You can write the best newsletter in your niche, and it won't matter at all if it lands in spam. Deliverability is the unglamorous, invisible layer underneath every newsletter platform, and it's the difference between an email someone actually opens and one that quietly dies in a folder they never check.
Ghost handles a meaningful chunk of this for you automatically, especially if you're on Ghost(Pro). But there's still a real amount you need to understand and, if you're self-hosting, actively configure yourself. Here's what actually matters.
Why You Can't Just Send Newsletters Like Regular Email
This trips up almost everyone coming from a smaller mailing habit. You might assume that if Ghost can send a single email through SMTP, it could send a newsletter to a thousand people the same way. It can't, and Ghost is direct about why: sending bulk mail to many recipients through basic SMTP gets your sending IP address blacklisted almost immediately, since mail providers treat that pattern as a strong spam signal regardless of your actual content. Because of this, Ghost doesn't support sending newsletters through plain SMTP at all.
Instead, newsletters need to go through a dedicated bulk email provider built specifically for this kind of sending, one that maintains sender reputation, handles authentication, and has existing trust relationships with major inbox providers. Mailgun is the provider Ghost most commonly pairs with, though it's not the only option available if you're self-hosting.
The Three Acronyms That Actually Matter: SPF, DKIM, DMARC
These three show up in every deliverability conversation, and they're worth actually understanding rather than just copying DNS records blindly.
SPF (Sender Policy Framework) tells receiving mail servers which servers are allowed to send email on behalf of your domain. Without it, anyone could spoof your domain and send email pretending to be you, which is exactly the kind of thing spam filters watch for.
DKIM (DomainKeys Identified Mail) adds a digital signature to your outgoing emails, proving the message wasn't altered in transit and genuinely came from your domain. It's a core piece of how mail providers verify your emails are legitimate rather than forged.
DMARC builds on both of the above, telling receiving servers what to do if an email claims to be from your domain but fails SPF or DKIM checks. You can start in monitoring mode, which just reports failures without blocking anything, before moving to a stricter policy once you've confirmed everything's configured correctly.
Together, these three form the backbone of how mail providers decide whether your domain is trustworthy. Getting them right is less about checking a box and more about establishing your domain's reputation over time.
If You're on Ghost(Pro)
Good news here: this entire layer is handled for you. Ghost(Pro) configures SPF, DKIM, and DMARC authentication on your behalf, along with blocklist monitoring and sending domain management. You genuinely don't need to touch DNS records for any of this.
The one thing worth knowing is that if your list grows large and you've built up a strong sender reputation, you may eventually have the option to configure a custom sending domain rather than using Ghost's shared infrastructure. This isn't something you need to think about early on, but it's worth knowing it exists once your newsletter scales.
If You're Self-Hosting
This is where the actual setup work lives. The general process looks like this:
- Create a Mailgun account (or your provider of choice) and add your sending domain, typically as a subdomain like
mail.yourdomain.comrather than your root domain. - Add the DNS records Mailgun gives you. This usually includes an SPF record, DKIM records, and an MX record for the subdomain. Most providers also offer a tracking CNAME, which lets them measure opens and clicks.
- Add a DMARC record on top of these. Start with a
p=nonepolicy so you're only monitoring results at first, and consider tightening it top=quarantineorp=rejectlater, once you've confirmed your authentication is solid and consistent. - Verify everything in your provider's dashboard. Mailgun (and most providers) will tell you clearly whether each record is correctly detected.
- Connect your Mailgun credentials in Ghost Admin, under Settings → Email newsletter. You'll need your region (US or EU), your verified domain, and an API key generated specifically under "API Keys" rather than "Sending API Keys," since those serve different purposes.
- Set up transactional email separately. This is a detail people miss: your newsletter sending (handled by Mailgun's API) is a different pipeline from transactional emails like staff invites, password resets, and member sign-in links. Those typically need their own SMTP configuration in your
config.production.jsonfile, often using Mailgun's SMTP credentials rather than its API. - Send a test email before going live. Ghost's email newsletter settings let you send a test send to yourself. Always check this lands properly, and check it across more than one email provider if you can, since Gmail, Outlook, and others can behave differently.
What Actually Hurts Deliverability (Beyond DNS)
Authentication gets you in the door, but it's not the whole story. A few other factors matter just as much over time:
Sending domain reputation builds gradually. A brand-new domain or subdomain has no sending history yet, which means inbox providers treat it cautiously at first. It's normal to see slightly lower open rates in your first few sends as your domain "warms up." This isn't usually a configuration problem, it's just trust accumulating over time.
Engagement matters more than people expect. Inbox providers watch how recipients interact with your emails: opens, clicks, and crucially, how often people mark you as spam or simply never open anything you send. A newsletter with consistently low engagement signals to providers that maybe this sender shouldn't be trusted with inbox placement, regardless of how clean your authentication setup is.
List hygiene matters. Sending to a list full of dead addresses, typos, or people who signed up once and never engaged again drags down your overall engagement metrics. Periodically removing long-term unengaged subscribers, even though it shrinks your numbers, tends to improve actual deliverability for the people who do want your emails.
Content still matters, even with great authentication. Spam filters also look at the content itself: excessive links, spammy phrasing, ALL CAPS subject lines, and image-heavy emails with little actual text can all still get flagged, even from a perfectly authenticated domain.
Avoid using a personal email service as your "from" address. Using a Gmail or Outlook address as your sending "from" address, rather than your own domain, undermines the entire point of setting up SPF and DKIM in the first place, since those records are tied to your domain, not a generic provider account.
A Quick Troubleshooting Checklist
If newsletters seem to be landing in spam or simply not arriving, work through these in order:
- Are your SPF, DKIM, and DMARC records actually verified in your provider's dashboard, not just added to DNS?
- Did you generate the correct type of API key (not a "Sending API Key" where a regular API key is required)?
- Is your "from" address using your own domain, not a generic email provider?
- Has enough time passed for DNS changes to propagate? These can take anywhere from minutes to a couple of hours depending on your registrar.
- Are you sending a healthy volume relative to your domain's age? Sudden large sends from a brand-new domain look suspicious to mail providers, even with correct authentication.
- Have you checked whether your domain or IP appears on any public blocklists?
The Bigger Picture
Deliverability isn't a one-time setup task so much as an ongoing relationship between your sending domain and the mail providers deciding whether to trust it. Authentication (SPF, DKIM, DMARC) gets your foot in the door. What keeps you there is consistent sending, genuine engagement from people who actually want your content, and a list that isn't padded with addresses that never open anything.
If you're on Ghost(Pro), most of the technical burden here is already off your plate, which is honestly one of the more underrated reasons people choose managed hosting once their newsletter starts to matter. If you're self-hosting, the setup is a genuinely manageable afternoon of DNS work, not a deep technical rabbit hole, as long as you follow the steps in order and actually verify each piece before moving to the next.
