In 2024, providers ran two checks on every email — technical authentication and basic sender reputation. In 2026 they run four.
Passing the first two is the minimum to get into the game, and passing all four is what actually lands you in Primary. I see this every single day on customer audit calls. A team tells me everything is broken, we dig into it together, and the breadcrumb trail almost always leads to one of the last two checks, not the first two.
The four checks below run in order. An inbox has to pass every single one, on every single send.
CHECK 1: Technical Authentication
Providers start by validating that you're authorised to send. SPF, DKIM and DMARC have to be configured correctly on every sending domain. You have to be on official Google Workspace or Microsoft 365 accounts, not SMTP wrappers dressed up as the real thing. Your DNS has to be clean with no legacy records pointing at dead providers, and your reverse DNS and MX records have to be aligned.
If you fail this check, the email is flagged before the subject line is even parsed. This is table stakes. Getting it right doesn't make you special. Getting it wrong disqualifies you from everything that follows.
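A minimal offline audit of the SPF and DMARC parts of Check 1, added here as an example and not taken from any provider's or vendor's tooling. The TXT records, the domain and the `CURRENT_INCLUDES` allow-list are constructed assumptions; DKIM, reverse DNS and MX checks are not covered.

```python
import re

# Constructed TXT records for a placeholder domain; not real DNS data.
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 include:_spf.google.com include:old-esp.example.net ~all",
        "v=spf1 ip4:203.0.113.10 +all",
        "google-site-verification=constructed",
    ],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
# Assumption: the operator lists the providers that still send for the domain.
CURRENT_INCLUDES = {"_spf.google.com"}
# Terms that cost a DNS lookup (RFC 7208 section 4.6.4, limit of 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(txt_records, current_includes):
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records (receivers return permerror)")
    for record in spf:
        lookups = 0  # this record's own terms only; nested includes add more
        for term in record.split()[1:]:
            qualifier = term[0] if term[0] in "+-~?" else "+"
            bare = term.lstrip("+-~?").lower()
            name = re.split(r"[:=/]", bare, maxsplit=1)[0]
            lookups += name in LOOKUP_TERMS
            target = bare.partition(":")[2]
            if name == "include" and target not in current_includes:
                findings.append(f"include not in current provider list: {target}")
            if name == "all" and qualifier == "+":
                findings.append("'all' passes every sender")
        if lookups > 10:
            findings.append("more than 10 DNS-lookup terms (permerror)")
    return findings

def audit_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return [f"expected exactly one DMARC record, found {len(dmarc)}"]
    parts = (p.partition("=") for p in dmarc[0].split(";") if p.strip())
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in parts}
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        return ["missing or invalid p= tag"]
    return ["p=none: monitoring only, not enforced"] if tags["p"] == "none" else []

def audit_domain(domain, txt):
    return (audit_spf(txt.get(domain, []), CURRENT_INCLUDES)
            + audit_dmarc(txt.get(f"_dmarc.{domain}", [])))
```

Calling `audit_domain("example.com", SAMPLE_TXT)` returns the findings for the constructed records; to audit a real domain, fill the dictionary from a TXT lookup of the domain and of its `_dmarc` subdomain.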
CHECK 2: AI Pattern Matching
Providers now run AI models trained on phishing and malware databases against the content of your email. This is statistical pattern analysis, not a human reading your copy. If your email structure, link pattern, or content fingerprint looks similar enough to known threat patterns, you get filtered regardless of your domain reputation.
This is the check most people don't even know exists.
Four things typically trigger it. Elaborate hooks and engineered openings that don't read like a real person wrote them. Links in the first email, especially Calendly or case study links. A content footprint that matches patterns already in the threat database. And templates that look structurally identical in thousands of inboxes across the industry.
The fix for Check 2 is straightforward. Write the first email for clarity above all else. Keep it completely link-free. Make it read like a normal email from a real person, because that's exactly what the model is looking for.
CHECK 3: Behavioural Fingerprinting
This is the big one most teams get wrong. Every inbox gets a behavioural profile assigned to it, and not just at the domain or IP level. The profile tracks the specific inbox itself, watching sending windows (what hours you send during), volume per day and how it ramps, template structure consistency, reply engagement patterns, bounce rates, and unsubscribe signals.
Two inboxes with identical technical setups get evaluated completely differently based on this fingerprint. Too much behavioural consistency across your accounts becomes a signal on its own. Thirty inboxes all sending during the same hours, following the same ramp shape, using the same template structure, all of that reads as automated, and provider detection has got much better at identifying it.
CHECK 4: Sender History
Established history is one of the strongest signals that a sender is legitimate. Brand new inboxes with no history that suddenly send 100+ emails get crushed. Inboxes with months of consistent real sending behaviour behind them get trusted.
This is why the 8-12 month lifespans are possible on our infrastructure. Not because we've found some magic bypass, but because the inboxes have enough history behind them for the AI layer to keep giving them the benefit of the doubt on every send.
THE CHECK PRIORITY MATRIX
Use this to diagnose any deliverability problem you're hitting right now.
| Symptom | Most Likely Failed Check |
|---|---|
| Bounce rates above threshold | Check 1, Technical Authentication |
| Emails landing in Promotions or Spam immediately | Check 2, AI Pattern Matching |
| Reply rates dropping after 2-3 weeks of sending | Check 3, Behavioural Fingerprinting |
| Reply rates dropping after 4+ months on the same domain | Check 4, Sender History |