Email Spammer vs Legitimate Sender: How ISPs Tell the Difference

Every email you send is classified by the recipient's ISP as either legitimate or spam. The classification happens in milliseconds and uses dozens of signals. Most senders never see the criteria spelled out, and as a result they spend effort on things that don't matter (content tweaks, subject lines) while ignoring the signals that do (reputation, engagement, authentication).

This guide breaks down what ISPs actually use to make the spammer-vs-sender decision, from the engineering side. If you're seeing your mail filtered to spam and you're not sure why, this is the framework to investigate.

The classification stack

ISPs evaluate every message through layered checks. Each layer produces a score; the composite determines inbox placement.

Layer	What it checks	Weight in 2026
Authentication	SPF, DKIM, DMARC	High (table stakes)
Domain reputation	Long-term sending history of From domain	Very high
IP reputation	Sending IP history	Medium-high
Engagement	Opens, clicks, replies, deletions, "this is spam"	Highest
List hygiene	Bounce rate, trap hits, role address ratio	High
Content	SpamAssassin-style rules, URL reputation	Low-medium
Behavioral	Volume patterns, infrastructure changes	Medium
Per-recipient	Recipient's prior interaction with sender	Very high

Authentication is necessary but not sufficient. Engagement is the dominant 2026 signal.

Authentication: the table stakes

SPF, DKIM, and DMARC are no longer differentiators — they are minimum requirements. Since Gmail and Yahoo's bulk sender rules went into effect in 2024, mail without authentication is either rejected outright or aggressively filtered.

What ISPs actually want to see:

• SPF passing with alignment to the From domain
• DKIM passing with a signing domain aligned to the From domain
• DMARC published at p=quarantine or p=reject with active monitoring
• Authentication-Results header showing pass on every send

If you don't have all three configured correctly, see SPF setup, DKIM setup, and DMARC setup.

Domain reputation: the foundation

Every sending domain accumulates reputation over time. ISPs track:

• How long the domain has been sending
• Consistency of sending volume
• Complaint rate per send
• Bounce rate per send
• Spam trap hits
• Recipient engagement (positive: opens, clicks, replies; negative: deletes without reading, spam reports)

This data lives at the ISP and is not directly visible to senders. The closest you can see is Google Postmaster Tools' domain reputation field (Bad / Low / Medium / High) and Microsoft SNDS data for Hotmail/Outlook.com.

Practitioner note: Domain reputation is sticky. A clean domain with 2 years of good engagement can survive a temporary problem (one bad campaign, a brief volume spike) because the long-term history dominates. A new domain has no buffer — one bad send can crater placement for weeks. This is why warmup matters and why "burn-and-churn" domain strategies for cold outreach can work but require constant rebuilding.

IP reputation: still matters, but less than it used to

IP reputation was the dominant signal a decade ago. Today it matters but is subordinate to domain reputation, because:

• Most senders use shared IPs at major ESPs (SendGrid, Mailgun, Postmark)
• Domain-level signals are more attributable to the actual sender
• IPv6 sending and IP rotation make IP-level tracking less stable

Dedicated IPs still matter for high-volume senders (>500k/month typically). For most marketing senders on shared infrastructure, domain reputation dominates.

See sender reputation: domain vs IP for the full breakdown.

Engagement: the dominant signal in 2026

Modern ISPs (especially Gmail and Outlook) lean heavily on engagement data. The signals they read:

Positive:

• Opens (real opens, not Apple Mail Privacy preloads)
• Clicks
• Replies
• Marking as not-spam
• Moving from spam to inbox
• Long read time (some clients)

Negative:

• Marking as spam ("This is spam" button)
• Deleting without opening
• No interaction at all over time
• Bounces (especially hard)

The composite engagement rate per send and per cohort over time is the strongest predictor of where the next send lands.

For deeper coverage see email engagement signals and Gmail deliverability deep dive.

List hygiene: the gating signal

Bad list hygiene triggers ISP suspicion regardless of intent:

• Bounce rate > 2% on a send → flag
• Complaint rate > 0.3% → throttling at Gmail/Yahoo
• Hit on a recycled spam trap → reputation hit
• Hit on a pristine spam trap → Spamhaus listing risk
• Role address volume > 5% of list → flag

ISPs interpret poor hygiene as either incompetence or bad acquisition (purchased lists, scraping, no consent). Either way, the response is reduced inbox placement.

See spam traps explained, email list decay, and our list cleaning guide.

Content scanning: less important than it used to be

SpamAssassin-style content rules still exist and trigger on obvious patterns (free!!!, all caps, hidden text, suspicious links). But content scoring is now a smaller piece of the decision. Reputation and engagement dominate.

Practical implication: optimizing subject lines and HTML structure for "spam words" is mostly wasted effort if your reputation and engagement are strong. Conversely, perfect content cannot save bad reputation.

Practitioner note: I see senders obsess over content (subject line A/B tests, copy tweaks, "spam word" filters) when their actual problem is engagement (subscribers don't open) or list hygiene (bouncing addresses, traps). Content matters at the margins. Reputation and engagement matter at the foundation. Diagnose in order: authentication → reputation (Postmaster Tools) → engagement → list quality → content.

Behavioral patterns: the new-sender problem

ISPs flag sudden changes:

• Volume spike from previously-low-volume domain
• New sending IPs or infrastructure for an existing domain
• Sending from a brand new domain at any meaningful volume
• Sending from infrastructure associated with prior abuse

This is why warmup matters. A new sending IP or domain needs gradual volume ramp (often weeks) to establish baseline reputation. Skipping warmup looks identical to "spammer just turned on new infrastructure."

See cold email infrastructure complete guide for warmup specifics.

Per-recipient signals: the strongest filter

Gmail and Outlook now use per-recipient interaction history heavily. If a recipient has:

• Replied to you before → almost guaranteed inbox
• Marked your prior mail as spam → guaranteed spam
• Added you to contacts → inbox
• Never opened anything from you → likely spam over time
• Deletes your mail without reading → likely spam

This means the same email from the same sender lands in inbox for engaged recipients and spam for disengaged ones. Your aggregate engagement metric is the average of these individual decisions.

How to look more like a legitimate sender

Action	Impact
Implement SPF, DKIM, DMARC properly	Required minimum
Register Google Postmaster Tools	Required for diagnostic visibility
Send consistent volume (no spikes)	Maintains reputation
Maintain bounce rate < 2%	Avoids throttling
Maintain complaint rate < 0.3%	Required by Gmail/Yahoo
Honor unsubscribes immediately	Reduces complaints
Sunset inactive subscribers	Boosts engagement metrics
Use established sending infrastructure	Reduces behavioral red flags
Run re-engagement before sunsetting	Recovers some, drops the rest

For broader deliverability context see email deliverability guide.

If you need help diagnosing why ISPs are filtering your mail like spam or recovering from a reputation drop, book a consultation. I do reputation audits and run recovery plans for senders who've been miscategorized.

Sources

• RFC 7489 — DMARC
• Google Email Sender Guidelines
• Yahoo Sender Requirements
• Microsoft SNDS Documentation
• M3AAWG Sender Best Common Practices
• Spamhaus: Reputation Lists

---

v1.0 · May 2026