How opens are impacted
Open rate is a health signal now, not a success metric.
Two things hollowed out the open rate. Apple Mail Privacy Protection pre-loads tracking pixels on the sender's behalf whether or not a person ever views the message, and Apple Mail is a large share of all opens. Apple privacy now accounts for close to half of all tracked opens, about 49%, so for a typical campaign roughly half of recorded opens are machine-generated. The number inflates and stops reflecting attention.
The second is bot and scanner traffic. Through 2025, automated link scanners (security tools and AI agents) generated large volumes of phantom opens and clicks, hitting security-sensitive B2B, government, and education domains hardest. As of late 2025 the major ESPs began filtering known bot clicks, so a small dip in click-through during that window is usually cleaner data, not weaker performance.
What open data can and cannot do now
| Still useful for | No longer reliable for |
|---|---|
| Deliverability alarms. A sudden 10+ point drop flags an inbox-placement problem worth chasing. | A/B test scoring. Both variants are inflated by the same proxies, so opens cannot pick a winner. |
| Same-day relative comparison between two campaigns to similar audiences. | Segmentation and triggers. "Opened" no longer means a person saw it. |
| Long-run trend lines inside your own program. | Industry benchmarking. Every dataset filters Apple opens differently, so cross-source numbers do not compare. |
Measure these instead
Move primary measurement to actions: clicks (after bot filtering), conversions and revenue per email, reply rate where it applies, list growth against churn, and spam-complaint rate. Treat clicks as directional, not absolute. Conversions are the one metric that survives every privacy change.
Stop optimizing to opens. Keep them on the dashboard as a smoke detector.
If a subject-line test still reports on opens, move that decision to clicks or conversions. Opens earn their place only by catching a placement cliff early.
The current baseline
Authentication gets you to the gate. Engagement gets you through it.
The 2024 Google and Yahoo bulk-sender rules turned former best practices into hard requirements. Microsoft brought its high-volume senders onto the same footing in May 2025, so the major consumer providers now share one baseline. The grace periods are over. A "needs work" status on Gmail's compliance dashboard behaves as a delivery problem, not a warning.
The bigger shift is that engagement is now the dominant placement signal, not a tiebreaker. A sender can be fully authenticated and compliant and still land in spam if people do not open, click, or reply. Filtering leans on sender history and recipient behavior. Content scanning is a smaller share of the decision than it was a decade ago, so spam placement on a previously healthy sender almost always means reputation degraded, not that the content changed.
The direction is one-way: more authentication, lower spam tolerance, harder enforcement. The 0.3% complaint ceiling is widely expected to tighten toward 0.1% as the enforced number rather than the recommendation, and Apple iCloud Mail has not published formal bulk-sender rules yet but is the obvious next provider to follow. Build to the stricter end now and you do not have to re-engineer later.
The hard numbers
Placement runs in two tiers
Two years into enforcement, the field has split between senders who did the work and senders who did not. Gmail placement for disciplined senders sits well above Microsoft and Outlook, and B2B programs face a structurally harder environment because corporate filters are more aggressive and strip tracking more often.
| Lever | Current expectation | Why it matters |
|---|---|---|
| Authentication | SPF, DKIM, DMARC, all aligned | Unauthenticated mail is filtered or rejected. Non-negotiable at any volume. |
| Engagement | Active, opted-in, segmented lists | The primary driver of placement. Send less to people who do not engage, not more. |
| List hygiene | Verify at capture, re-validate on a ~90-day cycle | Drives bounces, complaints, and trap hits, which all feed reputation. |
| Complaints | Under 0.1%, never sustain 0.3% | The fastest way to wreck a sending reputation. |
| Frequency | Matched to demonstrated engagement | Over-sending raises complaints and unsubscribes. The reputation cost usually beats the extra revenue. |
| Dedicated IP | Only above ~100K/month, steadily | A low-volume dedicated IP has no reputation to stand on. Stay on a reputable shared pool until you outgrow it. |
What must be tied to your domain
Four things, published in DNS, aligned to the From: domain a recipient actually sees.
These records prove that mail claiming to come from your domain is authorized by you. The three core records are expected for bulk sending today, and they have to align to the visible From: domain, not just exist somewhere.
Sender Policy Framework. A DNS record listing every service authorized to send for your domain.
include: entries. Cross 10 and SPF returns PermError and your mail is treated as unauthenticated, at any volume. Audit and flatten the record whenever you add a sending service.
DomainKeys Identified Mail. A cryptographic signature proving the message was not altered in transit.
Ties SPF and DKIM to a policy that tells receivers what to do on failure, and sends you reports.
p=none (monitor only) meets the bulk-sender minimum but gives zero spoofing protection. The standard is moving to p=quarantine or p=reject, and enforcement is the gateway to a verified logo (section 04). Move to enforcement once your reports confirm every legitimate source passes.
Not DNS, but a mandated header pair on bulk mail (RFC 8058). One click to opt out, honored promptly.
BIMI
Optional, the most visible trust signal, and the most work.
BIMI (Brand Indicators for Message Identification) shows your verified logo beside authenticated mail in supporting inboxes. It is a reputation reward, not a deliverability requirement, and it sits on top of DMARC. The hard prerequisite is DMARC at p=quarantine or p=reject with pct=100. A p=none domain cannot qualify, and no provider reads your BIMI record without enforcement in place.
Logo must be SVG Tiny PS. The optional a= tag points to your mark certificate.
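The enforcement prerequisite above can be checked mechanically from the two TXT records. This is an added example, not code from the original page; the function names, domains and record strings are constructed for illustration, and it does not validate the SVG Tiny PS format or the certificate itself.

```javascript
// DMARC and BIMI records share the same "tag=value; tag=value" syntax.
function parseTags(record) {
  const tags = {};
  for (const part of (record || "").split(";")) {
    const eq = part.indexOf("=");           // split on the first "=" only
    if (eq > 0) tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  return tags;
}

// Applies the page's rule: DMARC at p=quarantine or p=reject with pct=100.
function bimiReadiness(dmarcTxt, bimiTxt) {
  const problems = [];
  const d = parseTags(dmarcTxt);
  if (d.v !== "DMARC1") problems.push("no valid DMARC record");
  const policy = (d.p || "none").toLowerCase();
  const pct = d.pct === undefined ? 100 : Number(d.pct); // pct defaults to 100
  if (policy !== "quarantine" && policy !== "reject") {
    problems.push("DMARC p=" + policy + " is not enforcement");
  }
  if (pct !== 100) problems.push("DMARC pct=" + pct + ", BIMI needs 100");

  const b = parseTags(bimiTxt);
  if (b.v !== "BIMI1") problems.push("no BIMI record");
  else if (!/^https:\/\//i.test(b.l || "")) problems.push("l= is not an HTTPS URL");

  return { policy, pct, hasCertificate: Boolean(b.a), ready: problems.length === 0, problems };
}

// Constructed sample records (hypothetical domain).
const BIMI_TXT = "v=BIMI1; l=https://example.test/logo.svg; a=https://example.test/mark.pem";
const monitorOnly = bimiReadiness("v=DMARC1; p=none; rua=mailto:d@example.test", BIMI_TXT);
const partial = bimiReadiness("v=DMARC1; p=quarantine; pct=50", BIMI_TXT);
const enforced = bimiReadiness("v=DMARC1; p=reject; rua=mailto:d@example.test", BIMI_TXT);
console.log(monitorOnly.problems, partial.problems, enforced.ready);
```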
VMC vs CMC, which certificate
| | VMC | CMC | Self-asserted |
|---|---|---|---|
| Proves | Registered trademark of the logo | Logo shown on your domain 12+ months, archive-verified | Nothing, just the record |
| Gmail | Logo plus blue checkmark | Logo, no checkmark | Not displayed |
| Yahoo / AOL | Logo | Logo | Logo, DMARC enforcement still required |
| Apple Mail | Logo | Logo | Provider-dependent |
| Outlook | No BIMI support yet | | |
| Cost / issuer | ~$1,000 to $1,500/yr · Entrust or DigiCert | ~$650 to $1,100/yr · same CAs | Free |
| Lead time | 2 to 6 weeks, trademark check is the long pole | 1 to 4 weeks | Immediate |
CMC arrived to widen eligibility for brands without a registered trademark. Only a VMC triggers Gmail's checkmark. Some setups also require DMARC to have been at enforcement for about 30 consecutive days before a logo displays. Apple's "Branded Mail" via Apple Business Connect is a separate, free program from BIMI for Apple surfaces. Outlook remains the gap: Microsoft has cycled a consumer Outlook.com preview on and off since 2023 and has repeatedly delayed its Microsoft 365 rollout, with no general availability and no committed date, so treat all Outlook and Microsoft 365 inboxes as non-displaying when you weigh the cost. Even with everything correct, display stays at each provider's discretion based on your reputation.
Compliance and list quality
The unglamorous work that protects everything above.
| Practice | Status | Detail |
|---|---|---|
| One-click unsubscribe | Required | RFC 8058 headers on every bulk message, honored within about two days. Mechanics in section 03. |
| Verify at point of capture | Required | Block disposable, role-based (info@, sales@), and mistyped addresses at signup, before they enter the list. |
| Periodic re-validation | Advised | Re-verify on roughly a 90-day cycle to clear decayed addresses and cut bounces and trap hits. |
| Sunset inactive subscribers | Advised | A smaller engaged list outperforms a large indifferent one. Suppress or win back non-engagers on a schedule. |
| Consent records | Required | Keep provable opt-in. It underpins CAN-SPAM, GDPR, and provider trust alike. |
| Quarterly DNS audit | Advised | Re-check SPF lookups, DKIM key validity and rotation, and DMARC alignment whenever tooling changes. |
Where to register, verify, and watch
No single tool covers every provider. You need a small stack.
Each major provider exposes its own view of how it sees you. Register your sending domain with all of them, then check on a cadence. Dashboards usually lag sending by 24 to 48 hours and most send no alerts, so the checking has to be a habit.
| Destination | Covers | What you get | Cost |
|---|---|---|---|
| Google Postmaster Tools | Gmail / Workspace | Domain and IP reputation, spam rate, authentication pass rates, delivery errors. Ground truth for Gmail. Needs ~100+/day to show data. | Free |
| Microsoft SNDS + JMRP | Outlook / Hotmail | SNDS shows IP data and complaint rates. JMRP is Microsoft's complaint feedback loop. | Free |
| Yahoo Complaint Feedback Loop | Yahoo / AOL | Complaint reporting for your DKIM domain so you can suppress complainers. | Free |
| DMARC aggregate (rua) reports | All compliant receivers | Daily XML of who sends as your domain and whether they pass. Use a parser, not raw XML. | Free + tooling |
| Validity Sender Score | Cross-provider | A 0 to 100 reputation score for your sending IPs. A quick external sanity check. | Free |
| Blocklist checks (Spamhaus) | Industry-wide | Confirm your domain and IPs are not listed. A Spamhaus DBL listing has near-global impact. | Free |
| Seed / placement testing | Cross-provider | GlockApps or Validity Everest show actual inbox-vs-spam placement, filling Postmaster Tools' blind spots. | Paid |
| BIMI certificate (VMC/CMC) | Logo display | Issued only by Entrust or DigiCert. Required for Gmail and Apple logo display. See section 04. | ~$650 to $1,500/yr |
- Daily, per send: watch bounce and complaint rate in the ESP, glance at Postmaster Tools spam rate after large sends.
- Weekly: review Postmaster Tools and SNDS reputation trend, check for sudden open or click cliffs.
- Monthly: read DMARC aggregate reports for unexpected sources, review Sender Score and blocklist status.
- Quarterly: full DNS audit (SPF lookups, DKIM rotation, DMARC policy strength), re-validate the list.
Notes for this stack
Where the general rules meet the platform.
- SPF lookup budget. Marketo's include:mktomail.com plus your CRM, workspace, and helpdesk includes add up fast. Audit against the 10-lookup limit, flatten, or send Marketo mail from a dedicated subdomain if you are close.
- Branded sending domain and DKIM. Configure DKIM for your domain in Marketo's Admin so signing aligns to your visible From: domain, not Marketo's default. Alignment is what DMARC actually checks.
- Subdomain strategy. Many programs send from a dedicated subdomain (e.g. email.yourdomain.com) to isolate marketing reputation from corporate mail and keep SPF clean.
- One-click unsubscribe. Verify Marketo emits the RFC 8058 header pair, not only an in-body link, and that opt-outs sync back promptly.
- Open-rate reporting. Marketo opens are inflated by Apple like everyone's. Re-point program KPIs and any open-based smart-campaign triggers toward clicks and conversions.
- BIMI. If you pursue a logo, the DMARC enforcement prerequisite must cover the exact domain or subdomain Marketo sends from, including any other sources on it.
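One way to verify the one-click unsubscribe item from a raw test send, as an added example that is not from the original page or from Marketo. The sample headers and domains are constructed; the header names and the requirement that a DKIM signature cover both headers come from RFC 8058.

```javascript
// Constructed sample headers from a hypothetical test send (signature values elided).
const SAMPLE = [
  "From: News <news@email.example.test>",
  "DKIM-Signature: v=1; a=rsa-sha256; d=email.example.test; s=sel1;",
  " h=from:to:subject:list-unsubscribe:list-unsubscribe-post; bh=...; b=...",
  "List-Unsubscribe: <mailto:unsub@email.example.test?subject=u123>,",
  " <https://email.example.test/u/abc123>",
  "List-Unsubscribe-Post: List-Unsubscribe=One-Click",
  "Subject: Hello",
].join("\r\n");

function parseHeaders(raw) {
  const unfolded = raw.replace(/\r?\n[ \t]+/g, " ");  // undo RFC 5322 header folding
  const headers = {};
  for (const line of unfolded.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i < 1) continue;
    const name = line.slice(0, i).toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(i + 1).trim());
  }
  return headers;
}

function checkOneClick(raw) {
  const h = parseHeaders(raw);
  const problems = [];
  // The header pair: an HTTPS URI to POST to, plus the fixed POST body value.
  const uris = (h["list-unsubscribe"] || []).join(",").match(/<[^>]+>/g) || [];
  if (!uris.some((u) => /^<https:\/\//i.test(u))) problems.push("List-Unsubscribe has no HTTPS URI");
  const post = (h["list-unsubscribe-post"] || [])[0] || "";
  if (post !== "List-Unsubscribe=One-Click") problems.push("List-Unsubscribe-Post missing or wrong");
  // RFC 8058 also requires a DKIM signature whose h= list covers both headers.
  const signed = (h["dkim-signature"] || []).some((sig) => {
    const m = sig.match(/(?:^|;)\s*h=([^;]*)/i);
    const fields = m ? m[1].toLowerCase().split(":").map((s) => s.trim()) : [];
    return fields.includes("list-unsubscribe") && fields.includes("list-unsubscribe-post");
  });
  if (!signed) problems.push("DKIM signature does not cover both headers");
  return { ok: problems.length === 0, problems };
}

console.log(checkOneClick(SAMPLE));
```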
The audit script
A read-only check of the records in section 03, runnable from the command line.
The companion file email-domain-audit.mjs queries DNS for your SPF, DKIM, DMARC, and BIMI records and flags the things that quietly break delivery. It is plain Node, no dependencies, Node 18 or newer. It recursively counts SPF lookups against the limit of 10, reports the DMARC policy and whether it is at enforcement, checks DKIM when you pass a selector, and notes BIMI readiness.
It exits non-zero when a check fails, so you can drop it into a cron job or a CI step and have it fail the build when SPF drifts past 10 lookups or DMARC slips back to p=none. It never sends or changes anything.
Wire it into the quarterly DNS audit.
Run it against your root domain and your Marketo sending subdomain on the same schedule as the section 06 quarterly check. The SPF lookup count is the one that creeps up on you as tools get added, and it is the one most likely to take SPF down without warning.
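The recursive SPF lookup count described above, as an added example; it is not the companion email-domain-audit.mjs. It runs offline against a constructed TXT map with hypothetical domains in place of live DNS, and counts the terms RFC 7208 charges against the limit (include, a, mx, ptr, exists, redirect).

```javascript
// Constructed TXT data standing in for live DNS; every domain is hypothetical.
const ZONE = {
  "example.test": "v=spf1 include:_spf.crm.test include:_spf.mail.test a mx include:helpdesk.test ~all",
  "_spf.crm.test": "v=spf1 include:a.crm.test include:b.crm.test ip4:192.0.2.0/24 -all",
  "a.crm.test": "v=spf1 ip4:198.51.100.0/24 -all",
  "b.crm.test": "v=spf1 exists:%{i}.b.crm.test -all",
  "_spf.mail.test": "v=spf1 include:x.mail.test include:y.mail.test -all",
  "x.mail.test": "v=spf1 a:out.x.mail.test -all",
  "y.mail.test": "v=spf1 ip6:2001:db8::/32 -all",
  "helpdesk.test": "v=spf1 redirect=_spf.helpdesk.test",
  "_spf.helpdesk.test": "v=spf1 mx -all",
};
const LOOKUP_LIMIT = 10;

// Worst-case static count: every DNS-querying term, followed through
// include: and redirect= into the records they reference.
function countSpfLookups(domain, zone, path = []) {
  if (path.includes(domain)) {
    throw new Error("SPF loop: " + path.concat(domain).join(" -> "));
  }
  const record = zone[domain];
  if (!record || !/^v=spf1(\s|$)/i.test(record)) {
    throw new Error("no SPF record at " + domain);
  }
  let count = 0;
  for (const raw of record.trim().split(/\s+/).slice(1)) {
    const term = raw.replace(/^[+\-~?]/, "").toLowerCase(); // drop the qualifier
    const mech = term.match(/^(include|exists|ptr|a|mx)(?::([^/]+))?(?:\/.*)?$/);
    const redirect = term.match(/^redirect=(.+)$/);
    if (!mech && !redirect) continue; // ip4, ip6, all, exp=: not counted
    count += 1;
    const target = redirect ? redirect[1] : mech[1] === "include" ? mech[2] : null;
    if (target) count += countSpfLookups(target, zone, path.concat(domain));
  }
  return count;
}

function auditSpf(domain, zone) {
  const lookups = countSpfLookups(domain, zone);
  return { domain, lookups, ok: lookups <= LOOKUP_LIMIT };
}

console.log(auditSpf("example.test", ZONE)); // the root record only shows five terms
```

The root record lists three includes plus a and mx, yet the nested records push the total past the limit, which is why the count has to be recursive.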