26 usually points to missing or failing sender authentication. Check SPF, DKIM, DMARC, and alignment before changing content or resending the same campaign.
- SPF, DKIM, and DMARC pass but Gmail sends email to spamPassing SPF, DKIM, and DMARC is necessary, but Gmail can still filter messages based on reputation, volume, content, engagement, and provider-specific signals.
- New domain emails going to Gmail spam: what is technical and what is reputationNew domains can pass SPF, DKIM, and DMARC and still land in Gmail spam. Check authentication, alignment, PTR/TLS basics, sending history, volume changes, and Postmaster Tools limits.
- Emails from my domain go to Gmail spam: what to check firstSpam-folder placement on Gmail can happen even with valid SPF, DKIM, and DMARC. Diagnose the visible From domain, sending path, recent changes, and reputation signals.
- Gmail Postmaster Tools vs public checks: what each signal meansPostmaster Tools and public DNS checks measure different layers. Public checks confirm SPF, DKIM, DMARC, PTR, and TLS posture; Postmaster Tools reflects what Gmail itself sees from your domain volume.
- Gmail 5.7.27 error: how to fix SPF failures Gmail rejects onGmail 5.7.27 is an SPF-specific authentication failure. Identify the envelope (return-path) domain, verify the real sending IP is authorized, and check for lookup-limit and syntax problems before resending.
- Gmail 5.7.30 error: how to fix DKIM failures Gmail rejects onGmail 5.7.30 is a DKIM-specific authentication failure. Check that the sending platform actually signs with your domain selector, that the DNS DKIM record exists and matches, and that forwarding or modification has not broken the signature.
- Gmail 5.7.25 error: how to fix PTR / reverse-DNS failures on the sending IPGmail 5.7.25 is about the sending IP's reverse DNS. Identify the actual SMTP sending IP from the bounce or header, then check that the PTR record exists and the PTR hostname resolves back to the same IP.
- Gmail 5.7.29 error: message was not sent over TLSGmail 5.7.29 means Gmail blocked the message because it was not sent over a TLS connection. Check the actual outbound SMTP path, TLS support, certificates, relays, and logs before resending.
Email authentication
- Email authentication explained: SPF, DKIM, DMARC, and PTREmail authentication is built on four DNS-based signals — SPF authorizes who can send, DKIM cryptographically signs messages, DMARC enforces alignment with the visible From, and PTR proves the sending IP identity.
- SPF too many DNS lookups: fix the PermError before it silently breaks deliveryExceeding the 10-lookup SPF limit returns PermError, which prevents SPF from passing and can silently break DMARC alignment on every affected message.
- Multiple SPF records on one domain: why it causes permerror and how to fix itTwo or more v=spf1 records at the same domain name force a permerror result, preventing SPF from passing for any message from that domain.
- DKIM record not found: why the public key is missing and how to fix itA missing DKIM public-key record at the selector DNS name prevents the verifier from confirming the signature, leaving DKIM with no pass result.
- No DMARC record: what it means and how to fix itA missing DMARC record leaves your domain without alignment enforcement and can trigger bulk-sender rejections at Gmail, Yahoo, and Microsoft.
- Moving DMARC from p=none to p=reject without breaking your own mailMoving DMARC from p=none to p=reject safely requires reading reports, fixing every unaligned sender, and advancing through p=quarantine before enforcing.
- MTA-STS explained: enforce TLS for inbound email (testing to enforce)MTA-STS lets a domain require authenticated TLS for inbound SMTP via a DNS record and an HTTPS policy file. Three modes (testing, enforce, none) and a safe rollout.
- TLS-RPT explained: how to read SMTP TLS reportsTLS-RPT publishes a DNS record asking senders for aggregate reports on TLS, MTA-STS, and DANE success and failure. It is the observability layer for MTA-STS.
- BIMI explained: brand logos in the inbox (DMARC, SVG, and VMC requirements)BIMI displays your brand logo on authenticated mail. It requires DMARC at enforcement, an SVG Tiny PS logo, and usually a VMC. An emerging standard, not yet an RFC.
Outlook & Microsoft 365
- Why Outlook blocks emails from your domainOutlook blocks emails when authentication, policy, reputation, content, or transport signals look unsafe. Check MX, SPF, DKIM, DMARC, blacklist, and TLS posture before blaming reputation alone.
- Outlook 5.7.23 SPF Failure: Fix the BounceAn Outlook 5.7.23 NDR means a Sender Policy Framework violation — the connecting IP is not authorized by your envelope sender domain SPF record. Here is why and how to fix it.
- Outlook 5.7.509 Fix: Domain Fails DMARC (policy reject)Outlook 5.7.509 means your sending domain does not pass DMARC and publishes a policy of reject. Align an SPF or DKIM result with your visible From domain. Here is how to fix it.
- Outlook 5.7.501 Fix: Access Denied, Spam Abuse DetectedOutlook 5.7.501 means the sending account was banned for detected spam activity. Reset credentials, fix the root cause, and use the Microsoft delisting path. Here is how.
- Outlook high SCL: why your mail is scored as spamA high Spam Confidence Level routes Outlook mail to Junk — there is no public 5.7.500 NDR code. It is reputation-driven, not an authentication bug. Here is what you can and cannot fix.
- Outlook 5.7.1 Fix: Delivery Not AuthorizedOutlook 5.7.1 means delivery was not authorized and the message was refused, usually by recipient policy or DMARC. Here is how to diagnose it.
- Outlook 5.7.511 Fix: Access Denied, Banned Sender (sending IP blocked)Outlook 5.7.511 means your sending IP was banned by Microsoft — a reputation block, not an authentication failure. Diagnose the IP, fix the cause, and request delisting.
- Outlook 5.7.800 Fix: Access Denied, Banned Sender (sending domain banned)Outlook 5.7.800 means your sending domain was banned by Microsoft for detected spam activity — a reputation block restored through Microsoft Support, not a self-service delist.
- Outlook 5.7.12 Fix: Sender Was Not Authenticated by OrganizationOutlook 5.7.12 means the recipient organization is set up to reject senders from outside it. Only the recipient admin can change it; confirm your auth and ask them to allow you.
- Outlook 5.7.25 Fix: Sending IPv6 Address Must Have a Reverse DNS RecordOutlook 5.7.25 means your sending IPv6 address has no reverse DNS (PTR) record. Microsoft requires a PTR plus SPF or DKIM over IPv6. Add the PTR or fall back to IPv4.
- Outlook 5.7.512 Fix: Message Must Be RFC 5322 Compliant (no valid From address)Outlook 5.7.512 means your message was sent without a valid RFC 5322 From header. It is a message-format problem, not authentication. Fix the sending app, script, or device.
- Outlook 5.7.510 Fix: Recipient Does Not Accept Email Over IPv6Outlook 5.7.510 means the recipient does not accept email over IPv6. Send over IPv4 instead. It is the mirror of 5.7.25 (your sending IPv6 missing a PTR).
- Outlook 5.7.134 Fix: Sender Was Not Authenticated for MailboxOutlook 5.7.134 means the recipient mailbox is set to reject senders from outside its organization. Only the recipient admin can change it; confirm your auth and ask them to allow you.
Sender requirements
- Gmail and Yahoo bulk sender requirements (2024)The February 2024 Gmail and Yahoo bulk-sender rules in one place — authentication and From-alignment, one-click unsubscribe, and a spam complaint rate under 0.3%.
- One-Click Unsubscribe (RFC 8058): the List-Unsubscribe Headers Gmail and Yahoo RequireBulk senders must support one-click unsubscribe via the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058) — DKIM-signed, and honored within two days.
- Keep Your Spam Complaint Rate Below 0.3% (Gmail and Yahoo)Gmail and Yahoo require senders to keep the user-reported spam rate below 0.3% — keep it under 0.1%. How the rate is measured and how to lower it.