
Newsletter deliverability in 2026 — what actually works

SPF alone no longer cuts it. Gmail, Yahoo, and Outlook all require SPF + DKIM + DMARC since 2024. Here's what actually moves inbox placement in 2026.


If you set up SPF in 2022 and haven’t touched your email authentication since, you’re probably leaking inbox placement right now. The three largest mailbox providers — Gmail, Yahoo, and Outlook — have all enforced a mandatory authentication baseline since 2024–2025, and “just SPF” no longer satisfies any of them.

The short version: set up SPF + DKIM + DMARC at p=quarantine or p=reject, configure one-click unsubscribe, keep spam complaint rate under 0.10%, and send from a platform that handles cold-start IP warming automatically. On that last point, Beehiiv and Resend are the current winners for indie senders; Kit and Mailchimp have meaningful tradeoffs covered below.

Who this is for

Indie newsletter operators, developer tools companies running drip sequences, and SaaS founders sending transactional + marketing mail. If you’re using a managed sending platform and already seeing good inbox rates, this is a diagnostic tool for understanding why (or why not). If you’re starting from scratch in 2026, read the four-lever framework in section three first.

What changed in 2024–2025

Email delivery changed structurally in 2024. Not incrementally — the rules that governed acceptable authentication for a decade were replaced with hard enforcement.

February 1, 2024: Google + Yahoo set the floor

Google’s Email Sender Guidelines began enforcing a mandatory stack for bulk senders (5,000+ messages/day to Gmail):

  • SPF on the envelope-from/Return-Path domain
  • DKIM signing on the sending domain
  • DMARC at minimum p=none on the visible From: domain
  • One-click unsubscribe (RFC 8058) — List-Unsubscribe-Post: List-Unsubscribe=One-Click header + processing within 48 hours (promotional/marketing mail only, not transactional)
  • Aligned From header — the visible From: domain must align with the DKIM or SPF signing domain

Yahoo enforced the identical stack on the same date for bulk senders. The one-click unsubscribe requirement applies to promotional mail; Yahoo explicitly excludes transactional in its sender FAQ.
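
A header lint for the one-click unsubscribe requirement, added here as an illustration (it is not code from Google, Yahoo, or any platform named in this article). The function name and both sample messages are constructed; the 48-hour processing window is a server-side obligation that cannot be checked from headers.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

ONE_CLICK = "List-Unsubscribe=One-Click"  # the only value RFC 8058 defines

def lint_one_click(raw_message: str) -> list[str]:
    """Return the problems found; an empty list means the headers are well formed."""
    msg = message_from_string(raw_message)
    list_unsub = msg.get("List-Unsubscribe")
    if list_unsub is None:
        return ["missing List-Unsubscribe header"]
    problems = []

    # One-click needs an https URI the mailbox provider can POST to;
    # a mailto: target alone does not qualify.
    uris = [u.strip() for u in re.findall(r"<([^>]*)>", list_unsub)]
    if not any(urlsplit(u).scheme.lower() == "https" for u in uris):
        problems.append("List-Unsubscribe has no https URI")

    post = msg.get("List-Unsubscribe-Post")
    if post is None:
        problems.append("missing List-Unsubscribe-Post header")
    elif post.strip() != ONE_CLICK:
        problems.append(f"List-Unsubscribe-Post must be exactly {ONE_CLICK!r}")

    # RFC 8058 also requires a DKIM signature whose h= list covers both
    # headers, so the unsubscribe target cannot be altered in transit.
    signed = set()
    for sig in msg.get_all("DKIM-Signature", []):
        match = re.search(r"(?:^|;)\s*h\s*=([^;]+)", sig)
        if match:
            signed |= {name.strip().lower() for name in match.group(1).split(":")}
    for name in ("list-unsubscribe", "list-unsubscribe-post"):
        if name not in signed:
            problems.append(f"{name} is not covered by a DKIM-Signature h= tag")
    return problems

# Constructed sample messages (signature values are placeholders, not real).
GOOD = (
    "From: Weekly <news@example.com>\n"
    "Subject: Issue 42\n"
    "List-Unsubscribe: <mailto:unsub@example.com>, <https://example.com/u/abc123>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1;\n"
    " h=from:subject:list-unsubscribe:list-unsubscribe-post; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "\nbody\n"
)
BAD = (
    "From: Weekly <news@example.com>\n"
    "Subject: Issue 42\n"
    "List-Unsubscribe: <mailto:unsub@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1; h=from:subject;\n"
    " bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "\nbody\n"
)

if __name__ == "__main__":
    print("GOOD:", lint_one_click(GOOD))
    for problem in lint_one_click(BAD):
        print("BAD:", problem)
```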

Google added spam-rate threshold enforcement in June 2024:

  • < 0.10%: the recommended operating target
  • ≥ 0.30%: you become ineligible for Gmail delivery mitigation. Google’s guidelines note that improvements in spam rate take time to reflect positively on sender classification.

Google Postmaster Tools now surfaces 0.10% and 0.30% threshold lines in the spam rate visualization, so there’s no ambiguity about where you stand.

May 5, 2025: Microsoft closes the last loophole

Before May 2025, Microsoft’s consumer properties (outlook.com, hotmail.com, live.com) were a deliverability loophole. Senders who failed Gmail authentication requirements could still land in Outlook inboxes. That ended.

Bulk senders to Microsoft properties now need the same stack: SPF + DKIM + DMARC, one-click unsubscribe headers, spam complaint rate under 0.3%, and From/Reply-To addresses that accept replies. The enforcement error is 550; 5.7.515 Access denied, sending domain does not meet the required authentication level.

The GlockApps Q1 2025 benchmark data (see the numbers section below) shows inbox rates at Microsoft properties collapsed by 22–27 percentage points year-over-year in the anticipation period. That’s the cost of senders who hadn’t adapted yet.

What 2022-era advice is actively wrong

The advice circulating in 2022 — “add an SPF record, you’re covered” — is now harmful. Here’s why:

SPF alone does not protect the visible From: header. SPF (RFC 7208) authorizes the envelope-from/Return-Path domain — the technical sender address that mailbox providers use for bounce handling. It has no authority over the From: header that recipients actually see. A spoofed email using your brand’s domain in the From: header sails past SPF if your DMARC policy is absent or set to p=none.

DMARC at p=none produces zero enforcement. It satisfies Google’s compliance checkbox (the minimum is p=none), but p=none tells mailbox providers “monitor, don’t act.” Spoofed mail using your domain still gets delivered to recipients. The policy only becomes protective at p=quarantine (failing mail goes to spam) or p=reject (failing mail is rejected at the gateway).

SPF without DKIM breaks forwarding. When a recipient’s mail server forwards a message (mailing lists, corporate forwarding rules), SPF alignment breaks because the envelope-from changes. DKIM signatures survive forwarding because they’re attached to the message headers and body, not the envelope. Senders relying on SPF alone for DMARC alignment see apparent failures on forwarded messages.

The correct baseline in 2026: SPF + DKIM + DMARC, with DMARC at p=quarantine or p=reject if you want meaningful protection (and BIMI eligibility — see below).

The four levers that move inbox placement

1. Authentication: SPF + DKIM + DMARC + BIMI

The stack is now a prerequisite, not a competitive advantage. Every serious sender needs it.

A few things worth knowing that most tutorials skip:

DMARC pct parameter. The pct tag controls what percentage of failing messages are subject to your policy. It defaults to 100 (absent = 100). During a gradual rollout from p=none → p=quarantine → p=reject, setting pct=25 is a common approach to test without full enforcement. Important: BIMI providers require pct=100 (or absent). Partial enforcement disqualifies you from BIMI logo display.

DMARC alignment. For DMARC to pass, at least one of SPF or DKIM must achieve alignment — meaning the signing domain matches (or is an organizational subdomain of) the visible From: domain. You don’t need both; either one passing alignment satisfies DMARC. In practice, DKIM alignment is more reliable because it survives forwarding.

DMARC rua tag. Add an rua tag pointing to an email address or reporting service. Without it you’re flying blind — no aggregate reports means no visibility into what’s failing alignment or what’s being spoofed on your domain.

2. List hygiene

Spam complaint rate is the most direct signal mailbox providers use for sender reputation. The 0.10% / 0.30% thresholds at Gmail are concrete — and equivalent thresholds exist at Yahoo and Microsoft.

In practice, keeping complaint rate below 0.10% requires:

  • Hard bounce suppression (remove bounced addresses immediately; don’t retry)
  • Engagement-based suppression (subscribers who haven’t opened in 6–12 months are a liability)
  • Preference centers that work — if the unsubscribe experience is broken or buried, recipients use “Mark as spam” instead

If you’re importing a list bought or scraped from anywhere, the complaint rate will likely exceed 0.30% within days. There’s no deliverability-first reason to do it.

3. Engagement signals

Mailbox providers infer sender quality from recipient behavior: opens, replies, moves out of spam, and unsubscribes. A high unsubscribe rate is not harmful — it’s preferable to a high complaint rate. Someone unsubscribing is telling the mailbox provider your content isn’t for them; someone marking it as spam is telling them you’re a bad actor.

Practical implication: segment before sending to the full list. Send re-engagement campaigns to inactive subscribers before your main send, and suppress non-responders. This keeps average engagement high and complaint rates low.

4. Sending infrastructure: shared pools vs dedicated IPs

Shared IP pools mean your sender reputation is influenced by every other sender on the same pool. Good pools (like Beehiiv’s SendGrid-backed pools) segment senders by engagement quality score. Bad pools (large shared ESPs with loose vetting) mean your inbox rate is at the mercy of whoever abused the pool last week.

Dedicated IPs start with zero reputation. You must warm them — gradually increasing send volume over 6–8 weeks so mailbox providers build a reputation baseline. Until warm, dedicated IPs can actually perform worse than a reputable shared pool.

Who needs a dedicated IP:

  • Senders above 700K messages/day (Beehiiv’s threshold for Enterprise)
  • Senders requiring strict reputation isolation from pool neighbors
  • High-volume transactional senders with consistent daily volume

Who doesn’t:

  • Indie newsletter senders under 100K subscribers — the warm shared pool at a reputable ESP outperforms a cold dedicated IP

Platform behavior in practice

Beehiiv

Beehiiv runs on Twilio SendGrid infrastructure. SendGrid’s Engagement Quality Score (EQS) routes senders to separate shared pools based on performance — good senders don’t share infrastructure with poor ones.

Cold-start is handled automatically via Smart Warming: triggers at 100 subscribers (or 200 if domain is configured first), runs 6–8 weeks for weekly+ senders (longer for monthly), and covers domain reputation, sender identity, and IP reputation simultaneously. During warm-up, some messages go out from Beehiiv’s domain while the sender’s custom domain builds reputation. No user configuration required.

Dedicated IPs are Enterprise-only (contact Customer Success), required only when sending over 700K messages/day per publication.

GlockApps Q1 2025 benchmarks place SendGrid infrastructure at 35.31% inbox rate — below the 56.97% Gmail average. That figure reflects the full SendGrid pool; Beehiiv’s EQS segmentation means high-engagement senders get routed to better sub-pools. The 35.31% figure should be read as a floor, not Beehiiv’s expected performance for a well-maintained list.

For indie newsletter operators, Beehiiv is the lowest-friction cold-start option. The automated warming removes the biggest operational hazard for new senders. (Beehiiv) For a direct comparison between Resend and the SendGrid infrastructure that Beehiiv runs on, see Resend vs SendGrid.

Kit (ConvertKit)

Kit uses shared pool infrastructure on its own convertkit.com sending domain by default. Kit’s Deliverability and Compliance team monitors the pool.

Custom domain authentication — SPF, DKIM via CNAME records, DMARC — is optional in the UI but required by Gmail/Yahoo at volume. The setup is manual DNS work with no auto-configure equivalent to Mailchimp’s Entri integration. Kit’s help center is explicit: “authentication via Verified Sending Domain is required by mailbox providers like Gmail and Yahoo.”

Cold-start friction is real. When switching to a Verified Sending Domain, expect a 2–3 week open-rate dip as providers re-evaluate domain reputation. Kit’s recommended approach: suppress inactive contacts two weeks before switching, then roll out to engaged subscribers first before sending to the full list.

Dedicated IPs are $250/month with a minimum of 150,000 messages/week. Below that volume, the shared pool is the only option.

For senders who care about getting authentication setup right the first time, Kit’s lack of auto-configure is friction that Mailchimp eliminates. For established senders with clean lists who don’t mind the DNS work, Kit’s compliance team monitoring the shared pool provides reasonable quality assurance. (Kit)

Mailchimp

Mailchimp has the smoothest authentication onboarding of the four platforms. The Entri integration connects to major DNS providers and configures DKIM CNAMEs + DMARC TXT records with no manual DNS work. For non-technical founders who need to get compliant before Google/Yahoo enforcement kicks in on their list, this is meaningfully better than competitors.

Where Mailchimp loses: inbox placement benchmarks. GlockApps Q1 2025 data puts Mailchimp at 32.30% inbox rate — the second lowest in the ESP comparison, above only Mailgun (26.05%) and Brevo (24.93%), and well below the 56.97% Gmail average. This is a structural feature of large shared pools, not an authentication gap. Mailchimp’s pool quality at scale reflects the diversity of its senders, and that diversity skews deliverability downward.

The authentication onboarding story and the inbox placement story point in opposite directions. If you need to get compliant quickly and your list is under 10K, Mailchimp is fine. If inbox placement at scale is your primary concern, the 32.30% figure is a meaningful signal. (Mailchimp) For a deeper look at how Mailchimp and Beehiiv compare on price, monetization, and newsletter-native features, see Mailchimp vs Beehiiv.

Resend

Resend is the best option for developer-focused senders — teams shipping transactional email alongside newsletters, or solo developers who want infrastructure they understand.

Domain verification is required before any sending and is part of the onboarding flow. Dedicated IPs require 500 emails/day minimum and are fully managed: Resend migrates traffic from shared to dedicated automatically, scales IP count based on volume and provider feedback, and distributes across shared + dedicated pools during warm-up. “When you receive your dedicated IP from Resend, you can immediately start sending at scale” — no manual warming schedule to manage.

Resend also ships a DMARC Analyzer in-dashboard that parses incoming DMARC aggregate reports and surfaces alignment failures. For teams graduating from p=none to p=reject, this is a practical tool for catching problems before they affect inbox rates.

Contraindications: dedicated IPs require the Scale plan and consistent volume at or above the 500 emails/day floor. Senders with inconsistent send schedules or poor list hygiene are better served by the managed shared pool — the automated warm-up depends on sustained volume to build a positive reputation signal. (Resend) For a DX-vs-deliverability comparison between Resend and Postmark, see Resend vs Postmark.

The benchmark numbers

GlockApps uses seed-list methodology — test messages sent to known addresses across providers — so the numbers represent potential inbox placement, not a guarantee for any specific sender’s list. Read them as directional benchmarks.

Q1 2025: post-enforcement trough

| Provider | Q1 2025 | Q1 2024 | Change |
|---|---|---|---|
| Gmail | 53.70% | 58.72% | −5.02 pp |
| Google Workspace | 53.36% | 63.85% | −10.49 pp |
| Outlook/Hotmail | 26.77% | 49.33% | −22.56 pp |
| Office 365 | 50.70% | 77.43% | −26.73 pp |
| Yahoo/AOL | 40.97% | 43.32% | −2.35 pp |

The Microsoft properties collapse — −22 to −27 percentage points year-over-year — is the headline in Q1 2025. This corresponds to senders who were compliant for Gmail/Yahoo but hadn’t yet adapted for Microsoft’s May 2025 enforcement deadline.

Q4 2025: recovery

| Provider | Q4 2025 | Q3 2025 | QoQ change |
|---|---|---|---|
| Exchange/Office365 | 67.95% | 60.61% | +7.34 pp |
| Yahoo | 57.48% | 50.78% | +6.70 pp |
| Gmail | 56.97% | 51.06% | +5.91 pp |
| Hotmail | 46.79% | 43.23% | +3.56 pp |
| Outlook | 45.06% | 41.84% | +3.22 pp |

The recovery is real but uneven. High-volume senders (over 1M emails/month) gained +20.37% at Gmail and +19.42% at Office365 from Q3 to Q4 2025. Low-volume senders (1–10K emails/month) dropped −15.50% at Gmail over the same period. Smaller senders are still struggling, likely because they lack the tooling and dedicated deliverability resources to adapt fully.

ESP inbox placement (Q1 2025)

| ESP | Q1 2025 inbox rate |
|---|---|
| Outlook (own infra) | 46.94% |
| Amazon SES | 40.30% |
| Klaviyo | 43.66% |
| SendGrid | 35.31% |
| Mailchimp | 32.30% |
| Mailgun | 26.05% |
| Brevo | 24.93% |

The pattern is consistent: major shared-pool ESPs underperform relative to own-infrastructure senders. Shared pools carry the aggregate reputation of all senders on the pool.

The one thing most senders skip: DMARC enforcement

Most senders who followed the 2024 enforcement guides set up DMARC at p=none and stopped. That’s compliance, not protection.

p=none means: “I acknowledge DMARC exists. Don’t do anything with failures.” A spoofed email using your domain sails through.

The path from p=none to p=reject looks like this:

  1. Start at p=none with rua reporting. Watch DMARC aggregate reports for 2–4 weeks. You’ll see all legitimate sending sources (your ESP, CRM, transactional sending) and any spoofing attempts.
  2. Move to p=quarantine with pct=25. Failing mail goes to spam for 25% of recipients. Monitor for legitimate sources you missed in step 1.
  3. Increase pct to 100. Watch for breakage.
  4. Move to p=reject. Failing mail is rejected at the gateway. This is where BIMI eligibility begins, and where you’re actually protected from spoofing.

The most common reason senders stay at p=none forever: they don’t know what’s sending email on their behalf. Every third-party service configured with your domain (CRMs, support ticketing, billing tools, form providers) needs to either be DKIM-signed under your domain or listed in your SPF record. DMARC aggregate reports surface these sources; Resend’s DMARC Analyzer and third-party tools like MXToolbox parse them into readable format.
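
To show what reading those reports involves, this added example (not taken from Resend's analyzer or any other tool) parses an aggregate report and lists the sources that would be quarantined or rejected under enforcement. The report is a constructed, abbreviated sample in the RFC 7489 layout, and the `unaligned-service` / `unauthenticated` labels are this example's own triage heuristic.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Reports arrive by email from third parties: in production treat them as
# untrusted input (size limits, a hardened parser such as defusedxml).
def _text(element, path):
    return (element.findtext(path) or "").strip().lower()

def failing_sources(report_xml: str):
    """Group DMARC-failing mail by source IP, largest volume first."""
    root = ET.fromstring(report_xml)
    sources = defaultdict(lambda: {"count": 0, "passed_as": set()})
    for record in root.iter("record"):
        evaluated = record.find("row/policy_evaluated")
        if evaluated is None:
            continue
        # policy_evaluated carries the aligned results; either pass satisfies DMARC.
        if "pass" in (_text(evaluated, "dkim"), _text(evaluated, "spf")):
            continue
        entry = sources[_text(record, "row/source_ip")]
        entry["count"] += int(_text(record, "row/count") or 0)
        # auth_results carries the raw checks: a pass under another domain means
        # the sender authenticates, just not as the visible From: domain.
        for check in record.findall("auth_results/*"):
            if _text(check, "result") == "pass":
                entry["passed_as"].add(_text(check, "domain"))
    rows = []
    for ip, entry in sources.items():
        kind = "unaligned-service" if entry["passed_as"] else "unauthenticated"
        rows.append((ip, entry["count"], sorted(entry["passed_as"]), kind))
    return sorted(rows, key=lambda row: -row[1])

# Constructed sample (documentation IP ranges and example domains).
SAMPLE_REPORT = """
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>85</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results>
      <dkim><domain>helpdesk-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>helpdesk-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>14</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

if __name__ == "__main__":
    print(*failing_sources(SAMPLE_REPORT), sep="\n")
```

An `unaligned-service` row is usually a legitimate tool that needs DKIM signing under your domain before you raise the policy; an `unauthenticated` row is either a misconfigured source or spoofing.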

BIMI: the logo trust signal

BIMI (Brand Indicators for Message Identification) displays your logo next to the sender name in the inbox. Gmail, Yahoo, and Outlook support it. The prerequisite: DMARC at p=quarantine or p=reject with pct=100.

As of September 24, 2024, Gmail added support for Common Mark Certificates (CMC) — the certificate type that doesn’t require a registered trademark. Before this, BIMI required a Verified Mark Certificate (VMC) at ~$1,200–$1,500/year plus an active trademark registration. CMC removes the trademark requirement and makes BIMI accessible to indie newsletter operators for the first time.

What CMC gets you: logo display in supporting clients. What it doesn’t get you: the verified checkmark trust indicator (that still requires VMC + trademark). The checkmark is for brands with the legal infrastructure to maintain a trademark; the logo display is for everyone else.

Apple Mail BIMI status: There are community claims that Apple added BIMI support in 2022. These were adversarially refuted in research for this article — there’s no confirmed primary source for Apple’s current BIMI status. Don’t plan BIMI rollout around Apple Mail until that’s confirmed.

Practical path for an indie newsletter operator:

  1. Get to DMARC p=reject (the prerequisite — the four-week process above)
  2. Create a valid SVG Tiny PS logo
  3. Get a CMC from a certificate authority (costs and availability vary; check the BIMI Group’s list)
  4. Publish the _bimi DNS TXT record pointing to your logo and certificate

BIMI logo display is “at each mailbox provider’s discretion” per the spec — CMC support is not universally mandatory for providers. But Gmail, Yahoo, and major enterprise clients have all committed to displaying CMC logos, which covers the audience that matters.

Open questions (don’t act on these without verifying)

Two claims circulating in the community deserve skepticism until you verify them against current primary sources:

Google November 2025 enforcement escalation: Community sources reference additional enforcement tightening beyond the February 2024 baseline. As of this article’s research date, no primary source document confirms this. Check the Google Email Sender Guidelines changelog before citing November 2025 enforcement changes as confirmed fact.

GlockApps accuracy: GlockApps methodology uses seed lists, not real recipient lists. Inbox placement rates in their reports reflect test messages to their network of known addresses, not your specific list’s actual inbox rate. Use the benchmark data for directional comparison across ESPs; don’t treat 56.97% as a number your campaign will hit.

Verdict + checklist

Indie newsletter operators (under 100K subscribers):

  • Use Beehiiv if you want automated cold-start handling with no ops work
  • Use Resend if you’re developer-comfortable and plan to mix transactional + newsletter sends
  • Avoid Mailchimp if inbox placement at scale matters; the 32.30% Q1 2025 figure reflects structural pool quality

Developer tools companies (transactional + marketing mix):

  • Resend wins on dedicated IP management and DMARC tooling
  • Kit is viable if your list is clean and you can handle manual DNS setup; the VSD dip is manageable

SaaS drip sequences:

  • Authentication is table stakes — get to DMARC p=reject before worrying about anything else
  • Send volume > 150K/week: evaluate dedicated IPs at Kit ($250/mo) or Resend (500/day min)
  • Spam rate ≥ 0.10%: suppress inactive contacts before the next send, not after

Authentication checklist:

  • SPF record on envelope-from domain
  • DKIM signing configured and aligned with header From: domain
  • DMARC record with rua tag pointing to aggregate report address
  • DMARC policy at p=quarantine or p=reject (not p=none)
  • pct=100 (or omit the tag entirely)
  • One-click unsubscribe header (List-Unsubscribe-Post: List-Unsubscribe=One-Click) for promotional mail
  • Unsubscribe requests processed within 48 hours
  • Spam complaint rate tracked via Google Postmaster Tools; operating below 0.10%
  • Inactive subscribers suppressed (no opens in 6–12 months)
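
The record-level items in this checklist, together with the pct and rua notes under lever 1 and the p=none to p=reject path, can be checked mechanically. This added example (not any provider's validator) audits the TXT value published at `_dmarc.<domain>`; the function names, the next-step wording and the sample records are this example's own.

```python
def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt: str) -> dict:
    """Report where a record sits on the rollout path described in this article."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return {"valid": False, "next_step": "publish a record with v=DMARC1 and a p= policy"}
    try:
        pct = int(tags.get("pct", "100"))  # an absent pct tag means 100
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        return {"valid": False, "next_step": "fix the pct tag (integer from 0 to 100)"}

    has_rua = bool(tags.get("rua"))
    enforcing = policy in ("quarantine", "reject")
    if not has_rua:
        step = "add an rua tag so aggregate reports arrive"
    elif policy == "none":
        step = "after 2-4 weeks of reports, move to p=quarantine with pct=25"
    elif pct < 100:
        step = "raise pct to 100 and watch for breakage"
    elif policy == "quarantine":
        step = "move to p=reject"
    else:
        step = "none: fully enforced"
    return {
        "valid": True, "policy": policy, "pct": pct, "has_rua": has_rua,
        "enforcing": enforcing,
        # BIMI prerequisite as stated above: enforcing policy with pct=100 or absent.
        "bimi_eligible": enforcing and pct == 100,
        "next_step": step,
    }

# Constructed sample records.
RECORDS = {
    "compliance only": "v=DMARC1; p=none",
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for label, record in RECORDS.items():
        result = audit_dmarc(record)
        print(f"{label}: bimi_eligible={result['bimi_eligible']}, next: {result['next_step']}")
```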

Get to DMARC p=reject and you’ve done more for your deliverability than 90% of senders who went through the same authentication checklist and stopped at p=none.
