
Gmail Spam Filter 2026: 35 Mail Failures

Most teams fix SPF and stop. Gmail scores 35 signals before inbox placement. Here is each failure and the fix.

ZeroHook Team | Jun 21, 2026 | ~11 min read

Your ESP dashboard says "delivered." Gmail says spam. Same campaign, same list, two different realities. Last month we traced a 14-person B2B SaaS team in Berlin whose password resets hit spam at 41% while their weekly newsletter "passed" authentication. Google Postmaster showed a clean domain reputation. SPF returned pass. The problem was not one record. It was six stacked failures, including DMARC alignment on the transactional subdomain, a missing List-Unsubscribe header on product mail, and a PTR record on their Microsoft 365 egress that did not match the HELO name.

Look, the Gmail spam filter stack in 2026 is not a single yes/no gate. Gmail's filtering pipeline (documented in Google's Email Sender Guidelines, updated for bulk senders in February 2024) evaluates authentication, DNS hygiene, encryption, complaint rates, engagement signals, and header compliance before it decides inbox vs. Promotions vs. Spam. Microsoft enforces a parallel set through Outlook.com and Exchange Online Protection. If you only check SPF in DNS and call it done, you are auditing maybe 15% of what actually moves mail.

The Real Cost of Getting This Wrong

Revenue you cannot see on a dashboard

Return Path's 2024 deliverability benchmark (updated annually; 2025 edition showed similar ranges) found roughly 17% of permission-based commercial mail never reaches the inbox globally. For transactional mail (receipts, resets, shipping notices), even a 5% spam-folder rate on an $80 average order value adds up fast: 10,000 receipts/month × 5% lost × $80 = $40,000/month in customers who never saw the confirmation.

Warning
"Delivered" in SendGrid, Mailchimp, or Klaviyo means the receiving server accepted the message. It does not mean Gmail placed it in the Primary tab or even the Inbox folder.

Compliance pressure in 2026

Google and Yahoo require SPF, DKIM, and DMARC for bulk senders (5,000+ messages/day to Gmail or Yahoo addresses) since February 2024. Spam complaint rates must stay below 0.3%. One-click unsubscribe is mandatory on marketing mail. PCI-DSS v4.0 (Requirement 4.2.1, effective March 2025) expects TLS for transmission of cardholder data, which ties directly to MTA-STS posture on inbound mail paths.

Why Fixing SPF Alone Still Lands You in Spam

SPF answers one question: is this sending IP authorized to send for this domain? Gmail's filter asks a dozen more.

Alignment beats existence

You can publish a valid SPF record and still fail DMARC alignment when your From: header uses a different domain than the SPF-authenticated envelope (common with Mailchimp, HubSpot, and Shopify Email). Gmail treats that as spoofing risk even when SPF returns pass.

Reputation is not DNS

A clean DNS audit does not fix a 0.4% spam complaint rate or a list purchased in 2019. Google's Postmaster Tools domain reputation (Bad, Low, Medium, High) reflects user complaints and engagement, not TXT records.

Pro Tip
Free accounts run 6 basic DNS checks weekly. Paid Deliverability ($29/month) runs the full 35-check audit daily with copy-paste fixes for Cloudflare, GoDaddy, Route53, and Microsoft 365.

We've seen teams skip PTR/FCrDNS checks entirely because "we use Google Workspace and don't control the IP." You still inherit whatever reputation and reverse-DNS match that shared pool carries.

“SPF pass is a participation trophy. Inbox placement is alignment, encryption, reputation, and headers working together.”

Authentication Failures (#1-12)

Fix these first. Gmail's 2024 sender requirements treat SPF, DKIM, and DMARC as baseline, not optional.

  1. Missing SPF record - Publish v=spf1 at the root domain. For Microsoft 365: v=spf1 include:spf.protection.outlook.com -all. For Google Workspace: v=spf1 include:_spf.google.com -all.
  2. SPF permerror (too many DNS lookups) - Gmail and most receivers treat permerror as a fail. Flatten includes or remove dead ESP entries. Stay under 10 DNS lookups (RFC 7208).
  3. SPF softfail (~all) on a sending domain - Use -all (hardfail) on domains you actively send from. Softfail is a weak signal in 2026.
  4. SPF present but not aligned with From: - Enable envelope-from alignment or configure your ESP to sign with your domain. Check aspf=s in DMARC if you rely on strict SPF alignment.
  5. Missing DKIM signature - Enable DKIM in your ESP or mail server. Publish the public key as a TXT record at selector._domainkey.yourdomain.com.
  6. DKIM fail after key rotation - Publish the new selector before retiring the old key. We've had teams rotate in Microsoft 365 admin and forget the DNS TXT for 48 hours.
  7. DKIM body hash modified in transit - Mailing list managers, "forward this email" links, and some CRM footers rewrite HTML and break the body hash. Test with a raw send, not a template preview.
  8. Missing DMARC record - Publish at _dmarc.yourdomain.com. Start with monitoring: v=DMARC1; p=none; rua=mailto:[email protected]
  9. DMARC p=none forever - Monitoring-only policy gives Gmail no enforcement signal. Move to p=quarantine then p=reject on a staged rollout. Strict alignment is overrated for most SMBs; relaxed alignment with a real policy beats p=none with adkim=s.
  10. DMARC alignment failed (SPF or DKIM not aligned) - Run a test send and inspect Authentication-Results headers. Fix the failing leg before touching policy.
  11. Broken ARC chain on forwarded mail - Forwarding breaks SPF. ARC (Authenticated Received Chain) preserves auth results through forwarders. Enable ARC signing if you operate a forwarding gateway; otherwise use SRS or dedicated subdomains for forwards.
  12. No BIMI record (trust signal gap) - BIMI does not fix spam by itself, but Gmail requires DMARC enforcement (quarantine or reject) plus a VMC for logo display. Missing BIMI means you leave brand trust on the table after you fix auth.

Pro Tip
Paste your domain into zerohook.org/dns-visualizer for a visual map of SPF, DKIM, and DMARC in one screen before you edit records in Cloudflare.
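
To make failure #2 concrete, here is an added example (not ZeroHook's code) that counts the DNS-querying terms an SPF record can trigger, following nested includes. The TXT records are constructed placeholders held in a dictionary instead of live DNS, and the count is the worst case, since a real evaluation stops at the first matching mechanism.

```python
import re

# Terms that cost one DNS query each during SPF evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

# Constructed TXT records (placeholder .test names), standing in for live DNS.
SAMPLE_TXT = {
    "example.test": "v=spf1 mx a include:_spf.esp-a.test include:_spf.esp-b.test "
                    "include:old-crm.test include:helpdesk.test -all",
    "_spf.esp-a.test": "v=spf1 include:_nb1.esp-a.test include:_nb2.esp-a.test ~all",
    "_nb1.esp-a.test": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_nb2.esp-a.test": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_spf.esp-b.test": "v=spf1 include:_nb.esp-b.test a:relay.esp-b.test ~all",
    "_nb.esp-b.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "old-crm.test": "v=spf1 a mx ip4:198.51.100.7 ~all",
    "helpdesk.test": "v=spf1 ip4:203.0.113.0/24 ~all",
}

def count_lookups(domain, txt, path=()):
    """Worst-case number of DNS-querying terms reachable from domain's SPF record."""
    if domain in path:                      # include loop: stop descending
        return 0
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]+))?", term.lstrip("+-~?").lower())
        if not m:
            continue
        name, target = m.groups()
        if name in LOOKUP_TERMS:
            total += 1                      # the term itself costs one query
        if name in ("include", "redirect") and target:
            total += count_lookups(target, txt, path + (domain,))
    return total

def audit(domain, txt):
    """Return (lookup count, verdict) for one domain."""
    n = count_lookups(domain, txt)
    return n, ("permerror" if n > LIMIT else "ok")

def without_include(txt, domain, dead):
    """Copy of txt with one include: term removed from domain's record."""
    fixed = dict(txt)
    fixed[domain] = " ".join(t for t in txt[domain].split() if t != f"include:{dead}")
    return fixed
```

Here the root record looks short, but the four includes expand to 12 lookups; dropping the unused `old-crm.test` include brings it back under the limit.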

DNS and Infrastructure Failures (#13-22)

Gmail checks whether your domain looks like it is operated by someone who maintains infrastructure, not just marketing DNS.

  13. Missing or wrong MX records - No MX means undefined mail routing. A single MX with no secondary means no failover during provider outages.
  14. PTR / FCrDNS mismatch - The sending IP's reverse DNS name must resolve forward to the same IP (forward-confirmed rDNS). Shared pools on cheap ESP tiers often fail this on dedicated IP tiers only.
  15. No MTA-STS policy - Without MTA-STS, inbound mail to your domain can downgrade to cleartext SMTP. Google recommends MTA-STS for senders handling sensitive mail. Publish DNS + HTTPS policy file.
  16. Missing TLS-RPT - You cannot see when TLS fails on inbound delivery without _smtp._tls.yourdomain.com reporting. Blind spots become silent spam triggers on misconfigured relays.
  17. Domain on DNS blocklist (RBL) - Check major lists (Spamhaus, Barracuda, SORBS). Delist before scaling volume. One blacklist listing can override perfect SPF.
  18. Sending IP on blocklist - Dedicated IP users: check the IP separately from the domain. Shared IP: your neighbor's spam campaign is your problem.
  19. Open DNS resolver exposed - Open resolvers on infrastructure tied to your domain signal poor ops hygiene. Not a direct Gmail rule, but correlates with abuse scoring.
  20. Expired domain or SSL on mail-related hosts - MTA-STS policy files served over expired HTTPS certs fail validation. Domain expiry kills every record at once.
  21. Subdomain takeover via dangling CNAME - An abandoned email.oldvendor.com CNAME lets an attacker host SPF-passing mail on your subdomain. Audit CNAME targets quarterly.
  22. Weak DNSSEC or missing CAA - DNSSEC prevents DNS spoofing of your auth records. CAA restricts who can issue SSL certs for your domain. Both reduce takeover and MITM risk on mail infrastructure.
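
For the MTA-STS item above, this added example (not from the original article) cross-checks the three pieces that have to agree: the `_mta-sts` TXT record, the policy file, and the MX hosts actually published. The record, policy text and host names are constructed placeholders; field names and limits follow RFC 8461.

```python
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age (about one year)
# Constructed sample: policy left behind after mail moved to a new provider.
TXT = "v=STSv1; id=20260101T000000;"
POLICY = ("version: STSv1\nmode: enforce\nmx: mail.example.test\n"
          "mx: *.oldhost.test\nmax_age: 604800\n")
LIVE_MX = ["mail.example.test.", "mx1.newhost.test"]

def parse_policy(text):
    """Parse the key: value lines of an mta-sts.txt policy file."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_covered(host, patterns):
    """True if host matches an mx entry; a '*.' entry covers exactly one label."""
    host = host.lower().rstrip(".")
    parent = host.partition(".")[2]
    return any(host == p or (p.startswith("*.") and parent == p[2:])
               for p in patterns)

def check_mta_sts(txt_record, policy_text, mx_hosts):
    """Return the problems found across TXT record, policy file and MX set."""
    problems = []
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    if tags.get("v") != "STSv1" or not re.fullmatch(r"[A-Za-z0-9]{1,32}", tags.get("id", "")):
        problems.append("TXT: need v=STSv1 and an id of 1-32 alphanumerics")
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        problems.append("policy: version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append("policy: mode must be enforce, testing or none")
    age = policy.get("max_age", "")
    if not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        problems.append("policy: max_age missing, non-numeric or above limit")
    for host in mx_hosts:
        if mode != "none" and not mx_covered(host, policy["mx"]):
            problems.append(f"policy: MX {host} is not covered by any mx line")
    return problems
```

In `enforce` mode an MX host missing from the policy means compliant senders refuse to deliver to it, so the uncovered `mx1.newhost.test` in the sample is a delivery outage, not a warning.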

Reputation and Sending Behavior (#23-29)

These failures live outside DNS. Gmail Postmaster Tools is where you see them.

  23. Spam complaint rate above 0.3% - Google's bulk sender threshold (2024 guidelines). Above this, filtering tightens regardless of SPF pass. Scrub complainers immediately.
  24. High hard-bounce rate - Sending to dead addresses signals purchased or stale lists. Keep hard bounces under 2% per campaign (industry norm cited by M3AAWG best practices).
  25. Volume spike without IP/domain warm-up - Jumping from 500 to 50,000/day on a cold domain triggers rate limits. Ramp over 2-4 weeks.
  26. Low engagement (no opens/clicks) - Gmail uses engagement as a relevance signal. Dead segments drag domain reputation down for active subscribers too.
  27. Postmaster "Bad" or "Low" domain reputation - Fix auth and complaints first, then wait 2-4 weeks for reputation recovery. There is no DNS record for this.
  28. New domain with no sending history - Greenfield domains get scrutinized harder. Send consistent low volume to engaged users before marketing blasts.
  29. Shared IP pool with abusive neighbors - Budget ESP tiers put you on IPs with casino and pharma mail. Dedicated IP or a tier with stricter onboarding helps (not a guarantee).

Warning
DNS fixes do not reset reputation overnight. Fix records first so recovery is not wasted on the next campaign.

Content, Headers, and List Hygiene (#30-35)

Google's February 2024 bulk sender rules made several header requirements enforceable, not optional.

  30. Missing List-Unsubscribe on bulk mail - Marketing and promotional mail needs List-Unsubscribe and one-click unsubscribe (RFC 8058). Gmail rejects or spam-folders non-compliant bulk senders.
  31. From: domain mismatch with visible brand - Sending from mail.otherdomain.com while displaying Acme Corp confuses users and triggers phishing heuristics even when auth passes.
  32. Broken or missing Reply-To on transactional mail - Password resets with noreply@ and no support path increase "report spam" clicks from frustrated users.
  33. Spam-trigger HTML patterns - Image-only emails, excessive exclamation marks, red font on white, and URL shorteners in bulk mail still score in content filters (secondary to auth, but real).
  34. Attachment types flagged by Gmail - .exe, macro-enabled Office files, and certain archive types get quarantined. Use hosted download links for software.
  35. No suppression list hygiene - Continuing to mail unsubscribes and spam reporters guarantees complaint rate failure. Sync ESP suppressions with CRM nightly.

How to Audit All 35 Signals in One Pass

  1. Export Gmail Postmaster Tools data (spam rate, domain reputation, authentication pass rates) for the last 30 days. If you have not verified the domain yet, add the TXT record Google provides.
  2. Run DNS lookups from an external resolver (not your laptop cache): dig TXT yourdomain.com for SPF, dig TXT _dmarc.yourdomain.com for DMARC, dig TXT default._domainkey.yourdomain.com for DKIM. Compare to what your ESP admin panel claims is published.
  3. Send a test message to a Gmail account you control. Open "Show original" and read Authentication-Results. You want spf=pass, dkim=pass, dmarc=pass on the same From: domain.
  4. In Cloudflare (or GoDaddy, Route53), add missing records from your audit. For M365 DKIM: Admin center → Settings → Domains → DKIM → publish both CNAME selectors before enabling signing.
  5. Check blocklists at zerohook.org/dns-visualizer or your monitoring tool. Delist any hits before the next bulk send.
  6. Review the last 3 campaigns: complaint rate, bounce rate, unsubscribe rate. Pause marketing if complaints exceed 0.2% until DNS and list fixes land.
  7. Schedule a weekly re-scan. DNS drift (expired DKIM keys, ESP adds a new include) breaks mail silently.
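
Step 3 is where the "SPF pass but DMARC fail" case shows up, so here is an added example (not part of the original article) that parses an Authentication-Results value and recomputes which leg is both passing and aligned with the From: domain. The header values are constructed with placeholder domains, and the organizational-domain rule is a simplifying assumption (last two labels) in place of the Public Suffix List.

```python
import re

# Constructed header values in the shape Gmail shows under "Show original".
# Placeholder domains; esp-mail.test stands for an ESP relay.
BROKEN = """mx.google.com;
 dkim=pass header.i=@esp-mail.test header.s=s1 header.b=AbCd1234;
 spf=pass (google.com: domain of bounce@bounces.esp-mail.test designates
 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@bounces.esp-mail.test;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.test"""
FIXED = (BROKEN.replace("header.i=@esp-mail.test", "header.i=@mail.example.test")
               .replace("dmarc=fail", "dmarc=pass"))

def org_domain(name):
    # ASSUMPTION: organizational domain = last two labels. Real DMARC checks
    # use the Public Suffix List, so this is wrong for suffixes like co.uk.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Map each method (spf, dkim, dmarc) to a list of result/property dicts."""
    value = re.sub(r"\([^)]*\)", " ", value)      # strip (comments)
    parsed = {}
    for part in value.split(";")[1:]:             # part 0 is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        entry = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entry["result"] = result.lower()
        parsed.setdefault(method.lower(), []).append(entry)
    return parsed

def is_aligned(auth_id, from_domain, strict):
    dom = auth_id.rpartition("@")[2].lower()      # accepts user@dom, @dom, dom
    return dom == from_domain if strict else org_domain(dom) == org_domain(from_domain)

def diagnose(value, aspf_strict=False, adkim_strict=False):
    """Recompute which DMARC leg, if any, both passes and aligns with From:."""
    res = parse_auth_results(value)
    from_domain = res["dmarc"][0]["header.from"].lower()
    spf = any(r["result"] == "pass" and
              is_aligned(r.get("smtp.mailfrom", ""), from_domain, aspf_strict)
              for r in res.get("spf", []))
    dkim = any(r["result"] == "pass" and is_aligned(
                   r.get("header.d") or r.get("header.i", ""), from_domain, adkim_strict)
               for r in res.get("dkim", []))
    return {"from": from_domain, "spf_aligned": spf, "dkim_aligned": dkim,
            "dmarc": "pass" if spf or dkim else "fail",
            "reported": res["dmarc"][0]["result"]}
```

In `BROKEN` both legs pass for the ESP's domain and neither aligns with `example.test`; in `FIXED` the DKIM signature moves to `mail.example.test`, which aligns under relaxed mode but would fail again with `adkim=s`.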

What a full audit covers vs. a quick check

Check type | Free tier (6 checks) | Paid 35-check audit
SPF / DKIM / DMARC basics | Yes | Yes
SPF lookup limit, strictness | No | Yes
MTA-STS, TLS-RPT, BIMI, ARC | No | Yes
Blacklist, PTR, FCrDNS | Partial | Yes
Subdomain takeover, open resolver | No | Yes

The full checklist mapped to each audit point lives at zerohook.org/audit-checklist if you want to see what each check validates before you run one.

Frequently Asked Questions

Does Gmail still use SPF in 2026?

Yes. SPF is required for bulk senders under Google's 2024 guidelines.

My mail passes SPF and DKIM but still goes to spam. What is the most common cause?

DMARC alignment failure or a reputation problem. Open Authentication-Results on a spam-foldered message. If dmarc=fail, alignment is broken even when spf=pass and dkim=pass. If dmarc=pass, check Postmaster domain reputation and complaint rate. We usually see alignment issues on ESP relay mail within the first hour of debugging.

How long after fixing DNS does Gmail inbox placement improve?

Authentication fixes can show in Postmaster within 24-72 hours once Google re-crawls your DNS. Domain reputation recovery after high complaints often takes 2-4 weeks of clean sending to engaged users. There is no instant reset button.

Do I need all 35 fixes if I only send transactional email?

No. Transactional senders can prioritize #1-12 (auth), #13-14 (MX/PTR), #30-32 (headers), and #23-27 (reputation). Bulk marketing senders need the full set including List-Unsubscribe and warm-up discipline.

Is p=reject safe for a small business?

With a staged rollout (p=none → pct=25 quarantine → full quarantine → reject over 6-8 weeks) and aggregate report monitoring, yes. Jumping straight to p=reject without checking every legitimate sender (CRM, billing, helpdesk) is how teams block their own invoices.

Microsoft 365 and Gmail: same rules?

Mostly. Both require SPF, DKIM, and DMARC for bulk senders. Microsoft published parallel requirements in 2024 (BIMI support expanded in 2025). Outlook.com uses SNDS and Microsoft Postmaster for reputation, not Gmail Postmaster.

Key Takeaways

  1. Gmail's spam filter in 2026 evaluates 35+ signals: authentication alignment, DNS hygiene, encryption, reputation, and header compliance. SPF pass alone is never enough.
  2. Fix authentication (#1-12) before reputation work. DMARC alignment failure is the top "everything passes but mail is spam" cause we see on ESP relay setups.
  3. Google's 0.3% spam complaint ceiling and one-click unsubscribe rules (2024 bulk sender guidelines) are enforceable. DNS perfection cannot save a dirty list.
  4. Audit DNS weekly. DKIM keys rotate, ESPs add SPF includes, and dangling CNAMEs appear when you cancel vendors.
  5. Map DNS failures to revenue with your complaint rate and average order value before the next campaign goes out.

Run your domain through the free ROI calculator at zerohook.org/email-roi-calculator to estimate what spam-folder placement costs per month, then fix the DNS failures that stack behind a single "SPF pass."


About the author

ZeroHook Team
Security Analysts

The ZeroHook Team publishes DNS and email security guides for IT managers who need fixes, not brochures.
