To stop password reset emails from landing in spam, you need to combine three things: technical authentication, content discipline and a sending reputation that mailbox providers actually trust. Each layer counts — skipping one is usually enough to ruin delivery.
Layer 1: authenticate every send
- SPF — lists the IPs allowed to send for your domain.
- DKIM — cryptographically signs each message.
- DMARC — tells receivers what to do with mail that fails the first two and reports back.
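The three records above can be linted before a reset email is ever sent. The sketch below is an added example, not code from this page: it audits TXT records supplied as a dictionary, so it runs offline. The domain example.com, the selector "s1" and every record value are constructed placeholders.

```python
# Constructed sample records; example.com and selector "s1" are placeholders.
GOOD_ZONE = {
    "mail.example.com": ["v=spf1 ip4:192.0.2.10 -all"],
    "s1._domainkey.mail.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B"],  # key truncated
    "_dmarc.mail.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
}
WEAK_ZONE = {
    "example.com": ["v=spf1 include:_spf.example.net +all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p="],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}

def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM, DMARC) into a dict of lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(zone, domain, selector):
    """Return findings for one sending domain; an empty list means no issue found."""
    findings = []
    spf = [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    else:
        terms = spf[0].split()[1:]
        all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
        if all_term is None:
            findings.append("SPF: no terminating 'all' mechanism")
        elif all_term[0] not in "-~":
            findings.append(f"SPF: '{all_term}' does not fail unlisted senders")
    dkim = [parse_tags(r) for r in zone.get(f"{selector}._domainkey.{domain}", [])]
    if not dkim:
        findings.append(f"DKIM: no key record for selector {selector}")
    elif not dkim[0].get("p"):
        findings.append("DKIM: empty p= tag means the key is revoked")
    # Assumption: only the exact domain is checked, with no fallback to a parent domain's record.
    dmarc = [parse_tags(r) for r in zone.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(f"DMARC: no record at _dmarc.{domain}")
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: policy is '{policy or 'missing'}', failures are not quarantined or rejected")
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua= address, so no aggregate reports come back")
    return findings
```

Calling audit(WEAK_ZONE, "example.com", "s1") returns four findings, one for SPF, one for DKIM and two for DMARC.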
Layer 2: the email itself
- Send from your real domain (e.g. [email protected]), never a generic shared one.
- Subject: clear, brand-anchored, no clickbait. "Reset your <product> password" works.
- One main CTA, link visible above the fold.
- Avoid attachments, hidden text, excessive images.
- Mention link expiry and an "if you didn’t request this" line.
Layer 3: keep your reputation clean
- Send transactional and marketing mail from separate subdomains so a marketing complaint can’t hurt critical messages.
- Validate emails at signup — bounces erode reputation fast.
- Watch Postmaster Tools and SNDS for warnings.
- Throttle abuse but don’t throttle real users.
Authenticate your sender now
Configure SPF, DKIM and DMARC — and review what to put inside the password reset email itself.