Everything "passes" and the mail still lands in spam. Why?
"SPF, DKIM and DMARC all pass, Gmail Postmaster shows 0% spam, and your mail still lands in Junk. Here's why authentication is not placement, and what actually moves the needle."
Three green ticks. SPF passes, DKIM passes, DMARC passes. Google Postmaster Tools shows a spam rate of 0%. You have done everything the checkers told you to do, and Gmail still drops your mail in Junk. You open a support escalation. It gets rejected with a canned reply about "sender reputation."
This is the most common deliverability complaint there is, and it feels like the tool is lying to you. It isn't. The checkers are telling the truth about a different question than the one you're actually asking.
Short answer: SPF, DKIM and DMARC only prove identity. Whether the mail reaches the inbox is a separate decision, made on sender reputation, recipient engagement and complaint rate. None of it shows up as a red tick on a checker, which is exactly why a domain can pass every check and still sit in Junk.
What do the green ticks actually prove?
Authentication answers one question: is this mail really from who it claims to be from?
SPF checks that the sending IP is on your published list. DKIM checks a signature against your public key. DMARC checks that one of those two lines up with the domain in the From header. Pass all three and you have proven identity. Nothing more.
Here is the part nobody puts on the results page: a spammer's mail can pass all three too. Any competent bulk sender authenticates cleanly, because authentication is table stakes now, not a mark of trust. Gmail treats it that way. Passing SPF, DKIM and DMARC gets you to the door. It does not decide whether you're allowed in.
Our take: authentication is necessary and not sufficient. Green ticks mean "we know who you are." Placement is a separate decision about whether the receiver wants your mail. That decision runs on signals the checkers never look at.
So what decides placement?
Reputation and behaviour. Neither shows up in a DNS lookup.
Domain and IP reputation. Every mailbox provider keeps a running score for your sending domain and the IP it came from. A brand-new domain has no history, which reads as suspicious, not neutral. A VPS IP you just rented may be carrying the sins of whoever held it before you. Postmaster Tools grades your domain reputation as High, Medium, Low or Bad, and Low is enough to route you to Junk with every auth check green.
Engagement. Gmail watches what recipients do. Opens, replies, and someone dragging your mail out of Junk all push you toward the inbox. Deletes without opening, and being marked as spam, push the other way. A list full of addresses that never engage will sink a perfectly authenticated sender, because to Gmail "nobody wants this" looks the same whether you're a spammer or just boring.
Content and list hygiene. Spam-trigger phrasing, a wall of images with almost no text, link shorteners, and a mismatched or missing unsubscribe all count against you. So do the addresses you keep mailing that bounce, and the spam traps hiding in a list you bought or scraped. One spam-trap hit can tank a domain's reputation on its own.
Complaint rate. Gmail's bulk sender guidelines want you under a 0.3% spam-complaint rate, measured in Postmaster Tools (the threshold as of mid-2026). Your dashboard can read 0% on average and still have one bad campaign that spiked complaints, and that spike is what the filter remembers.
Postmaster says 0% spam though. Isn't that the answer?
Postmaster Tools reports a spam complaint rate, which is how often people who received your mail hit the "Report spam" button. It does not report how much of your mail Gmail filed in Junk before anyone saw it. That gap is the trap.
If your mail lands in Junk, nobody clicks "Report spam" on it, because it's already there. So a domain buried in the spam folder can show a beautiful 0% complaint rate while barely reaching a human. We have watched domains hold a spotless 0% complaint rate for months while nearly every campaign quietly filed to Junk. The number you want is domain reputation, not spam rate. A 0% spam rate next to a Low or Bad reputation is the whole story right there.
How do I actually see what's happening?
Stop guessing from the sender side and read what the receiver saw.
Read a real header. When a test message lands in spam, open it and look at the raw headers. The Authentication-Results line shows you exactly how the receiving server graded SPF, DKIM and DMARC on that specific message, and any spam-score header (X-Spam-Status, or a provider's own SCL) tells you how close to the line you were. TamingDNS's email header analyser puts the Received chain back in delivery order and surfaces those verdicts in plain English, so you're reading the receiver's decision instead of your own hopes.
Read your DMARC aggregate reports. A DMARC record at p=none is still worth having for one reason: it makes receivers mail you daily XML reports of every source sending as your domain, and how each one authenticated at scale. That's where you find the forgotten SaaS platform sending unaligned mail under your name, quietly dragging your reputation down. Paste one into the DMARC report reader and it becomes a readable table instead of a wall of XML. If you're still at p=none, our companion piece on moving from p=none to p=reject is the next step.
Check the blocklists. Auth passing does not mean you're not listed. A domain or IP listing on a blocklist that receivers actually consult (Spamhaus is the one that moves mail) will route you to spam or reject you outright, with every green tick intact. Run your domain and your sending IP through the blacklist checker. Which lists genuinely gate delivery, and which are vanity noise, is a topic on its own.
Authentication proves who you are. Reputation decides whether anyone wants to hear from you. The checkers measure the first and stay silent on the second.
How long does warming up a new domain take?
A fresh domain or IP has no sending history, so mailbox providers throttle it until you build one. Ramp the volume gradually instead of blasting your whole list on day one. Start with your most engaged recipients, a few hundred a day, and roughly double every few days for as long as the reputation holds. For a cold domain, expect two to four weeks before you can send at full volume without tripping filters. A thousand cold messages from a week-old domain reads as a spam run, because that is what a spam run looks like.
The same goes for a VPS IP. Many are recycled from a previous tenant who burned them, so check the IP against Spamhaus before you send a single message from it. If it is already listed, you are warming up from a hole.
So what do I actually do about it?
A practical order of operations when everything passes and mail still lands in spam:
- Pull your Postmaster Tools domain reputation, not the spam rate. If it's Low or Bad, that's your problem, and the rest of this list is how you climb out.
- Read the headers of a message that actually landed in Junk. Confirm the receiver graded auth the way you think it did, and see how close to the spam threshold you sat.
- Read your DMARC reports and hunt for sources sending as your domain that you didn't authorise or align. Fix or remove them.
- Check your domain and IP against Spamhaus. Delist if you're listed, and find out why you got listed before you do.
- Clean the list. Drop hard bounces and long-dormant addresses, and never mail a list you bought, because dead addresses and spam traps are exactly what tell a provider you are a careless sender.
- Warm up new domains and IPs slowly. Volume from a cold sender reads as a spam run.
- Watch the content. A real unsubscribe link, a sane text-to-image ratio and no link shorteners keep you out of the content-based filters.
None of that shows up as a red tick on a checker, because none of it is an authentication failure. It's the half of deliverability the green ticks were never measuring.
For the specific case where it's Microsoft rather than Gmail junking you, and the NDR codes that come with it, that's a post of its own, coming next. Until then, when a rejection comes back as a bounce rather than silent filing, paste it into the bounce decoder to work out whether it's you or them. And to trace a single message end to end, the email header analyser walks the whole Received chain for you.