The hidden email crisis that costs companies billions

This article was featured in the Think newsletter. Get it in your inbox.

Radek Kaczyński was waiting for an email. It should have arrived; he’d sent it to himself minutes ago. But it still hadn’t made it to his inbox.

Kaczyński is an expert at getting email into inboxes. He’s the CEO of Bouncer, a startup that manages mailing lists for thousands of business customers. Like its clients, Bouncer relies on email campaigns for much of its sales. But the company was going through an unexpected rough patch. During the lead-up to Cyber Week, its busiest time of year, Bouncer had run its largest-ever email sales campaign. But revenue had mysteriously flatlined. 

This put a lot of pressure on Bouncer’s next campaign. So Kaczyński was not encouraged when he finally found his test email in the worst place imaginable: his spam folder.

As Kaczyński dug into the data, he discovered why the last campaign had failed and confirmed his marketing team’s suspicions: for months, thousands of Bouncer’s marketing emails, the backbone of its communication strategy, had landed in clients’ spam folders.  

“We have this Polish saying, that the shoemaker walks in shoes with holes,” Kaczyński told IBM Think in an interview. If this could happen to Bouncer—a company that helps clients stay out of spam folders—it could happen to anyone. And indeed, it does: in the US alone, undelivered emails may account for USD 60 billion in potential losses each year, while one in six legitimate marketing emails never make it to recipients’ inboxes. Even when senders follow all the rules, they can end up in spam. And once they’re there, getting out can be a nightmare.   

That’s because maintaining strong deliverability—mastering the opaque algorithms, filters and technical standards that determine which emails land in our inboxes—is more of an art than a science. Google has different rules than Yahoo or Microsoft, and each provider’s policies can change with little warning. Domain blocklists hosted by independent activists can tank a sender’s deliverability overnight. And when desperate companies search for solutions, gray market address lists, pay-to-play schemes and other snake oil strategies can drown out legitimate advice.

The problem is tough enough for companies like Bouncer to troubleshoot; it’s much harder for organizations outside the email industry, who rarely have the resources to respond. For Issa Diao, cofounder of the freelancer payment platform OutVoice, it was Kafkaesque. Last year, OutVoice acquired Study Hall, a newsletter that shares journalism opportunities with some 50,000 subscribers (this reporter among them). A few months after the purchase, Diao watched in horror as the newsletter’s open rate crashed from around 80% to 10%. Not only were its emails landing in spam; some were accompanied by phishing alerts. OutVoice’s four employees had no idea where to turn for help. “Everyone would just ask me, ‘What can we do?’” Diao said. “And I would say, ‘I don’t know.’” His only option, as far as he was aware, was “filling out a Google form and literally just screaming into the void.”

OutVoice’s predicament is becoming more common. The number of emails flagged as spam nearly doubled between Q1 and Q4 2024, according to a report by data integrity platform Validity. And in a 2024 survey by Mailgun, 48% of senders said they struggle to stay out of spam. Meanwhile, email providers keep ratcheting up the pressure: this April, Microsoft Outlook issued new requirements for large senders to avoid the “Junk” folder. And just last month, Gmail, which serves three-quarters of American email users, announced it was “ramping up its enforcement on non-compliant traffic,” potentially relegating a new wave of well-meaning organizations to recipients’ spam folders. 

Everyone wants less spam. But IT leaders, marketers and small business owners say they’re getting caught in the crossfire. As a company’s emails languish in spam, sales teams lose leads, marketers miss ROI targets and newsletters watch their engagement evaporate. Employees might even struggle to get their private emails to land in colleagues’ inboxes.

Given this backdrop, Kaczyński knew Bouncer needed to move fast, or risk enduring another painful holiday season. With the reputation of his business on the line, and with Black Friday 2025 already looming, Kaczyński and his team started searching for answers. Before they could repair their poor deliverability, they needed to nail down the cause.

From the days of dial-up to the AI era, one corner of the internet has remained remarkably reliable: the humble inbox. An estimated 376 billion emails are sent to some 4.6 billion people each day. Supposed email killers, including instant messaging apps, project management platforms and chatbots, have hardly made a dent in the technology’s dominance, even among tech-savvy IT leaders: nearly half say they still rely on email more than any other channel for both internal and external communication. 

But this reliability is hard-won. A war against spammers has raged for decades. 

In the early 2000s, an email inbox was a dangerous place. In a 2003 Pew poll, respondents described a barrage of stomach-turning links and pictures. “It was just this cacophony of eye-blisteringly horrible imagery,” Al Iverson, editor of the influential Spam Resource blog since 2001, told IBM Think in an interview.

Iverson and his contemporaries fought back by creating some of the first anti-spam repositories (lists of compromised servers and their corresponding IP addresses), which they used to silence the most egregious spammers. These informal, volunteer-operated lists gradually evolved into established organizations, most notably Spamhaus, which today claims to protect some 4.5 billion inboxes. But as anti-spam algorithms grew more sophisticated, the lines between well-intentioned senders and malicious spammers started to blur.

Founded in 1998, Spamhaus uses real-time data and a global network of volunteers to spot bad actors, using techniques such as spam traps—email addresses that, if added to a sender’s subscriber list, suggest the sender purchased them or obtained them without permission. In just the past few years, the organization has helped both the FBI and Europol respond to cyberthreats, further cementing its reputation. Spamhaus’ blocklists are so comprehensive that Apple, Microsoft and Yahoo (which, along with Gmail, dominate the US market) are thought to incorporate them into their own anti-spam filters, according to Iverson. This means that inclusion on one of Spamhaus’ lists can spell doom for senders, making inbox placement all but impossible.

Cybercriminals, unsurprisingly, want Spamhaus dismantled. But even legitimate critics, such as the researchers behind a 2021 analysis, have argued that open source blocklists including Spamhaus can act as blunt tools, punishing well-intentioned senders alongside malicious ones. Dozens of Trust Pilot reviews bear this out, with one reviewer claiming in July that Spamhaus had singlehandedly “destroyed the work I’ve done over the past eight years and discredited 30 of my domains.” In a 2025 paper, meanwhile, researchers managed to trick Spamhaus into listing a legitimate mail server by sending just three emails to the spam traps it monitors.

For its part, Spamhaus gives companies the chance to appeal its decisions and offers resources to help organizations improve their standing. It also boasts a false-positive rate of 0.02%—a figure that, while difficult to independently verify, would be exceptionally low considering the volume of spam that passes through modern mail servers. Iverson said that, while imperfect, the organization plays a key role in ensuring that our inboxes remain usable and relatively free of junk. 

But there are dozens of lesser-known blocklists on the web, and at least a few of them have come to resemble the unsavory senders they claim to combat. Repositories might add IP addresses arbitrarily, then demand ransom fees for prioritized de-listing. For example, the UCEPROTECT Network in Switzerland charges fees of 89-449 CHF (roughly USD 110-557) for each IP address a sender wants fast-tracked. Cybersecurity companies like Suped and TitanHQ argue that these tactics erode the legitimacy of good-faith anti-spam organizations. While few major mailbox providers are thought to use UCEPROTECT to help filter emails, the prospect of a quick fix can be enough to lure vulnerable senders. 

Alongside independent blocklists, major email providers have started using their own machine learning-powered filters, which often draw on vast collections of proprietary data. In 2023, for example, Google introduced a new text vectorizer that can catch hidden characters and text manipulations, boosting its spam detection rate by 38% compared to previous models. But these systems aren’t foolproof. Earlier this year, Microsoft’s Exchange Online flagged many emails from Gmail as spam, while in 2024, Gmail accidentally blocked some Outlook addresses.

Senders are largely at the mercy of spam filters, and they have few mechanisms to monitor their own domain health. Gmail and Yahoo’s algorithms are intentionally opaque so that it’s harder for spammers to exploit them. But as Bouncer and OutVoice learned, this also makes it harder for legitimate senders to get out of “spam jail.”

Efforts to improve transparency have been a mixed bag. In one major win for senders, Yahoo’s Sender Hub, which helps organizations track their campaign performance, announced in October that it would start displaying spam and delivered message rates, two key deliverability signals. But Gmail’s equivalent, Google Postmaster, recently stopped sharing domain and IP reputation (possibly to protect itself from claims that it uses politically biased spam filters), taking away one of the primary tools that organizations use to track their email health.

Google lets bulk senders fill out a form to ask for a second chance, and other email platforms have similar appeal processes. Beyond that, organizations are left to troubleshoot deliverability problems on their own. Forums abound with posts from bewildered marketers and IT staffers trying to piece together what landed them in spam—and how to get back on providers’ good sides. Some unfortunate souls are still waiting for a reply, more than a year later. 

Last December, while most companies were winding down for the holidays, the Bouncer team was busy hatching a plan. They began by retracing their steps, analyzing their emailing behavior in the months leading up to the deliverability struggles. A few clues started to emerge. 

The first problem was not sending enough email. Earlier that year, the company had switched to a new customer relationship management (CRM) platform. By the summer, they were so busy integrating the new system that they didn’t have the bandwidth to send emails at their usual frequency. Then, in September 2024, Bouncer ramped up sending to promote their blockbuster holiday sale—the one they’d pinned their Q4 revenue on. “We started to send to everyone because we really wanted them to take advantage of something that was extraordinary in our niche,” Kaczyński said.

Anti-spam algorithms look for consistency, so the sudden shift could have been enough to raise mailbox providers’ suspicions. Meanwhile, judging by a small but noticeable rise in spam reports, some subscribers who hadn’t heard from Bouncer since its summer slowdown didn’t recognize its emails and had flagged them as spam. 

Lastly, said Kaczyński, because Bouncer was using a new CRM, it had sent the new holiday emails from a fresh batch of IP addresses, ones that mailbox services didn’t recognize. This added to the impression that Bouncer was up to something nefarious. 

There was a simple explanation for all of this: integrating a new CRM platform proved tougher than Bouncer had imagined. But anti-spam algorithms couldn’t account for these misalignments.

As an email verification service, Bouncer had a head start in its detective work. Companies outside the space often have a much harder time diagnosing their spam problems. OutVoice, the payment platform, struggled for three or four months without ever identifying what went wrong. Cofounder Diao had some theories: perhaps plugging a partner’s contest or experimenting with affiliate marketing links had been Study Hall’s downfall. “But honestly, we have no way of knowing,” Diao said. “We just kind of have to guess.” 

Diao gave himself a crash course in deliverability. But he says most of the solutions he’d read about—like temporarily switching to an alternative, pre-configured domain—would have required a ludicrous amount of pre-planning.

He filled out an appeal form with Google but said he never got a clear response. (Google didn’t respond to a request for comment.) He needed just a minute or two with a human—any reasonable person could see that Study Hall was a reliable and trustworthy sender with a good track record, he said—but there was no one to talk to about his company’s predicament. 

Some subscribers, who hadn’t heard from Study Hall in weeks, likely assumed that the newsletter had been compromised, or that it had shut down altogether. In each of its sends, Study Hall asked subscribers to mark its emails as safe, hoping that anti-spam algorithms would realize they’d made a mistake. But because few emails were making it to readers’ inboxes, many subscribers literally never got the memo. 

Bouncer had gotten trapped in a similar feedback loop: the more a sender lands in spam, the harder it is to escape. After all, when subscribers can’t see their mail, they can’t open or click on it. Providers’ algorithms interpret this as further proof that subscribers aren’t interested anymore. “In the disaster recovery phase,” said Kaczyński, “you don’t know whether [subscribers] are not engaged because they don’t resonate with us and our business, and they don’t need our services anymore—or because we’re landing in spam, so they’re not able to see our emails.” 

While Bouncer now knew the likely cause of its problems—a perfect storm of technical changes and sending strategies that resulted in fewer readers opening and clicking on its mail—it needed to revamp its sending strategy before the next holiday season. Kaczyński knew deliverability isn’t something you can fix overnight. It was time to call in backup.

As black-box spam algorithms grow more impenetrable, the once-obscure deliverability industry has exploded, with the market for deliverability tools alone expected to reach USD 1.9 billion by 2030. Andrew Bonar, the cofounder of several major deliverability summits across the UK and Europe, recalls a time 20 years ago when he and only a handful of others specialized in deliverability. That’s no longer the case: “Everyone is a deliverability expert these days,” Bonar told IBM Think. 

But for all the deliverability influencers now dotting LinkedIn, it can be surprisingly difficult to separate gimmicks from sensible advice. So-called “warmup services,” for example, promise to simulate sends and opens, complete with realistic replies from fake subscribers, to convince mailbox providers’ algorithms that a sender’s emails are frequently opened and read. Other platforms sell “verified” email lists—such as a list of supposed Fortune 500 CEOs’ email addresses—to give senders an instant subscriber boost. 

These dubious tactics might yield short-term success, but they’re often a fast track to readers’ spam folders (and potential legal trouble), especially as algorithms become more discerning, according to industry leaders like Kickbox and Validity. Industry veteran Iverson advises focusing instead on a few basic principles, including technical health, content and engagement. 

To improve their technical health, senders can use three cryptographic techniques that help mailbox providers verify their identity. Sender policy framework (SPF) checks that a sender’s IP address matches a pre-approved list of servers. DomainKeys identified mail (DKIM) is a digital signature that authorizes that an email came from a particular domain. Finally, domain-based message authentication, reporting and conformance (DMARC) tells receiving servers how to respond if SPF or DKIM records can’t be verified. Organizations publish all three records in their DNS system to help protect against phishing, spoofing and spam. 

Deliverability problems can arise when mailbox providers are unable to access or verify these records—for example, if a sender forgets to update them after a major rollout. Incomplete DNS records can also expose organizations to email-based hacks and phishing schemes. According to a 2025 Exclaimer report, only a third of organizations have implemented SPF, DKIM and DMARC, even though Google, Yahoo and Microsoft now require it for bulk senders. Adoption is rising, though, as some organizations embrace automated, AI-powered DNS maintenance tools, which can reduce the risk of misalignments.

Domains matter too. Email service providers like Beehiiv, SendGrid and Mailchimp generally kick out bad actors, and many let clients customize their own subdomain, or even create a standalone domain, to isolate their reputation from other clients. But as media journalist Simon Owens recently pointed out, creators who send newsletters through a shared domain—like the “patreon.com” address used for Patreon newsletters—risk inadvertently influencing each other’s deliverability, with malicious senders potentially hurting the entire network’s reputation.

Content problems—for example, using “free” in a subject line, or adding too many high-res photos, links or emojis—can hurt deliverability, but to a lesser extent than in email’s early days, said Yanna-Torry Aspraki, a deliverability specialist who has worked with Bouncer, in an interview with IBM Think. Instead, engagement—measured through open rates, unsubscribes and clicks—now plays arguably the biggest role in determining which senders get premium inbox placement. In some ways, our inboxes have come to resemble a social media feed, where the emails we want to see rise to the top, and those we never read are hidden away.

Thanks to the dominance of engagement-focused algorithms, it can feel harder than ever to master anti-spam filters, Aspraki said. Instead of simply tweaking a subject line or removing some links, organizations now must ask fundamental questions about whether readers want their emails, whether they’re targeting the right audience and why certain messages aren’t resonating. This, Aspraki said, helps explain why industries historically associated with spam, like casinos and sports betting platforms, often have rock-solid deliverability today: they’re especially good at getting subscribers to open their mail, and engagement-based algorithms reward them accordingly.

Advanced deliverability tactics (depending on the sender) include regularly retiring inactive subscribers, segmenting readers by both interest and engagement level, incorporating interactive elements (such as a survey or poll) to boost engagement and sending on a consistent basis, so recipients and email providers know what to expect. Prompting new subscribers to confirm their subscription and including an easy-to-use opt-out button can also improve deliverability.

But Clinton Wilmott, a Senior Email Marketing Manager at the domain repository Namecheap, said that for larger organizations like his, these strategies are only effective if upper management is on board. In 2020, Wilmott said, he managed to boost Namecheap’s annual email marketing revenue by 70% using some of the techniques mentioned above. The biggest hurdle wasn’t technical limitations, budget or a lack of knowledge. It was convincing executives that making these changes was the right move.

For instance, higher-ups tend to believe that more emails lead to more sales. But past a point, sending at higher frequencies can make deliverability worse, by driving readers to unsubscribe. “A lot of the leadership, they [are] very skeptical,” Wilmott said. “They also, in many cases, believe they have an understanding of email because they can send an email. It’s like, ‘Yeah, I can send an email to my mom, so I know all about it. It’s easy.’”

But there’s a code that even Wilmott can’t always crack. Once you land in spam, there’s no one-size-fits-all solution for getting out. Email platforms are constantly reworking and fine-tuning their filters to keep up with the latest spamming schemes, so what works one day might be ineffective the next. “They don’t teach this stuff in school,” Wilmott told IBM Think in an interview. “It’s like trial and error trying to figure these things out.” 

Around the start of the new year, Kaczyński convened a meeting with his colleagues. They knew how they’d fallen out of client inboxes, but not how to get back in. With another holiday season over the horizon, Kaczyński’s team agreed it was time to ask a third-party deliverability agency for help. The agency performed an audit, then recommended some tough but necessary changes.

Bouncer would need to turn loose subscribers who had stopped engaging. They would create separate subdomains for marketing, transactional and corporate emails so that spam issues in one communication channel couldn’t cascade to others. And instead of blasting out mass emails, they would drip-feed non-time-sensitive sends across multiple days.

Within two or three weeks, the company was able to start communicating with its audience again, and after a few months, it was back to sending at its usual volume. The real test would come in the leadup to Black Friday 2025, when it finally had a chance to recover the sales it had missed out on the previous year.

OutVoice, on the other hand, never got the closure it had hoped for. Instead, like many organizations facing deliverability issues, the company simply weathered the storm and waited for anti-spam algorithms to move on to another unsuspecting victim. 

After a few months, Study Hall miraculously began appearing in subscribers’ inboxes again—without the phishing warnings that had haunted its previous sends. Diao was relieved that subscribers had stuck around through the rough patch, but he felt unsatisfied with how the process had unfolded. “I’m hoping it doesn’t happen again,” he said. “I don’t know that we’re any more prepared for it than we were before.”

Diao understands that mailbox providers err on the side of caution because they want to protect their users from harm. But he thinks there should be more mechanisms for well-intentioned companies to talk to those services during deliverability emergencies. Ideally, he said, senders would have more avenues—a helpline, for example—to make their case and compel mailbox providers to listen. “If they had the power to just destroy businesses like that, there should really be an appeals process that happens quickly,” he said. 

Still, separating well-meaning senders from bad actors is complicated, Iverson said. Independent anti-spam blocklists and email giants alike are struggling to keep up with spammers, who increasingly use AI and other emerging technologies to evade algorithms. While anti-spam filters sometimes overcorrect and block well-intentioned senders, the alternative might be a return to the early 2000s, when inboxes were flooded with junk. “It does take a lot of work to keep email usable as a good communication ecosystem,” he said. “Even though you can’t see the underside of the duck, there is furious paddling happening to keep this ecosystem working.”

Besides, anti-spam filters might be the wakeup call some organizations need to rethink their sending strategy. “Sometimes I find that they’ve actually done you a service by ringing the alarm,” said Bonar, the deliverability summit cofounder. “Each of those spam complaints or unsubscribes, because you’re doing something wrong, is actually cutting into your bottom line.”

In the crucial weeks ahead of this year’s holiday season, Kaczyński’s spam folder remained refreshingly empty. After cutting its subscriber list by almost half and promoting a sale nearly identical to last year’s—and with the holiday season only half over—the startup had already registered 35% year-over-year growth, compared to 5% the year before. All told, it took nearly a year of scrappy experimentation to get back on track.

“In 2024, we just missed the wave,” Kaczyński said. It’s a completely different picture this time. “All the knowledge, experience, safeguards and routines that we have right now, plus really good, stable base deliverability, will let us ride the wave during the busiest time of the year.”