Email Deliverability Glossary
The complete email deliverability reference for e-commerce store owners and email marketers. Understand why your emails land in spam, how authentication works, and how to protect your revenue — from beginner concepts to advanced terms. 85+ full entries (with explanation, why it matters, technical details, examples, related terms, category, and edge cases) plus 45+ additional concise terms for 130+ concepts. See also Bot Finder and bot detection setup.
Alignment
Short Definition: DMARC and BIMI require that the domain in the From header matches (aligns with) the domain used in SPF/DKIM.
Detailed Explanation: In DMARC, alignment can be “strict” (exact match) or “relaxed” (organizational domain match). For example, mail.example.com is aligned with example.com in relaxed mode but not in strict mode. DKIM alignment checks the d= tag in the signature against the From domain.
Why It Matters: Misalignment causes DMARC to fail even when SPF and DKIM pass individually, meaning your emails can still land in spam or be rejected. If your Shopify store sends through Klaviyo, the signing domain must align with your From address — misalignment is a common setup mistake. Proper alignment is also required for BIMI.
Technical Details: RFC 7489 (DMARC), RFC 8601 (BIMI). Headers: From, Return-Path; DKIM d= tag.
Example: A Shopify brand sends from newsletter@mail.yourbrand.com with DKIM signed as d=yourbrand.com; this gives relaxed DMARC alignment and passes. If their ESP signs with a mismatched domain, DMARC fails and campaigns start landing in spam.
Related Terms: DMARC, SPF, DKIM, BIMI, Policy enforcement, Subdomain delegation
Category: Authentication
Edge Cases: Forwarding can break alignment when the forwarder rewrites Return-Path or adds headers. Mailing lists and some gateways may break strict alignment.
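The strict and relaxed comparison described in this entry, as an added example that is not part of the original glossary or any vendor's code. The small PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List, and the sample message is constructed from the entry's own example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: a tiny constructed stand-in for the Public Suffix List.
# Production code should load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i ascending = longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels


def aligned(from_domain, auth_domain, mode="r"):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dkim_domains(msg):
    """Collect the d= tag from every DKIM-Signature header on the message."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = re.sub(r"\s+", "", value)  # unfold the header, drop whitespace
        match = re.search(r"(?:^|;)d=([^;]+)", tags)
        if match:
            found.append(match.group(1).lower())
    return found


def check_alignment(raw, adkim="r", aspf="r"):
    """Identifier alignment only. DMARC also needs the aligned SPF or DKIM
    check itself to pass, which requires DNS and is out of scope here."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return {
        "from_domain": from_dom,
        "dkim_aligned": any(aligned(from_dom, d, adkim) for d in dkim_domains(msg)),
        "spf_aligned": bool(rp_dom) and aligned(from_dom, rp_dom, aspf),
    }


# Constructed sample: ESP bounce domain in Return-Path, brand domain in d=.
SAMPLE = "\n".join([
    "Return-Path: <bounce-123@bounces.esp.example>",
    "From: Your Brand <newsletter@mail.yourbrand.com>",
    "DKIM-Signature: v=1; a=rsa-sha256; d=yourbrand.com; s=sel1;",
    "\th=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED",
    "Subject: Weekend sale",
    "",
    "Body text.",
])

if __name__ == "__main__":
    print(check_alignment(SAMPLE))             # relaxed DKIM and SPF
    print(check_alignment(SAMPLE, adkim="s"))  # strict DKIM
```

With the ESP's bounce domain in Return-Path, only the DKIM identifier can align here, which is why the signing domain matters for third-party senders.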
ARC (Authenticated Received Chain)
Short Definition: A protocol that preserves authentication results across forwarding and middleboxes so downstream receivers can trust earlier SPF/DKIM/DMARC results.
Detailed Explanation: When an email is forwarded or processed by an intermediary, original authentication may fail (e.g., new Return-Path). ARC adds a chain of seals (ARC-Seal) and message signatures (ARC-Message-Signature) so the last hop can verify the chain and decide to trust the original authentication results.
Why It Matters: Forwarding and mailing lists often break SPF/DKIM authentication, which can cause legitimate emails to land in spam at the destination. ARC helps preserve your sender’s good reputation through those hops — reducing false spam classification for forwarded mail.
Technical Details: RFC 8617. Headers: ARC-Authentication-Results, ARC-Message-Signature, ARC-Seal. Chain is validated in order; one broken link can invalidate the chain.
Example: A customer forwards your promotional email from their Gmail account to a Yahoo account; Yahoo sees failed SPF but a valid ARC chain from Gmail confirming the original authentication — Yahoo accepts the message instead of sending it to spam.
Related Terms: DMARC, DKIM, Forwarding, Policy enforcement
Category: Authentication
Edge Cases: Long chains (many hops) increase validation cost; some providers cap chain length. Malicious actors could attempt to forge ARC seals if validation is weak.
Apple Mail Privacy Protection (MPP)
Short Definition: Apple’s feature that preloads images and links in emails in the background, generating opens and sometimes clicks before the user views the message.
Detailed Explanation: When MPP is enabled (default for many Apple Mail users), Apple’s proxy servers fetch remote content (images, links) when the email is received. This triggers open pixels and can trigger link prefetches, which appear as opens/clicks in analytics but are not human engagement.
Why It Matters: MPP makes open rates unreliable for e-commerce brands. If you use open rates to trigger flows in Klaviyo, measure campaign success, or suppress unengaged subscribers, MPP means your data is likely inflated 2–3x for Apple Mail users. Bot Finder separates MPP-triggered events from real human engagement so your metrics and automations reflect actual subscriber behavior.
Technical Details: Requests come from Apple IP ranges; user-agent and timing patterns differ from real Mail.app opens. Image proxying and link prefetching; some links may be rewritten or scanned.
Example: A Shopify store sees 60% open rate in Klaviyo; after filtering MPP and bot traffic via InboxEagle Bot Finder, true human opens are 22% — revealing the real performance of their campaigns and enabling more accurate flow triggers.
Related Terms: Open tracking, Prefetching, Bot Finder, Image proxying, Link wrapping
Category: Analytics · Bot Detection
Edge Cases: MPP behavior can change with iOS/macOS updates. Combined with corporate proxies or security scanners, traffic can be hard to attribute. Time-to-click and IP clustering help distinguish.
Authentication
Short Definition: The set of mechanisms (SPF, DKIM, DMARC, BIMI, ARC) that prove an email is from the claimed sender and has not been altered.
Detailed Explanation: Authentication uses DNS records and cryptographic signatures so receiving systems can verify the sending domain and message integrity. It is the foundation of modern deliverability; most major providers require at least SPF and DKIM, and many recommend DMARC.
Why It Matters: Missing or misconfigured authentication leads to emails landing in spam, your domain being spoofed by phishers, and lower inbox placement. For store owners, most ESPs (Klaviyo, Omnisend) handle DKIM for you — but SPF and DMARC usually require manual DNS setup, which many brands skip.
Technical Details: DNS (TXT records for SPF, DKIM selector records), SMTP (EHLO, MAIL FROM), message headers (From, Reply-To, DKIM-Signature, etc.).
Example: A Shopify brand sets up SPF (including their Klaviyo ESP), activates DKIM via their sending domain settings, and publishes DMARC at p=quarantine; Gmail and Yahoo validate all three and place emails in the inbox consistently — while phishers spoofing their domain get rejected.
Related Terms: SPF, DKIM, DMARC, BIMI, Alignment, DNS propagation
Category: Authentication
Edge Cases: Third-party senders (ESP, CRM) require correct SPF includes and DKIM delegation. Forwarding and mailing lists can break auth without ARC.
Automated link scanner
Short Definition: Software that automatically follows links in emails to check for malware, phishing, or policy violations before delivering to the user.
Detailed Explanation: Corporate gateways (Proofpoint, Mimecast, Barracuda, Microsoft Safe Links, etc.) and some consumer providers rewrite links or fetch them in a sandbox. The request appears as a “click” in the sender’s analytics but is not a human action.
Why It Matters: Link scanners inflate your click rates and can trigger Klaviyo flows for subscribers who never actually clicked. If you use click events to trigger abandoned cart or post-purchase automations, scanner-generated clicks cause those flows to fire for the wrong people. Bot Finder filters scanner traffic so your automations trigger on real engagement.
Technical Details: Often use headless browsers or HTTP clients; IPs belong to vendor ranges; user-agent and timing (e.g., click within seconds of delivery) are typical signals.
Example: A B2B promotional email is delivered to a corporate recipient behind Proofpoint; Proofpoint fetches every link 2 minutes after delivery; InboxEagle Bot Finder flags these as scanner clicks, keeping your Klaviyo click metrics clean.
Related Terms: Bot Finder, Security scanner, Sandbox click, Microsoft Safe Links, Mimecast link rewriting
Category: Bot Detection · Security
Edge Cases: Some scanners run only on certain link types or domains. Rate of scanning can vary by vendor and policy. False positives can occur when real users share the same corporate network as the scanner.
Barracuda filtering
Short Definition: Barracuda Networks’ email security gateways filter spam, malware, and phishing and may rewrite links or prefetch them, generating non-human click events.
Detailed Explanation: Barracuda appliances sit at the edge of corporate networks and scan incoming mail. They may follow links for security checks and rewrite URLs, which triggers tracking pixels and click redirects. Those requests appear as opens/clicks in sender analytics.
Why It Matters: Barracuda, like other corporate security gateways, inflates your click metrics with scanner-generated events. If you send to any B2B subscribers (work emails), Barracuda traffic can skew your reported CTR and trigger automations incorrectly. Bot Finder identifies Barracuda traffic so you measure real engagement.
Technical Details: Requests from Barracuda IP ranges; link rewriting and prefetch behavior vary by product and policy. Often used in B2B environments.
Example: A DTC brand’s email reaches a corporate buyer whose company uses Barracuda; Barracuda prefetches all links within seconds of delivery; InboxEagle Bot Finder classifies these as bot clicks, preventing them from skewing campaign stats.
Related Terms: Corporate email gateway, Automated link scanner, Proofpoint click scanning, Mimecast link rewriting
Category: Security · Bot Detection
Edge Cases: Configuration varies by organization. Some deployments only scan attachments or specific link types.
Bayesian filtering
Short Definition: A statistical spam filter that classifies messages by learning from tokens (words, phrases) and their probability of appearing in spam vs. ham.
Detailed Explanation: The filter builds a model from labeled training data: token frequencies in spam and in legitimate mail. For each incoming message it computes a combined probability and compares to a threshold. It adapts as users mark messages spam/not spam.
Why It Matters: Bayesian filters learn from past spam to detect new spam — meaning your subject lines and copy choices directly affect whether you land in the inbox. Promotional language like “FREE,” “Act now,” “Click here,” or excessive exclamation marks trains the filter against you. Clean, specific, value-driven copy is the fix.
Technical Details: Typically applied to subject and body text; some implementations use headers or metadata. Requires sufficient training data; can be fooled by tokenization tricks (e.g., obfuscation).
Example: A Shopify brand’s flash sale email uses “FREE GIFT — Act Now!!!” in the subject; Bayesian filters score it as likely spam and route it to the junk folder; rewriting to “Your exclusive gift with orders over $75” dramatically improves inbox placement.
Related Terms: Content filtering, Heuristic filtering, SpamAssassin, Anti-Spam
Category: Anti-Spam
Edge Cases: Legitimate marketing language can overlap with spam tokens; false positives occur. Multilingual and HTML-heavy content may be tokenized differently across implementations.
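A compact token-based filter of the kind this entry describes, added here as an example and not taken from any real product. The training messages are constructed, the subject lines scored are adapted from the entry's example, and skipping tokens never seen in training is a design choice of this sketch.

```python
import math
import re
from collections import Counter


def tokenize(text):
    """Lowercase word-like tokens; '$' is kept so prices stay one token."""
    return re.findall(r"[a-z0-9$]+", text.lower())


class NaiveBayesFilter:
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()

    def train(self, text, label):
        """label is 'spam' or 'ham'; called again whenever a user re-marks mail."""
        self.counts[label].update(tokenize(text))
        self.docs[label] += 1

    def spam_probability(self, text):
        vocab = set(self.counts["spam"]) | set(self.counts["ham"])
        totals = {k: sum(c.values()) for k, c in self.counts.items()}
        # Start from the prior odds, then add each token's log likelihood ratio.
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])
        for tok in tokenize(text):
            if tok not in vocab:
                continue  # unseen tokens carry no evidence in this sketch
            # Laplace (add-one) smoothing avoids zero probabilities.
            p_spam = (self.counts["spam"][tok] + 1) / (totals["spam"] + len(vocab))
            p_ham = (self.counts["ham"][tok] + 1) / (totals["ham"] + len(vocab))
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))


# Constructed training data.
SPAM = ["free gift act now", "you won claim your free prize now",
        "click here for free money", "act now limited offer click here"]
HAM = ["your order has shipped", "your exclusive gift with orders over $50",
       "new arrivals for your weekend", "your receipt for order 1042"]


def build_demo_filter():
    f = NaiveBayesFilter()
    for text in SPAM:
        f.train(text, "spam")
    for text in HAM:
        f.train(text, "ham")
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for subject in ("FREE GIFT: Act Now!!!",
                    "Your exclusive gift with orders over $75"):
        print(f"{f.spam_probability(subject):.3f}  {subject}")
```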
BIMI (Brand Indicators for Message Identification)
Short Definition: A DNS-based standard that allows verified senders to display a logo in supporting mailbox providers’ inboxes, contingent on DMARC policy and VMC.
Detailed Explanation: BIMI uses a TXT record at default._bimi.<domain> pointing to the logo URL and optionally a Verified Mark Certificate (VMC). Receivers that support BIMI (e.g., Gmail, Yahoo) display the logo when DMARC passes and policy is enforced.
Why It Matters: BIMI displays your brand logo next to your emails in Gmail and Apple Mail — increasing recognition and open rates for promotional campaigns. For e-commerce brands, a visible logo in the inbox builds the trust that drives clicks. Achieving BIMI also forces you to implement strong DMARC enforcement, which protects your domain from phishing.
Technical Details: RFC 8601. DNS: default._bimi.<domain>. Requires DMARC policy of at least quarantine; many providers require VMC from approved certification authorities.
Example: A Shopify brand sets DMARC to p=reject, obtains a Verified Mark Certificate (VMC), and publishes a BIMI DNS record; Gmail and Apple Mail now show their logo next to every email — increasing brand recognition and open rates.
Related Terms: DMARC, Alignment, VMC, Authentication
Category: Authentication
Edge Cases: Not all providers support BIMI; VMC is expensive and not all brands qualify. Logo format and size are specified by the standard.
Blocklist
Short Definition: A list of IP addresses or domains considered untrustworthy; mail from listed entities may be rejected, throttled, or deprioritized by receivers.
Detailed Explanation: Blocklists are maintained by third parties (e.g., Spamhaus, SORBS) or privately by mailbox providers. Listings can be automatic (e.g., spam traps, honeypots) or manual (abuse reports). Delisting usually requires remediation and a request process.
Why It Matters: Being on a major blocklist like Spamhaus can cause Gmail, Yahoo, and other providers to reject or bulk all your emails overnight — immediately stopping your abandoned cart flows, post-purchase sequences, and promotional campaigns. InboxEagle monitors your sending IPs against blocklists so you find out before your revenue does.
Technical Details: DNSBL (DNS-based blocklist) lookups; RBL (Real-time Blackhole List). Receivers query list zones with sender IP or domain; positive result triggers policy.
Example: A Shopify store purchases a third-party email list; it contains a Spamhaus spam trap address; after sending, their IP is listed on Spamhaus and Gmail starts rejecting all their emails — halting every automation and campaign until they get delisted.
Related Terms: Reputation, IP reputation, Spam trap, Greylisting, Delist
Category: Anti-Spam · Reputation
Edge Cases: False positives occur (e.g., shared IP, compromised server). Some lists are more aggressive than others; B2B and corporate gateways may use different lists.
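How a DNSBL lookup is formed and interpreted, as an added example that is not from the original glossary or any monitoring product. The zone dnsbl.example, the fake resolver and its records are constructed so the check runs offline; system_resolver is the only part that touches real DNS.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Some operators reserve part of 127/8 for error answers rather than listings;
# Spamhaus documents 127.255.255.0/24 this way (for example, for queries that
# arrive through a public resolver).
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(ip, zone):
    """Reverse the address and append the list zone.

    IPv4 is reversed octet by octet, IPv6 nibble by nibble.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        parts = str(addr).split(".")[::-1]
    else:
        parts = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(parts) + "." + zone.strip(".")


def system_resolver(name):
    """A records for name, [] when the name does not resolve.

    gethostbyname_ex cannot tell NXDOMAIN from a timeout; a real monitor
    should use a resolver library that can.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_listing(ip, zone, resolve=system_resolver):
    name = dnsbl_query_name(ip, zone)
    answers = [ipaddress.ip_address(a) for a in resolve(name)]
    if not answers:
        status = "not_listed"
    elif any(a not in LOOPBACK or a in ERROR_NET for a in answers):
        # Answers outside 127/8 (wildcarded or hijacked zone) or inside the
        # error range must not be treated as a listing.
        status = "error"
    else:
        status = "listed"
    return {"query": name, "status": status, "codes": [str(a) for a in answers]}


# Constructed zone data for the offline demo.
FAKE_ZONE = {
    "99.2.0.192.dnsbl.example": ["127.0.0.2"],
    "50.2.0.192.dnsbl.example": ["127.255.255.254"],
    "7.2.0.192.dnsbl.example": ["203.0.113.80"],
}


def fake_resolver(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.99", "192.0.2.10", "192.0.2.50", "192.0.2.7"):
        print(check_listing(ip, "dnsbl.example", fake_resolver))
```

Treating error-range or non-loopback answers as listings is a common cause of self-inflicted false positives on the receiving side.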
Bounce processing
Short Definition: The handling of non-delivery reports (hard bounces, soft bounces) by the sender or ESP to update lists, suppress bad addresses, and comply with receiver expectations.
Detailed Explanation: When a message bounces, the receiving MTA may send a DSN (Delivery Status Notification). Senders parse bounce type (hard = permanent, soft = temporary), update suppression lists, and may retry soft bounces with backoff. Continuous sending to hard bounces harms reputation.
Why It Matters: High bounce rates tell Gmail and Yahoo your list is unclean, triggering spam filtering or outright blocks. Most ESPs (Klaviyo, Omnisend) handle hard bounce suppression automatically — but if your bounce rate spikes after a campaign, you need to investigate your list quality before the next send.
Technical Details: RFC 3461–3464 (DSN). SMTP response codes (5xx = permanent, 4xx = temporary); Content-Type multipart/report; enhanced status codes (e.g., 5.1.1 user unknown).
Example: A Klaviyo campaign returns a 5.1.1 “address not found” bounce for an old subscriber email; Klaviyo automatically marks it as a hard bounce and suppresses it from all future sends, protecting your sender reputation.
Related Terms: Hard bounce, Soft bounce, Suppression list, MTA, Feedback loop
Category: Infrastructure · Deliverability
Edge Cases: Some bounces are misclassified (e.g., greylisting 4xx vs. real 5xx). Gray mail and full mailboxes may generate different DSNs. Feedback loops complement bounces for abuse reporting.
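Parsing a DSN and turning it into suppression decisions, as an added example that is not from the original glossary or any ESP's code. The bounce message is constructed, and the rule of suppressing after three soft bounces (max_soft) is an assumption of this sketch.

```python
from email import message_from_string


def classify_status(status):
    """Map an enhanced status code (RFC 3463) to a bounce kind by its class."""
    first = status.strip().split(".", 1)[0]
    return {"2": "delivered", "4": "soft", "5": "hard"}.get(first, "unknown")


def parse_dsn(raw):
    """Return one dict per recipient found in a multipart/report DSN."""
    msg = message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return []  # not a DSN: auto-replies and the like are not bounces
    results = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        if not part.is_multipart():
            continue  # malformed status part
        # The parser exposes each header block as its own Message object:
        # first the per-message block, then one block per recipient.
        for block in part.get_payload():
            if "Final-Recipient" not in block:
                continue
            status = block.get("Status", "").strip()
            results.append({
                "recipient": block["Final-Recipient"].split(";", 1)[-1].strip().lower(),
                "action": block.get("Action", "").strip().lower(),
                "status": status,
                "kind": classify_status(status),
            })
    return results


def apply_bounces(results, suppression, soft_counts, max_soft=3):
    """Hard bounces are suppressed at once; soft bounces only after
    max_soft occurrences, so greylisting or a full mailbox is retried first."""
    for r in results:
        rcpt = r["recipient"]
        if r["kind"] == "hard":
            suppression.add(rcpt)
        elif r["kind"] == "soft":
            soft_counts[rcpt] = soft_counts.get(rcpt, 0) + 1
            if soft_counts[rcpt] >= max_soft:
                suppression.add(rcpt)
    return suppression


# Constructed DSN with one permanent and one temporary failure.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net
To: bounces@mail.yourbrand.example
Subject: Delivery Status Notification
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

Delivery failed for one or more recipients.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; old.subscriber@example.com
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 User unknown

Final-Recipient: rfc822; full.mailbox@example.com
Action: delayed
Status: 4.2.2
Diagnostic-Code: smtp; 452 4.2.2 Mailbox full

--BOUND--
"""

if __name__ == "__main__":
    parsed = parse_dsn(SAMPLE_DSN)
    print(parsed)
    print(apply_bounces(parsed, set(), {}))
```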
Bot Finder
Short Definition: A click on an email link that is generated by automated software (e.g., security scanner, Apple MPP, crawler) rather than a human subscriber.
Detailed Explanation: Bot clicks come from link prefetchers, malware/phishing scanners, privacy proxies, and other automated systems. They are indistinguishable from human clicks in raw analytics without additional signals (IP, user-agent, timing, behavioral patterns).
Why It Matters: Inflated click rates cause automation platforms like Klaviyo to trigger flows for subscribers who never actually clicked, skew A/B test results, and produce unreliable segmentation. For Shopify brands using click-based abandoned cart or post-purchase flows, bot clicks can fire sequences for the wrong people. Bot Finder separates automated clicks from genuine human engagement.
Technical Details: Signals include IP (vendor ranges), user-agent, time-to-click (very fast after delivery), lack of subsequent conversion, and clustering. Machine learning or rule-based scoring classifies events as bot vs. human.
Example: 40% of “clicks” in a Black Friday campaign come from Proofpoint link scanners and Apple MPP proxies; after filtering with InboxEagle Bot Finder, true human CTR is 2.1% — giving accurate data for future campaign and flow decisions.
Related Terms: Security scanner, Prefetching, Sandbox click, False click, Human click verification
Category: Bot Detection · Analytics
Edge Cases: Some corporate users click immediately after a scanner prefetches; deduplication and time-to-click help. Mobile and VPN can complicate IP-based rules.
Bot filtering
Short Definition: The process of excluding or flagging automated (bot) open and click events from engagement metrics and reports so that analytics reflect real subscriber behavior.
Detailed Explanation: Bot filtering uses signals such as IP, user-agent, timing, and behavioral patterns to score each event and classify it as bot, suspicious, or human. Filtered data is then used for reporting, segmentation, and deliverability decisions.
Why It Matters: Without bot filtering, your open and click rates are inflated by security scanners and Apple MPP — leading to poor list segmentation, automation triggers for the wrong subscribers, and inaccurate A/B test results. For Shopify brands relying on Klaviyo engagement data, bot filtering is essential for making decisions on real subscriber behavior.
Technical Details: Implemented in analytics pipelines (e.g., InboxEagle Bot Finder/Lens); outputs include verdict (BOT/SUSPICIOUS/HUMAN) and confidence. Can be applied in real time or in batch.
Example: A Shopify brand connects Bot Finder to their Amazon SES account; InboxEagle filters bot events from Apple MPP and Proofpoint scanners; their Klaviyo dashboard now shows true human open and click rates — dropping apparent open rate from 55% to 24%, but reflecting actual engagement.
Related Terms: Bot Finder, Open tracking, Click tracking, Bot detection, Time-to-click analysis
Category: Bot Detection · Analytics
Edge Cases: Aggressive filtering may remove some real engagement; conservative filtering leaves noise. Tuning by campaign or segment can improve accuracy.
Bot detection
Short Definition: The process of identifying whether an email open or click event was generated by a human or by automated software (e.g., scanners, privacy proxies, crawlers).
Detailed Explanation: Bot detection uses signals such as IP address, user-agent, time-to-click, request patterns, and sometimes behavioral or device fingerprinting. Results are used to filter analytics, segment “human” engagement, and improve deliverability decisions. InboxEagle’s Bot Finder provides bot detection for Amazon SES data.
Why It Matters: Without bot detection, inflated open and click rates lead to bad decisions — over-estimating campaign performance, triggering automations for subscribers who never engaged, and suppressing active subscribers based on false inactivity signals. For e-commerce brands, accurate engagement data directly affects revenue from email automation.
Technical Details: Rule-based or ML classification; output is typically verdict (BOT/SUSPICIOUS/HUMAN) and confidence. Applied in pipeline before reporting.
Example: A DTC brand using Amazon SES connects InboxEagle Bot Finder; every SES event gets a verdict (BOT / SUSPICIOUS / HUMAN); the brand’s dashboard now shows true engagement, enabling accurate segment building and flow optimization in Klaviyo.
Related Terms: Bot Finder, Bot filtering, Time-to-click analysis, Human click verification, User-agent fingerprinting
Category: Bot Detection
Edge Cases: New scanner or proxy types may not be in the model initially. Cross-device and VPN usage can complicate IP-based rules.
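A rule-based scorer using the signals named in the Automated link scanner, Bot Finder, Bot filtering and Bot detection entries, added here as an example; it is not InboxEagle's algorithm. The IP range, user-agent markers, point weights, thresholds and click events are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions: a documentation range stands in for a vendor's published
# scanner range; weights and thresholds are illustrative, not tuned.
SCANNER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
AUTOMATION_UA = ("headlesschrome", "python-requests", "curl/", "go-http-client")
FAST_CLICK_SECONDS = 10   # click this soon after delivery looks automated
CLUSTER_RECIPIENTS = 3    # one IP clicking for this many recipients


def score_events(events):
    """Attach a verdict (BOT / SUSPICIOUS / HUMAN) to each click event."""
    rcpts_by_ip = defaultdict(set)
    for e in events:
        rcpts_by_ip[e["ip"]].add(e["recipient"])
    scored = []
    for e in events:
        points, reasons = 0, []
        ip = ipaddress.ip_address(e["ip"])
        if any(ip in net for net in SCANNER_NETS):
            points += 50
            reasons.append("scanner_ip")
        if any(marker in e["user_agent"].lower() for marker in AUTOMATION_UA):
            points += 30
            reasons.append("automation_ua")
        if e["clicked_at"] - e["delivered_at"] < FAST_CLICK_SECONDS:
            points += 30
            reasons.append("fast_click")
        if len(rcpts_by_ip[e["ip"]]) >= CLUSTER_RECIPIENTS:
            points += 20
            reasons.append("ip_cluster")
        verdict = "BOT" if points >= 60 else "SUSPICIOUS" if points >= 30 else "HUMAN"
        scored.append({**e, "verdict": verdict,
                       "bot_score": min(points, 100) / 100, "reasons": reasons})
    return scored


def click_rates(scored, delivered):
    """(raw, human-only) unique click rate over delivered messages."""
    raw = {e["recipient"] for e in scored}
    human = {e["recipient"] for e in scored if e["verdict"] == "HUMAN"}
    return len(raw) / delivered, len(human) / delivered


HEADLESS = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0.0.0 Safari/537.36"
SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Version/17.0 Safari/605.1.15"

# Constructed events; times are seconds since an arbitrary start.
EVENTS = [
    {"recipient": "a@corp.example", "ip": "198.51.100.7", "user_agent": HEADLESS,
     "delivered_at": 1000, "clicked_at": 1003},
    {"recipient": "b@corp.example", "ip": "198.51.100.7", "user_agent": HEADLESS,
     "delivered_at": 1000, "clicked_at": 1004},
    {"recipient": "c@corp.example", "ip": "198.51.100.7", "user_agent": HEADLESS,
     "delivered_at": 1000, "clicked_at": 1004},
    # Same recipient as the first event, clicking later from another address:
    # the scanner prefetch must not hide this real click.
    {"recipient": "a@corp.example", "ip": "203.0.113.20", "user_agent": SAFARI,
     "delivered_at": 1000, "clicked_at": 2800},
    # Fast click with no other signal: kept apart rather than called a bot.
    {"recipient": "d@shop.example", "ip": "203.0.113.55", "user_agent": SAFARI,
     "delivered_at": 1000, "clicked_at": 1006},
]

if __name__ == "__main__":
    scored = score_events(EVENTS)
    for e in scored:
        print(e["recipient"], e["verdict"], e["bot_score"], e["reasons"])
    print(click_rates(scored, delivered=4))
```

Scoring each event on its own, then deduplicating by recipient, is what lets the later click from a@corp.example count as human even though a scanner touched the same message first.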
Bounce rate
Short Definition: The percentage of sent emails that result in a bounce (hard or soft) as reported by the receiving system.
Detailed Explanation: Bounce rate is computed as bounces / sent (or similar). High bounce rate indicates bad list hygiene, invalid addresses, or receiver-side issues. ESPs and mailbox providers use it as a reputation signal.
Why It Matters: Sustained high bounce rates signal list hygiene problems and trigger spam filtering or blocks. For e-commerce brands, sending to old or purchased lists is a common cause. Most ESPs (Klaviyo, Omnisend) automatically suppress hard bounces — but if your bounce rate spikes, you need to investigate and clean your list quickly.
Technical Details: Measured via DSN (bounce messages) or SMTP responses. Hard bounces should be suppressed immediately; soft bounces may be retried with backoff.
Example: A Shopify brand sends a re-engagement campaign to their full 200k list including 2-year-old subscribers; 4k hard bounces result in a 2% bounce rate; the following week’s promotional campaigns land in spam at Gmail until reputation recovers.
Related Terms: Bounce processing, Hard bounce, Soft bounce, Suppression list
Category: Deliverability · Infrastructure
Edge Cases: Greylisting and temporary failures can inflate soft bounces. Some receivers don’t send DSNs, so measured bounce rate may be understated.
Complaint rate
Short Definition: The percentage of delivered emails that recipients report as spam (e.g., via “Report spam” in the mailbox provider UI).
Detailed Explanation: Complaint rate = complaints / delivered (or similar). Mailbox providers track it per sender and use it as a strong reputation signal. A high complaint rate leads to throttling, spam-folder placement, or blocking.
Why It Matters: Gmail starts filtering your emails to spam around 0.1% complaint rate and may block you above 0.3%. One badly-timed campaign to an unengaged or purchased list can damage your deliverability for weeks, hurting all your automated flows in Klaviyo or Omnisend.
Technical Details: Measured via FBL (ARF) reports and provider-side aggregation. Gmail Postmaster Tools and others surface complaint or spam rate in sender dashboards.
Example: A store sends a broad re-engagement campaign without segmenting inactive subscribers; complaint rate spikes to 0.35%; abandoned cart and welcome emails land in spam for Gmail users for the next two weeks until reputation recovers.
Related Terms: Feedback loop, Reputation, Suppression list, Domain reputation
Category: Reputation · Deliverability
Edge Cases: Complaints are voluntary; not all users report. Some providers use “not interested” or “unsubscribe” as softer signals. B2B vs. consumer complaint behavior differs.
Competitive intelligence
Short Definition: The practice of monitoring competitor brands’ inbox placement rates, sending domain data, and authentication practices to benchmark your own email program.
Detailed Explanation: Email competitive intelligence involves tracking the observed inbox, promotions, and spam placement rates of competitor brands using a panel of seed mailboxes. By comparing your placement rates against a direct competitor at the same providers, you can identify gaps in authentication, sending frequency, or list hygiene that explain performance differences.
Why It Matters: If a competitor consistently achieves 89% inbox placement at Gmail while you are at 72%, the root cause is usually discoverable — different DMARC enforcement levels, different complaint rates, or different IP strategies. InboxEagle’s competitive intelligence dashboard shows head-to-head and industry benchmark comparisons.
Technical Details: Based on panel/seed observation data; not private ESP data. Placement rates are calculated from the same seed panel used for your own program, so comparisons are on identical measurement basis.
Example: A DTC clothing brand tracks three direct competitors in InboxEagle; two of the three are at p=reject DMARC while the brand is still at p=none; after enforcing DMARC, their Gmail inbox rate rises from 74% to 86% — closing the gap with competitors.
Related Terms: Inbox placement, Domain reputation, Seed list, DMARC
Category: Analytics · Deliverability
Edge Cases: Panel observation captures only what the seed mailboxes see; low-volume senders may have sparse competitive data. Brand tracking requires the competitor’s sending domain to be observed through the panel.
Content filtering
Short Definition: Spam and security filtering based on the content of the email (subject, body, attachments) rather than solely on reputation or authentication.
Detailed Explanation: Content filters scan text and attachments for patterns associated with spam, phishing, or malware. They may use keyword lists, Bayesian models, heuristics, and ML. Content filtering runs alongside reputation and authentication checks.
Why It Matters: Even with perfect SPF, DKIM, and DMARC, spammy subject lines, aggressive promotional language, or suspicious links can trigger content filters and send your campaigns to spam. For Shopify stores, this is often the difference between a flash sale that reaches the inbox and one that doesn’t.
Technical Details: Applied to MIME parts (text/plain, text/html); attachment scanning (type, extension, sandbox). Headers (Subject, From display name) are often included.
Example: A Shopify store’s promotional email uses “You WON!!! Claim your free gift 🎁🎁🎁” in the subject with a bit.ly shortlink in the body; Gmail’s content filter routes it to spam; rewriting to “Your complimentary gift is waiting — expires Sunday” with a clean tracked link improves inbox placement.
Related Terms: Bayesian filtering, Heuristic filtering, SpamAssassin, Phishing detection
Category: Anti-Spam
Edge Cases: Legitimate marketing and transactional content can trigger false positives. Localization and encoding affect tokenization. Image-based spam bypasses text filters unless OCR or URL analysis is used.
Click tracking
Short Definition: The practice of replacing links in emails with tracking URLs that redirect to the final destination and record a click event for analytics.
Detailed Explanation: Each link is rewritten to point to a tracking domain (e.g., click.example.com/xxx). When the user (or a bot) clicks, the redirect server logs the event and then sends the user to the real URL. This enables per-link and per-recipient click metrics.
Why It Matters: Click tracking powers CTR reporting, Klaviyo flow triggers, and conversion attribution in your email campaigns. However, the same mechanism that tracks real clicks also captures bot clicks from security scanners and Apple MPP — meaning your reported CTR is inflated without bot filtering.
Technical Details: HTTP 302/301 redirects; tracking domain must be configured (DNS, SSL). Query params or path encode campaign/recipient/link IDs. Link wrapping is the implementation pattern.
Example: A link to your Shopify store’s sale page (https://yourbrand.com/sale) is wrapped by Klaviyo as a tracking URL; every real customer click is logged and reported in Klaviyo analytics, but so are security scanner prefetches — which is why bot filtering matters.
Related Terms: Link wrapping, Open tracking, Bot Finder, Pixel tracking
Category: Analytics
Edge Cases: Some clients block redirects or strip tracking params. Corporate proxies may prefetch all links, inflating clicks. Privacy regulations may limit tracking scope.
Cost optimization
Short Definition: The practice of identifying and suppressing unengaged contacts to reduce per-contact or per-email ESP costs while improving deliverability by sending only to active subscribers.
Detailed Explanation: Most ESPs charge based on contact count or email volume. A significant portion of any mature list — typically 20–50% — consists of contacts who have not genuinely engaged in months or whose “engagement” was generated by bots (Apple Mail Privacy Protection, security scanners). Suppressing these contacts reduces costs without reducing real revenue, since they were not converting anyway. InboxEagle’s cost optimization tool uses Bot Finder-filtered engagement data to make suppression decisions on confirmed human activity rather than raw open rates.
Why It Matters: Average cost reduction for programs that have never cleaned their list is 40%. Sending to unengaged contacts also degrades inbox placement over time — mailbox providers treat low engagement as a negative reputation signal. Suppressing non-engagers improves both your budget and your deliverability in parallel.
Technical Details: Requires engagement data filtered for bot opens (see Bot Finder). Suppression lists are uploaded to your ESP or synced via Klaviyo. Apple Mail Privacy Protection means open-based suppression alone is unreliable; click signals are more reliable for confirming disengagement.
Example: A Shopify brand with 120k contacts in Klaviyo uses InboxEagle cost optimization to identify 48k contacts with no confirmed human open in 180 days; after suppressing them, their monthly Klaviyo cost drops by 38% and their Gmail inbox rate improves from 79% to 88% due to higher engagement ratios.
Related Terms: Suppression list, List hygiene, Bot Finder, Sunset policy, Engagement rate
Category: List Management · Deliverability
Edge Cases: Apple Mail users will appear disengaged if only opens are tracked. Consider click-based confirmation before suppressing. Re-engagement campaigns before final suppression can recover some contacts.
Corporate email gateway
Short Definition: An intermediary system (e.g., Proofpoint, Mimecast, Barracuda) that filters, scans, and often rewrites email before delivering it to the end user’s mailbox.
Detailed Explanation: Corporate gateways sit between the internet and the organization’s mail server. They perform spam filtering, antivirus scanning, link rewriting (Safe Links), attachment sandboxing, and DLP. They may also fetch links and images, generating bot-like opens and clicks.
Why It Matters: Corporate email gateways affect both deliverability and your engagement metrics. If you sell to business buyers or B2B customers, gateway-generated clicks can dominate your CTR data. InboxEagle Bot Finder identifies gateway traffic so your analytics reflect real buyer behavior, not scanner activity.
Technical Details: Typically deployed as an MTA or proxy; may change headers, rewrite URLs, and add ARC or other headers. Receiving IP and reputation are often the gateway’s, not the original sender’s.
Example: A brand sends a B2B campaign; Gmail accepts it, but a corporate Proofpoint gateway blocks it before reaching the employee’s inbox — the brand sees “delivered” in their ESP but the buyer never received it. Proofpoint also prefetches all links, creating apparent click events that Bot Finder flags as bots.
Related Terms: Proofpoint click scanning, Mimecast link rewriting, Barracuda filtering, Automated link scanner
Category: Infrastructure · Bot Detection
Edge Cases: Policies vary by organization; same content may pass one gateway and fail another. B2B senders see a mix of direct and gateway-mediated delivery.
Deliverability
Short Definition: The measure of whether emails reach the intended folder (inbox, promotions) versus spam, bounce, or block, and the practice of improving that outcome.
Detailed Explanation: Deliverability encompasses authentication, reputation, content, list hygiene, and infrastructure. It is monitored per domain, IP, and provider. InboxEagle provides deliverability dashboards by brand and sending domain, including placement and Google Postmaster data.
Why It Matters: Poor deliverability means your abandoned cart reminders, welcome series, and promotional campaigns never reach customers — directly cutting revenue. For e-commerce brands, every improvement in inbox placement translates to more orders seen and more email revenue recovered.
Technical Details: No single metric; combines inbox placement, bounce rate, complaint rate, authentication status, and reputation. Measured via seed testing, provider APIs (e.g., Postmaster), and bounce/FBL processing.
Example: A Shopify brand fixes their SPF, DKIM, and DMARC setup, cleans inactive subscribers from their list, and reduces spam complaints; inbox placement improves from 60% to 88% across Gmail and Yahoo — recovering significant monthly email revenue.
Related Terms: Inbox placement, Domain reputation, Authentication, Bounce rate, Complaint rate
Category: Deliverability
Edge Cases: Deliverability varies by provider, segment, and time. B2B gateways add another layer. Engagement (opens/clicks) affects Gmail placement.
DKIM (DomainKeys Identified Mail)
Short Definition: An email authentication method that uses a digital signature in the message header to verify that the message was sent by an authorized server and has not been modified.
Detailed Explanation: The sending MTA signs the message (or selected headers/body) with a private key; the signature is added in the DKIM-Signature header. The receiving system fetches the public key from DNS (selector._domainkey.
Why It Matters: DKIM is required by Gmail, Yahoo, and most major mailbox providers and is a component of DMARC. Broken or missing DKIM frequently causes emails to land in spam. Your ESP (Klaviyo, Omnisend, Shopify Email) signs emails with DKIM — but you must add the provided public key record to your domain’s DNS to activate it.
Technical Details: RFC 6376. Header: DKIM-Signature (v=1; a=; d=; s=; h=; b=). DNS: <selector>._domainkey.<domain> TXT with public key. Signing algorithm (e.g., rsa-sha256).
Example: A brand sets up DKIM in Klaviyo by adding the selector DNS record they provide; emails from newsletter@yourbrand.com now pass DKIM at Gmail and Yahoo, improving inbox placement for all campaigns and flows.
Related Terms: SPF, DMARC, Alignment, Key rotation, DKIM replay attack
Category: Authentication
Edge Cases: Forwarding and mailing lists can break DKIM if they modify the message. Multiple signatures (e.g., ESP + sender) are allowed; DMARC evaluates alignment. Key rotation must be coordinated with DNS.
DKIM replay attack
Short Definition: An attack where a valid DKIM-signed message is replayed (resent) to other recipients or at a later time to abuse the original signature.
Detailed Explanation: Because DKIM does not bind the signature to the recipient or a nonce, a captured signed message could be replayed. Receivers may mitigate by checking other signals (e.g., SMTP recipient, timestamp, ARC chain) or by treating replay as suspicious.
Why It Matters: DKIM replay attacks can allow bad actors to reuse legitimate signed emails from your brand to reach inboxes or lend credibility to phishing. Strong DMARC enforcement at p=reject, combined with BIMI, helps protect your brand’s identity and signals to mailbox providers that you take security seriously.
Technical Details: DKIM only attests to domain and integrity at sign time. No standard mechanism in DKIM for replay prevention; ARC and DMARC policy can help when the replay path differs.
Example: An attacker intercepts a signed promotional email from a Shopify brand and resends it to a different list; DKIM still passes since the signature is valid; DMARC reporting helps the brand detect the misuse, and recipient-level checks may eventually flag the replayed messages.
Related Terms: DKIM, DMARC, Phishing detection, Spoofing
Category: Security · Authentication
Edge Cases: Mailing list forwards and “resend” features can look like replay. Some providers use heuristics (e.g., same message to many new recipients) to detect abuse.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
Short Definition: A DNS-based policy and reporting framework that tells receivers what to do when SPF/DKIM fail or don’t align, and how to send back aggregate and forensic reports.
Detailed Explanation: Domain owners publish a DMARC TXT record at _dmarc.
Why It Matters: Without DMARC, phishers can send emails impersonating your brand, damaging customer trust and hurting your domain reputation with mailbox providers. DMARC at p=quarantine or p=reject is required for BIMI (brand logo in inbox) and is a strong trust signal to Gmail and Yahoo that you are a legitimate sender.
Technical Details: RFC 7489. DNS: _dmarc.<domain> TXT. Tags: p= (policy), rua= (aggregate reports), ruf= (forensic), adkim=/aspf= (alignment), pct= (percentage). Reports are XML (aggregate) or email (forensic).
Example: A DTC brand sets DMARC to p=quarantine; a phisher attempting to spoof their domain has messages quarantined by Gmail and Yahoo; the brand also receives daily DMARC reports showing authentication pass/fail rates across their Klaviyo and transactional email infrastructure.
Related Terms: SPF, DKIM, Alignment, Policy enforcement, BIMI
Category: Authentication
Edge Cases: Third-party senders need to be in SPF and sign with aligned domain. Forwarding can break alignment; ARC helps. Gradual rollout (pct=) is common.
DMARC aggregate report
Short Definition: An XML report sent daily by mailbox providers to the rua address in a DMARC record, showing authentication pass/fail data for all mail claiming your domain, broken down by sending source and IP.
Detailed Explanation: When a domain has a DMARC record with a rua= URI, participating mailbox providers (Gmail, Yahoo, Outlook, and others) send a daily XML report covering every IP that sent mail claiming your domain during that period. Each row shows the source IP, SPF result, DKIM result, DMARC disposition, and message count. InboxEagle parses these reports automatically and surfaces the data in the DMARC monitoring dashboard.
Why It Matters: Without a rua address, you are blind to unauthorized senders — phishers, forgotten marketing tools, or misconfigured services sending on your domain’s behalf. Aggregate reports are the primary data source for discovering unauthorized senders before they damage your domain reputation. Even if you have p=none (no enforcement), you need rua data to understand what is happening and build toward enforcement.
Technical Details: RFC 7489 Section 7.2. Format: gzipped XML. Delivered via email to rua address within 24 hours of the reporting period. Reports cover a 24-hour period. Multiple providers send separate reports; InboxEagle consolidates them.
Example: A Shopify brand adds rua=mailto:dmarc@inboxeagle.com to their DMARC record; InboxEagle begins receiving daily reports from Gmail, Yahoo, and Outlook; after one week, the brand discovers three unknown IP addresses sending mail claiming their domain — two are forgotten transactional services, one is a phishing attempt — and takes action.
Related Terms: DMARC, Alignment, Unauthorized sender, Policy enforcement
Category: Authentication
Edge Cases: Not all providers send DMARC reports; smaller providers may not participate. Reports have a 24-hour inherent delay. Forensic reports (ruf) provide individual message data but are less widely supported.
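The aggregate report format described in this entry, as an added example (not InboxEagle's parser or code from this page): it decompresses a gzipped report with a size cap, refuses DTDs, totals messages per source IP, and lists sources where neither the DKIM nor the SPF result passed DMARC evaluation. The sample report, its domain and its IPs are constructed, and the 10 MB cap is an assumption.

```python
import gzip
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

MAX_XML_BYTES = 10 * 1024 * 1024  # assumed cap on decompressed size

# Constructed sample: domain, report id and IPs (documentation ranges) are placeholders.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<feedback xmlns="http://dmarc.org/dmarc-xml/0.1">
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>yourbrand.example</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.55</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.55</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""
SAMPLE_GZ = gzip.compress(SAMPLE_XML.encode("utf-8"))


def load_report(gz_bytes):
    """Decompress and parse one report; the rua mailbox accepts mail from anyone,
    so the attachment is treated as untrusted input."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        xml_bytes = fh.read(MAX_XML_BYTES + 1)  # never inflate more than the cap
    if len(xml_bytes) > MAX_XML_BYTES:
        raise ValueError("report too large after decompression")
    # Aggregate reports need no DTD; refuse any that declare one
    # (byte-level guard, effective for UTF-8/ASCII input).
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(xml_bytes)
    # Some reporters add an XML namespace, others do not; strip it so the
    # same element paths work for both.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def summarize(root):
    """Aggregate message counts per source IP across all rows."""
    sources = defaultdict(lambda: {"total": 0, "dmarc_fail": 0})
    for row in root.iter("row"):
        ip = (row.findtext("source_ip") or "unknown").strip()
        try:
            count = int(row.findtext("count") or 0)
        except ValueError:
            continue  # malformed count: skip the row rather than guess
        if count <= 0:
            continue
        dkim = (row.findtext("policy_evaluated/dkim") or "fail").strip().lower()
        spf = (row.findtext("policy_evaluated/spf") or "fail").strip().lower()
        sources[ip]["total"] += count
        # policy_evaluated holds the alignment-aware results; DMARC passes
        # when either one is "pass".
        if dkim != "pass" and spf != "pass":
            sources[ip]["dmarc_fail"] += count
    return {
        "domain": (root.findtext("policy_published/domain") or "").strip(),
        "policy": (root.findtext("policy_published/p") or "").strip(),
        "sources": dict(sources),
    }


def failing_sources(summary):
    """Source IPs with DMARC-failing mail, highest failing volume first."""
    failing = [(ip, s["dmarc_fail"]) for ip, s in summary["sources"].items()
               if s["dmarc_fail"] > 0]
    return sorted(failing, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    report = summarize(load_report(SAMPLE_GZ))
    print(report["domain"], "p=" + report["policy"])
    for ip, failed in failing_sources(report):
        print(ip, "sent", failed, "messages that failed DMARC")
```

A source that appears in the failing list is either a legitimate service that still needs SPF or aligned DKIM set up, or an unauthorized sender; the report alone does not say which.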
DNS propagation
Short Definition: The time it takes for new or updated DNS records to propagate globally so that resolvers worldwide return the new values.
Detailed Explanation: When you add or change a DNS record (e.g., SPF, DKIM, DMARC), authoritative servers update immediately, but recursive resolvers and caches may still serve old data until TTL expires. Propagation can take minutes to 48+ hours depending on TTL and topology.
Why It Matters: After updating your SPF, DKIM, or DMARC DNS records, it can take minutes to 48 hours before all mailbox providers see the change. Testing authentication too soon after a DNS change will give false failures. Plan DNS updates at least 48 hours before a major send, and lower your TTL beforehand to speed up propagation.
Technical Details: TTL (Time To Live) in seconds on DNS records controls cache duration. Global propagation depends on each resolver’s cache. Tools (e.g., DNS checker) query from multiple locations.
Example: A Shopify brand updates their DKIM selector before a Black Friday campaign; Gmail sees the new record within 30 minutes, but Yahoo still returns NXDOMAIN for 6 hours; they should have made the change 48 hours earlier to avoid authentication failures during the campaign.
Related Terms: SPF, DKIM, DMARC, Subdomain delegation
Category: Infrastructure · Authentication
Edge Cases: Some networks use very long caches or stale data. DNSSEC can add validation delay. Geographic and provider differences cause uneven propagation.
Domain age signals
Short Definition: The use of domain registration age or history as a factor in spam and reputation scoring by filters and mailbox providers.
Detailed Explanation: Newly registered domains (e.g., days or weeks old) may be treated with more suspicion than domains that have been active for years. Age can be combined with other signals (volume, authentication, content) to reduce risk from throwaway or phishing domains.
Why It Matters: New sending domains (or subdomains) need time to build trust with mailbox providers. If you launch a new Shopify store or rebrand and switch sending domains, expect inbox placement to be lower initially. Combine domain age with strong authentication and a proper warmup strategy to build reputation faster.
Technical Details: WHOIS or RDAP for registration date; some providers use internal history. No standard; used heuristically.
Example: A new DTC brand launches and starts sending from a freshly registered mail.newbrand.com; Gmail treats the subdomain with caution and routes some emails to Promotions initially; after 4–6 weeks of consistent sending, low complaints, and strong authentication, inbox placement improves.
Related Terms: Domain reputation, Warmup, Phishing detection
Category: Reputation · Security
Edge Cases: Domains can change ownership; age alone is not sufficient. Subdomains may inherit or not inherit parent age signals.
Domain impersonation
Short Definition: The practice of sending email that appears to be from a trusted brand or entity (e.g., similar-looking domain or display name) to deceive recipients.
Detailed Explanation: Impersonation can use lookalike domains (e.g., paypa1.com), homographs, or spoofed display names. Receivers use authentication (DMARC, SPF, DKIM), domain reputation, and content analysis to detect and block impersonation.
Why It Matters: Phishers impersonating your brand damage customer trust, increase spam complaints against your domain, and can harm your sender reputation. Setting DMARC to p=reject prevents phishers from spoofing your exact domain in the From address, and BIMI provides a visual trust signal that distinguishes your legitimate emails from fakes.
Technical Details: DMARC fails for unauthorized use of your domain. Display-name spoofing is not fully solved by DMARC (From header can show fake name). BIMI plus VMC shows verified logo.
Example: A scammer sends emails with the display name “YourBrand Support” from a lookalike domain; customers are tricked into giving credentials; DMARC can’t stop the lookalike domain but p=reject on your real domain prevents spoofing your actual address. Phishing reports can also hurt your domain’s reputation indirectly.
Related Terms: Spoofing, Phishing detection, DMARC, BIMI
Category: Security
Edge Cases: Internationalized domain names (IDN) can look identical to ASCII. Display name spoofing remains a problem. Brand monitoring and takedown complement technical controls.
Domain reputation
Short Definition: The reputation score or tier assigned to a sending domain by mailbox providers and filters, based on historical engagement, complaints, bounces, and authentication.
Detailed Explanation: Receivers track domains (often the visible From domain or the organizational domain) and assign reputation from signals such as spam complaints, bounces, engagement (opens/clicks), list hygiene, and authentication. High reputation improves inbox placement; low reputation leads to spam or blocks.
Why It Matters: Domain reputation is often more important than IP reputation for Gmail and Yahoo. For Shopify brands, your sending domain (e.g., mail.yourbrand.com) builds trust with each mailbox provider based on engagement, complaint rate, and authentication. Poor domain reputation means even well-crafted campaigns land in spam.
Technical Details: Proprietary algorithms per provider (e.g., Gmail Postmaster Tools shows domain reputation). Signals include authentication, volume, complaint rate, bounce rate, and engagement. Google Postmaster Tools and InboxEagle help monitor it.
Example: A DTC brand moves their promotional sends to a new subdomain promo.yourbrand.com; Gmail treats it with caution initially — Promotions or Spam placement — until positive engagement signals (opens, clicks, low complaints) build reputation over several weeks.
Related Terms: IP reputation, Reputation, Inbox placement, Gmail Postmaster Tools
Category: Reputation
Edge Cases: Subdomains can have different reputation than parent. Brand new domains start neutral or negative. Reputation can be segment-specific (e.g., B2B vs. consumer).
Feedback loop (FBL)
Short Definition: A mechanism by which mailbox providers notify senders when users mark their mail as spam, so senders can suppress complainers and improve practices.
Detailed Explanation: FBLs are typically automated: when a user clicks “spam,” the provider sends a message (often ARF format) to the sender’s registered FBL address. The sender parses it and adds the recipient to a suppression list or reduces sending to that segment.
Why It Matters: FBLs are how Yahoo and other providers tell you when subscribers mark your email as spam. Processing these reports and suppressing complainers is essential — sustained high complaint rates lead to your emails being filtered at the provider level, killing the deliverability of your entire email program. Most ESPs handle FBL enrollment automatically.
Technical Details: ARF (Abuse Reporting Format), RFC 5965. FBL registration is per domain (e.g., via provider’s postmaster page). Message contains original headers and recipient; sender must identify the user and suppress.
Example: A Shopify brand’s Yahoo subscribers mark a re-engagement campaign as spam; Yahoo sends FBL complaint reports to the brand’s ESP; Klaviyo automatically suppresses those contacts from future sends, protecting the brand’s complaint rate and deliverability.
Related Terms: Complaint rate, Suppression list, Reputation, Bounce processing
Category: Infrastructure · Reputation
Edge Cases: Not all providers offer FBLs; some require whitelisting. Multiple complaints from same user may generate multiple FBL messages. Parsing and matching to internal IDs can be complex.
Forwarding
Short Definition: Delivering an email to a different address than the original recipient (e.g., user forwards from Gmail to Yahoo, or uses an alias).
Detailed Explanation: When mail is forwarded, the next hop may see a different envelope sender (Return-Path) or modified headers. SPF can fail (forwarder’s IP), and DKIM may still pass. ARC was designed to preserve authentication across forwards.
Why It Matters: When customers forward your emails, the original authentication can break — potentially causing your brand’s message to land in the recipient’s spam. ARC helps preserve trust through forwarding hops, reducing false spam classification of legitimately forwarded email.
Technical Details: SMTP forwarding changes MAIL FROM; SRS (Sender Rewriting Scheme) preserves original sender in Return-Path. DKIM is unchanged unless the forwarder modifies the body or signed headers.
Example: A customer forwards your promotional email from their Gmail to a colleague’s Yahoo account; Yahoo sees SPF fail because Gmail’s IPs sent the message, but Gmail included an ARC seal; Yahoo accepts the email based on the ARC chain rather than rejecting it.
Related Terms: ARC, SPF, DKIM, Alignment
Category: Infrastructure · Authentication
Edge Cases: Multiple hops compound the problem. Mailing lists often break both SPF and DKIM. Some forwarders strip or modify content.
False click
Short Definition: A click event recorded in email analytics that is not a genuine human click (e.g., from a scanner, prefetcher, or bot).
Detailed Explanation: False clicks are generated by Apple MPP, corporate link scanners, security sandboxes, crawlers, and other automated systems that follow tracking links. They inflate CTR and can mislead optimization and conversion attribution.
Why It Matters: False clicks inflate your CTR and trigger Klaviyo flows for subscribers who never actually clicked — misfiring abandoned cart sequences, post-purchase upsells, and re-engagement campaigns. Accurate click data is foundational to email attribution and revenue measurement for e-commerce brands.
Technical Details: Detected by IP (vendor ranges), user-agent, time-to-click (e.g., within seconds of delivery), and behavioral clustering. Machine learning or rule-based classifiers assign bot/suspicious/human verdicts.
Example: A Shopify brand’s Black Friday campaign shows 8% CTR in Klaviyo; InboxEagle Bot Finder filtering shows that 6 percentage points of that CTR come from Proofpoint scanners and Apple MPP proxies; true human CTR is 2%, which changes how they evaluate campaign success and optimise future sends.
Related Terms: Bot Finder, Sandbox click, Prefetching, Human click verification
Category: Bot Detection · Analytics
Edge Cases: Some real users are behind the same IP as a scanner (e.g., corporate). Time-to-click and conversion follow-through help separate human from bot.
Gmail Postmaster Tools
Short Definition: Google’s free service that provides senders with domain and IP reputation, spam rate, authentication results, and delivery errors for mail sent to Gmail.
Detailed Explanation: Senders verify domain ownership and add DNS records; Google then surfaces dashboards for reputation (High/Medium/Low/Bad), user-reported spam rate, domain and IP authentication, encryption (TLS), and delivery errors. Data is aggregated and delayed (e.g., daily).
Why It Matters: Gmail is typically the largest mailbox provider for any e-commerce brand. Postmaster Tools gives you Gmail’s view of your domain reputation, spam rate, and authentication pass rates — the signals Gmail actually uses to decide inbox vs. spam. InboxEagle surfaces this data alongside your other deliverability metrics so you can act on it without switching tools.
Technical Details: Verification via DNS (TXT or CNAME) or HTML file. API and UI show time-series and breakdowns. Reputation is per domain; IP reputation is also shown where applicable.
Example: A Shopify brand sees “Low” domain reputation in Google Postmaster after a broad re-engagement campaign; they clean their list, strengthen DMARC, and reduce complaint rate; over 6 weeks, Gmail domain reputation rises to “High” and inbox placement for their abandoned cart flows improves significantly.
Related Terms: Domain reputation, IP reputation, Spam rate, Authentication
Category: Reputation · Deliverability
Edge Cases: Data is aggregated and not real-time. Some senders use multiple domains; each must be verified. International and consumer vs. workspace data may differ.
Greylisting
Short Definition: A technique where a receiver temporarily rejects mail (4xx) with a “try again later” response, expecting legitimate MTAs to retry and thus filtering out many spam bots that don’t retry.
Detailed Explanation: The receiver stores the triplet (sender IP, envelope from, recipient) and rejects the first attempt. On retry (typically minutes later), the receiver accepts. Many spam sources do not retry; legitimate MTAs do, so greylisting reduces spam with minimal false positives.
Why It Matters: Greylisting causes a short delay in email delivery — typically a few minutes — on first contact. For e-commerce brands, this is rarely a problem since major ESPs (Klaviyo, Omnisend) automatically retry. However, time-sensitive emails (order confirmations, abandoned cart triggers) may arrive slightly later than expected due to greylisting.
Technical Details: SMTP 4xx (e.g., 451) on first attempt; 2xx on retry. Retry window varies (minutes to hours). Some receivers use greylisting only for unknown senders.
Example: A transactional order confirmation email from a new sending IP hits a greylisting server; the first attempt returns a 451 temporary error; Klaviyo’s MTA retries after 5 minutes; the second attempt is accepted and the customer receives their order confirmation slightly delayed.
Related Terms: Retry logic, MTA, Soft bounce, Queueing
Category: Anti-Spam · Infrastructure
Edge Cases: Greylisting can delay time-sensitive mail. Some implementations whitelist after first successful delivery. Not all receivers use greylisting.
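The triplet logic described in this entry, as an added example (not code from this page or from any particular MTA): the first attempt gets a 451, a retry after a minimum delay gets a 250, and a triplet that has passed once is accepted directly afterwards. The delay, retry window and whitelist lifetime are assumed values, and keying IPv4 senders on their /24 is an assumed design choice so that a retry from a neighbouring pool address still matches. Addresses are constructed.

```python
import ipaddress


class Greylist:
    """In-memory greylist keyed on (sender IP, envelope from, recipient)."""

    def __init__(self, min_delay=300, retry_window=4 * 3600,
                 pass_ttl=35 * 86400, by_subnet=True):
        self.min_delay = min_delay        # seconds a sender must wait before retrying
        self.retry_window = retry_window  # a retry later than this counts as a new first attempt
        self.pass_ttl = pass_ttl          # how long a passed triplet stays whitelisted
        self.by_subnet = by_subnet
        self.pending = {}                 # triplet -> time of first attempt
        self.passed = {}                  # triplet -> time of last accepted delivery

    def _key(self, ip, mail_from, rcpt):
        addr = ipaddress.ip_address(ip)   # raises ValueError on a malformed address
        if self.by_subnet and addr.version == 4:
            # Sending pools often retry from a neighbouring address.
            net = ipaddress.ip_network(f"{addr}/24", strict=False)
            ip_part = str(net.network_address)
        else:
            ip_part = str(addr)           # IPv6 is keyed on the full address here
        # Lower-casing both addresses is a simplification for matching.
        return (ip_part, mail_from.lower(), rcpt.lower())

    def check(self, ip, mail_from, rcpt, now):
        """Return the SMTP reply code for this delivery attempt: 451 or 250."""
        key = self._key(ip, mail_from, rcpt)

        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= self.pass_ttl:
            self.passed[key] = now        # known-good triplet: accept, refresh
            return 250

        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.retry_window:
            self.pending[key] = now       # first contact, or the old attempt expired
            return 451
        if now - first_seen < self.min_delay:
            return 451                    # retried too quickly; keep the original timestamp
        del self.pending[key]
        self.passed[key] = now            # legitimate retry: accept and whitelist
        return 250


if __name__ == "__main__":
    gl = Greylist()
    triplet = ("192.0.2.25", "bounce@esp.example", "buyer@corp.example")
    for t in (0, 60, 300, 1000):
        print(t, gl.check(*triplet, now=t))
```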
Hard bounce
Short Definition: A permanent delivery failure (e.g., recipient address does not exist, domain does not exist) that should result in the address being removed from the list.
Detailed Explanation: Hard bounces are indicated by SMTP 5xx responses or DSN with permanent failure codes (e.g., 5.1.1 user unknown). The address is invalid and should be suppressed immediately to protect reputation and avoid wasting sends.
Why It Matters: Sending repeatedly to hard-bounced addresses tells Gmail and Yahoo your list is dirty — leading to reputation damage and spam filtering across your whole program. Most ESPs (Klaviyo, Omnisend) auto-suppress hard bounces, but if you import external lists or have old segments, check for bounced addresses before sending.
Technical Details: RFC 3463 enhanced status codes: 5.1.1 (bad destination mailbox), 5.1.2 (mailbox disabled), 5.2.1 (mailbox full; can be soft in some systems). DSN with Action=failed.
Example: A Shopify brand imports an old customer list from a previous platform; several addresses bounce with 5.1.1 “address not found” errors; Klaviyo suppresses them automatically, but the spike in bounce rate on the first send signals the need to warm up more gradually with a new or re-imported list.
Related Terms: Soft bounce, Bounce processing, Suppression list, Bounce rate
Category: Infrastructure · Deliverability
Edge Cases: Some receivers use 4xx for temporary failures that look like hard bounces. Greylisting sends 4xx; retry later. Misconfigured DSN can misclassify.
Heuristic filtering
Short Definition: Spam filtering based on rules and weighted signals (e.g., keywords, header patterns, structure) rather than pure statistical or ML models.
Detailed Explanation: Heuristic filters use a set of rules that assign positive or negative scores to features (e.g., “FREE” in subject, suspicious URL pattern, missing Reply-To). The total score is compared to a threshold. Rules are often hand-tuned and updated in response to new spam trends.
Why It Matters: Heuristic filters score your emails based on detectable patterns — subject line words, link structures, HTML formatting. For Shopify brands, this means your promotional copy choices and email template design directly affect spam scores. Testing emails with tools like Mail-Tester before major campaigns helps catch high-scoring patterns.
Technical Details: Implemented in filters like SpamAssassin (rules in config); each rule has a score. Combined score above threshold = spam. Rules can target headers, body, MIME structure.
Example: A store’s promotional email uses “FREE” in the subject and “Click Here” in the body CTA button; heuristic rules add +2 and +1.5 to the spam score; replacing “FREE” with “Complimentary” and “Click Here” with “Shop the sale” reduces the score and keeps the email below the spam threshold.
Related Terms: Content filtering, Bayesian filtering, SpamAssassin, Reputation filtering
Category: Anti-Spam
Edge Cases: Legitimate marketing can trigger heuristic rules. Rule sets vary by vendor; one provider’s pass can be another’s fail. Evasion (obfuscation) can reduce heuristic scores but may trigger other filters.
Human click verification
Short Definition: The process or technology used to confirm that a click (or open) was initiated by a human rather than a bot, scanner, or proxy.
Detailed Explanation: Human verification uses signals such as time-to-click, IP reputation, user-agent, behavioral patterns, and sometimes conversion follow-through. Bot Finder scores each event and labels it BOT, SUSPICIOUS, or HUMAN.
Why It Matters: Human-verified click data is the foundation of accurate email ROI for e-commerce brands. When you base Klaviyo segment logic, A/B test results, and flow triggers on verified human clicks rather than scanner traffic, your decisions are grounded in real subscriber behavior — improving campaign performance and automation accuracy.
Technical Details: Implemented in analytics or deliverability pipelines. Combines time-to-click analysis, user-agent fingerprinting, IP allow/block lists, and optional ML.
Example: InboxEagle Bot Finder analyses each click event: a click arriving 4 minutes after delivery from a residential IP with a Chrome user-agent is classified HUMAN; a click arriving 3 seconds after delivery from a Proofpoint IP is classified BOT — keeping your Klaviyo click data clean.
Related Terms: Bot Finder, Time-to-click analysis, Bot detection, User-agent fingerprinting
Category: Bot Detection · Analytics
Edge Cases: Power users may click very fast; some humans share IP with scanners. Verification is probabilistic, not absolute.
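A rule-based version of the signals named in the False click and Human click verification entries, as an added example (not InboxEagle Bot Finder's algorithm or code from this page): it scores time-to-click, source IP range, user-agent, multi-link bursts and conversion follow-through, then labels each click BOT, SUSPICIOUS or HUMAN. The weights, thresholds, scanner range (a documentation block, not a real vendor range) and click events are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder scanner range (RFC 5737 documentation block), NOT a real vendor range.
SCANNER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
AUTOMATION_UA_MARKERS = ("python-requests", "curl/", "headlesschrome")
FAST_SECONDS = 10   # assumed: a click this soon after delivery is unusual for a person
BURST_WINDOW = 2    # assumed: seconds within which clicks count as one burst
BURST_LINKS = 3     # assumed: distinct links in one burst that suggest a scanner

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")


@dataclass(frozen=True)
class Click:
    recipient: str
    link_id: str
    ip: str
    user_agent: str
    delivered_at: float   # seconds, same clock as clicked_at
    clicked_at: float
    converted: bool = False   # e.g. an add-to-cart or order followed the click


def classify(click, campaign_clicks):
    """Return (label, reasons) for one click, given all clicks of the campaign."""
    score, reasons = 0, []
    addr = ipaddress.ip_address(click.ip)
    if any(addr in net for net in SCANNER_NETS):
        score += 3
        reasons.append("scanner_ip")
    if click.clicked_at - click.delivered_at < FAST_SECONDS:
        score += 2
        reasons.append("fast_click")
    ua = click.user_agent.strip().lower()
    if not ua or any(marker in ua for marker in AUTOMATION_UA_MARKERS):
        score += 2
        reasons.append("automation_ua")
    # Behavioural clustering: scanners tend to follow every link in a message at once.
    burst = {c.link_id for c in campaign_clicks
             if c.recipient == click.recipient
             and abs(c.clicked_at - click.clicked_at) <= BURST_WINDOW}
    if len(burst) >= BURST_LINKS:
        score += 2
        reasons.append("link_burst")
    if click.converted:
        score -= 3   # follow-through outweighs a shared or gateway IP
        reasons.append("converted")
    if score >= 4:
        return "BOT", reasons
    if score >= 2:
        return "SUSPICIOUS", reasons
    return "HUMAN", reasons


# Constructed events covering the entry's example and its edge cases.
SAMPLE_CLICKS = [
    Click("a@shop.example", "l1", "203.0.113.20", CHROME_UA, 0, 240),       # 4 minutes, residential
    Click("b@corp.example", "l1", "198.51.100.14", CHROME_UA, 0, 3.0),      # gateway follows all links
    Click("b@corp.example", "l2", "198.51.100.14", CHROME_UA, 0, 3.4),
    Click("b@corp.example", "l3", "198.51.100.14", CHROME_UA, 0, 3.9),
    Click("c@shop.example", "l1", "203.0.113.77", CHROME_UA, 0, 6),         # fast human
    Click("d@corp.example", "l2", "198.51.100.30", CHROME_UA, 0, 600, True),  # buyer behind gateway IP
    Click("e@corp.example", "l1", "198.51.100.31", CHROME_UA, 0, 600),      # same, no conversion
]


def label_all(clicks):
    return [classify(c, clicks)[0] for c in clicks]


if __name__ == "__main__":
    for c in SAMPLE_CLICKS:
        print(c.recipient, c.link_id, *classify(c, SAMPLE_CLICKS))
```

The fast human and the unconverted click from a gateway IP both come out SUSPICIOUS rather than BOT, which is the probabilistic middle ground the edge cases above describe.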
Image proxying
Short Definition: The practice of a mailbox provider or privacy service fetching images in emails through their own servers and serving them to the user, often to hide the user’s IP and load images in a controlled way.
Detailed Explanation: When an email contains an image (e.g., tracking pixel), the client or provider may request the image via a proxy URL. The request comes from the provider’s IP, not the user’s, and may occur when the message is received (e.g., Apple MPP) or when the user opens. This affects open tracking and privacy.
Why It Matters: Image proxying is the mechanism behind inflated open rates. Apple MPP, Gmail Image Proxy, and corporate security tools all load your tracking pixel through a proxy — triggering an “open” before the subscriber has seen your email. For Shopify brands, this means open-rate-based Klaviyo segments and flow triggers are working off inflated numbers without bot filtering.
Technical Details: HTTP request to image URL from proxy IP; user-agent may identify the proxy (e.g., Apple). Tracking pixels are 1x1 images; load = “open” in sender analytics.
Example: A Shopify brand sends a new collection email to 50k subscribers; Apple MPP immediately loads images for all Apple Mail recipients, firing the open pixel for each one; the apparent open rate jumps to 61%, but InboxEagle Bot Finder shows only 26% are real human opens.
Related Terms: Open tracking, Pixel tracking, Apple Mail Privacy Protection, Prefetching
Category: Analytics · Bot Detection
Edge Cases: Some proxies strip or modify images; some clients block images by default. Multiple proxies (e.g., corporate + Apple) can cause multiple “opens” per recipient.
Inbox placement
Short Definition: The folder or tab where an email lands (inbox, promotions, social, spam, or block) at a given mailbox provider.
Detailed Explanation: Inbox placement is the outcome of filtering and reputation: the same message may go to inbox for one provider and spam for another. Placement is often measured by seed testing or provider-reported metrics (e.g., Gmail Postmaster). InboxEagle helps monitor placement by brand and domain.
Why It Matters: If your abandoned cart flows or promotional campaigns land in the Promotions tab or spam folder instead of the inbox, most customers never see them. Every percentage point of inbox placement improvement is direct revenue. InboxEagle monitors placement per domain and mailbox provider so you can spot and fix issues before they compound.
Technical Details: No single protocol; measured via panel/seed tests or provider APIs. Gmail has Primary, Promotions, Social; others use inbox vs. junk vs. block.
Example: After fixing DMARC and reducing complaint rate, a Shopify store’s Gmail placement shifts from 70% Promotions / 20% Spam to 85% Primary / 15% Promotions — dramatically improving open and click rates across all automated flows.
Related Terms: Deliverability, Domain reputation, Spam folder, Seed testing
Category: Deliverability
Edge Cases: Placement can vary by user (engagement, filters). B2B and consumer receivers behave differently. B2B gateways may block before inbox.
Inbox placement test
Short Definition: An on-demand test that sends a campaign to a panel of seed mailboxes and reports where it landed — inbox, promotions, or spam — at each mailbox provider, usually within minutes.
Detailed Explanation: Also called seed list testing. The tester sends their email using their normal sending infrastructure to a set of real mailboxes maintained by a deliverability monitoring service (the seed list). The service checks each mailbox and reports placement per provider. Unlike ongoing monitoring (which uses real subscriber data over time), seed testing is triggered on demand and returns results quickly — typically under 5 minutes. InboxEagle’s inbox placement testing tool covers 20+ email providers including Gmail, Outlook, and Yahoo.
Why It Matters: Seed testing lets you catch a spam folder problem before your real subscribers encounter it. Running a seed test before a major campaign — a flash sale, a Black Friday promotion, a re-engagement series — gives you the chance to fix authentication or content issues before revenue is on the line.
Technical Details: Results depend on the seed panel composition and the sending infrastructure used. Must send from the same IP, domain, and configuration as production sends. Results are point-in-time; ongoing placement may vary from a single test.
Example: Before a Black Friday campaign, a Shopify brand runs an InboxEagle placement test; results show 94% Gmail inbox, 82% Yahoo inbox, and 68% Outlook inbox; the lower Outlook rate prompts them to check IP reputation for Outlook, finding a soft reputation signal they address before sending to their full list.
Related Terms: Inbox placement, Seed list, Deliverability, Domain reputation
Category: Deliverability Testing
Edge Cases: A clean seed test does not guarantee clean placement for your real list — reputation signals from real subscriber behavior may differ from the seed panel. Test from the exact same sending infrastructure as production sends.
IP reputation
Short Definition: The reputation score or tier assigned to a sending IP address by mailbox providers and blocklists, based on sending history, complaints, bounces, and list quality.
Detailed Explanation: Receivers track sending IPs and assign reputation from signals such as volume, complaint rate, bounce rate, authentication, and blocklist status. Shared IPs pool reputation with other senders; dedicated IPs isolate your reputation but require warmup.
Why It Matters: Poor IP reputation leads to throttling, spam folding, or blocking by mailbox providers. Stores on shared IPs (as with most ESPs) share reputation with other senders on the same pool. Dedicated IPs isolate your reputation but require a gradual warmup period before sending at full volume.
Technical Details: Proprietary per provider. Gmail Postmaster Tools and Microsoft SNDS show IP reputation where available. Blocklists (e.g., Spamhaus) also affect IP reputation.
Example: A Shopify brand moves to a dedicated sending IP; after a six-week warmup at increasing volumes — starting with their most engaged recent buyers — IP reputation rises from neutral to high and Gmail inbox placement improves from 65% to 91%.
Related Terms: Domain reputation, Warmup, Blocklist, Dedicated IP
Category: Reputation
Edge Cases: Shared IPs can be hurt by one bad sender. NAT and pools may share reputation across many internal IPs. IPv6 reputation may be separate from IPv4.
Key rotation
Short Definition: The practice of periodically changing DKIM signing keys (and updating DNS) to limit the impact of key compromise and align with security best practices.
Detailed Explanation: DKIM private keys are stored on the MTA or signing service; if compromised, an attacker could sign mail as the domain. Rotating to a new key pair and publishing the new public key in DNS (often with a new selector) limits the window of abuse. Old selector can be kept for a transition period.
Why It Matters: Rotating DKIM keys reduces the risk of key compromise and keeps your authentication secure. For most Shopify brands this is handled by your ESP — but if you manage your own DKIM keys, coordinate key rotation with DNS propagation carefully. A badly timed rotation can break DKIM and cause emails to land in spam during the transition window.
Technical Details: Generate new key pair; publish new selector._domainkey.
Example: A brand rotates their DKIM key: they publish the new selector (s2) in DNS, wait 48 hours for propagation, then update their ESP to sign with s2; after confirming the new key works, they remove the old s1 selector — avoiding any authentication gap during the transition.
Related Terms: DKIM, DNS propagation, Authentication
Category: Authentication · Security
Edge Cases: Too-short overlap can cause verification failures for in-flight mail. Some receivers cache keys; TTL affects how quickly they see the new key.
Link wrapping
Short Definition: The technique of replacing original URLs in an email with tracking redirect URLs that log the click and then send the user to the final destination.
Detailed Explanation: Each link is rewritten to point to a tracking server (e.g., click.esp.com/xxx). When the link is requested (by human or bot), the server records the event and issues an HTTP redirect to the real URL. This enables click analytics and per-link reporting.
Why It Matters: Link wrapping enables click tracking in all your Klaviyo campaigns and flows — it’s how open, click, and conversion data is captured. The same mechanism also captures bot scanner clicks, inflating your CTR. Using InboxEagle Bot Finder alongside your ESP’s click tracking gives you both: full tracking capability and accurate human-only engagement data.
Technical Details: Typically 302 redirect; tracking domain must resolve and support HTTPS. Original URL encoded in path or query. Link wrapping is synonymous with click-tracking URL rewriting.
Example: A Shopify product link (https://yourbrand.com/products/summer-tee) is wrapped by Klaviyo as a tracking URL; every click (human or bot) is logged and attributed; InboxEagle Bot Finder then classifies each click event so your Klaviyo reports reflect real customer clicks.
Related Terms: Click tracking, Bot Finder, Microsoft Safe Links, Mimecast link rewriting
Category: Analytics · Infrastructure
Edge Cases: Some clients or proxies don’t follow redirects. Corporate link scanners fetch wrapped links and generate bot clicks. Privacy tools may strip or alter redirects.
List hygiene
Short Definition: The practice of keeping the email list clean by removing bounces, complainers, inactive addresses, and invalid or risky entries to protect reputation and deliverability.
Detailed Explanation: List hygiene includes processing bounces (hard and soft), FBL complaints, and unsubscribes; removing role addresses and traps where appropriate; and periodically re-engaging or pruning inactive subscribers. Clean lists have lower bounce and complaint rates.
Why It Matters: Poor list hygiene is the most common cause of deliverability problems for e-commerce brands. Sending to old, purchased, or unengaged lists leads to high bounce rates, spam complaints, and spam trap hits — all of which damage your domain reputation and reduce inbox placement across your entire email program, including automated flows.
Technical Details: Suppression lists (do not mail); bounce and FBL parsing; engagement scoring; sunset policies. Implemented in ESP or CRM.
Example: A Shopify brand runs quarterly list hygiene: suppresses all hard bounces, removes subscribers with no engagement in 12 months (or runs a sunset campaign first), and switches new signups to double opt-in; bounce rate drops from 3.1% to 0.8% and complaint rate improves noticeably.
Related Terms: Suppression list, Bounce processing, Spam trap, Double opt-in
Category: Deliverability · Email Marketing
Edge Cases: Over-aggressive pruning can shrink list; balance with re-engagement. Different segments may need different rules.
MTA (Mail Transfer Agent)
Short Definition: Software or service that sends and receives email by speaking SMTP; it queues messages, retries, and hands off to the next hop or final delivery agent.
Detailed Explanation: An MTA accepts mail from users or other MTAs, applies policy (relay, filter), and delivers to the next MTA or to a mailbox (MDA). Examples include Postfix, SendGrid, Amazon SES. MTAs implement queueing, retry logic, and bounce handling.
Why It Matters: For most Shopify brands, the MTA is managed by your ESP (Klaviyo, Omnisend, Mailgun) — you don’t configure it directly. But understanding MTA behavior helps you interpret bounce error codes, diagnose delivery delays, and understand why some emails retry while others are permanently rejected.
Technical Details: SMTP (RFC 5321); queue directories or cloud queues; DSN for bounces. MTA-STS and TLS ensure encryption in transit.
Example: A Klaviyo campaign sends 100k emails; Klaviyo’s MTA resolves each recipient’s MX record, connects with TLS, and delivers; for Gmail addresses that return a 421 (too many connections), the MTA retries after a few minutes automatically — no action needed from the store owner.
Related Terms: SMTP, Queueing, Retry logic, Bounce processing, MTA-STS
Category: Infrastructure
Edge Cases: Greylisting requires MTA retry. Rate limiting may trigger 4xx; backoff must be appropriate. Multiple MTAs in a path (e.g., gateway) complicate debugging.
MTA-STS (Mail Transfer Agent Strict Transport Security)
Short Definition: A standard that allows domain owners to declare that MTAs must use TLS when delivering mail to their servers, and to specify MX hostnames that support TLS.
Detailed Explanation: Domain owners publish a policy (via HTTPS at mta-sts.
Why It Matters: MTA-STS ensures emails sent to your domain are always encrypted in transit, protecting your customers’ data. For most e-commerce brands, this is configured by your email host or IT team — but awareness matters since some providers reject mail that fails MTA-STS enforcement.
Technical Details: RFC 8461. HTTPS: mta-sts.
Example: A customer’s email server has MTA-STS enabled; when your ESP tries to deliver to that address, it checks the MTA-STS policy, verifies TLS, and delivers securely — or fails delivery if TLS cannot be established, rather than falling back to an unencrypted connection.
Related Terms: TLS, SMTP, MX record, Infrastructure
Category: Infrastructure · Security
Edge Cases: Policy fetch failure can block mail if mode is enforce. Certificate validity and hostname matching are required. Testing mode allows monitoring without enforcing.
Mimecast link rewriting
Short Definition: Mimecast’s security feature that rewrites URLs in incoming email to route clicks through Mimecast’s infrastructure for threat checking before redirecting the user.
Detailed Explanation: Like Microsoft Safe Links and Proofpoint, Mimecast rewrites links so that when the user clicks, the request goes to Mimecast first. Mimecast may check the destination for malware or phishing and then redirect. The initial request is logged by the sender as a “click” but is not a direct human click to the final URL.
Why It Matters: If you send to B2B subscribers protected by Mimecast, their security system rewrites and prefetches your tracked links — generating apparent clicks in Klaviyo that are scanner activity, not real customer interest. InboxEagle Bot Finder identifies Mimecast traffic so your click and conversion data reflects real buyer engagement.
Technical Details: Links rewritten at delivery; click goes to Mimecast domain; redirect after check. Requests from Mimecast IP ranges; identifiable by URL pattern and timing.
Example: A DTC brand sends a B2B wholesale offer to corporate buyers; Mimecast rewrites their Klaviyo tracking links and prefetches them; the brand sees a spike in “clicks” seconds after delivery; Bot Finder classifies these as Mimecast scanner traffic, leaving only genuine buyer clicks in the stats.
Related Terms: Microsoft Safe Links, Proofpoint click scanning, Corporate email gateway, Bot Finder
Category: Security · Bot Detection
Edge Cases: Policy may vary by organization. Some links may not be rewritten (e.g., whitelisted domains).
Microsoft Safe Links
Short Definition: A Microsoft 365 feature that rewrites URLs in emails to point through Microsoft’s proxy; when the user clicks, Microsoft checks the target URL for threats before redirecting.
Detailed Explanation: Safe Links replaces links in incoming mail with URLs that point to Microsoft’s service. On click, Microsoft evaluates the destination (e.g., malware, phishing) and may block or allow. The click request comes from Microsoft’s infrastructure, so it appears as a “click” in the sender’s analytics but is not necessarily a human click.
Why It Matters: Microsoft Safe Links generates click events on your tracked links for every email delivered to Outlook/Microsoft 365 users — instantly inflating your CTR with scanner activity. For Shopify brands with B2B customers or customers on Microsoft email, Safe Links can be a significant source of false clicks.
Technical Details: Link rewriting at delivery time; click goes to Microsoft; redirect to final URL after check. Requests from Microsoft IP ranges; identifiable by URL pattern or user-agent in some flows.
Example: A Shopify brand sends a campaign to 20k subscribers, many on Microsoft 365; Safe Links scans every link immediately after delivery; the brand sees hundreds of near-instant “clicks” from Microsoft IP ranges; Bot Finder classifies these as bot activity, revealing the true human CTR.
Related Terms: Automated link scanner, Link wrapping, Bot Finder, Corporate email gateway
Category: Security · Bot Detection
Edge Cases: Different Microsoft products (O365, Defender) may apply Safe Links differently. Time-to-click and IP can help distinguish from human clicks.
Open tracking
Short Definition: The practice of embedding a tracking pixel (typically a 1x1 image) in emails so that when the image is loaded, the sender records an “open” event for that recipient.
Detailed Explanation: The tracking server hosts a unique image URL per recipient/campaign. When the client (or a proxy) loads the image, the HTTP request is logged as an open. Opens are not reliable as a proxy for “read” because many clients block images, and privacy features (e.g., Apple MPP) preload images.
Why It Matters: Open rate is heavily inflated by Apple MPP and corporate security scanners — for e-commerce brands using Klaviyo or Omnisend, your reported open rate may significantly overstate real engagement, especially for Apple Mail users. Bot Finder separates automated opens from real ones so your metrics and segments reflect actual subscriber behavior.
Technical Details: <img src="https://track.domain.com/o/xxx" />; server logs request; may set cookie. Image often 1x1 transparent GIF. Load can come from user or proxy (e.g., Apple).
Example: A Shopify store’s Klaviyo dashboard shows 58% open rate for a campaign; after filtering MPP and bot-triggered opens via InboxEagle Bot Finder, true human open rate is 21% — revealing which segments are genuinely engaged versus inflated by proxy traffic.
Related Terms: Pixel tracking, Image proxying, Apple Mail Privacy Protection, Bot filtering
Category: Analytics
Edge Cases: Image blocking prevents opens. Multiple loads (e.g., re-open, forward) can overcount. Prefetch and proxy create bot opens.
Pixel tracking
Short Definition: The use of a small, typically invisible image (tracking pixel) loaded when the recipient views an email, to record an “open” event.
Detailed Explanation: A 1x1 pixel image is embedded with a unique URL per recipient or campaign. When the email client or a proxy (e.g., Apple MPP) loads the image, the HTTP request is logged as an open. Image proxying and prefetch mean that not every load is a human open.
Why It Matters: Pixel tracking is how all email platforms (Klaviyo, Omnisend, Mailchimp) measure open rates. Since Apple MPP and Gmail Image Proxy now preload images for privacy, your open rate is significantly inflated — making open-based segment logic, flow triggers, and performance benchmarks unreliable without bot filtering.
Technical Details: <img src="https://track.domain.com/pixel/xxx" width="1" height="1" />. Server logs GET request. Often transparent GIF. Load can come from user’s client or from a proxy.
Example: A Shopify store’s Klaviyo campaign shows 52% open rate; InboxEagle Bot Finder analysis shows 50% of those “opens” fired from Apple proxy IPs within 2 minutes of delivery — before subscribers could have read the email; true human open rate is 22%.
Related Terms: Open tracking, Image proxying, Apple Mail Privacy Protection, Bot filtering
Category: Analytics
Edge Cases: Image blocking prevents pixel load. Multiple loads (re-open, forward) can overcount. Proxies create bot opens.
Phishing detection
Short Definition: Systems and rules that identify emails designed to trick recipients into revealing credentials or taking harmful actions, often by impersonating trusted entities.
Detailed Explanation: Phishing detection uses content analysis (urgent language, credential harvesters), link reputation (known phishing URLs), authentication (failed DMARC, spoofed From), and behavioral signals. Mailbox providers and gateways run multiple layers to protect users.
Why It Matters: Phishing emails impersonating your brand damage customer trust and, if widespread, can hurt your domain reputation with mailbox providers as spam reports pile up. Setting DMARC to p=reject prevents phishers from spoofing your exact From domain, and BIMI provides a visible trust signal that helps customers identify genuine emails from your store.
Technical Details: URL reputation feeds, sandboxing, ML models on content and headers. DMARC and SPF/DKIM alignment block unauthorized use of your domain. BIMI and VMC add brand verification.
Example: Scammers send fake “account security” emails impersonating a Shopify brand; because the brand has DMARC at p=reject, Gmail and Yahoo reject any emails that fail DMARC alignment — protecting customers from the phishing attempt and the brand’s reputation from associated spam complaints.
Related Terms: Spoofing, DMARC, Domain impersonation, URL reputation
Category: Security · Anti-Spam
Edge Cases: Legitimate marketing (e.g., “Confirm your account”) can trigger heuristic phishing filters. New phishing domains and techniques require constant updates to detection.
Policy enforcement
Short Definition: The act of applying a domain’s DMARC policy (none, quarantine, reject) when authentication fails or does not align, so that receivers reject or quarantine non-compliant mail.
Detailed Explanation: When a receiver evaluates DMARC and the result is “fail” (e.g., no aligned SPF/DKIM), it applies the policy from the DMARC record: p=none (monitor only), p=quarantine (e.g., send to spam), or p=reject (reject at SMTP). Enforcement reduces spoofing and phishing using the domain.
Why It Matters: A DMARC policy of p=none means you’re monitoring but not protecting — phishers can still impersonate your brand’s domain and reach inboxes. For Shopify brands, moving to p=quarantine and then p=reject is essential for brand protection and a prerequisite for BIMI. Use the pct= parameter to roll out enforcement gradually and catch any authentication gaps.
Technical Details: RFC 7489. Receiver fetches _dmarc.
Example: A DTC brand moves from DMARC p=none to p=quarantine at pct=10 (10% of failing mail quarantined); after reviewing DMARC reports to confirm all legitimate sending is authenticated, they increase to pct=100; then move to p=reject — completely blocking spoofed emails from reaching any inbox.
Related Terms: DMARC, Alignment, BIMI, Quarantine
Category: Authentication
Edge Cases: Third-party senders must be in SPF and sign with aligned domain or they will fail. Forwarding can break alignment; ARC helps. Testing with pct=10 allows monitoring before full enforcement.
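How a receiver could turn a DMARC record with pct= into a per-message decision, as an added example that is not code from any mailbox provider. The domains, the `roll` parameter (the receiver's per-message random draw, 0-99) and the two-label organizational-domain shortcut are assumptions made for illustration; the downgrade for unsampled failing mail follows the pct tag in RFC 7489.

```python
# Policy applied to failing mail that falls outside the pct sample (RFC 7489, pct tag).
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into the tags this example uses, with defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "").lower()
    if policy not in NEXT_LOWER:
        raise ValueError("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return {
        "p": policy,
        "pct": pct,
        "adkim": tags.get("adkim", "r").lower(),  # relaxed is the default
        "aspf": tags.get("aspf", "r").lower(),
    }


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ("s") needs an exact match; relaxed ("r") matches organizational domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf, dkim, roll):
    """Return (dmarc_result, disposition) for one message.

    spf and dkim are (result, domain) pairs: the Return-Path domain for SPF,
    the d= domain for DKIM. roll is the receiver's random draw, 0-99.
    The sp= subdomain policy tag is not handled here.
    """
    policy = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Failing mail: only pct percent gets the published policy,
    # the rest gets the next-lower one.
    if roll < policy["pct"]:
        return "fail", policy["p"]
    return "fail", NEXT_LOWER[policy["p"]]


# Constructed sample record for a staged rollout.
ROLLOUT = "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@yourbrand.example"

if __name__ == "__main__":
    esp_mismatch = dict(
        from_domain="mail.yourbrand.example",
        spf=("pass", "bounce.esp-mail.example"),
        dkim=("pass", "esp-mail.example"),
    )
    for roll in (5, 50):
        print(roll, evaluate(ROLLOUT, roll=roll, **esp_mismatch))
```

At pct=10 the misconfigured ESP mail is quarantined only when the draw falls in the sample, which is why authentication gaps show up in DMARC reports long before they affect most deliveries.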
Prefetching
Short Definition: The loading of links or images in an email before the user explicitly opens or clicks, often by a privacy service or security scanner, which triggers tracking events.
Detailed Explanation: Apple MPP, some security scanners, and other systems fetch links and images when the message is received or when the user opens the message, before the user has clicked. These requests are logged as “clicks” or “opens” by the sender but are not user-initiated.
Why It Matters: Prefetching by Apple MPP, Gmail Image Proxy, and corporate security tools is the primary source of inflated open and click rates for e-commerce brands. If you’re using Klaviyo open or click data to trigger flows, build segments, or measure campaign performance, unfiltered prefetch traffic skews everything. Bot Finder separates prefetch events from real subscriber engagement.
Technical Details: HTTP GET to tracking or destination URL from proxy/scanner IP; often within seconds of delivery. User-agent and IP identify the prefetcher. No subsequent conversion (e.g., purchase) typically associated.
Example: A Shopify brand’s email is delivered to 30k Apple Mail users; Apple MPP prefetches all images and links within 2 minutes of delivery; the brand sees a spike of 30k apparent opens and thousands of “clicks” instantly; Bot Finder flags all prefetch events as bot activity.
Related Terms: Apple Mail Privacy Protection, Bot Finder, Link wrapping, Time-to-click analysis
Category: Bot Detection · Analytics
Edge Cases: Some prefetchers only hit certain link types. Delayed prefetch (hours later) can look like real clicks; conversion and session data help distinguish.
Proofpoint click scanning
Short Definition: Proofpoint’s security feature that follows links in emails (often at delivery time) to check for malware or phishing, generating non-human click and sometimes open events in sender analytics.
Detailed Explanation: Proofpoint email gateways may prefetch or rewrite links. When they follow a link to scan the destination, the request hits the sender’s tracking server and is logged as a click. These events cluster by IP (Proofpoint) and time (shortly after delivery).
Why It Matters: If your Shopify brand sells to enterprise customers or businesses, a large portion of your click data may be Proofpoint scanner activity — not real buyer interest. Proofpoint-inflated CTR makes B2B email performance look better than it is and can trigger Klaviyo flows for buyers who never clicked.
Technical Details: Requests from Proofpoint IP ranges; often within minutes of delivery. Link rewriting may change URL to Proofpoint proxy. Identifiable for filtering.
Example: A DTC brand sends a wholesale invitation to 10k B2B prospects; 2k are behind Proofpoint; Proofpoint prefetches all links and the brand sees 2k apparent “clicks” within seconds of delivery from a handful of Proofpoint IPs; Bot Finder flags them all as bots, revealing 340 real human clicks.
Related Terms: Mimecast link rewriting, Microsoft Safe Links, Corporate email gateway, Automated link scanner
Category: Security · Bot Detection
Edge Cases: Configuration varies; some organizations only scan certain link types. Time-to-click and IP clustering help distinguish from human clicks.
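The time-to-click and IP-clustering signals described in the Prefetching and Proofpoint click scanning entries, applied to a small click log. This is an added example, not Bot Finder's or any ESP's logic; the thresholds, field names and sample events (documentation IP ranges, `.example` domains) are constructed assumptions.

```python
from collections import defaultdict

# Assumed thresholds; tune them against your own traffic.
FAST_CLICK_SECONDS = 30      # click this soon after delivery is a "fast" signal
CLUSTER_MIN_RECIPIENTS = 3   # one IP clicking for this many recipients is a cluster
BURST_MIN_LINKS = 3          # distinct links fetched ...
BURST_WINDOW_SECONDS = 5     # ... within this window by one recipient/IP pair

T0 = 1_700_000_000  # constructed delivery time (epoch seconds)


def _event(recipient, ip, link, delay):
    return {"recipient": recipient, "ip": ip, "link": link,
            "delivered_at": T0, "clicked_at": T0 + delay}


# Constructed sample log.
SAMPLE_EVENTS = [
    _event("alice@corp.example", "192.0.2.10", "a", 3),       # gateway scanner
    _event("bob@corp.example", "192.0.2.10", "a", 4),
    _event("carol@corp.example", "192.0.2.10", "a", 5),
    _event("frank@corp.example", "192.0.2.10", "a", 3 * 3600),  # delayed scan
    _event("gina@mail.example", "198.51.100.99", "a", 2),     # single-user prefetch
    _event("gina@mail.example", "198.51.100.99", "b", 3),
    _event("gina@mail.example", "198.51.100.99", "c", 3),
    _event("erin@mail.example", "198.51.100.23", "a", 20),    # quick but plausible
    _event("dave@mail.example", "203.0.113.7", "a", 2 * 3600),
]


def classify_clicks(events):
    """Attach a list of signals and a label (bot / suspect / human) to each click."""
    recipients_by_ip = defaultdict(set)
    clicks_by_pair = defaultdict(list)
    for e in events:
        recipients_by_ip[e["ip"]].add(e["recipient"])
        clicks_by_pair[(e["recipient"], e["ip"])].append((e["clicked_at"], e["link"]))

    labelled = []
    for e in events:
        signals = []
        if e["clicked_at"] - e["delivered_at"] <= FAST_CLICK_SECONDS:
            signals.append("fast")
        # Catches delayed scans too: the IP gives the scanner away, not the timing.
        if len(recipients_by_ip[e["ip"]]) >= CLUSTER_MIN_RECIPIENTS:
            signals.append("ip-cluster")
        nearby_links = {
            link for t, link in clicks_by_pair[(e["recipient"], e["ip"])]
            if abs(t - e["clicked_at"]) <= BURST_WINDOW_SECONDS
        }
        if len(nearby_links) >= BURST_MIN_LINKS:
            signals.append("link-burst")

        if "ip-cluster" in signals or {"fast", "link-burst"} <= set(signals):
            label = "bot"
        elif signals:
            label = "suspect"   # one weak signal: confirm with session/conversion data
        else:
            label = "human"
        labelled.append({**e, "signals": signals, "label": label})
    return labelled


def recipients_with_label(events, label):
    return {r["recipient"] for r in classify_clicks(events) if r["label"] == label}


if __name__ == "__main__":
    for row in classify_clicks(SAMPLE_EVENTS):
        print(row["recipient"], row["link"], row["label"], row["signals"])
```

A single fast click is left as "suspect" rather than "bot" because engaged subscribers do click quickly; the delayed scan from the shared IP is still caught by clustering even though its time-to-click looks human.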
Quarantine
Short Definition: Holding email in a separate folder (e.g., “Junk,” “Spam,” or “Quarantine”) instead of delivering to inbox or rejecting, often when DMARC or other checks fail.
Detailed Explanation: Receivers may quarantine when DMARC policy is p=quarantine or when content or reputation triggers a “suspicious” classification. Users can often review quarantined mail and release false positives. For senders, quarantine means the message did not reach the primary inbox.
Why It Matters: When DMARC policy quarantines a message, it lands in the spam or junk folder instead of the inbox — effectively invisible to most customers. For Shopify brands, quarantined emails mean lost revenue from promotions and automations. Fix authentication, reputation, and list hygiene to recover inbox placement.
Technical Details: DMARC p=quarantine; content/reputation filters. Implementation is provider-specific. Some gateways allow admins to whitelist senders.
Example: A Shopify brand’s DMARC policy is p=quarantine; a phisher spoofing their domain has their message quarantined to the spam folder by Gmail rather than rejected — better than reaching inboxes, but upgrading to p=reject prevents spoofed emails entirely.
Related Terms: DMARC, Policy enforcement, Spam folder, Inbox placement
Category: Deliverability · Authentication
Edge Cases: User may never check quarantine. Some systems use “bulk” or “promotions” as a form of soft quarantine. Corporate quarantine policies vary.
Reputation filtering
Short Definition: The use of sender reputation (domain, IP, or both) as a primary or major factor in deciding whether to accept, throttle, or reject email.
Detailed Explanation: Receivers maintain reputation scores for domains and IPs. Mail from high-reputation senders is more likely to be accepted and placed in the inbox; mail from low-reputation senders may be throttled, bulked, or blocked. Reputation is built from authentication, complaints, bounces, engagement, and volume over time.
Why It Matters: Reputation filtering is how Gmail and Yahoo decide whether to deliver your emails to the inbox or spam — and it’s cumulative. Every campaign you send affects your reputation. For Shopify brands, protecting reputation means keeping complaint rates low, maintaining good list hygiene, and sending to engaged subscribers rather than broad unsegmented blasts.
Technical Details: Proprietary algorithms; Gmail Postmaster Tools and Microsoft SNDS expose some reputation data. Signals include complaint rate, bounce rate, authentication, and engagement (opens/clicks). InboxEagle helps monitor reputation and placement.
Example: A Shopify brand consistently sends to engaged subscribers with sub-0.05% complaint rates and full authentication; Gmail places their campaigns in Primary. When they send a one-off blast to their full unengaged list, complaint rate spikes and Gmail starts filtering subsequent campaigns to spam.
Related Terms: Domain reputation, IP reputation, Inbox placement, Complaint rate
Category: Reputation
Edge Cases: Reputation can be segment-specific (e.g., B2B vs. consumer). Sudden volume or content change can trigger reputation drop. Blocklists override reputation at some receivers.
Retry logic
Short Definition: The MTA behavior of resending a message after a temporary failure (4xx) with increasing delay (backoff) until success or permanent failure.
Detailed Explanation: When the receiving MTA returns 4xx (e.g., 451 greylisting, 421 rate limit), the sending MTA does not give up immediately. It queues the message and retries after a delay (e.g., 5 min, 15 min, 1 hour). This is required to cope with greylisting and temporary overload.
Why It Matters: Retry logic is what your ESP (Klaviyo, Omnisend) uses to handle temporary delivery failures — so greylisting and temporary server errors result in delayed delivery rather than bounces. For store owners, this works automatically in the background; the key is knowing that some transactional emails (order confirmations, shipping notifications) may have a short delay due to retries.
Technical Details: Queue state machine; retry schedule (e.g., exponential backoff); max retries or TTL; DSN on final failure. RFC 5321 recommends retry.
Example: A Shopify order confirmation email hits a greylisting server on first attempt and receives a 451 temporary error; Klaviyo’s MTA retries 5 minutes later; the second attempt is accepted and the customer receives their confirmation email — slightly delayed but not lost.
Related Terms: Greylisting, Queueing, MTA, Soft bounce
Category: Infrastructure
Edge Cases: Too-aggressive retry can trigger rate limiting. Too many retries can delay delivery. Permanent vs. temporary classification can be wrong.
Rate limiting
Short Definition: A receiver or MTA limiting the number of messages or connections accepted from a sender per time window (e.g., per minute per IP).
Detailed Explanation: Rate limits protect receivers from overload and abuse. When a sender exceeds the limit, the receiver may return 4xx (try again later) or drop the connection. Limits can be per IP, per domain, or per authenticated identity. New or low-reputation senders often face stricter limits.
Why It Matters: If you send too many emails too fast to a mailbox provider — especially from a new or low-reputation IP — they will rate limit you, deferring delivery or rejecting the excess. For Shopify brands planning large campaigns (like Black Friday sends to 500k+), warming up properly and spreading sends over time avoids rate limit issues.
Technical Details: SMTP 421 or 450; connection limits; message-per-minute caps. Implementation is receiver-specific. Gmail Postmaster and delivery errors can indicate rate-limit issues.
Example: A Shopify brand sends a 100k Black Friday campaign in one burst from a new dedicated IP; Gmail rate-limits them after the first 5k, returning 421 errors for the remainder; Klaviyo retries over the next few hours, but the campaign’s time-sensitivity is lost. A proper warmup would have established sufficient sending rate for the volume.
Related Terms: Throttling, Warmup, Retry logic, MTA
Category: Infrastructure · Deliverability
Edge Cases: Limits may be burst vs. sustained. Authenticated or whitelisted senders may have higher limits. Limits can change with reputation.
Risk zone
Short Definition: Yahoo’s classification of a sending program’s complaint rate standing — Normal, Warning, or Enforcement — used in Yahoo Sender Hub to indicate how close the sender is to throttling or blocking.
Detailed Explanation: Yahoo assigns a risk zone to each sending domain based on its complaint rate among Yahoo and AOL users. The three zones are: Normal (complaint rate below 0.10%, program in good standing), Warning (complaint rate at or above 0.10%, action required), and Enforcement (complaint rate approaching or exceeding the enforcement threshold, where Yahoo may throttle, bulk, or block mail). Zone data is available via Yahoo Sender Hub and surfaced in InboxEagle when the integration is connected.
Why It Matters: Yahoo’s risk zone is the earliest warning sign before complaint rates affect delivery. For Shopify brands with significant Yahoo or AOL subscriber bases, moving from Normal to Warning typically precedes inbox placement degradation by 24–72 hours. Monitoring zone changes allows you to act before customers stop receiving emails.
Technical Details: Data available via Yahoo Sender Hub (sender.yahoo.com). Complaint rate is computed as spam-marked messages divided by delivered messages to Yahoo/AOL. Threshold values: 0.10% = warning threshold; higher thresholds apply to enforcement actions (not publicly disclosed).
Example: A brand’s Yahoo Sender Hub risk zone changes from Normal to Warning on a Monday; InboxEagle fires an alert; the brand pauses sends to unengaged Yahoo/AOL segments and suppresses 12k low-engagement contacts; by Thursday, complaint rate drops below 0.10% and the zone returns to Normal — without any delivery disruption.
Related Terms: Yahoo Sender Hub, Complaint rate, Feedback loop
Category: Reputation
Edge Cases: Yahoo’s exact enforcement thresholds are not publicly disclosed. The zone can change within 24 hours of a high-complaint campaign. Low-volume senders may see less frequent zone updates due to data thresholds.
Queueing
Short Definition: The MTA practice of storing messages in a queue when they cannot be delivered immediately, then attempting delivery later (with retries).
Detailed Explanation: When the next hop is unavailable, returns 4xx, or the sender is rate-limited, the MTA queues the message. A queue manager periodically retries delivery according to retry logic. Messages may be queued for seconds to days depending on policy and final failure handling.
Why It Matters: Your ESP’s message queue is the safety net that ensures emails are eventually delivered even when there are temporary failures. For Shopify brands, this is largely invisible — but it means time-sensitive emails like abandoned cart sequences may arrive a few minutes later than expected if the recipient’s mail server is temporarily busy.
Technical Details: On-disk or in-memory queue; retry schedule; max age or hop count; DSN on permanent failure. RFC 5321 describes deferred delivery.
Example: Klaviyo sends an abandoned cart email; the recipient’s mail server returns a 451 temporary error; Klaviyo queues the message and retries 10 minutes later; the second attempt succeeds and the subscriber receives the cart reminder — slightly delayed but delivered.
Related Terms: Retry logic, MTA, Greylisting, Bounce processing
Category: Infrastructure
Edge Cases: Long queues can delay time-sensitive mail. Queue buildup can indicate reputation or configuration issues. Dead-letter queues hold permanently failed messages.
SPF (Sender Policy Framework)
Short Definition: A DNS-based method that allows a domain to publish which IP addresses (or other hosts) are authorized to send mail for that domain.
Detailed Explanation: The domain publishes an SPF TXT record that lists mechanisms (e.g., ip4:, include:, a:, mx:). Receivers check the envelope sender (Return-Path) domain and compare the connecting IP to the SPF record. Pass means the IP is authorized; fail means it is not.
Why It Matters: SPF is a foundational authentication method required by DMARC. Missing or incorrect SPF leads to emails landing in spam or being rejected outright. If you send through Klaviyo, Omnisend, or Shopify Email, you must include their mail servers in your SPF record for authentication to pass.
Technical Details: RFC 7208. DNS: TXT at the domain (or subdomain). Syntax: v=spf1 mechanisms. Common: include: for ESPs, ip4:/ip6: for dedicated IPs. Lookup limit (10 DNS lookups) must not be exceeded.
Example: A Shopify store using Klaviyo adds include:email.klaviyo.com to their SPF DNS record; emails sent via Klaviyo now pass SPF, reducing spam folder placement at Gmail and Yahoo.
Related Terms: DKIM, DMARC, Alignment, Subdomain delegation
Category: Authentication
Edge Cases: Forwarding changes Return-Path and can break SPF unless the forwarder uses SRS or the receiver uses ARC. Multiple includes and macros can hit the 10-lookup limit.
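The 10-lookup limit is easiest to see by counting. The following is an added example, not code from InboxEagle or any ESP: it walks a constructed set of SPF records and counts the terms that RFC 7208 charges against the limit (include, a, mx, ptr, exists and the redirect modifier). All domain names and the `audit` helper are hypothetical, and the count is the worst case, in which every term is evaluated.

```python
import re

# Constructed zone data (domain -> SPF TXT record). Every name here is hypothetical.
SAMPLE_SPF = {
    "yourbrand.example":
        "v=spf1 include:_spf.esp-a.example include:_spf.helpdesk.example mx ip4:203.0.113.10 ~all",
    "yourbrand-after.example":  # the same record after adding one more vendor include
        "v=spf1 include:_spf.esp-a.example include:_spf.helpdesk.example "
        "include:_spf.crm.example mx ip4:203.0.113.10 ~all",
    "_spf.esp-a.example": "v=spf1 include:_pool1.esp-a.example include:_pool2.esp-a.example ~all",
    "_pool1.esp-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_pool2.esp-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_spf.helpdesk.example": "v=spf1 a:mail.helpdesk.example exists:%{i}.allow.helpdesk.example ~all",
    "_spf.crm.example": "v=spf1 include:_a.crm.example include:_b.crm.example mx ~all",
    "_a.crm.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "_b.crm.example": "v=spf1 ip6:2001:db8::/32 ~all",
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS lookup
LIMIT = 10  # RFC 7208 limit on DNS-querying terms per SPF evaluation


def parse_term(term):
    """Split one SPF term into (name, separator, value), dropping the qualifier."""
    body = term.lstrip("+-~?").lower()
    name = re.split(r"[:=/]", body, maxsplit=1)[0]
    rest = body[len(name):]
    return (name, rest[0], rest[1:]) if rest else (name, "", "")


def lookup_terms(domain, records, path=()):
    """List (domain, term) for every DNS-querying term reachable from `domain`."""
    if domain in path:  # include/redirect loop: stop instead of recursing forever
        return []
    record = records.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return []
    costs = []
    for term in record.split()[1:]:
        name, sep, value = parse_term(term)
        if sep == "=":  # modifier; only redirect= triggers a lookup
            if name == "redirect":
                costs.append((domain, term))
                costs += lookup_terms(value, records, path + (domain,))
            continue
        if name in LOOKUP_MECHANISMS:
            costs.append((domain, term))
            if name == "include":  # the included record's terms count as well
                costs += lookup_terms(value, records, path + (domain,))
    return costs


def audit(domain, records):
    """Summarise the worst-case lookup count for a domain's SPF record."""
    terms = lookup_terms(domain, records)
    return {"lookups": len(terms), "over_limit": len(terms) > LIMIT, "terms": terms}


if __name__ == "__main__":
    for name in ("yourbrand.example", "yourbrand-after.example"):
        result = audit(name, SAMPLE_SPF)
        print(name, result["lookups"], "OVER LIMIT" if result["over_limit"] else "ok")
        for owner, term in result["terms"]:
            print("   ", owner, term)
```

A single extra vendor include takes the constructed record from 7 lookups to 11, because the vendor's own nested includes and mx term are charged to the sender's budget.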
SMTP (Simple Mail Transfer Protocol)
Short Definition: The standard protocol used for sending and relaying email between servers (MTAs) and for client-to-server submission.
Detailed Explanation: SMTP runs over TCP (port 25 for server-to-server, 587 or 465 for submission). The sender connects, issues EHLO, MAIL FROM, RCPT TO, DATA, and the receiver responds with status codes (2xx success, 4xx temporary failure, 5xx permanent failure). TLS (STARTTLS) encrypts the connection. MTA-STS can require TLS for delivery.
Why It Matters: SMTP is the protocol your ESP uses to deliver every email you send. For Shopify brands, SMTP works invisibly in the background via Klaviyo or Omnisend — but understanding it helps when interpreting bounce error codes, diagnosing delivery failures, and understanding why some emails retry while others are permanently rejected.
Technical Details: RFC 5321 (SMTP), RFC 3207 (STARTTLS). Commands: EHLO, MAIL FROM, RCPT TO, DATA, RSET, QUIT. Response codes 2xx, 4xx, 5xx. SPF checks MAIL FROM domain.
Example: When Klaviyo sends a campaign email for your Shopify store, it uses SMTP to connect to Gmail’s mail servers, negotiates TLS encryption, sends the message, and receives a 250 OK confirmation — all automatically, with bounce codes returned for any addresses that fail.
Related Terms: MTA, TLS, MTA-STS, SPF, Bounce processing
Category: Infrastructure
Edge Cases: Port 25 may be blocked by some ISPs; submission ports 587/465 are used for client send. Authentication (SMTP AUTH) is for submission, not relay. Rate limits apply per connection or IP.
Sandbox click
Short Definition: A click event generated when a security product or sandbox loads a link in an isolated environment to check for malware or phishing, not by a human user.
Detailed Explanation: Corporate gateways and some cloud security services execute links in a sandbox (headless browser or HTTP client). The request is logged by the sender as a click but is not from a real user. Sandbox clicks often have characteristic IPs, user-agents, and timing.
Why It Matters: Sandbox clicks from security systems like Proofpoint inflate your click-through rates, making campaigns appear more successful than they are. For e-commerce brands using click data for A/B testing, attribution, or Klaviyo flow triggers, sandbox traffic distorts results and leads to poor decisions.
Technical Details: Request from vendor IP; user-agent may indicate automation; often within seconds of delivery; no cookies or session consistent with human flow.
Example: A campaign email is delivered to a corporate recipient; Proofpoint’s sandbox loads all 8 tracked links within 90 seconds of delivery; InboxEagle Bot Finder classifies all 8 as bot clicks from a known Proofpoint IP range — keeping click attribution clean.
Related Terms: Bot Finder, Security scanner, Automated link scanner, Proofpoint click scanning
Category: Bot Detection · Security
Edge Cases: Some sandboxes run only on certain link types. Delayed sandbox runs can look more like human clicks; conversion data helps.
Seed list
Short Definition: A set of real mailboxes across multiple email providers maintained by a deliverability monitoring service, used to test where emails land (inbox, promotions, or spam) before or after sending.
Detailed Explanation: A seed list consists of actual email accounts at providers including Gmail, Outlook, Yahoo, AOL, Apple Mail, and others. When a sender sends their campaign to the seed addresses using the same sending infrastructure as production, the monitoring service checks each mailbox and reports the placement per provider. Results typically return in under 5 minutes. InboxEagle’s seed list covers 20+ providers for comprehensive placement testing.
Why It Matters: Seed list testing is the only way to check inbox placement before a campaign reaches real subscribers. For e-commerce brands, running a seed test before Black Friday or a major product launch means catching a spam folder problem when you still have time to fix it — not after 100,000 emails have already landed in spam. It is also useful after any authentication change (new DKIM key, updated DMARC policy) to confirm the change improved placement.
Technical Details: Seed mailboxes are real accounts, not simulated environments. Test results are only as accurate as the sending infrastructure used — always send to seeds using the same IP, domain, and configuration set as production. Volume sent to seeds is small (one email per seed address), so it does not affect reputation.
Example: A Shopify brand runs a seed test before their summer sale campaign; InboxEagle reports 91% Gmail inbox, 87% Yahoo inbox, 0% spam across both providers; the test also shows 100% DKIM and DMARC pass at every provider — confirming the campaign is ready to send to the full list.
Related Terms: Inbox placement test, Inbox placement, Deliverability, Competitive intelligence
Category: Deliverability Testing
Edge Cases: A passing seed test does not guarantee passing placement for all real subscribers — domain/IP reputation from past sends still matters. Seed results represent a single point in time; ongoing placement data captures trends.
Security scanner
Short Definition: Software that automatically fetches links or attachments in email to check for malware, phishing, or policy violations before or after delivery to the user.
Detailed Explanation: Corporate and cloud email security products (Proofpoint, Mimecast, Barracuda, Microsoft Defender, etc.) scan links and sometimes images. The HTTP requests they generate are recorded as opens and clicks by the sender but are not from the recipient. Bot Finder helps flag and filter this traffic.
Why It Matters: Security scanners are a major source of inflated email metrics, especially if you send to business email addresses. For Shopify brands with wholesale, B2B, or DTC customers on corporate email, scanner-generated clicks can dwarf real customer engagement — making your reported CTR meaningless without filtering.
Technical Details: Requests from known vendor IP ranges; user-agent and timing patterns. Often all links in a message are requested in a short window. No downstream conversion typically.
Example: A DTC brand runs a wholesale offer campaign to 5k B2B buyers; 40% are behind corporate security scanners; the scanners generate 2k “clicks” within seconds of delivery; after InboxEagle Bot Finder filtering, the true human CTR is 1.8% — still a meaningful result, but very different from the raw 42% reported.
Related Terms: Automated link scanner, Corporate email gateway, Bot Finder, Sandbox click
Category: Security · Bot Detection
Edge Cases: New scanner vendors or regions may not be in filter lists. Some scanners run only on first open or on specific link patterns.
Soft bounce
Short Definition: A temporary delivery failure (e.g., mailbox full, server busy) that may succeed on a later retry, as opposed to a permanent hard bounce.
Detailed Explanation: Soft bounces are indicated by SMTP 4xx or DSN with temporary failure. The MTA should retry with retry logic. If retries are exhausted, the address may be suppressed or flagged for review. Some “soft” conditions (e.g., mailbox full for weeks) are treated as hard in practice.
Why It Matters: Soft bounces represent temporary delivery failures and usually resolve on retry — so most ESPs (Klaviyo, Omnisend) automatically retry soft bounced emails. However, an unusually high soft bounce rate can signal sending volume problems, IP reputation issues, or a bloated list with many inactive addresses worth investigating.
Technical Details: SMTP 4xx (e.g., 421, 450, 451); DSN Action=delayed. Enhanced status codes 4.2.1 (mailbox full), 4.7.1 (greylisting). Retry with backoff.
Example: A Shopify brand’s cart recovery email soft bounces for a subscriber whose inbox is full (452 error); Klaviyo retries for up to 3 days; if the mailbox stays full, the address is treated as a long-term soft bounce and deprioritised — protecting sender reputation while still attempting delivery.
Related Terms: Hard bounce, Bounce processing, Retry logic, Greylisting
Category: Infrastructure · Deliverability
Edge Cases: Some receivers use 4xx for policy (e.g., rate limit) that may not resolve quickly. Misconfigured DSN can misclassify.
Spam rate
Short Definition: The percentage of delivered emails that recipients report as spam (user-reported spam rate), often surfaced in provider tools like Gmail Postmaster Tools.
Detailed Explanation: Spam rate = complaints (or spam reports) / delivered. It is a key reputation signal for mailbox providers. High spam rate leads to throttling, bulk folding, or blocking. Target is typically well below 0.1%.
Why It Matters: Spam rate is one of the most powerful levers on your deliverability. For Shopify brands, Google Postmaster Tools reports your spam rate at Gmail — the metric Google actually uses to decide inbox vs. spam. Keeping it below 0.1% is the target; above 0.3% risks your entire email program being filtered at Gmail.
Technical Details: Measured by providers from user “Report spam” actions. Gmail Postmaster shows spam rate in UI. FBL reports give per-message complaint data for processing.
Example: A Shopify brand’s Gmail spam rate stays at 0.02% with well-segmented sends; after sending a broad discount campaign to their entire inactive list, spam rate spikes to 0.22%; the following week’s abandoned cart and promotional emails are throttled by Gmail until the rate recovers over several sends.
Related Terms: Complaint rate, Feedback loop, Domain reputation, Reputation filtering
Category: Reputation · Deliverability
Edge Cases: Spam rate can be segment-specific. Some providers use “not interested” or similar as a softer signal. B2B complaint behavior differs from consumer.
SpamAssassin
Short Definition: An open-source, rule-based and heuristic spam filter that scores messages and is used by many MTAs and hosting providers.
Detailed Explanation: SpamAssassin uses a large set of rules (headers, body, URIs) that add or subtract points. The total score is compared to a threshold (e.g., 5.0 = spam). Rules can be customized. It can also use Bayesian filtering and other plugins.
Why It Matters: Many smaller mailbox providers and hosting companies use SpamAssassin or similar rule-based scoring. For Shopify brands, this means your promotional copy, HTML structure, and link patterns contribute to a spam score that determines inbox or spam placement. Testing campaigns with tools like Mail-Tester before sending can catch high-scoring patterns.
Technical Details: Perl-based; rules in config; score per rule; header X-Spam-Score added. Can integrate with DKIM/SPF. Bayesian and other modules optional.
Example: A Shopify brand tests their sale email on Mail-Tester; “FREE” in the subject scores +2, “Click Here” button text scores +1.5, but valid DKIM gives -1; total score is 2.5 out of 5.0 — inbox safe. Adding “Limited time!” and a shortened URL would push the score over the threshold.
Related Terms: Heuristic filtering, Content filtering, Bayesian filtering
Category: Anti-Spam
Edge Cases: Rule sets vary by deployment. Custom rules can reduce false positives. Evasion (obfuscation) may trigger other rules.
Spam folder
Short Definition: The folder (e.g., Junk, Spam) where mailbox providers place messages that fail authentication, reputation, or content checks instead of the primary inbox.
Detailed Explanation: When a message is classified as spam or suspicious, it is typically delivered to the spam folder rather than rejected. Users can review and move messages; senders see this as poor inbox placement. Improving authentication and reputation moves mail to inbox.
Why It Matters: When your welcome series, abandoned cart flows, or flash sale promotions land in spam, customers don’t see them and you lose that revenue. Monitoring placement by mailbox provider — via InboxEagle or Google Postmaster Tools — is the first step to diagnosing and fixing the problem.
Technical Details: Provider-specific; no standard. Often tied to DMARC quarantine, blocklists, content score, and complaint rate. Gmail Postmaster and InboxEagle help track placement.
Example: A Shopify brand’s DMARC is set to p=none with no enforcement; spoofed messages from phishers and some legitimate marketing mail both land in Gmail Spam; after tightening DMARC to p=quarantine and cleaning their list, the majority of emails move to Primary.
Related Terms: Inbox placement, Quarantine, Domain reputation, Reputation filtering
Category: Deliverability
Edge Cases: User habits (e.g., “Not spam”) affect future placement. Promotions tab is different from spam but still secondary. B2B gateways may block before any folder.
Spam trap
Short Definition: An email address that is not used by a real user but is maintained by a blocklist operator or mailbox provider to catch senders who mail to invalid or harvested addresses.
Detailed Explanation: Spam traps can be “pure” (never used, only found by scraping) or “recycled” (formerly valid, now abandoned). Sending to them signals poor list hygiene or list acquisition practices. Trap hits often result in listing or reputation damage.
Why It Matters: Hitting a spam trap is one of the fastest ways to destroy your sender reputation and land on a blocklist like Spamhaus. For Shopify brands, the most common cause is importing old customer lists, purchased contacts, or scraped email addresses. Double opt-in and regular list hygiene are the best defences.
Technical Details: Traps are secret; senders discover them indirectly (listing, reputation drop). Recycled traps appear in old lists; pure traps appear when addresses are harvested. No way to “remove” a trap from your list except to stop mailing and clean data.
Example: A Shopify brand purchases a list of “potential customers” from a data broker; the list contains a Spamhaus recycled spam trap; after sending a welcome campaign, the brand’s sending IP is listed on Spamhaus and Gmail starts rejecting all their emails — including automated abandoned cart flows.
Related Terms: Blocklist, List hygiene, Reputation, Double opt-in
Category: Anti-Spam · Reputation
Edge Cases: Some traps are domain-level (e.g., role addresses that never opted in). Re-engagement campaigns can hit recycled traps. Delisting requires remediation and time.
Suppression list
Short Definition: A list of email addresses that an ESP will not send to, regardless of which campaigns or flows are active — typically composed of unsubscribers, hard bounces, and manually added contacts.
Detailed Explanation: A suppression list is the definitive opt-out and exclude list maintained in your ESP. When a contact is on the suppression list, no campaign, automation, or flow will email them. Suppression lists are populated by: unsubscribe requests (required by CAN-SPAM/GDPR), hard bounces, spam complaints (via FBL), and manual additions from deliverability tools like InboxEagle’s cost optimization tool.
Why It Matters: Maintaining a clean suppression list is fundamental to deliverability and legal compliance. Sending to unsubscribed contacts violates CAN-SPAM and GDPR. Sending to hard-bounced addresses inflates bounce rates and harms reputation. For Shopify brands, Klaviyo manages suppression automatically for unsubscribes and hard bounces — but proactively suppressing unengaged contacts via InboxEagle cost optimization protects both deliverability and budget.
Technical Details: ESP-specific implementation; usually a centralized list checked before each send. In Klaviyo, suppressed profiles are in the Suppressions section and are not counted against your billable contact limit if suppressed for spam complaints. Upload via CSV or API. Cross-account suppression requires exporting and re-importing lists.
Example: A Shopify brand exports 18k unengaged contacts identified by InboxEagle cost optimization and uploads them to Klaviyo’s suppression list; next month’s Gmail inbox rate improves from 76% to 84% because the list now reflects a higher proportion of genuinely engaged subscribers.
Related Terms: List hygiene, Sunset policy, Hard bounce, Unsubscribe rate, Cost optimization
Category: List Management · Compliance
Edge Cases: Suppressed contacts should be retained for compliance records (GDPR subject access requests). Re-importing suppressed addresses from an old backup is a common mistake that triggers spam complaints. Some ESPs distinguish between global suppression (all emails) and list-level suppression.
TLS (Transport Layer Security)
Short Definition: The cryptographic protocol used to encrypt SMTP connections between MTAs (and between client and server) so that email in transit cannot be read or modified by third parties.
Detailed Explanation: When an MTA connects to another MTA, they can negotiate TLS (STARTTLS). Once encrypted, the message content and SMTP commands are protected. TLS is recommended for all hops; MTA-STS allows domain owners to require TLS for delivery to their MX.
Why It Matters: TLS ensures emails are encrypted in transit between servers, protecting your customers’ data. For Shopify brands, TLS is handled automatically by your ESP. However, if a recipient’s server enforces MTA-STS and TLS fails, your emails may be rejected rather than delivered unencrypted — an increasingly common scenario as security standards rise.
Technical Details: SMTP STARTTLS (RFC 3207). TLS 1.2 or 1.3. Certificate must match MX hostname. MTA-STS (RFC 8461) enforces TLS for receiving domains.
Example: Klaviyo delivers a transactional email for a Shopify store; it connects to the recipient’s mail server, initiates STARTTLS, and completes a TLS handshake; all email content (including order details) travels encrypted between servers — automatically protecting customer data.
Related Terms: MTA-STS, SMTP, Encryption
Category: Infrastructure · Security
Edge Cases: Older MTAs may not support TLS or may use weak ciphers. Certificate errors (expired, wrong hostname) can cause fallback to plaintext or failure. MTA-STS testing mode allows monitoring without enforcing.
Time-to-click analysis
Short Definition: The practice of measuring the time between email delivery (or open) and a click event to help distinguish human clicks from automated ones (e.g., scanners that click within seconds).
Detailed Explanation: Humans typically click minutes or hours after receiving or opening; security scanners and prefetchers often request links within seconds. By analyzing the distribution of time-to-click, senders can set thresholds (e.g., clicks within 5 seconds = likely bot) and filter or downweight those events.
Why It Matters: Time-to-click is one of the most reliable signals for distinguishing real customer clicks from security scanner activity. Real customers take minutes to hours to click after receiving an email; bots click within seconds. For Shopify brands, this signal is central to how InboxEagle Bot Finder filters your click data to reveal true engagement.
Technical Details: Timestamp of delivery/open vs. timestamp of click request. Thresholds are configurable (e.g., 10 seconds, 1 minute). May be combined with other signals in a scoring model.
Example: InboxEagle Bot Finder analyses a Shopify brand’s campaign: 80% of clicks from Proofpoint IPs arrive within 8 seconds of delivery; real customer clicks have a median time-to-click of 18 minutes; clicks under 10 seconds from known scanner IPs are labelled BOT, dramatically cleaning the CTR metric.
Related Terms: Bot Finder, Prefetching, Human click verification, Bot filtering
Category: Bot Detection · Analytics
Edge Cases: Some real users click immediately (e.g., “Confirm subscription”). Segment-specific thresholds (e.g., transactional vs. marketing) can improve accuracy.
Throttling
Short Definition: The receiver limiting the rate or volume of mail accepted from a sender (e.g., by delaying or rejecting excess messages) based on reputation or policy.
Detailed Explanation: When a receiver throttles, it may return 4xx (try again later) or queue and slow acceptance. Throttling protects the receiver from overload and is often applied to senders with neutral or low reputation. Warmup and good reputation reduce throttling.
Why It Matters: Throttling delays your campaigns and can make time-sensitive promotions (flash sales, limited-time offers) arrive after the window closes. For Shopify brands, throttling is most common when sending large volumes from a new or low-reputation IP — the solution is proper warmup and gradual volume scaling.
Technical Details: Per-IP or per-domain limits; may be dynamic based on reputation. SMTP 4xx or deferred acceptance. Gmail Postmaster and delivery errors can indicate throttling.
Example: A Shopify brand launches a flash sale email to 200k subscribers from a new sending IP; Gmail throttles them after the first 8k, returning 421 errors; the remaining 192k emails are delayed by hours, missing the peak sale window entirely — the direct cost of skipping the warmup process.
Related Terms: Rate limiting, Warmup, IP reputation, Queueing
Category: Infrastructure · Deliverability
Edge Cases: Throttling can be burst-based or sustained. Some receivers throttle by recipient domain or time of day. Retry logic must back off.
Unauthorized sender
Short Definition: A sending source (IP address or domain) that sends email claiming your From domain but is not authorized by your SPF record or signed with your DKIM key.
Detailed Explanation: Unauthorized senders appear in DMARC aggregate reports as sources that fail DMARC alignment. They fall into three categories: (1) legitimate services you use but forgot to authorize (a CRM, transactional service, or old ESP), (2) spoofing attempts by phishers or spammers abusing your domain, and (3) compromised third-party accounts sending in your name. InboxEagle’s DMARC monitoring dashboard surfaces unauthorized senders automatically once aggregate reports are flowing.
Why It Matters: Unauthorized senders directly damage your domain reputation with every message they send. A phisher sending spam impersonating your brand generates spam complaints attributed to your domain, harms your deliverability, and erodes subscriber trust. Enforcing DMARC (p=reject) causes mailbox providers to reject unauthorized mail outright — but only after you have confirmed all legitimate senders are authorized.
Technical Details: Identified via DMARC aggregate report data: source IPs with DMARC fail disposition. Compare IP against your SPF record and DKIM selectors. Use tools like MXToolbox or your ESP’s sending IP documentation to identify legitimate sources.
Example: A Shopify brand receives DMARC reports showing an unknown IP in Singapore sending 2,000 emails per day claiming their domain; the DMARC policy is at p=none so these emails are being delivered; after moving to p=reject, the unauthorized source’s messages are rejected by Gmail and Yahoo — stopping the spam campaign and protecting the brand’s reputation.
Related Terms: DMARC aggregate report, DMARC, SPF, DKIM, Alignment
Category: Authentication · Security
Edge Cases: Legitimate senders sending cross-domain mail (e.g., a subsidiary sending from your brand domain via their own ESP) appear as unauthorized until authorized. Some sending sources are impossible to identify — if unrecognized, assume they should be rejected.
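To make the triage above concrete, here is an added example (not InboxEagle's implementation) that reads a DMARC aggregate report in the RFC 7489 XML layout and lists the source IPs whose mail failed DMARC. The report is constructed, every domain and IP in it is a placeholder, and the triage wording is this example's own heuristic.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report; domains and IPs are documentation placeholders.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourbrand.example</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>4200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourbrand.example</domain><result>pass</result></dkim>
      <spf><domain>mail.yourbrand.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.45</source_ip><count>2000</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.example</header_from></identifiers>
    <auth_results>
      <spf><domain>unknown-host.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.80</source_ip><count>310</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>crm-vendor.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def _text(node, path, default=""):
    """Return the stripped text at `path` under `node`, or `default` if absent."""
    found = node.find(path) if node is not None else None
    return found.text.strip() if found is not None and found.text else default


def failing_sources(report_xml):
    """Return (policy_domain, findings) for sources whose mail failed DMARC.

    policy_evaluated holds the aligned results: DMARC passes when either the
    dkim or the spf value there is "pass". auth_results holds the raw results,
    which may pass for a domain that does not align with the From domain.
    """
    # Reports come from third parties; in production use a hardened XML parser
    # (for example the defusedxml package) instead of parsing untrusted input directly.
    root = ET.fromstring(report_xml)
    policy_domain = _text(root, "policy_published/domain")
    by_ip = defaultdict(lambda: {"messages": 0, "passing_as": set()})
    for record in root.findall("record"):
        evaluated = record.find("row/policy_evaluated")
        if "pass" in (_text(evaluated, "dkim"), _text(evaluated, "spf")):
            continue  # aligned pass: an authorized source
        entry = by_ip[_text(record, "row/source_ip")]
        entry["messages"] += int(_text(record, "row/count", "0"))
        for auth in record.findall("auth_results/*"):
            if _text(auth, "result") == "pass":
                entry["passing_as"].add(f"{auth.tag}={_text(auth, 'domain')}")
    findings = []
    for ip, entry in by_ip.items():
        if entry["passing_as"]:
            triage = "authenticates as another domain: check for a service you forgot to authorize"
        else:
            triage = "no passing SPF or DKIM: treat as spoofing until identified"
        findings.append({"source_ip": ip, "messages": entry["messages"],
                         "passing_as": sorted(entry["passing_as"]), "triage": triage})
    return policy_domain, sorted(findings, key=lambda f: -f["messages"])


if __name__ == "__main__":
    domain, findings = failing_sources(SAMPLE_REPORT)
    print("DMARC failures for", domain)
    for f in findings:
        print(f["source_ip"], f["messages"], f["passing_as"], "->", f["triage"])
```

The third constructed source passes SPF and DKIM for a vendor's own domain but not for the From domain, which is the pattern a forgotten legitimate service produces; the second passes nothing.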
URL reputation
Short Definition: A score or classification assigned to URLs (links) by security and filtering systems based on whether they have been associated with malware, phishing, or abuse.
Detailed Explanation: When an email contains links, receivers or gateways may check each URL against reputation databases (e.g., Google Safe Browsing, Microsoft SmartScreen). Links to known-bad or suspicious URLs can cause the message to be filtered or the link to be blocked or rewritten.
Why It Matters: The URLs in your emails — your Shopify store links, tracking redirects, and any third-party URLs — are checked by spam filters and security tools. Using URL shorteners, newly registered domains, or redirect chains that obscure the destination can trigger spam filtering even if your authentication is perfect. Always link directly to your verified store domain.
Technical Details: Real-time or cached lookup by URL or domain; blocklists and ML models. Microsoft Safe Links and similar rewrite links and check on click.
Example: A Shopify brand uses a third-party discount aggregator link in a campaign; the aggregator domain has poor URL reputation from past spam reports; Gmail routes the campaign to spam despite clean authentication; replacing the link with a direct URL to their store fixes the issue.
Related Terms: Phishing detection, Microsoft Safe Links, Content filtering, Link wrapping
Category: Security · Anti-Spam
Edge Cases: New URLs have no history; false positives occur. Legitimate marketing links may share domains with bad actors. Reputation can change quickly.
User-agent fingerprinting
Short Definition: Using the HTTP User-Agent header (and related request characteristics) of an open or click event to infer whether the request came from a real browser or from automation (e.g., scanner, proxy).
Detailed Explanation: When a tracking pixel or link is requested, the User-Agent identifies the client. Real users typically have browser UAs (Chrome, Safari, etc.); security scanners and prefetchers often use distinct UAs (e.g., “Proofpoint”, “AppleMail”, generic HTTP client). Fingerprinting helps bot detection classify events.
Why It Matters: User-agent fingerprinting helps InboxEagle Bot Finder distinguish real customer clicks (arriving from a browser user-agent) from security scanner clicks (arriving from known scanner user-agents like Proofpoint URL Defense). For Shopify brands, this is one of the automated signals in Bot Finder that keeps your click data clean without any configuration required.
Technical Details: HTTP User-Agent header; sometimes combined with Accept, Accept-Language, or other headers. Known-bot patterns in a list or rule set. Bot Finder uses UA among other signals.
Example: A click event arrives at InboxEagle from User-Agent “Proofpoint URL Defense” — immediately classified as bot. Another click from a real customer shows “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120” — classified as human (subject to IP and timing checks), and counted in your store’s true CTR.
Related Terms: Bot detection, Security scanner, Human click verification, Time-to-click analysis
Category: Bot Detection · Analytics
Edge Cases: Some bots use browser-like UAs. Mobile and embedded clients may have unusual UAs. UA can be spoofed (less common for scanners).
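The signals described under Time-to-click analysis and User-agent fingerprinting can be combined in one classifier. This is an added example, not Bot Finder's logic: the scanner network (a documentation range), the user-agent markers, the thresholds and the click log are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions for this example, not vendor data.
SCANNER_NETWORKS = [ip_network("198.51.100.0/24")]           # stand-in "known scanner" range
AUTOMATION_UA_MARKERS = ("proofpoint", "python-requests", "curl/", "headlesschrome")
FAST_CLICK_SECONDS = {"marketing": 10, "transactional": 2}   # segment-specific thresholds
BURST_WINDOW_SECONDS = 90    # window in which a scanner loads a message's links
BURST_DISTINCT_LINKS = 3     # distinct links from one IP for one message

BROWSER_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120"
DAY = "2024-05-06T"


def _ev(msg, kind, delivered, clicked, ip, ua, link):
    return {"message_id": msg, "type": kind, "delivered": DAY + delivered,
            "clicked": DAY + clicked, "ip": ip, "user_agent": ua, "link": link}


# Constructed click log.
SAMPLE_EVENTS = [
    _ev("m1", "marketing", "09:00:00", "09:00:04", "198.51.100.23", BROWSER_UA, "/sale"),
    _ev("m1", "marketing", "09:00:00", "09:00:05", "198.51.100.23", BROWSER_UA, "/new"),
    _ev("m1", "marketing", "09:00:00", "09:00:06", "198.51.100.23", BROWSER_UA, "/cart"),
    _ev("m2", "marketing", "09:00:00", "09:18:00", "203.0.113.50", BROWSER_UA, "/sale"),
    _ev("m3", "transactional", "10:00:00", "10:00:06", "203.0.113.77", BROWSER_UA, "/confirm"),
    _ev("m4", "marketing", "09:00:00", "09:00:40", "192.0.2.9", "Proofpoint URL Defense", "/sale"),
    _ev("m5", "marketing", "09:00:00", "09:01:01", "192.0.2.44", BROWSER_UA, "/sale"),
    _ev("m5", "marketing", "09:00:00", "09:01:03", "192.0.2.44", BROWSER_UA, "/new"),
    _ev("m5", "marketing", "09:00:00", "09:01:06", "192.0.2.44", BROWSER_UA, "/cart"),
    _ev("m6", "marketing", "09:00:00", "09:00:05", "203.0.113.90", BROWSER_UA, "/sale"),
]


def time_to_click(event):
    """Seconds between delivery and the click request."""
    delivered = datetime.fromisoformat(event["delivered"])
    clicked = datetime.fromisoformat(event["clicked"])
    return (clicked - delivered).total_seconds()


def burst_keys(events):
    """(message_id, ip) pairs that requested many distinct links soon after delivery."""
    links = defaultdict(set)
    for e in events:
        if time_to_click(e) <= BURST_WINDOW_SECONDS:
            links[(e["message_id"], e["ip"])].add(e["link"])
    return {key for key, seen in links.items() if len(seen) >= BURST_DISTINCT_LINKS}


def classify(events):
    """Return one (label, signals, seconds_to_click) tuple per event."""
    bursts = burst_keys(events)
    results = []
    for e in events:
        ttc = time_to_click(e)
        ua = e["user_agent"].lower()
        signals = set()
        if any(marker in ua for marker in AUTOMATION_UA_MARKERS):
            signals.add("automation_ua")
        if any(ip_address(e["ip"]) in net for net in SCANNER_NETWORKS):
            signals.add("scanner_ip")
        if ttc < FAST_CLICK_SECONDS[e["type"]]:
            signals.add("fast_click")
        if (e["message_id"], e["ip"]) in bursts:
            signals.add("link_burst")
        # A fast click alone is not enough: some real users click immediately.
        is_bot = ("automation_ua" in signals or "link_burst" in signals
                  or {"scanner_ip", "fast_click"} <= signals)
        results.append(("BOT" if is_bot else "HUMAN", sorted(signals), ttc))
    return results


if __name__ == "__main__":
    for event, (label, signals, ttc) in zip(SAMPLE_EVENTS, classify(SAMPLE_EVENTS)):
        print(event["message_id"], event["link"], f"{ttc:.0f}s", label, signals)
```

The m5 rows show a delayed sandbox with a browser-like user-agent that only the link-burst signal catches, and m6 shows a quick human click that is kept because no second signal supports it.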
VMC (Verified Mark Certificate)
Short Definition: A certificate issued by an approved certification authority that attests to a brand’s right to use a logo for BIMI display in supporting mailbox providers.
Detailed Explanation: BIMI allows senders to specify a logo URL in DNS; some receivers (e.g., Gmail) require that the logo be backed by a VMC. The VMC is issued after the CA verifies the brand’s trademark and identity. The certificate is referenced in the BIMI DNS record.
Why It Matters: A VMC is the certificate that proves your brand logo ownership for BIMI — required for Gmail to display your logo next to emails. For e-commerce brands investing in BIMI, the VMC is the final step that makes the logo appear. It adds cost (~$1,500+/year) but the inbox branding impact improves open rates and brand recognition at scale.
Technical Details: X.509 certificate; issued by approved CAs (e.g., DigiCert, Entrust). Referenced in BIMI record. DMARC must be at p=quarantine or p=reject for BIMI to apply.
Example: A Shopify brand completes DMARC p=reject, obtains a VMC from DigiCert with their trademarked logo, and publishes their BIMI DNS record; Gmail now shows their brand logo next to every campaign and automation email — increasing recognition and improving open rates for the brand’s subscriber list.
Related Terms: BIMI, DMARC, Authentication
Category: Authentication
Edge Cases: Not all brands qualify (trademark required). Cost and renewal. Not all receivers require VMC yet.
Warmup
Short Definition: The gradual increase in sending volume and reputation from a new IP or domain so that receivers learn to trust the sender and do not throttle or block.
Detailed Explanation: New IPs and domains start with no or neutral reputation. Sending full volume immediately can trigger rate limits and spam filters. Warmup involves starting with low volume and high-engagement segments, then scaling up over days or weeks while monitoring reputation and placement.
Why It Matters: Switching email platforms (for example, moving to a new ESP or dedicated sending IP) without warming up is one of the most common mistakes e-commerce brands make — it causes bulk filtering or blocks that can take months to recover from.
Technical Details: No standard; typically 2–4 weeks. Volume curves vary by provider and ESP. Dedicated IP warmup is common; shared IPs may not require sender-specific warmup. InboxEagle and Postmaster tools help monitor during warmup.
Example: A DTC brand moves to a dedicated sending IP for Klaviyo: week 1 sends 1k–5k/day to their most engaged subscribers (recent openers and buyers); week 2 increases to 20k/day; week 3+ scales to full list volume while monitoring reputation and placement in InboxEagle.
Related Terms: IP reputation, Domain reputation, Rate limiting, Throttling
Category: Deliverability · Reputation
Edge Cases: Cold IPs on shared pools can warm up quickly due to pool reputation. Very large senders may use multiple IPs and warm them in parallel. Sudden volume drop after warmup can also hurt reputation.
Yahoo Sender Hub
Short Definition: Yahoo’s postmaster tool for bulk senders, providing complaint rate data, risk zone classification, and enforcement threshold alerts for Yahoo and AOL email delivery.
Detailed Explanation: Yahoo Sender Hub (sender.yahoo.com) is the Yahoo equivalent of Google Postmaster Tools. It gives email senders direct visibility into how Yahoo and AOL classify their sending program. The key metric is complaint rate — the percentage of Yahoo/AOL-delivered mail that recipients mark as spam. Yahoo groups senders into three risk zones (Normal, Warning, Enforcement) based on complaint rate, with the warning threshold at 0.10%. InboxEagle integrates with Yahoo Sender Hub to surface this data alongside Google Postmaster and overall placement metrics.
Why It Matters: Yahoo and AOL together represent a significant share of consumer email addresses in the US. Without Yahoo Sender Hub data, a complaint rate problem at Yahoo is invisible until it causes delivery failures. For Shopify brands with large consumer lists, connecting Yahoo Sender Hub gives the same direct provider visibility for Yahoo that Google Postmaster Tools provides for Gmail — making complaint rate monitoring complete across both major consumer providers.
Technical Details: Access at sender.yahoo.com; requires domain verification via DNS TXT record. Complaint rate is normalized against delivered mail to Yahoo/AOL addresses. Data is published approximately once per 24 hours. OAuth-based API access; InboxEagle connects via OAuth and displays data in the deliverability dashboard.
Example: A DTC brand’s Yahoo Sender Hub risk zone changes to Warning after a re-engagement campaign generates elevated complaints from Yahoo/AOL addresses; InboxEagle fires an alert within 1 minute of receiving the data; the brand pauses sends to their oldest Yahoo/AOL segments and the risk zone returns to Normal within 48 hours.
Related Terms: Risk zone, Complaint rate, Feedback loop, Google Postmaster Tools, Domain reputation
Category: Authentication · Reputation · Integration
Edge Cases: Yahoo Sender Hub requires minimum send volume to Yahoo/AOL addresses before generating complaint rate data. Very low-volume senders may see no data or persistent 0% rates. Domain verification must be completed at sender.yahoo.com before connecting to InboxEagle.
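The risk zone logic this entry describes, sketched as an added example (not Yahoo's or InboxEagle's code): it classifies daily complaint-rate reports and lists zone transitions, handling the low-volume case from the edge cases above. Only the 0.10% warning threshold comes from this page; the enforcement cut-off, the volume floor, the `DailyReport` shape and the sample figures are assumptions made for illustration.

```python
from dataclasses import dataclass

WARNING_PER_10K = 10  # 0.10% warning threshold, as stated in this entry
# Assumed placeholders, not Yahoo's published values: the enforcement
# cut-off and the volume floor below which a day is treated as "no data".
ASSUMED_ENFORCEMENT_PER_10K = 30
ASSUMED_MIN_DELIVERED = 1000

@dataclass
class DailyReport:
    day: str          # ISO date, so string order is date order
    delivered: int    # mail delivered to Yahoo/AOL addresses
    complaints: int   # of those, how many recipients marked as spam

def classify(report):
    """Return (zone, rate); zone is 'NoData' below the volume floor."""
    if report.delivered < ASSUMED_MIN_DELIVERED:
        return "NoData", None
    # Integer comparison avoids float rounding exactly at the threshold.
    scaled = report.complaints * 10_000
    rate = report.complaints / report.delivered
    if scaled >= ASSUMED_ENFORCEMENT_PER_10K * report.delivered:
        return "Enforcement", rate
    if scaled >= WARNING_PER_10K * report.delivered:
        return "Warning", rate
    return "Normal", rate

def zone_changes(reports):
    """List (day, old_zone, new_zone) transitions, skipping NoData days
    so a low-volume day neither hides nor fakes a zone change."""
    changes, last = [], None
    for r in sorted(reports, key=lambda r: r.day):
        zone, _ = classify(r)
        if zone == "NoData":
            continue
        if last is not None and zone != last:
            changes.append((r.day, last, zone))
        last = zone
    return changes

# Constructed sample data, not real sender figures.
SAMPLE = [
    DailyReport("2024-05-01", 42000, 21),  # 0.05%
    DailyReport("2024-05-02", 40000, 60),  # 0.15%, re-engagement send
    DailyReport("2024-05-03", 300, 2),     # 0.67% on 300 mails: too few to judge
    DailyReport("2024-05-04", 38000, 19),  # 0.05%
]

if __name__ == "__main__":
    for change in zone_changes(SAMPLE):
        print(change)
```

Without the volume floor, the 300-message day would read as a jump past the warning threshold on the strength of two complaints.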
Yahoo sender reputation
Short Definition: Yahoo’s internal reputation score for a sending domain or IP, which determines inbox placement, promotions tab routing, or spam folder delivery at Yahoo and AOL.
Detailed Explanation: Like Google, Yahoo maintains per-domain and per-IP reputation signals based on complaint rate, bounce rate, engagement, and authentication. Yahoo sender reputation is not publicly exposed as a numerical score, but it is reflected in placement outcomes (inbox vs. spam) and in the Yahoo Sender Hub risk zone. Maintaining a Normal risk zone and low complaint rate (below 0.10%) is the primary lever for good Yahoo sender reputation.
Why It Matters: Yahoo and AOL together represent a large share of US consumer email. Poor Yahoo sender reputation leads to bulk or spam placement, directly reducing revenue from campaigns and automations. Unlike Google Postmaster’s four-tier domain reputation gauge, Yahoo’s signals are less granular — making complaint rate monitoring via Yahoo Sender Hub the most actionable proxy.
Related Terms: Yahoo Sender Hub, Risk zone, Complaint rate, Domain reputation
Category: Reputation