Deliverability academy episode 2 recap: New rules, same inbox
The inbox just got stricter. In our latest Deliverability Academy session, we unpacked evolving requirements with Microsoft joining the list of inbox providers cracking down on senders. Plus we’ve got the must-know best practices every sender should follow to stay out of spam.
PUBLISHED ON
If you're still treating deliverability like an afterthought, your emails probably aren't landing where you want them to. In the second episode of Mailgun’s Deliverability Academy, hosts Natalie Hayes and Alison Gootee bring their expertise, and plenty of candid commentary, to unpack what’s changed in the world of bulk sending. Spoiler: it’s sounds like a lot, but is it?
Table of contents
The foundation of modern email deliverability
SPF, DKIM, and DMARC might sound like alphabet soup, but they’re critical to getting email into inboxes. These three protocols authenticate who you are and protect against spoofing, phishing, and impersonation. In short, they prove you're not a bad actor, or at least that you’re not acting badly in email.
Learn more about the basics of email deliverability from our first episode of Deliverability Academy, check out the recap.
Even though these authentication protocols have been par for the course for ages, DMARC was much less adopted given that senders have to jump through a couple more hoops to get it. When Gmail and Yahoo released their sender requirements in 2023, DMARC stopped being optional. And now, Microsoft has hopped on the same train.
DMARC finally closes the loop that SPF and DKIM leave open. It checks whether the domain in your visible From address actually aligns with your authenticated domain. That alignment is what mailbox providers care about most now.
"DMARC actually fills in a gap that SPF and DKIM both kind of left behind… it closes that loophole and makes sure that you are who you say you are.”
Alison Gootee, Deliverability Advocacy Specialist Sinch Mailgun
And while p=none might be acceptable today, it’s a placeholder at best. Don��’t assume it will hold up under tomorrow’s policy shifts.
Hey! Did you know: There are three DMARC policy types
p=none— Monitor only, no action taken.p=quarantine— Messages that fail authentication get sent to the spam folder.p=reject— Messages that fail DMARC are blocked completely.
Our experts know that p=none is just a starting point. Without reporting, a DMARC record isn’t doing much. Reports are the “R” in DMARC and they provide crucial visibility into your domain’s email ecosystem. From unknown senders within your own organization to external threats, these reports shine a light on what’s really happening with your email.
Microsoft expands the playbook
When Microsoft came to the table they didn’t do it with quite the same gusto as Yahoogle. Instead of a strict list of thresholds and percentages they came with a list of recommendations, but they still do require DMARC like the other big inbox providers.
Their guidance includes expected hits like unsubscribe headers, list hygiene, and reply handling, but they aren’t as strict. Instead of requiring a one-click unsubscribe with RFC 8058 for example, Microsoft is just requiring a clear, functional unsubscribe process.
“Merely meeting the authentication standard is not the thing that’s going to guarantee inbox placement—it’s just a bare minimum.”
Alison Gootee, Deliverability Advocacy Specialist Sinch Mailgun
So why is Microsoft seemingly less strict? The truth, we think, is in the subtext. And the subtext here says, “You can follow all the technical rules and still be unwelcome if your emails feel spammy or careless.” Microsoft isn’t just looking at your authentications; it’s reading the room and has made it clear they will react based on how recipients manage your messages.
Why respectful sending is no longer optional
One of our favorite parts of Deliverability Academy are the gold nuggets of wisdom that we get from our panel of experts and Natalie Hays never disappoints.
Imagine you meet someone new, and you want to be friends. But instead of playing it cool, you text them 50 times in a row: “Hey.” “What’s up?” “Did you get my message?” “Why aren’t you answering?” It’s awkward. From an email perspective, some brands are doing that.”
Natalie Hays, Sr. Product Marketing Manager Sinch Mailgun
If you like analogies and witty banter, be sure to check out hot takes like this in the full recording posted at the end of this blog.
Natalie’s point? That’s how subscribers feel when they get email after email with no room to breathe. When the opt-out link is buried in a footer. When they can’t tell why they’re even on the list.
Tools like easy unsubscribe and preference centers aren’t a nice-to-have, they’re a sanity check. Let people choose how often they want to hear from you. Let them opt down before they opt out and don’t act surprised when high unsubscribe rates tank your sender reputation –especially if you weren’t really listening to your audience in the first place.
Getting started with Mailgun DMARC
One of the big questions our audience had was what should you do if you’re overwhelmed by DMARC reporting? If you're staring at XML files and pretending they make sense, you’re not alone.
That’s where solutions like Mailgun’s DMARC monitoring, powered by Red Sift, comes in. It simplifies DMARC deployment and makes the reports digestible. You’ll know who’s sending on your behalf, what’s failing, and how to fix it.
Wrapping Up
Of course, if your current solution is working and you’re confident in your enforcement posture, the advice was simple: “Don’t rock the boat unless it’s filling with water.” Mailgun isn’t the only solution to deliverability, but hey, we’re here if you need us.
Landing in the inbox isn’t just a technical problem. It’s a trust problem. Mailbox providers are looking at what you send, how you send it, and whether your subscribers even want it.
SPF, DKIM, and DMARC are non-negotiable, but what really keeps you out of spam is being a good sender. That means giving subscribers control, making it easy to opt out, sending content people actually expect, and responding like there’s a real person on the other end.
Authentication and meeting requirements gets you through the door. Respect keeps you in the room.
