What are the requirements for certification?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If you've read about the benefits of sender certification, the obvious next question is: what do you actually need to qualify? The answer depends on which program you're applying to, but there's a common core that nearly every certification body looks for.

Think of it in three layers: technical setup, sending behavior, and process maturity.

Technical requirements

You'll need passing SPF, DKIM, and DMARC on every message you send. Your sending IPs need matching reverse DNS records (so an IP lookup returns a hostname that matches your sending domain). Your headers need to be properly formatted, and your messages need to comply with standard email specs. That's the baseline. If you're not already doing this, certification is the wrong conversation to be having right now.

Behavioral requirements

This is where most senders run into trouble. Programs like CSA and Validity Certification set thresholds you have to stay under continuously, not just at application time. Typical thresholds look like this:

  • Spam complaint rate: usually below 0.1%
  • Unknown user rate: a low number here tells the certifier your list is clean and you're not guessing at addresses
  • Spam trap hits: near zero. Even a handful of trap addresses in your list is a red flag
  • Unsubscribe rate and handling: you need a working, visible unsubscribe mechanism that processes requests within the required timeframe

These numbers are tracked over time. A clean month followed by a messy campaign won't get your certification revoked overnight, but a pattern of drift will.

Process requirements

Still this is the part senders often underestimate. Certification bodies want to know that good metrics aren't just lucky numbers. They want documented evidence of how you collect consent, how you handle complaints, how you maintain your list, and who in your organization is accountable for sending practices. You'll typically need to show that you have a formal opt-in process (not just "we only send to people who want our emails") and that you have a complaint-handling workflow in place.

The honest reality is that certification doesn't give you inbox placement on a silver platter. What it does is give mailbox providers a stronger signal to trust your messages. If your sending practices are already solid, certification formalizes that trust. If they're not, certification won't paper over the gaps.

Not sure where your setup currently stands? Run your domain through our free blocklist checker and SPF checker as a starting point. Or if you're actively preparing a certification application, drop us a message and we can walk through your readiness honestly.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Audit my certification readiness

I want to apply for email sender certification and need to audit my current setup first. Based on my sending infrastructure, complaint rates, and list practices below, can you tell me which requirements I likely meet and which gaps I need to close before applying? Please rank the gaps by priority and suggest specific fixes for each one. My current setup: - Authentication (SPF / DKIM / DMARC status): - Sending IPs and reverse DNS: - Average complaint rate: - Estimated unknown user / bounce rate: - Unsubscribe mechanism: - Consent collection method: - List maintenance practices:

Edit the yellow boxes, then send to the AI of your choice.