'Do Not' Rules of Email Deliverability

Avoid the most common deliverability mistakes that trigger blocks, bounces, and compliance issues.

Last updated: October 25, 2025

Some people love being told what to do. Others would much rather hear what not to do. If you fall into that second group, this guide is for you.

After years of running an ESP and helping senders recover from late-night incidents, list bombing attacks, and unexpected spam-folder detours, I have a deep list of mistakes that are 100% avoidable. What follows is the collection of “do not” rules I keep coming back to when someone asks why their deliverability fell off a cliff.

Infrastructure & Authentication

1. Do not skip adding your DNS records

  • SPF, DKIM, and DMARC are table stakes.
  • Missing records now trigger stricter filtering (Google requires them for senders above 5,000 messages per day).
  • Expect every domain change or DNS tweak to affect inbox placement.

Had a customer lose their DKIM keys and opens crashed to 3% overnight. Adding the records back brought them north of 20%. One missing record can tank your entire reputation.
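A way to catch a missing or broken record before it shows up in open rates, as an added example (not code from this guide or from Bento). It audits TXT strings you have already fetched, for instance with `dig +short TXT`; the function names and the sample records for a hypothetical domain are assumptions.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208: max 10

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(txts):
    spf = [t.split() for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"spf: need exactly one v=spf1 record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0][1:]]
    names = [re.split(r"[:=/]", t.lstrip("+-~?"))[0] for t in terms]
    checks = [
        (sum(n in LOOKUP_TERMS for n in names) > 10, "spf: more than 10 DNS-lookup terms"),
        ("all" not in names and "redirect" not in names, "spf: no 'all' mechanism or redirect"),
        (any(t in ("all", "+all") for t in terms), "spf: +all authorizes any host"),
    ]
    return [msg for bad, msg in checks if bad]

def audit_dkim(txts):
    keys = [parse_tags(t) for t in txts if "p" in parse_tags(t)]
    if not keys:
        return ["dkim: no public key published for this selector"]
    return [] if keys[0]["p"] else ["dkim: empty p= means the key is revoked"]

def audit_dmarc(txts):
    recs = [parse_tags(t) for t in txts if t.strip().startswith("v=DMARC1")]
    if len(recs) != 1:
        return [f"dmarc: need exactly one v=DMARC1 record, found {len(recs)}"]
    policy = recs[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["dmarc: missing or invalid p= tag"]
    return ["dmarc: p=none requests no enforcement"] if policy == "none" else []

def audit(records):
    checks = (("spf", audit_spf), ("dkim", audit_dkim), ("dmarc", audit_dmarc))
    return [f for key, check in checks for f in check(records.get(key, []))]

# Constructed TXT data for a hypothetical domain whose DKIM record was deleted.
SAMPLE = {"spf": ["v=spf1 include:_spf.example.net ~all"], "dkim": [],
          "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]}
```

Running `audit(SAMPLE)` on a schedule, fed from live DNS answers, turns a deleted DKIM key into an alert rather than a drop in opens.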

2. Do not start sending on a brand-new domain

  • Reputation does not travel with you—new domains start from zero (or below zero).
  • Fix the reputation of your primary domain instead of trying to outrun problems.
  • Warm up slowly any time you truly must use a new domain.

3. Do not chase trendy top-level domains

  • Cheap novelty TLDs are widely abused and draw extra scrutiny from spam filters.
  • Stick with reputable domains that match your brand and build long-term trust.

4. Do not ignore sending infrastructure (IP pools)

  • Shared IPs inherit the behavior of every sender in the pool.
  • Work with providers who actively manage IP reputation and segregate good senders from risky ones.
  • Monitor your metrics and escalate if a pool starts misbehaving.

Curious about how IP pools work? We cover it in detail here: https://www.youtube.com/watch?v=t6qIi8AYt7I&ab_channel=Bento

5. Do not mix transactional and marketing traffic

  • Keep transactional emails (password resets, receipts) separate from marketing blasts.
  • Use different from-addresses, IPs, and ideally subdomains so critical system mail keeps landing.

6. Do not forget to warm up domains and IPs

  • Warm-up status does not carry over when you change providers.
  • Ramp volume intentionally when switching platforms and track bounces and complaints daily.
  • Rewrite links and images to use your own domain before redirecting.
  • Inbox providers trust your domain far more than third-party redirectors.

Security & Form Protection

1. Do not forget form security

  • Rate-limit, add CAPTCHAs, and use honeypots to prevent list bombing.
  • An unsecured form lets attackers inject thousands of addresses in minutes.

4:30 AM page because of a list bombing attack. The fix? Rate limit forms and they go bother someone else.

2. Do not skip rate limiting

  • Every endpoint that fires an email (sign-ups, invites, password resets) needs a cap.
  • Start with something like three attempts per hour, then tune from there.
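The honeypot and the three-per-hour cap from the two rules above, combined in one check, as an added example (not code from this guide or from Bento). The class name, the key layout (per source IP and per recipient address) and the in-memory store are assumptions; a multi-server deployment would keep the counters in a shared store.

```python
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 3        # starting cap suggested above
WINDOW_SECONDS = 3600   # one hour

class EmailTriggerLimiter:
    """Sliding-window cap for any endpoint whose requests send an email."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._hits = defaultdict(deque)   # key -> timestamps of accepted requests

    def _has_room(self, key, now):
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                # forget requests older than the window
        return len(hits) < self.max_attempts

    def check(self, endpoint, client_ip, email, honeypot="", now=None):
        """Return (allowed, reason); counts per source IP and per recipient."""
        now = time.time() if now is None else now
        if honeypot.strip():
            # The honeypot input is hidden from people, so any value is a bot.
            return False, "honeypot"
        keys = [(endpoint, "ip", client_ip),
                (endpoint, "rcpt", email.strip().lower())]
        for key in keys:
            if not self._has_room(key, now):
                return False, "rate_limited:" + key[1]
        for key in keys:
            self._hits[key].append(now)
        return True, "ok"

def replay(events):
    """Run constructed (endpoint, ip, email, honeypot, now) tuples in order."""
    limiter = EmailTriggerLimiter()
    return [limiter.check(*event) for event in events]

# Constructed burst: one source submitting five different addresses in 5 seconds.
T0 = 1_700_000_000.0
BURST = [("signup", "203.0.113.7", f"user{i}@example.com", "", T0 + i)
         for i in range(5)]
```

The per-IP key stops a single source from injecting many addresses; the per-recipient key stops many sources from flooding one inbox through the same form.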

3. Do not ignore HTML injection

  • Treat every personalization token as untrusted input.
  • Strip < or sanitize aggressively, especially in transactional templates.

We once pulled personalization from invites entirely after an attacker injected spam content into the “name” field. Removing personalization was the fastest path to safety.

4. Do not personalize critical transactional emails

  • Password resets, verification links, and invites should stay plain.
  • Attackers abuse personalization to send phishing mail through your domain.

Paranoid task: remove personalization from account emails. Otherwise a bot can sign up, set the name to malicious HTML, then spam victims with believable phishing emails.
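For templates where a name token has to stay, the sketch below shows the unescaped "before" next to a hardened renderer, as an added example (not code from this guide or from Bento). The template, function names, length limit and sample inputs are assumptions. It goes one step past escaping, because plain-text lures survive `html.escape` unchanged; for password resets and verification links the rule above still applies and the token should be dropped entirely.

```python
import html
import re
from string import Template

# Hypothetical invite template; $name is a user-editable profile field.
INVITE = Template("<p>Hi $name, you were invited to a workspace.</p>")
MAX_NAME_LEN = 40
# Markup characters, URL schemes and dotted hostnames do not belong in a name.
_NOT_A_NAME = re.compile(r"[<>]|://|\bwww\.|\w\.[a-z]{2,}\b", re.IGNORECASE)

def render_unsafe(name):
    """The 'before': the token lands in the HTML body verbatim."""
    return INVITE.substitute(name=name)

def safe_token(value, fallback="there"):
    """HTML-escape a token, or return a generic fallback if it looks abused."""
    value = " ".join(value.split())      # collapse newlines and runs of spaces
    if not value or len(value) > MAX_NAME_LEN or _NOT_A_NAME.search(value):
        return fallback
    return html.escape(value, quote=True)

def render_safe(name):
    return INVITE.substitute(name=safe_token(name))

# Constructed inputs: injected markup, and plain text that escaping alone lets through.
MARKUP_NAME = '<a href="https://phish.example/reset">Reset your password</a>'
TEXT_NAME = "Alert: verify at phish.example now"
```

Ordinary names such as `O'Brien` or `J.R. Smith` pass through escaped; both constructed inputs render as the generic greeting.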

5. Do not skip blocking temporary email addresses

  • Disposable inboxes are the first stop for script kiddies probing your flows.
  • Block known disposable domains so they move to a softer target.

List Management & Hygiene

1. Do not buy email lists

  • Purchased lists are loaded with traps, outdated addresses, and unengaged contacts.
  • They ruin deliverability and often get you blocklisted.

2. Do not forget to clean your list

  • Remove unengaged, bounced, and invalid addresses on a schedule.
  • Set a sunset policy (6–12 months of inactivity is a good baseline).

3. Do not skip confirmed opt-in (COI)

  • COI guarantees subscribers actually want your messages.
  • It dramatically reduces spam complaints and fake sign-ups.

4. Do not ignore segmentation

  • Targeted messages outperform batch-and-blast.
  • Segment by lifecycle, interest, and engagement so everyone receives what they expect.

5. Do not ignore privacy regulations

  • GDPR, CCPA, and CAN-SPAM violations lead to fines and reputation damage.
  • Keep consent records, unsubscribe logic, and data-handling policies tight.
  • Honor unsubscribes immediately.
  • Never re-add someone unless they confirm a new opt-in.

Sending Practices

1. Do not spike volume without warning

  • Sudden bursts trigger filters, especially during busy seasons like Black Friday.
  • Increase volume gradually and monitor inbox placement.

2. Do not blast a giant list all at once

  • Batch large sends to avoid rate limits and catch issues early.
  • Phased sends give you time to react before 100% of users are impacted.

3. Do not wake up cold subscribers with a single blast

  • Re-engage dormant users with targeted, gradual campaigns.
  • Inbox providers treat large sends to dormant contacts as unsolicited mail.
  • Proxy everything—links, images, and tracking—through your domain when possible.
  • One suspicious third-party domain can collapse inbox placement for a whole campaign.

5. Do not hide unsubscribe options

  • Make unsubscribe one-click and plainly visible.
  • Many clients now auto-process unsubscribes; hiding the link only drives up spam complaints.

Monitoring & Compliance

1. Do not ignore blacklist monitoring

  • Keep an eye on blocklists and remediate immediately.
  • Bento alerts you when issues show up; act before the blocks spread.

2. Do not shrug off complaint feedback loops

  • A few complaints can crater your sending reputation.
  • Remove complainers instantly and audit the campaign that triggered it.

3. Do not ignore engagement metrics

  • Inbox providers increasingly rank engagement above infrastructure.
  • Low opens and high ignores are red flags that must be addressed.

4. Do not skip content compliance checks

  • Every email needs the basics: physical address, unsubscribe link, and compliant copy.
  • Automate checks so nothing slips through.

5. Do not send from free webmail domains

  • Gmail, Yahoo, and similar domains lack the authentication signals businesses need.
  • Always send from a domain you control.

Deliverability rarely fails because of one catastrophic mistake. It erodes because of dozens of small “do not” moments that pile up. Treat this checklist as the guardrail you revisit every time you plan a campaign, wire an integration, or open up a new form.
