Why Email Lists Decay — and the System to Keep Yours Clean and Deliverable

There is a quiet, compounding problem sitting inside almost every email list in the world, and most senders never see it until the damage is already done. It is not a bad subject line. It is not the wrong send time. It is the slow, invisible rot of the list itself — and because email providers like Gmail, Outlook, and Yahoo judge you by how your list behaves, that rot is the single biggest threat to your ability to reach the inbox at all.

At MailPerch, deliverability and sender reputation are the things we care about above all else, because they are the things that decide whether your message is read or quietly filtered into oblivion. So in this guide we are going to go deep: what list decay actually is, the mechanics of why it happens, how mailbox providers interpret it, exactly what it costs you, and — most importantly — the repeatable system you can run to keep your list clean, your reputation high, and your emails landing where they belong.

What "list decay" actually means

List decay is the steady degradation of the quality of the email addresses on your list over time. Every list, no matter how lovingly built, loses a measurable percentage of its usable addresses every single month. Industry studies have consistently put this figure at roughly 2% to 3% per month, which compounds to somewhere between 22% and 30% per year. That means if you collected a perfect, fully opted-in list of 10,000 subscribers today and did nothing to maintain it, somewhere around 2,500 to 3,000 of those addresses could be dead, dormant, or actively harmful within twelve months.

Decay happens through several mechanisms working at once:

• People change jobs. Work email addresses are abandoned constantly. When someone leaves a company, their name@company.com address is usually deactivated within weeks. Mail to it now hard-bounces.
• People abandon personal inboxes. Old Hotmail, Yahoo, and secondary Gmail accounts get forgotten. The mailbox may still technically exist but is never checked — or it has been recycled by the provider into a spam trap.
• Typos and fake signups. "gmial.com," "yaho.com," a fat-fingered username, or a deliberately fake address someone typed to grab a lead magnet. These never worked and never will.
• Disengagement. The address is valid and the person is real, but they stopped caring. They do not open, do not click, and increasingly, do not even see your mail because the provider has learned to bury it.
• Spam traps. The most dangerous category — addresses that exist solely to catch senders with poor hygiene. We will cover these in depth below.

Why mailbox providers punish you for a decaying list

Here is the core idea that every serious sender needs to internalize: Gmail, Outlook, and Yahoo do not owe you the inbox. Their job is to protect their users from unwanted mail, and they are extraordinarily good at it. To decide whether your mail is wanted, they watch how recipients react to it and how your sending behaves over time. That accumulated judgment is your sender reputation, and a decaying list quietly destroys it.

Consider what happens when you send to a decayed list. A chunk of your mail hits dead addresses and bounces. Another chunk lands in inboxes that are never opened, so your open rate craters. Some recipients, annoyed to still be hearing from you, hit "report spam." And a few addresses might be spam traps that flag you as a careless sender. Every one of those signals tells the provider the same story: this sender is mailing people who do not want their mail. The provider's rational response is to start filtering you — first to Promotions, then to Spam, then, for your worst-behaving recipients, to nowhere at all.

A clean list is not a "nice to have." It is the foundation of deliverability. You cannot out-write, out-design, or out-spend a reputation problem caused by mailing dead and disengaged addresses.

The two numbers that decide your fate: bounce rate and complaint rate

Mailbox providers and sending platforms watch two metrics more closely than any others, and both are driven by list quality.

Bounce rate

A hard bounce means the address does not exist or the mail server permanently rejected it. Hard bounces are pure signal: they prove you are mailing addresses you should not be. Reputable infrastructure providers expect hard-bounce rates well under 2–5%, and exceeding that repeatedly can get your sending throttled or suspended outright. A decaying list is a hard-bounce factory, because every dead address is a guaranteed bounce.

A soft bounce is temporary — a full mailbox, a server hiccup, a message too large. Soft bounces are less damaging individually, but an address that soft-bounces repeatedly over weeks is decaying toward a hard bounce and should be retired.

Complaint rate

A complaint is when a recipient clicks "report spam." This is the most expensive signal in all of email. The widely cited danger threshold is 0.1% — that is just one complaint per thousand emails. Cross it consistently and providers will aggressively filter or block you. Decayed lists drive complaints because disengaged recipients who barely remember signing up are far more likely to report you than to unsubscribe.

Spam traps: the landmines in a neglected list

Spam traps deserve their own section because they are the fastest way to torch a sender reputation. A spam trap is an email address that is monitored by mailbox providers and anti-spam organizations for one purpose: to catch senders who are not practicing good list hygiene. Nobody signs up for these addresses, so any mail arriving at one is, by definition, mail that should not have been sent.

There are two main kinds:

• Pristine traps are addresses created purely as traps and never used by a real person. Hitting one usually means you acquired addresses you should not have.
• Recycled traps are far more common and far more relevant to list decay. A provider takes an email address that was abandoned long ago, lets it hard-bounce for a while, and then reactivates it as a trap. If you are still mailing an address the original owner abandoned years ago, you will eventually hit it — and the provider now has proof that you are not removing dead addresses.

Recycled traps are the direct consequence of list decay. The only defense is to consistently remove addresses that bounce or that have shown no engagement for a long time, before they turn into traps.

What a dirty list actually costs you

It is tempting to think a big list is a strong list, even if parts of it are stale. The opposite is true. A bloated, decaying list costs you in four concrete ways:

1. Worse deliverability for everyone. Reputation is earned at the domain and IP level, not per-recipient. When dead addresses drag your reputation down, your good subscribers — the engaged, paying ones — stop reliably receiving your mail too. You are sabotaging your best relationships to keep mailing your worst.
2. Wasted money. Most sending plans charge by volume. Every dead address you pay to email is money lit on fire for a guaranteed bounce.
3. Distorted analytics. Open and click rates calculated against a list full of dead weight understate your true performance, leading you to "fix" things that were never broken.
4. Existential platform risk. Push bounce or complaint rates too high and your sending account can be suspended. The whole channel — your most valuable, owned audience — can go dark overnight.

The system: how to keep a list clean and deliverable

Good hygiene is not a one-time clean-up; it is a system you run continuously. Here is the framework we recommend and build for at MailPerch.

1. Verify at the point of entry

The cheapest address to clean is the one you never let in. Validate every new signup in real time: check that the syntax is correct, that the domain actually exists and has a working mail server (an MX record), and that it is not a disposable or obviously fake address. Catching "gmial.com" the moment someone types it — and prompting them to fix it — prevents a bounce you would otherwise pay for forever.

2. Use confirmed opt-in for risky sources

For any signup source where quality is uncertain, send a single confirmation email with a link the subscriber must click to join. Yes, it costs you a few signups up front. In exchange, it guarantees the address is real, the inbox is monitored, and the person genuinely wants your mail. Those three things are the entire basis of deliverability.

3. Clean your existing list on a schedule

Run your full list through verification before any major send, and at minimum quarterly. A good verification pass sorts every address into clear buckets — valid, risky, invalid, unknown — and gives each a deliverability score. Remove the invalids. Treat "risky" addresses with caution (slow them down or exclude them from important sends). This single habit prevents the bounce spikes that wreck reputations.

4. Watch engagement and sunset the dead weight

Valid is not the same as engaged. Track who has opened or clicked in the last 90, 180, and 365 days. Subscribers who have gone completely silent for six months or more are a reputation liability even if their address still works, because mailing people who never engage teaches providers that your mail is unwanted. Build a sunset policy: after a defined period of total inactivity, either move them to a low-frequency segment or remove them entirely.

5. Try to win them back before you let them go

Before removing a disengaged subscriber, send a short re-engagement sequence: a friendly "we miss you — do you still want to hear from us?" with one clear call to action. Whoever clicks stays. Whoever ignores it confirms they are dead weight, and you remove them with confidence. This protects your reputation and respects the recipient.

6. Honor unsubscribes and bounces instantly and permanently

Every email must carry a working one-click unsubscribe, and opt-outs must be suppressed immediately and forever — never emailed again, on any list. The same goes for hard bounces and complaints: suppress them automatically the moment they happen. Suppression is not a courtesy; it is the legal floor (CAN-SPAM, GDPR, and similar laws) and the deliverability floor at the same time.

7. Authenticate your domain

None of the above matters if providers cannot confirm the mail is genuinely from you. Set up SPF, DKIM, and DMARC so your domain is authenticated and your reputation actually accrues to you rather than being lost or spoofed. (We cover exactly how in our authentication guide.)

How MailPerch is built around this

We designed MailPerch so that good hygiene is the default, not a chore you have to remember:

• List cleaning verifies every address — syntax, mail server, disposable and role detection — and gives each a 0–100 deliverability score, so you know exactly what to remove before you send.
• Verified opt-in at the door: signups captured through MailPerch pages and forms are validated as they come in, so dead and fake addresses are caught before they ever pollute your list.
• Automatic suppression of unsubscribes, hard bounces, and complaints — permanently, across your whole account — with one-click unsubscribe and the correct headers on every send.
• Reputation monitoring that watches your bounce and complaint rates and warns you (and can pause sending) before you approach the thresholds that get accounts suspended.

Back to all articles

SPF, DKIM, and DMARC: The Complete Guide to Email Authentication

If list hygiene decides who you mail, email authentication decides whether mailbox providers will even believe the mail is really from you. Without it, your carefully cleaned list and beautifully written newsletter can still land in spam — or be impersonated by someone else using your name. Authentication is the part of deliverability that feels intimidating because it lives in DNS records and acronyms, so this guide demystifies it completely.

By the end you will understand what SPF, DKIM, and DMARC each do, how they work together, why mailbox providers increasingly require them, and exactly how to set them up and verify them. Because at MailPerch we treat reputation and deliverability as the whole game, authentication is something we build in and guide you through rather than leave you to figure out alone.

Why authentication exists at all

Email was designed in a more trusting era. The original protocol lets anyone claim to be sending from any address — there is nothing in plain SMTP that stops a stranger from sending mail that says it is "From: you@yourcompany.com." That openness is what spammers and phishers exploit. Authentication is the layer the industry bolted on to answer one question: "Is this message genuinely authorized by the domain it claims to come from?"

Three standards answer that question from different angles. SPF checks the sending server. DKIM checks the message's integrity and signature. DMARC ties the two together, enforces a policy, and tells you what is happening. You need all three.

SPF — Sender Policy Framework

SPF lets you publish, in your domain's DNS, a list of the servers and services that are allowed to send email on your behalf. When a receiving server gets a message claiming to be from your domain, it looks up your SPF record and checks whether the server that actually sent it is on the approved list.

An SPF record is a single TXT record on your domain that looks something like this:

v=spf1 include:amazonses.com include:_spf.yourprovider.com ~all

Breaking that down:

• v=spf1 declares this as an SPF record.
• include: entries authorize specific sending services (for example, the infrastructure your emails are sent through).
• ~all is the policy for everything else: ~all means "soft fail" (treat other servers as suspicious), while -all means "hard fail" (reject outright). Most senders start at ~all and tighten later.

Two critical SPF rules trip people up:

1. You may only have one SPF record per domain. If you use multiple sending services, you merge their include: entries into a single record. A second SPF record invalidates both.
2. SPF has a 10-DNS-lookup limit. Each include: can trigger further lookups; exceed ten total and SPF breaks (a "permerror"). Keep your record lean.

SPF's weakness is that it validates the technical sending path, not the visible "From" address your recipient sees — and it breaks when mail is forwarded. That is exactly why SPF alone is not enough, and why DKIM and DMARC exist.

DKIM — DomainKeys Identified Mail

DKIM is the strongest of the three because it cryptographically proves two things: that the message genuinely came from your domain, and that it was not altered in transit. It works with public-key cryptography.

Here is the mechanism, step by step:

1. You (or your sending platform) generate a key pair — a private key and a public key.
2. The public key is published in your DNS as a TXT record at a special location called a selector, like selector._domainkey.yourdomain.com.
3. The private key stays secret on the sending side. When you send a message, it is used to generate a unique cryptographic signature over the message's headers and body. That signature is attached as a DKIM-Signature header.
4. The receiving server reads the signature, fetches your public key from DNS, and verifies the math. If it checks out, the server knows the message truly came from your domain and was not tampered with on the way.

Because DKIM signs the message itself rather than checking the server, it survives forwarding far better than SPF, and it is the foundation that DMARC alignment leans on most heavily. A correctly DKIM-signed email is one of the strongest trust signals you can send.

DMARC — the policy and reporting layer

SPF and DKIM each produce a pass or fail. DMARC is the standard that decides what to do with those results and, crucially, requires alignment — the domain that passes SPF or DKIM must match the domain in the visible "From" address. This is what stops a spammer from passing SPF on their own throwaway domain while displaying your name in the "From" line.

A DMARC record is a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

The key tag is the policy, p=:

• p=none — monitor only. Providers take no action but send you reports. This is where every domain should start.
• p=quarantine — send failing mail to spam.
• p=reject — block failing mail entirely. This is the end goal, and it is what fully protects your domain from being spoofed.

The rua= address receives aggregate reports — daily XML summaries of every source sending mail that claims to be your domain. These reports are how you discover misconfigurations and impersonation before you tighten your policy. The correct rollout is deliberate: start at p=none, read the reports until every legitimate sender is passing aligned SPF or DKIM, then move to quarantine, then to reject.

The 2024+ shift: authentication is now mandatory

This used to be optional best practice. It is not anymore. Gmail and Yahoo now require bulk senders to authenticate with SPF and DKIM, publish a DMARC policy, send from a properly configured domain, keep spam-complaint rates below 0.3% (and ideally under 0.1%), and include one-click unsubscribe. Senders who ignore these requirements are seeing their mail rejected or filtered en masse. If you are serious about reaching the inbox, full authentication is simply the cost of entry.

A quick word on BIMI

Once you have DMARC at quarantine or reject, you become eligible for BIMI (Brand Indicators for Message Identification) — the standard that displays your brand logo next to your emails in supporting inboxes. BIMI is a reward for doing authentication properly: it boosts recognition and trust, and it is impossible without a strong DMARC policy. Think of it as the visible payoff for the invisible work.

Setting it up, in order

1. Publish SPF. Add a single TXT record authorizing your sending infrastructure, ending in ~all.
2. Set up DKIM. Generate a key pair, publish the public key at your selector, and ensure your sending platform signs every message with the private key.
3. Publish DMARC at p=none with a rua reporting address. Watch the reports.
4. Verify alignment. Send test mail to accounts at Gmail, Outlook, and Yahoo and confirm SPF, DKIM, and DMARC all pass and align. Most providers let you view the authentication results directly in the message's "show original" / headers view.
5. Tighten gradually to quarantine and then reject once you are confident every legitimate source is aligned.

Troubleshooting the usual suspects

• SPF permerror: too many DNS lookups (over 10) or more than one SPF record. Consolidate.
• DKIM fails after forwarding lists modify the message: some mailing lists alter the body or headers, breaking the signature. DMARC alignment via DKIM is still your best bet; this is also why you keep p=none until you understand your mail streams.
• DMARC fails despite SPF/DKIM passing: almost always an alignment problem — the passing domain does not match the "From" domain. Check that you are signing and sending with your domain, not the platform's.
• DNS propagation: records can take anywhere from minutes to 48 hours to propagate. Do not panic if verification is not instant.

How MailPerch handles this for you

Authentication is exactly the kind of high-stakes, error-prone setup we built MailPerch to simplify. When you connect your own sending domain, MailPerch generates the DKIM key pair for you, gives you the precise SPF, DKIM, and DMARC records to paste into your DNS, and then verifies them live so you know the moment they are correct. From that point on, every message you send is DKIM-signed as your own domain — which is what earns the inbox and protects your name from being spoofed. You get the deliverability benefits of doing authentication properly without needing to become a DNS expert.

Back to all articles

How to Write Newsletters People Actually Open (and That Land in the Inbox)

You can have a perfectly clean list and flawless authentication and still fail — if the mail you send is mail people do not want to open. Engagement and deliverability are two sides of the same coin. Mailbox providers watch whether people open, read, reply to, and keep your messages, and they reward senders whose audiences clearly want to hear from them. So writing a great newsletter is not just a content skill; it is a deliverability strategy.

This guide covers the whole craft of permission-based email — from the moment someone joins your list to the subject line that earns the open to the cadence that keeps your reputation healthy. Throughout, the throughline is the thing MailPerch cares about most: protecting your sender reputation so your best subscribers reliably see your best work.

Rule 0: Permission is the whole foundation

Everything in this guide assumes one thing: the people you email actually asked to hear from you. Permission-based email — newsletters and broadcasts to subscribers who opted in through your forms, signed up as customers, or confirmed they want your updates — is the only kind of email that builds a durable channel. It is also the only kind reputable providers and infrastructure allow.

Permission is not a checkbox; it is an ongoing relationship. The clearer you are at signup about what people will receive and how often, the more they will open later — and the fewer will report you as spam. Set expectations honestly at the door and you have already won half the deliverability battle.

Rule 1: Earn the open with the subject line and sender name

The open happens in a fraction of a second, based on three things the reader sees in their inbox: who it is from, the subject line, and the preview (preheader) text. Get these right and everything downstream improves; get them wrong and your best content is never seen.

The "From" name

A recognizable, consistent sender name is one of the most underrated assets in email. People open mail from senders they recognize and trust. Use a real, stable name (a person, your brand, or "Person at Brand") — not a cryptic no-reply string. Consistency compounds: the more reliably your name appears, the more automatic the open becomes.

The subject line

Good subject lines are specific, honest, and curiosity-piquing without being clickbait. A few durable principles:

• Specific beats clever. "The 3 changes that cut our bounce rate in half" outperforms "You won't believe this."
• Front-load the value. Mobile inboxes truncate around 35–45 characters. Put the meaning first.
• Avoid the spam-filter tripwires. ALL CAPS, rows of exclamation marks, and "FREE!!! ACT NOW" patterns hurt both deliverability and trust.
• Never lie. A misleading subject buys one open and a lifetime of distrust — and distrust shows up as spam complaints, which is the single most damaging signal in email.

The preheader

The preview text is a second subject line and most senders waste it. Use it to extend the promise of the subject, not to repeat it. The subject and preheader should read like a one-two sentence that makes opening feel worth it.

Rule 2: Write for one reader, then segment so it is true

The best-performing emails read like they were written to a single person. The enemy of that feeling is the one-size-fits-all blast to your entire list. Segmentation is how you make "written just for you" actually true at scale — grouping subscribers by interest, behavior, signup source, or lifecycle stage and tailoring the message to each.

Segmentation is also a powerful deliverability tool. When you send relevant mail to people who care about it, open and click rates rise and complaints fall — and providers reward that with better inbox placement. Sending everything to everyone does the reverse: it trains your least-interested subscribers to ignore or report you, dragging down delivery for your most engaged ones.

Rule 3: Make the email easy to read and act on

Once opened, the email has seconds to deliver. Respect the reader's time:

• Lead with the point. Do not bury the value under three paragraphs of throat-clearing.
• Short paragraphs, real whitespace. Dense blocks of text get skimmed and abandoned.
• One primary call to action. Every email should want the reader to do exactly one thing. Multiple competing buttons split attention and lower clicks.
• Watch your link-to-text ratio. An email that is mostly links with little real content looks like spam to filters. Lead with substance.
• Design for mobile first. The majority of opens happen on phones. If it is not effortless to read on a small screen, it does not work.

A drag-and-drop email designer helps here, but restraint matters more than decoration: clean, scannable, single-purpose emails consistently beat busy ones.

Rule 4: Get the cadence right

Frequency is where many senders quietly destroy their reputation. Email too rarely and people forget they signed up — so when you finally appear, they report you as spam. Email too often without enough value and you exhaust goodwill and drive unsubscribes and complaints. The right cadence is the one you promised at signup and can sustain with genuine value every time.

Two practices keep cadence healthy:

• Be consistent. A predictable rhythm (weekly, biweekly, monthly) trains recipients to expect and welcome your mail, which lifts engagement.
• Warm up new sending gradually. If you are on a new domain or ramping volume, increase send size step by step rather than blasting your whole list on day one. Sudden spikes look suspicious to providers and can get you filtered before you have built any reputation.

Rule 5: Treat engagement as a deliverability feedback loop

Here is the connection that ties this whole blog together. Mailbox providers infer "wanted" from engagement. Opens, clicks, replies, and "move to inbox" actions are positive signals. Deletes-without-opening, "report spam," and total silence are negative signals. Your job is to systematically send more of what generates positive signals and stop sending what generates negative ones.

Concretely, that means:

• Mail your engaged subscribers more, your disengaged ones less. Your most active openers are your reputation's best friends; lean into them.
• Run re-engagement campaigns for subscribers going quiet, and remove the ones who never respond. (See our list-decay guide for the full sunset system.)
• Make unsubscribing easy. A frictionless one-click unsubscribe is not a loss — it is a recipient choosing to leave instead of reporting you as spam, which is far more damaging. Always prefer an unsubscribe to a complaint.
• Check your spam-score before you send. Catch shouting subjects, trigger words, image-heavy/text-light layouts, and missing unsubscribe links before they cost you placement.

Every send either builds or spends your reputation. Engaged audiences and relevant, well-crafted mail build it. Stale lists and irrelevant blasts spend it. There is no neutral send.

Rule 6: Measure what actually matters

Vanity metrics mislead. Track the numbers that reflect real health: deliverability (are you reaching the inbox, not just "sent"?), engagement rate among recent subscribers, complaint rate (stay far below 0.1%), bounce rate, and unsubscribe rate relative to complaints. A rising unsubscribe rate paired with a falling complaint rate can actually be good — it means dissatisfied people are leaving cleanly instead of reporting you. Read your metrics as a system, not in isolation.

Putting it together with MailPerch

MailPerch is built for exactly this kind of permission-based, reputation-first email marketing:

• Pages & funnels capture opted-in subscribers, with verification at the door so your list starts clean.
• Segments let you write for one reader and have it be true, targeting the right people with the right message.
• The email designer makes clean, mobile-ready, single-purpose emails without code.
• A spam-score check grades your subject and content before you send, so you fix deliverability risks in advance.
• Automatic unsubscribe, bounce, and complaint handling keeps your reputation protected on every single send.
• Analytics show open and click rates, growth, and deliverability so you can run the engagement feedback loop deliberately.

Write to people who want to hear from you, make every email worth their time, and let the system keep your reputation spotless. That is how newsletters get opened — and how they keep landing in the inbox.

Back to all articles