Email Deliverability for Affiliates and Lenders: A Complete Guide

Google and Microsoft now reject non-compliant email. Learn the authentication, testing, warmup, and monitoring steps that keep your email campaigns in the inbox.

Cris Ravazzano

Email is still one of the highest-intent channels an affiliate or lender can use, but the rules for getting into the inbox changed a lot over the last two years. If your emails land in spam, or get rejected outright, it does not matter how good your offer is. This guide covers what actually determines whether your mail reaches the inbox: authentication, spam testing, domain warmup, and the monitoring tools at Google and Microsoft.

Why deliverability is now a hard gate, not a soft filter

For years, a poorly authenticated email might have quietly slipped into the spam folder. That era is over. In February 2024, Google and Yahoo introduced formal requirements for bulk senders. Microsoft followed with its own rules that took effect on May 5, 2025. Then in November 2025, Google moved from warnings to active enforcement, meaning non-compliant mail now gets temporary or permanent rejections at the server level rather than just being filtered.

A "bulk sender" is generally defined as anyone sending roughly 5,000 or more messages per day to personal inboxes at a given provider (Gmail for Google, Outlook.com, Hotmail.com, and Live.com for Microsoft). If you are below that threshold, you are not off the hook. Every provider now treats these standards as the baseline for all senders, and smaller senders who ignore them still see worse placement over time.

The three records that prove you are who you say you are

Authentication is the foundation. All three of the records below need to be published in your domain's DNS. Two of them (SPF and DKIM) prove your mail is legitimate, and the third (DMARC) tells receiving servers what to do when something fails.

SPF (Sender Policy Framework) is a list of the servers and services authorized to send email on behalf of your domain. When a receiving server gets your message, it checks whether the sending server appears on that list. One common trap: SPF allows a maximum of 10 DNS lookups, and stacking too many "include" statements (one for your ESP, one for your CRM, one for your invoicing tool, and so on) can quietly break it. If you use several sending platforms, watch that limit.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message. That signature lets the receiving server confirm two things: the mail really came from your domain, and it was not altered in transit. DKIM is what turns "this claims to be from you" into "this is provably from you."

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and gives you a policy. At minimum you need a published DMARC record with a policy of p=none, which monitors without blocking anything. From there you can tighten to p=quarantine or p=reject once you are confident your legitimate mail is passing. DMARC also sends you reports showing who is sending mail using your domain, which is how you catch both broken configurations and people trying to spoof you.

The detail that trips up most senders is alignment. It is not enough for SPF or DKIM to pass. The domain they pass for has to match the domain in your visible "From" address. You can have valid authentication and still fail DMARC because the passing domain belongs to your sending platform rather than to you. If your mail is authenticated but DMARC still fails, alignment is almost always the reason. Getting DKIM aligned to your own domain is the most reliable way to satisfy this.

How to test for spam before you hit send

You do not want to learn about a deliverability problem from a bounced campaign. Test first. A practical pre-send routine looks like this:

  • Run an authentication check. Confirm SPF, DKIM, and DMARC all pass and are aligned to your From domain. Free lookup tools will show you each record and flag misconfigurations.
  • Run a spam score test. Services like mail-tester.com or GlockApps let you send a real email to a seed address and get back a score plus a breakdown of what is dragging you down. Treat the score as a diagnostic, not a guarantee.
  • Check the major blocklists. If your sending IP or domain shows up on a list like Spamhaus, delivery suffers everywhere. Check before a big send, not after.
  • Review the content itself. Heavy image-to-text ratios, link shorteners, misleading subject lines, and missing unsubscribe links all raise flags. In the credit and lending space, be especially careful with language that reads as a guarantee or an unrealistic promise.
  • Test your own unsubscribe. Subscribe to your own list, then click unsubscribe. It should work in one click and remove you promptly. If your opt-out is slow or manual, recipients will hit "report spam" instead, and that is far more damaging.

Email is one channel among many, and it works best when your list is engaged rather than large. That is the same principle that applies across the traffic channels affiliates rely on: relevance beats volume.

Warming up a new sending domain

A brand-new domain has no reputation, and providers are cautious with unknown senders. If you buy a domain today and blast 20,000 emails tomorrow, you will look exactly like a spammer, because that is what spammers do. Warmup is the process of building a sending history gradually so that providers learn to trust you.

The general approach:

  • Get authentication right before the first send. SPF, DKIM, and DMARC should all be in place on day one. There is no point warming up a domain that fails authentication.
  • Start small and ramp slowly. Begin with a low daily volume and increase it over several weeks. The exact pace depends on your target volume, but a steady, predictable climb matters more than the specific numbers.
  • Send to your most engaged recipients first. Opens, clicks, and replies are positive signals. Starting with people who actually want your mail builds reputation faster than starting with a cold list.
  • Watch your metrics as you go. If spam complaints or bounces rise, slow down before you push volume higher.

One honest caution: recovering a domain whose reputation is already damaged takes far longer than warming up a fresh one, often weeks or months of careful sending. It is much cheaper to warm up correctly than to repair a burned domain later.

Tracking your email health at Google and Microsoft

Both major providers give you free tools to see your sending exactly as they see it. If you send any meaningful volume, set both up. You cannot manage what you cannot measure.

Google Postmaster Tools. In October 2025, Google retired the old dashboard and launched Postmaster Tools v2. The previous High, Medium, and Low reputation scores are gone, replaced by a binary Compliance Status: you either pass or you fail, and the dashboard tells you exactly which requirement you are failing. The single most important number is your spam rate, which is based on how many recipients actively click "report spam." Keep it below 0.1 percent and never let it reach 0.3 percent. At 0.3 percent or above, you are in enforcement territory and should expect delivery problems.

Microsoft SNDS and JMRP. Microsoft offers Smart Network Data Services (SNDS), which shows data and reputation for your sending IPs, and the Junk Email Reporting Program (JMRP), a feedback loop that tells you when Outlook users mark your mail as junk so you can remove those recipients. Microsoft's authentication enforcement means non-compliant high-volume mail first goes to the Junk folder and can eventually be rejected with the error code 550 5.7.515, which explicitly states the sending domain does not meet the required authentication level.

What to know Google (Gmail) Microsoft (Outlook, Hotmail, Live)
Bulk threshold 5,000+ per day to personal Gmail 5,000+ per day to consumer inboxes
Required auth SPF, DKIM, DMARC (aligned) SPF, DKIM, DMARC (aligned)
Monitoring tool Postmaster Tools v2 SNDS and JMRP
Spam rate limit Under 0.1%, never reach 0.3% Monitor complaints via JMRP
Enforcement status Active rejections since Nov 2025 Enforcement since May 5, 2025

One point worth stressing: compliance gets you to the starting line, it does not win the race. Passing authentication and staying under the spam threshold is necessary, but providers still reward engagement. Mail that people open, click, and reply to lands better than mail that technically complies but nobody wants.

The Canadian layer: CASL

If you are sending commercial email in Canada, deliverability is not the only rulebook. Canada's Anti-Spam Legislation (CASL) governs consent, identification, and unsubscribe mechanics, and it carries real penalties. The technical standards above and the legal requirements under CASL overlap in useful ways: proper consent produces engaged recipients, which improves deliverability, and a clean unsubscribe flow satisfies both the providers and the law. For the specifics of consent and compliance in Canada, see our guide to CASL and email marketing in Canada.

A pre-send checklist

Before any campaign goes out, confirm:

  • SPF, DKIM, and DMARC are published and passing, and DKIM is aligned to your From domain
  • Your DMARC policy is at least p=none, with reports being collected
  • Your sending domain and IP are not on any major blocklist
  • Your spam complaint rate is under 0.1 percent in Postmaster Tools
  • One-click unsubscribe works and opt-outs are honored within 48 hours
  • A new domain has been warmed up gradually rather than blasted
  • Your list is built on genuine consent, in line with CASL

Get these right and the inbox stops being a gamble. Skip them and even your best offers will not be seen.

Cris Ravazzano

Cris Ravazzano

Head of Marketing & Technology at Loans Canada and CreditMarketing.ca