How does a sender become Return Path Certified?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Sender Certification (the program used to be called Return Path Certification before Validity bought Return Path in 2019) is a paid allowlist. You pay Validity, you pass their vetting, and you get preferential inbox treatment at participating mailbox providers and filtering networks. Historically that included Microsoft (Outlook, Hotmail), Yahoo, La Poste, and Cloudmark/Proofpoint. The list shifts, so check Validity's current partner page before you assume Gmail is on it. It is not.
This is not best-practices certification in the abstract sense. It is a commercial program with a high bar and a contract. Here is what you actually need to clear.
The technical floor
Before Validity will even look at your application, you need clean authentication. SPF, DKIM, and DMARC all aligned and passing. If you are shaky on what those do, the relevant almanac entries are What is RFC 7208 (SPF)?, What is RFC 6376 (DKIM)?, and What is RFC 7489 (DMARC)?.
Reverse DNS (PTR records) on your sending IPs needs to match your HELO/EHLO hostname. TLS on outbound. List-Unsubscribe headers including the one-click RFC 8058 version. No open relays, no shared IPs hosting other senders you cannot vouch for.
The behavioural thresholds
Validity publishes the metrics they monitor in their Sender Certification program standards. The exact numbers move from time to time, but the order of magnitude is consistent:
- Complaint rate below roughly 0.3 percent (3 complaints per 1,000 delivered messages) across the major mailbox providers Validity samples.
- Unknown user rate (hard bounces to non-existent addresses) below 5 percent.
- Spam trap hits at or near zero. Pristine traps (addresses that were never valid) are the killer. A handful inside a 30-day window can disqualify you.
- Volume consistency. Wild spikes and gaps look like compromised infrastructure.
They sample your traffic for 30 days before deciding, then continuously after that. If you sit at 0.25 percent complaints with occasional spikes to 0.5, you are not in.
The consent and content review
Validity reads your signup flow. Pre-checked boxes, co-registration, list rental, append, and we-found-you-on-LinkedIn sourcing all fail. They want documented affirmative opt-in (the user actively asked for this mail) with a clear description of what gets sent and how often.
They will also pull samples of your live mail. If your transactional stream is bundled with promotional content, that gets flagged. If your unsubscribe takes more than one click and one confirmation, that gets flagged. If the From name does not match the domain, that gets flagged.
The application itself
You submit through Validity. They ask for IP ranges, sending domains, ESP relationships, volume estimates, and your consent documentation. Then they invoice you. The fee scales with sending volume and number of certified IPs. Small senders land in the low five figures annually. Enterprise senders pay more. There is no public price list. Get a quote.
Why people fail
Most rejections fall into three buckets:
- The sender thought their list was clean and it was not. They had legacy addresses they had not mailed in 18 months that bounced or hit traps the moment volume came back.
- The sender had a clean main stream but one neglected sub-brand or acquired list dragged the overall numbers down. Validity looks at everything under your IPs and domains.
- The sender's consent story did not survive a careful read of the signup page. A buried checkbox under a Terms acceptance does not count.
What it actually buys you
Improved inbox placement at participating providers, images rendered by default in some clients, link tracking that does not trigger filter penalties, and a Validity rep who can escalate genuine delivery issues. It does not get you into Gmail's good books, because Gmail does not participate. Gmail evaluates you the same way it evaluates everyone else: complaint rate in Postmaster Tools, domain reputation, and authentication. See Google's bulk sender guidance for the real Gmail bar.
If your problem is Gmail, certification is not your fix. If your problem is Outlook/Hotmail treating bulk mail with suspicion despite a clean track record, certification is one of the few levers that actually moves the needle.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.