Roughly nine in ten emails sent worldwide never reach a human being, and the deciding happens in milliseconds, before any person is involved. What sits between a sender and an inbox is not a single filter but a layered reputation economy, one that assigns every domain and every sending server a score and quietly trades on it. The machinery was built to kill the Nigerian prince. It now also decides whether a plumber's invoice from Stockport arrives, lands in junk, or vanishes without a bounce.

The first layer is authentication, and it runs on public DNS records rather than clever guesswork. SPF, the Sender Policy Framework, lets a domain owner publish a list of servers authorised to send mail on its behalf; a receiving server checks the connecting machine against that list. DKIM, DomainKeys Identified Mail, goes further by attaching a cryptographic signature to each message, generated with a private key and verifiable against a public key published in DNS, proving the message was not altered in transit and genuinely came from the signing domain. DMARC ties the two together: it tells receivers what to do when both checks fail — monitor, quarantine or reject outright — and sends the domain owner aggregate reports on who is impersonating them. A company that publishes a strict DMARC policy makes its own name almost impossible to forge, which is why HMRC, one of the most impersonated brands in Britain, moved early to a reject policy and cut the spoofed refund emails reaching taxpayers by hundreds of millions.

Authentication only proves who you are. The second layer judges whether you are wanted, and this is where machine learning took over from the keyword lists of the early 2000s. Paul Graham's 2002 essay "A Plan for Spam" popularised Bayesian filtering, which scored words by how often they appeared in spam versus legitimate mail. Modern systems at Gmail and Microsoft descend from that idea but train deep models on trillions of messages, weighing URL patterns, sending cadence, attachment types, the ratio of images to text and, crucially, how recipients behave. Every "report spam" click is a training signal. So is the opposite: opening, replying, dragging a message out of junk. Gmail has said its filters block more than 99.9% of spam, phishing and malware, and the residue you still see is the arms race's moving front line.

Between those layers sit the blocklists, the oldest institutions in the trade. Spamhaus, a nonprofit founded in London in 1998, publishes real-time lists of IP addresses and domains observed sending spam or hosting malware, and most of the world's mail servers consult them on every connection. Landing on a Spamhaus list can stop a company's outbound mail dead within hours; getting off requires demonstrating the underlying problem — a compromised account, a purchased marketing list, an open relay — has actually been fixed.

The reputation economy nobody signed up for

The consequential shift of the last few years is that the big receivers formalised the rules. From February 2024, Google and Yahoo began requiring anyone sending more than 5,000 messages a day to their users to authenticate with SPF and DKIM, publish a DMARC record, support one-click unsubscribe and keep the rate of user spam complaints below 0.3%. Microsoft followed with equivalent requirements for Outlook in 2025. These are not laws — the UK's actual law on unsolicited marketing is the Privacy and Electronic Communications Regulations, enforced by the Information Commissioner's Office — but in practice the platform rules bite harder and faster than any regulator.

For large firms this is routine compliance. For small ones it is a minefield they rarely know exists. A sole trader on shared hosting sends from an IP address whose reputation is set by every other tenant on the box; one compromised WordPress site next door and the whole neighbourhood's invoices start going to junk. A firm that never set up DKIM because email "just worked" finds its quotes silently quarantined once a client's IT department tightens DMARC handling. And because rejection increasingly happens without a bounce message, the failure mode is invisible: the sender believes the invoice went, the customer never saw it, and thirty days later there is an awkward phone call about payment.

How spam filters decide what you never see
Photo: Simon Edwards Esq / Wikimedia Commons (Public domain)

The fix is unglamorous and mostly free: publish SPF, sign with DKIM, add a DMARC record even in monitoring mode, and check your domain against the major blocklists. The filters are not going to get more forgiving. The reputation economy grades everyone now, and the only real choice is whether you know your own score.