Why Your Shared Hosting Email Keeps Landing in Spam — SPF, DKIM, DMARC and the New Sender Rules
If you run a shared hosting platform, there is a support ticket you have learned to dread: "my email isn't being delivered." It arrives constantly, it is maddening to diagnose, and for years the honest answer was a shrug and some hand-waving about "reputation." That era is over. The major mailbox providers have spent the last couple of years quietly rewriting the rules of what gets accepted, and the change is not a tweak — it is a hard line. Authentication that used to be optional is now mandatory, and hosting providers who have not caught up are watching their customers' mail vanish into spam folders or get rejected outright. Here is what actually changed, why shared hosting is uniquely exposed, and what you have to get right.
The three letters you can no longer ignore
The foundation of modern deliverability is a stack of three authentication mechanisms, and a mailbox provider now expects to see all of them working together. The first is SPF, the Sender Policy Framework, a DNS record that declares which servers are permitted to send mail for a domain. The second is DKIM, DomainKeys Identified Mail, which attaches a cryptographic signature to each outgoing message so the receiver can verify it genuinely came from the domain and was not tampered with in transit. The third, and the one most often misunderstood, is DMARC, which ties the first two together: it tells receivers what to do with mail that fails authentication, and it requires alignment, meaning the domain in the visible "From" address must match the domains validated by SPF and DKIM.
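Here is that alignment rule in working code, as an added example rather than anything from the article. It takes the visible From domain, the domain SPF validated (the envelope sender, which this example assumes is the platform's bounce domain rather than the tenant's), and the d= domains of DKIM signatures that verified, parses the DMARC record and returns the verdict. The organizational-domain check is simplified to the last two labels; real receivers use the Public Suffix List.

```python
# Added example, not from the article: evaluate DMARC alignment for one message.
# Assumption: organizational domain = last two labels. Real receivers use the
# Public Suffix List, so multi-label suffixes such as .co.uk differ from this.

def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # assumption: treat a missing policy as none
    tags.setdefault("adkim", "r")     # relaxed is the RFC 7489 default
    tags.setdefault("aspf", "r")
    return tags

def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, spf_pass_domain, dkim_pass_domains, dmarc_txt):
    """Return (dmarc_pass, disposition).

    from_domain:       domain of the visible From: header
    spf_pass_domain:   MAIL FROM domain if SPF passed, else None
    dkim_pass_domains: d= domains of signatures that verified
    Either an aligned SPF pass or an aligned DKIM pass is enough.
    """
    policy = parse_dmarc(dmarc_txt)
    spf_ok = aligned(from_domain, spf_pass_domain, policy["aspf"])
    dkim_ok = any(aligned(from_domain, d, policy["adkim"]) for d in dkim_pass_domains)
    passed = spf_ok or dkim_ok
    return passed, ("none" if passed else policy["p"])
```

Note what the first two cases show: SPF passing on the platform's bounce domain does nothing for the tenant's DMARC; only a per-domain DKIM signature rescues the message, and a strict adkim tag makes even a subdomain From fail.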
Individually, each of these has existed for years and was widely treated as advanced configuration that conscientious admins set up and everyone else ignored. The shift is that they are no longer optional polish. A message that arrives without proper authentication is now treated, by default, as suspicious — and increasingly, it is simply not delivered.
What the big providers actually demand now
The decisive moment came when the largest mailbox providers stopped recommending authentication and started requiring it. The bulk-sender rules that Gmail and Yahoo rolled out, and that Microsoft has since echoed, set explicit conditions for anyone sending meaningful volumes of mail. Senders must authenticate their mail with SPF and DKIM. They must publish a valid DMARC policy and achieve alignment. Marketing and bulk mail must offer genuine one-click unsubscribe and honour it promptly. And — the requirement that catches the most people out — senders must keep their spam complaint rate below a strict threshold, in the region of a few tenths of a percent, with the practical target being to stay comfortably under it rather than flirt with the ceiling.
For a hosting provider, the critical realization is that these thresholds are evaluated against sending identity and reputation, and on shared infrastructure that identity is collective. One customer's bad behaviour bleeds into everyone else's deliverability, because they are all sending from the same place.
Why shared hosting is uniquely exposed
This is the heart of the problem, and it is structural. A dedicated sender controls their own domain, their own IP, and their own reputation; if they follow the rules, they are fine. A shared hosting platform is a crowd of unrelated senders pushing mail through common infrastructure, often from a shared pool of IP addresses, and the mailbox providers judge that infrastructure as a unit. When one tenant runs a sloppy mailing list, gets flagged as a spam source, or has their account compromised and turned into a relay, the reputation hit lands on the shared IP — and suddenly the small business three accounts over, who did everything right, finds their invoices landing in spam.
This collective-fate dynamic is what makes hosting email so hard and so thankless. You are responsible for the deliverability of senders whose behaviour you do not control, judged by systems that increasingly assume guilt. The only defence is to make the infrastructure itself unimpeachable and to give every legitimate tenant the tools to authenticate properly, so that the platform's baseline reputation is strong enough to survive the inevitable bad actor.
The infrastructure you have to get right
Several things have to be correct before deliverability is even possible, and on shared hosting they are platform responsibilities, not customer ones. Reverse DNS, the PTR record, must exist and match the sending hostname; mail from an IP with no proper rDNS is treated as junk by default, and this is non-negotiable. The sending hostname's forward and reverse records must agree. The shared IPs must be clean and monitored against the major blocklists, because landing on a well-respected blocklist can poison delivery for every tenant at once until you get it resolved.
Beyond the basics, the platform needs to make per-domain DKIM signing trivial, ideally automatic, so that every domain hosted gets its own signature without the customer needing to understand cryptography. SPF records need to be generated correctly for the platform's sending hosts, and customers need clear guidance — or automated tooling — to publish them. The goal is to make the authenticated path the default path, because any deliverability that depends on every customer manually configuring DNS correctly is deliverability that will fail.
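An added example of the automated side (not any platform's own tooling): merging the platform's include into a tenant's existing SPF without dropping their other terms or exceeding the ten-lookup limit, and splitting a DKIM public key into the 255-octet strings a TXT record needs. The platform hostname and selector are assumed names.

```python
import base64
import re

# Assumed platform names; replace with your own hosts and selector.
PLATFORM_SPF_INCLUDE = "_spf.hosting-platform.example"
DKIM_SELECTOR = "hp1"
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_RE = re.compile(r"[+\-~?]?all")

def spf_lookup_count(record: str) -> int:
    """Count terms that cost a DNS query; RFC 7208 permerrors above 10."""
    count = 0
    for term in record.split()[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count

def merge_spf(existing: str = "") -> str:
    """Add the platform include to a tenant's SPF, keeping their other terms and
    their existing 'all' qualifier; refuse a result that would exceed 10 lookups."""
    if not existing.strip():
        return f"v=spf1 include:{PLATFORM_SPF_INCLUDE} -all"
    terms = existing.split()
    if terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    body = [t for t in terms[1:] if not ALL_RE.fullmatch(t.lower())]
    tail = [t for t in terms[1:] if ALL_RE.fullmatch(t.lower())] or ["-all"]
    include = f"include:{PLATFORM_SPF_INCLUDE}"
    if include not in body:
        body.append(include)
    merged = " ".join(["v=spf1", *body, *tail])
    if spf_lookup_count(merged) > 10:
        raise ValueError("merged SPF exceeds 10 DNS lookups and would permerror")
    return merged

def dkim_txt_strings(pubkey_der: bytes, max_len: int = 255) -> list:
    """Build the selector TXT value and split it into <=255-octet strings,
    since a single TXT character-string cannot exceed 255 bytes."""
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(pubkey_der).decode()
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]

def tenant_dns_records(domain: str, pubkey_der: bytes, existing_spf: str = "") -> dict:
    """The two TXT records the platform should publish or hand to the tenant."""
    return {
        domain: merge_spf(existing_spf),
        f"{DKIM_SELECTOR}._domainkey.{domain}": dkim_txt_strings(pubkey_der),
    }
```

The DKIM input is the DER-encoded public key; a 2048-bit RSA key is about 294 bytes, which already pushes the TXT value past one 255-octet string.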
Containment: stopping one bad tenant from sinking the rest
Because reputation is shared, the single most valuable thing a hosting platform can do is contain damage before it spreads. This means rate-limiting outbound mail per account so a compromised or runaway account cannot blast tens of thousands of messages before anyone notices. It means monitoring outbound volume and patterns for the signatures of compromise — sudden spikes, mail to enormous recipient lists, a quiet account that suddenly becomes a firehose. And it means having a fast path to suspend outbound sending for a single account without taking down the whole server.
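One way to implement those containment rules, as an added illustration rather than code from the article: replay outbound send events per account through a sliding window, trip on a huge recipient list, on the hard hourly cap, or on a quiet account suddenly sending many times its baseline, and return the accounts whose outbound queue should be suspended. The limits, the per-account baselines and the events are all constructed values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; a real platform would tune these per plan.
MAX_RECIPIENTS_PER_MESSAGE = 100
HOURLY_RECIPIENT_CAP = 500
SPIKE_FLOOR = 50              # ignore the spike ratio below this many recipients/hour
SPIKE_RATIO = 10              # "quiet account becomes a firehose" multiplier
BASELINE_HOURLY = {"acct_law": 20, "acct_bakery": 5, "acct_blog": 2}  # assumed history

def constructed_events():
    """Constructed outbound send events: (timestamp, account, recipient_count)."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    ev = [(t0 + timedelta(minutes=3 * i), "acct_law", 2) for i in range(10)]   # steady
    ev += [(t0 + timedelta(seconds=i), "acct_bakery", 1) for i in range(80)]  # sudden burst
    ev += [(t0 + timedelta(minutes=5), "acct_blog", 1200)]                     # huge list
    return ev

def find_accounts_to_suspend(events, window=timedelta(hours=1)):
    """Replay events in time order; return {account: reason} for the first rule
    each account trips. The action is to suspend that account's outbound
    sending only, not the whole server."""
    recent = defaultdict(deque)   # account -> deque of (ts, n) inside the window
    flagged = {}
    for ts, acct, n in sorted(events):
        if acct in flagged:
            continue
        if n > MAX_RECIPIENTS_PER_MESSAGE:
            flagged[acct] = f"single message to {n} recipients"
            continue
        q = recent[acct]
        q.append((ts, n))
        while ts - q[0][0] > window:
            q.popleft()
        total = sum(c for _, c in q)
        baseline = BASELINE_HOURLY.get(acct, 0)
        if total > HOURLY_RECIPIENT_CAP:
            flagged[acct] = f"{total} recipients within {window}"
        elif total > max(SPIKE_FLOOR, SPIKE_RATIO * baseline):
            flagged[acct] = f"{total} recipients/h vs baseline {baseline}/h"
    return flagged
```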
The providers who survive the new regime are the ones who treat outbound mail as a risk to be actively managed rather than a service to be passively offered. The alternative is to discover the problem only when the shared IP is already blocklisted and every customer is screaming at once.
The strategic shift: separate your reputations
The deeper lesson many operators are drawing is that lumping all mail together on one reputation is no longer viable. Separating transactional mail from bulk or marketing mail, giving higher-trust customers cleaner sending paths, and isolating the riskier senders so their behaviour cannot contaminate everyone else are all becoming standard practice. The principle is simple: reputation is now a managed asset, and pooling all of it into one undifferentiated bucket means the worst sender in the pool sets the ceiling for the best.
For smaller platforms, this may mean leaning on a reputable outbound relay or smarthost for at least some classes of mail, accepting the cost in exchange for inheriting a professionally managed sending reputation. There is no shame in this; fighting the deliverability war alone, with a handful of shared IPs and a crowd of unpredictable tenants, is a battle that gets harder every year.
The bottom line for operators
The uncomfortable truth is that email deliverability has graduated from a dark art into a compliance requirement, and the mailbox providers are not going to relax. The trend runs entirely one direction: more authentication, stricter enforcement, less tolerance for unauthenticated or poorly behaved mail. A hosting platform that has not made SPF, DKIM, and DMARC the automatic default, that does not maintain clean monitored IPs with correct rDNS, and that does not actively contain outbound abuse is not offering email so much as offering disappointment with a delay.
The good news is that none of this is mysterious, and most of it is one-time infrastructure work that pays off across every tenant indefinitely. Get the authentication automatic, keep the IPs clean, contain the bad actors fast, and separate your reputations sensibly, and the dreaded deliverability ticket becomes rare instead of routine. Ignore it, and you will spend the next few years slowly losing the trust of every mailbox provider that matters — one unauthenticated message at a time.