Why are emails sent via an HR system connected to Gmail landing in spam despite authentication passing?

Key findings

• Authentication passing: The primary issue is not with failed SPF, DKIM, or DMARC checks, as these are reported to be passing.
• System-specific issue: Emails sent directly by the recruiter are delivered successfully, while those sent through the HR system result in spam placement. This points to how the HR system processes or originates the email.
• Recipient domain sensitivity: The problem is primarily observed with Microsoft domains, suggesting specific filtering rules or reputation thresholds employed by Outlook.com or Microsoft 365. This is common, as Microsoft's filters are known to be quite stringent.
• IP reputation: The IP address used by the HR system's underlying infrastructure (e.g., AWS EC2 with generic rDNS) might have a poor reputation, even if Google's own sending IPs are clean. Poor IP reputation is a common reason for legitimate emails being flagged as spam, irrespective of authentication passing.
• Domain reputation history: A history of sending large volumes of emails from the primary domain, even if in the past, could still negatively impact its current sending reputation with major mail services.

Key considerations

• Investigate HR system's email practices: Understand how the HR system is configured to send emails via Gmail. Does it use a shared IP pool from a cloud provider (like AWS) that may have a poor default rDNS or a history of misuse?
• Content analysis: Examine the content of emails sent through the HR system. While no weird characters were noted, generic phrases, excessive links, or embedded tracking might contribute to spam flagging. Reviewing the content is a critical step in troubleshooting spam placement, as discussed in our guide on troubleshooting Gmail emails landing in spam despite passing authentication.
• IP and domain reputation monitoring: Regularly check the sending IP and domain against public blocklists and monitor your domain's reputation with services like Google Postmaster Tools. A single blocklist (or blacklist) listing, such as SORBS, might not be solely responsible but indicates broader reputation concerns. You can find more information about this type of issue, for example, on Quora.
• Shared IP versus individual recruiter IPs: The difference in deliverability between individual recruiter emails and system-sent emails using generic addresses suggests the HR system might be routing through different, less reputable IP addresses. If you're experiencing issues with personal emails going to spam from a custom domain, our related article provides solutions and troubleshooting steps.

Key opinions

• Initial checks: The first step should always be to review email headers to confirm that SPF, DKIM, and DMARC authentication are passing correctly. If they are, the problem lies elsewhere.
• Content matters: Content, including unusual characters, shared links (especially shortened ones like bit.ly), and generic phrasing, can trigger spam filters, even for legitimate emails.
• Shared IP reputation: If the HR system routes emails through shared IPs (common with cloud providers or certain email service providers), those IPs might have a poor reputation due to other senders' activities, impacting your deliverability.
• Sender behavior: Differences in sending patterns between individual recruiters and the automated HR system (e.g., volume, frequency, recipient engagement) could contribute to inconsistent spam placement.

Key considerations

• Header comparison: Carefully compare the full email headers of messages that land in the inbox versus those that go to spam. Look for subtle differences in routing paths, originating IPs, or added headers by the HR system.
• HR vendor responsibility: If the HR system is a third-party vendor, they may need to address their email sending configuration, especially regarding their IP reputation or how they handle sender identity. They might be collateral damage if they're using shared infrastructure with poor sending practices.
• Subdomain strategy: Consider if emails from the HR system could be sent from a dedicated subdomain (e.g., hr.yourdomain.com) to isolate its sending reputation from your main domain. For issues with deliverability to Gmail specifically, check our guide on why emails to Gmail experience delays and spam issues.
• Internal policies: Ensure that your IT team has strict policies on how third-party applications can connect and send emails through your G Suite account to prevent unauthorized or reputation-damaging sending.

Key opinions

• Generic rDNS: Sending emails from IPs with generic rDNS, especially those associated with cloud providers like AWS (e.g., *.compute.amazonaws.com), is highly problematic. Such IPs are often associated with spam and are likely to have a poor reputation.
• Outbound configuration: The way the HR provider configures its outbound mail, including setting up proper rDNS for its compute servers and ensuring the EHLO value matches, is critical for establishing trust with receiving mail servers.
• Google's IP handling: While Google switches around its sending IPs for internal mail, third-party services connecting to Gmail for SMTP relay might use IPs that Google itself does not manage or validate in the same way, leading to distinct reputation issues for those IPs.
• Blocklist indicators: A blocklist (or blacklist) listing, even on a less influential one like SORBS, is an indicator of past or ongoing issues, signaling broader reputation concerns that major mailbox providers will consider.

Key considerations

• Vendor collaboration: It is essential to engage with the HR system vendor to ensure their outbound mail configuration is optimized for deliverability, specifically regarding rDNS and EHLO settings. This is often the most direct path to resolution.
• IP and domain trust: Even with passing SPF, DKIM, and DMARC, a lack of trust in the sending IP or domain (due to poor rDNS, shared IP history, or past sending practices) can lead to spam placement. Building a strong email domain reputation is a continuous effort.
• Content and infrastructure alignment: Ensure that the content being sent aligns with typical conversational emails, and that the underlying infrastructure supporting the HR system (if it's a dedicated setup) is properly configured with appropriate reverse DNS records. For more on core authentication, refer to a simple guide to DMARC, SPF, and DKIM.
• Long-term reputation: Even if past problematic sending practices from your TLD occurred 12 months ago, the reputation hit can linger. It's a long road to recovery, and persistent monitoring is necessary, as discussed by experts on Word to the Wise.

Key findings

• Authentication as a prerequisite: Documentation consistently states that proper SPF, DKIM, and DMARC alignment are essential for legitimate email delivery. However, passing these checks does not automatically ensure inbox placement; it only verifies sender authenticity.
• IP and domain reputation: Mailbox providers heavily weigh the sending IP and domain reputation. Generic rDNS or IPs associated with known spam sources can lead to immediate filtering, regardless of authentication.
• Content quality: Spam filters analyze email content for indicators of suspicious activity, including certain keywords, formatting, image-to-text ratios, and URL shorteners. Content that resembles phishing or bulk mail can be flagged.
• Sender practices: Consistent sending volume, low complaint rates, and engagement from recipients are crucial for maintaining a positive sender reputation. Abrupt changes or high bounce rates can negatively impact deliverability.
• Feedback loops: Many providers offer feedback loops to inform senders when recipients mark their emails as spam. Monitoring these signals is vital for identifying and correcting problematic sending behavior.

Key considerations

• Proper rDNS configuration: For any server sending email, it is critical to have reverse DNS records that match the EHLO/HELO greeting. Generic rDNS is a strong indicator of potentially problematic mail, as detailed in various SMTP best practices guides.
• Dedicated sending infrastructure: For critical transactional emails, using dedicated IPs and subdomains can help isolate their reputation from bulk or marketing sends, minimizing the risk of shared IP issues.
• Adherence to provider guidelines: Always consult the specific postmaster guidelines for major mailbox providers (e.g., Gmail, Outlook.com). They often provide insights into their filtering criteria. For example, understanding Outlook's new sender requirements is crucial for Microsoft deliverability.
• Monitoring delivery status: While authentication passes, you should investigate message delivery status (e.g., X-Microsoft-Antispam headers or similar) within the email itself to understand why it was marked as spam. Hidden factors like Microsoft's SPF DNS timeout can contribute to deliverability issues.