How Email Spam Filters Work (And Why Most Problems Are Reputation, Not Content)

The first thing almost every customer tells me when their emails are landing in spam: "It must be something wrong with the platform. It works fine when I send to myself."

I understand why. You fire a test email, it hits your inbox, everything looks normal. The ESP becomes the obvious suspect.

But here is what is actually happening. When you send to your own address, you are sending from a domain the receiving server already trusts. That test tells you almost nothing about how Gmail, Yahoo, or Outlook will treat emails going to your actual users.

Spam filters do not just read your email. They read your history.

The pattern I see constantly: A founder spends a week rewriting subject lines, removing the word "free," shortening their preview text. Inbox placement does not improve. Then we check their authentication setup. DMARC is missing. DKIM is failing. We fix both in 20 minutes. Emails land in the inbox.

What a spam filter actually does

A spam filter is a scoring system. Every incoming email gets assigned a score based on dozens of signals. If the score crosses a threshold, the email goes to spam. If it does not, it lands in the inbox.

The signals fall into two categories: reputation signals and content signals.

Most people focus on content. Spam filters care far more about reputation.

Reputation signals

Reputation is the record of how your sending domain and IP have behaved over time. Spam filters check this before they look at a single word in your email.

Authentication

The first thing any modern spam filter checks is whether your email is authenticated. SPF, DKIM, and DMARC are the three records that tell receiving servers you are who you say you are.

If your DKIM signature fails, Gmail has no way to verify the email came from your domain. It will treat it with suspicion regardless of what the email says. If DMARC is missing or misconfigured, Yahoo applies its own policy. Since the February 2024 enforcement changes, that policy is aggressive.

Authentication is the floor. Without it, nothing else you fix will stick. We have a full setup guide for SPF, DKIM, and DMARC here.

Domain age and warmup

A brand new domain sending 5,000 emails on day one looks exactly like a spammer. Spam filters have seen this pattern millions of times.

If you recently set up a sending domain, you need to warm it up gradually. Start with your most engaged users. Build a track record. Give spam filters enough signal to establish that real people want your emails before you ramp to full volume.

Bounce rate

A high bounce rate tells spam filters your list is dirty. You are sending to addresses that do not exist or have been abandoned. That pattern correlates strongly with spam behavior.

If your email bounce rate is above 2%, spam filters will start treating your domain as lower quality. Gmail and Yahoo both factor bounce signals into inbox placement decisions. Hard bounces should be suppressed immediately. Sending to them again actively hurts your sender score.

Spam complaint rate

This is the most direct signal of all. When a recipient clicks "Report spam," they are casting a direct vote that your emails are unwanted. Google publishes a clear guideline: keep your complaint rate below 0.1%. Above 0.3% and you will see systematic inbox failures across the board.

AutoSend surfaces your spam complaint rate in the dashboard alongside bounce rate. If you see it climbing past 0.05%, investigate immediately. Do not wait until it hits even 0.1%.

Engagement history

Modern spam filters from Google and Yahoo use machine learning, not just rule-based scoring. One of the strongest signals they use is engagement: are recipients opening your emails, clicking links, replying? Low engagement over time signals that your emails are unwanted, even if nobody explicitly marks them as spam.

This is why list hygiene matters. Sending to contacts who have not engaged in six months drags down your engagement signals and pulls your inbox placement down with it.

Content signals

Content signals do matter. They are just secondary to reputation, and they only come into play once your reputation passes the basic threshold.

Trigger words

Words like "Free," "guaranteed," "click here," and "act now" appear so often in spam that filters assign them weight. But a single trigger word will not send you to spam on its own. It takes a combination: trigger words plus weak reputation plus suspicious structure.

If your authentication is solid and your complaint rate is low, writing "free trial" in your email will not get you filtered.

HTML structure

A wall of images with almost no text. A single giant image with the message baked into it. An HTML-to-text ratio that is wildly off-balance. These patterns look like spam because spammers use them to hide content from text-based filters.

A clean HTML email with a proper plain text fallback passes content checks without issue.

Link quality

Spam filters check the reputation of every domain you link to. A link to a blacklisted domain will hurt your score even if everything else is clean. If you use redirect URLs or third-party click tracking, verify those domains have clean reputations before sending.

How Google and Yahoo filter differently from SpamAssassin

SpamAssassin is the traditional open-source spam scoring system. It assigns numeric scores to content patterns and reputation signals, and many mail servers still run it as a base layer.

Google and Yahoo have moved well beyond it. Gmail uses machine learning models trained on billions of emails alongside explicit authentication checks. The February 2024 enforcement update made DMARC a hard requirement for bulk senders. Yahoo enforced the same standard simultaneously.

The practical difference: Google's filtering cannot be gamed through content tricks. Their models have seen every pattern spammers have tried. Reputation dominates. A well-authenticated, well-warmed domain with a low complaint rate will reach the inbox even with a promotional subject line. A poorly authenticated domain with a 0.2% complaint rate will hit spam even with immaculate copy.

Why your inbox test tells you nothing

When you send a test to your own address, you are testing against a server that already knows you. If you are using the same domain for sending and receiving, there is implicit trust built in.

You are also not replicating history. The receiving servers handling your actual user emails have a record of every email you have sent to their users. They have your complaint history, your bounce history, your engagement pattern. Your test inbox has none of that.

The right way to test is with a seed list tool that sends to addresses across Gmail, Yahoo, Outlook, and Apple Mail, then reports inbox versus spam placement by provider. Sending yourself a test email is not a deliverability check. For the full testing process, the email deliverability testing guide covers it step by step.

What to check first when emails hit spam

When a customer tells me emails are landing in spam, I look at three things in order:

1. Authentication. Are SPF, DKIM, and DMARC all passing? Run a send through mail-tester.com and look at the authentication section specifically. A failing DMARC policy is the most common root cause I find.

2. Spam complaint rate. Is the rate above 0.05% in your AutoSend dashboard? If yes, stop sending to your full list and identify which segment is generating complaints. Usually it is a list segment that was added without a clear opt-in.

3. Domain warmup status. Is the sending domain less than 60 days old with high volume from day one? If yes, warmup is almost certainly the issue. Drop volume immediately and rebuild gradually.

One more thing I check if those three are clean: spam traps. Spam trap addresses on your list are invisible to you but will tank your sender reputation fast.

Content is the last thing I look at. By the time I am reviewing subject lines for trigger words, I have already ruled out everything above.

A note on what we surface in AutoSend

AutoSend shows your spam complaint rate and bounce rate in the main dashboard because those are the two signals that move fastest when something goes wrong. Most deliverability problems show up in one of those two numbers before they become a full inbox placement failure.

If you are seeing spam placement problems and both metrics look clean, the next step is email authentication. Verify DMARC is set to at minimum p=none with reporting enabled, and confirm DKIM is signing correctly.

For every other pattern that causes emails to hit spam, the emails going to spam guide covers all 18 causes with fixes for each one.

---

Frequently asked questions

What do email spam filters check first?

Authentication. SPF, DKIM, and DMARC are verified before content scoring begins. A failed authentication check will send an email to spam regardless of what the email contains.

Does the word "free" in a subject line trigger spam filters?

It adds a small score in rule-based systems like SpamAssassin. On its own, it will not filter your email. Combined with poor authentication or a high complaint rate, it contributes to a failing overall score. Fix reputation first. Content is usually not the problem.

How does Google's spam filter differ from traditional filters?

Gmail uses machine learning models trained on billions of emails. It weights user behavior signals (complaints, engagement, unsubscribes) far more heavily than keyword patterns. You cannot optimize copy your way into Gmail's inbox if your reputation signals are weak.

What spam complaint rate is acceptable?

Google's published guideline is below 0.1%, with a strong push to stay under 0.08%. Above 0.3% and you will see systematic inbox failures. Watch it daily if you are sending at volume.

Can I fix a spam problem by rewriting my email copy?

Only if content is genuinely the issue, which is rare. If authentication is misconfigured, your domain is unwarmed, or your complaint rate is elevated, rewriting copy will not help. Diagnose reputation signals first.

What is the fastest way to check if my emails are landing in spam?

Use a seed list tool like GlockApps or mail-tester.com. These send to test addresses across Gmail, Yahoo, and Outlook and report back inbox versus spam placement per provider. Sending to your own inbox is not a reliable test.

How do spam filters treat a new sending domain?

With suspicion. A new domain has no sending history, and spam filters cannot distinguish it from a throwaway domain used for phishing. Warm up gradually: start with your most engaged users and increase volume over four to six weeks.