
Email Deliverability Checklist

1. Authentication

Email authentication is the foundation of deliverability. Without it, receiving servers have no way to verify that your messages are legitimate. All three protocols must be configured and passing.

  • SPF record published — A TXT record at your domain root listing all authorized sending IPs. End with -all. → SPF Record Guide
  • SPF under 10 DNS lookups — Exceeding the limit causes a permerror (treated as no SPF). → Fix SPF Lookup Limit
  • DKIM signing enabled — All outgoing mail signed with a 2048-bit RSA key. Verify the public key is in DNS. → DKIM Setup Guide
  • DMARC record published — At minimum v=DMARC1; p=none; rua=mailto:.... Target p=reject after monitoring. → DMARC Setup Guide
  • DMARC alignment passing — The From: header domain must align with either the SPF domain or the DKIM d= domain.
  • All third-party senders authenticated — Marketing platforms, CRM, ticketing systems — each must pass SPF or DKIM with alignment for your domain.
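The SPF items above (one record, ending in -all, within the lookup limit) can be checked mechanically. The following is an added example, not part of the original checklist: it follows include and redirect recursively over a constructed in-memory zone instead of live DNS, and every domain name in it is hypothetical.

```python
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # RFC 7208 section 4.6.4
LIMIT = 10
# Constructed sample data standing in for DNS: name -> TXT strings.
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.10 mx include:_spf.mailer.example include:crm.example -all"],
    "_spf.mailer.example": ["v=spf1 include:a.mailer.example include:b.mailer.example ~all"],
    "a.mailer.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "b.mailer.example": ["v=spf1 a mx exists:%{i}.bl.mailer.example -all"],
    "crm.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
}

def spf_records(domain, zone):
    # Only TXT strings whose first term is v=spf1 are SPF records.
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms, following include and redirect."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    records = spf_records(domain, zone)
    if len(records) != 1:
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(records)}")
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1
        if name == "include":
            total += count_lookups(target, zone, path + (domain,))
    return total

def lint_spf(domain, zone):
    """Return a list of checklist violations for the SPF record at `domain`."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return [f"expected exactly one SPF record, found {len(records)}"]
    problems = []
    if records[0].split()[-1] != "-all":
        problems.append("record does not end with -all")
    try:
        lookups = count_lookups(domain, zone)
    except ValueError as err:
        return problems + [str(err)]
    if lookups > LIMIT:
        problems.append(f"{lookups} DNS lookups exceeds the limit of {LIMIT}")
    return problems
```

The count is the worst case over the whole include tree; a receiver stops evaluating at the first matching mechanism, so it may perform fewer lookups for a given message.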

2. DNS Configuration

Correct DNS setup signals to receivers that your sending infrastructure is properly maintained.

  • PTR record (reverse DNS) — Your sending IP must have a PTR record that resolves back to a hostname, and that hostname must resolve forward to the same IP. Many receivers reject mail from IPs without valid PTR records.
  • MX records — Your domain should have MX records pointing to valid mail servers. Domains without MX records look suspicious to spam filters.
  • HELO/EHLO hostname — Your mail server's HELO hostname should be a fully qualified domain name (FQDN) that resolves to the server's IP. Avoid using localhost or bare IP addresses.
  • No conflicting records — Only one SPF record, one DMARC record. No duplicate or contradictory TXT records.

3. IP Reputation

Your sending IP's reputation is one of the strongest signals receivers use to decide whether to deliver your mail to the inbox, spam folder, or reject it entirely.

  • Not on any blacklists — Check your IP against major blacklists (Spamhaus, SpamCop, Barracuda, SORBS). → Blacklist Removal Guide
  • Dedicated IP (for high-volume senders) — If you send more than 50,000 emails per day, use a dedicated IP so your reputation is not affected by other senders on a shared IP.
  • IP warm-up for new IPs — New IPs have no reputation. Start with low volume (100-500/day) and gradually increase over 2-4 weeks. Sudden high volume from a new IP triggers spam filters.
  • Consistent sending volume — Avoid large spikes in volume. Receivers flag sudden increases as potential spam campaigns.
  • Low bounce rate — Keep hard bounce rate below 2%. High bounce rates indicate poor list hygiene and damage your reputation.
  • Low spam complaint rate — Keep complaint rate below 0.1% (Google's threshold). Above 0.3% will cause delivery problems.

4. Content Best Practices

Modern spam filters analyze message content, structure, and engagement signals. These practices help your messages pass content-based filtering.

  • Balanced text-to-image ratio — Avoid image-only emails. Include meaningful text content. A good ratio is at least 60% text to 40% images.
  • No URL shorteners in email body — Shortened URLs (bit.ly, tinyurl) are heavily associated with phishing. Use full, transparent URLs.
  • Clean HTML — Use well-formed HTML. Avoid excessive inline styles, hidden text, or tiny fonts (spam techniques).
  • Clear subject lines — Avoid ALL CAPS, excessive punctuation (!!!), and spam trigger phrases ("Act now", "Free", "Limited time").
  • Working unsubscribe link — Every marketing email must have a visible, functional unsubscribe link. This is both a legal requirement and a deliverability factor.
  • Consistent From name and address — Use the same From: address consistently. Frequent changes confuse recipients and spam filters.
  • No attachments in bulk email — Attachments increase spam scores. Use links to hosted files instead.

5. Infrastructure

Transport security and modern email standards signal to receivers that your infrastructure is well-maintained and trustworthy.

  • TLS/STARTTLS enabled — Your mail server should support STARTTLS for opportunistic encryption. Most major providers now flag unencrypted connections.
  • Valid TLS certificate — Use a certificate from a trusted CA (Let's Encrypt is free). Self-signed certificates cause TLS negotiation failures with strict receivers.
  • MTA-STS policy — Publish an MTA-STS policy (_mta-sts.example.com TXT record + mta-sts.example.com/.well-known/mta-sts.txt) to enforce TLS for inbound mail. This prevents downgrade attacks.
  • DANE/TLSA records — If your DNS supports DNSSEC, publish TLSA records to bind your TLS certificate to your MX records. This provides the strongest transport security guarantee.
  • TLS-RPT reporting — Publish a _smtp._tls.example.com TXT record to receive reports about TLS connection failures to your domain.
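A published MTA-STS policy only protects inbound mail if its mode is enforce and its mx patterns cover every host in your MX records. The following is an added example, not part of the original checklist: it parses a constructed policy body in the RFC 8461 format, reports weak settings, and tests MX hostnames against the patterns. The hostnames under example.com are assumptions.

```python
MAX_AGE_CEILING = 31557600  # seconds, upper bound set by RFC 8461

# Constructed policy body, as it would be served from
# https://mta-sts.example.com/.well-known/mta-sts.txt
POLICY = ("version: STSv1\r\nmode: testing\r\nmx: mail.example.com\r\n"
          "mx: *.mx.example.com\r\nmax_age: 604800\r\n")

def parse_policy(text):
    """Parse key: value lines; mx may repeat, other keys keep their first value."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy.setdefault(key, value)
    return policy

def validate(policy):
    """Return a list of problems with a parsed policy."""
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    elif mode != "enforce":
        problems.append(f"mode is {mode}: TLS is not enforced")
    max_age = policy.get("max_age", "")
    if not (max_age.isdigit() and int(max_age) <= MAX_AGE_CEILING):
        problems.append(f"max_age must be an integer no larger than {MAX_AGE_CEILING}")
    if mode != "none" and not policy["mx"]:
        problems.append("at least one mx pattern is required")
    return problems

def mx_allowed(host, policy):
    """True if an MX hostname matches one of the policy's mx patterns."""
    host = host.rstrip(".").lower()
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            # A wildcard stands for exactly one leftmost label.
            if host.partition(".")[2] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False
```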

6. Compliance

Google and Yahoo implemented strict sender requirements in 2024 for bulk senders (5,000+ messages/day). These requirements are now industry standard.

  • DMARC policy published — At minimum p=none. Google and Yahoo require DMARC for bulk senders.
  • One-click unsubscribe — Include both a List-Unsubscribe header and a List-Unsubscribe-Post header for one-click unsubscribe support (RFC 8058).
  • Spam complaint rate below 0.1% — Google's threshold. Monitor via Google Postmaster Tools.
  • Valid From header — The From: address must be a real, monitored address at your domain. Do not use noreply@ for marketing email.
  • Message-ID header — Every message must have a unique Message-ID header. Most mail servers generate this automatically.
  • ARC signing for forwarded mail — If you forward or relay email, implement ARC (RFC 8617) to preserve authentication results.
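The header items in this section can be checked on an outgoing message before it leaves your platform. The following is an added example, not part of the original checklist: it inspects a constructed message (addresses, selector and signature values are placeholders) for the RFC 8058 one-click headers, their coverage by the DKIM h= tag as RFC 8058 requires, the From address and the Message-ID.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; bh= and b= are placeholders, not real signatures.
SAMPLE = """\
From: Example News <news@example.com>
To: reader@example.net
Subject: March update
Message-ID: <20240301.0001@mail.example.com>
List-Unsubscribe: <mailto:unsub@example.com?subject=u-123>, <https://example.com/u/123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:to:subject:message-id:list-unsubscribe:list-unsubscribe-post;
 bh=PLACEHOLDER; b=PLACEHOLDER

Body text.
"""

def dkim_signed_headers(msg):
    """Collect the header names listed in the h= tag of every DKIM-Signature."""
    signed = set()
    for signature in msg.get_all("DKIM-Signature", []):
        for tag in signature.split(";"):
            name, _, value = tag.partition("=")
            if name.strip() == "h":
                signed |= {h.strip().lower() for h in value.split(":")}
    return signed

def check_headers(raw):
    """Return a list of compliance problems found in a raw message."""
    msg = message_from_string(raw)
    problems = []
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no https URI")
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    if post != "list-unsubscribe=one-click":
        problems.append("List-Unsubscribe-Post must be List-Unsubscribe=One-Click")
    signed = dkim_signed_headers(msg)
    for header in ("list-unsubscribe", "list-unsubscribe-post"):
        if header not in signed:
            problems.append(f"{header} is not covered by a DKIM signature")
    local_part = parseaddr(msg.get("From", ""))[1].partition("@")[0].lower()
    if local_part in ("noreply", "no-reply"):
        problems.append("From uses a noreply address")
    if not msg.get("Message-ID"):
        problems.append("Message-ID header is missing")
    return problems
```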

7. Monitoring

Deliverability is not a one-time setup. DNS records change, services get added, IPs get blacklisted. Continuous monitoring catches problems before they affect delivery.

  • DMARC aggregate reports — Review weekly. Look for unauthorized senders, failing sources, and alignment issues.
  • Google Postmaster Tools — Monitor domain reputation, spam rate, authentication rates, and delivery errors for Gmail.
  • Blacklist monitoring — Check your sending IPs against blacklists regularly. Set up alerts for new listings. → Domain Monitor
  • Bounce monitoring — Track hard bounces and remove invalid addresses promptly. Continued sending to invalid addresses damages reputation.
  • Authentication monitoring — Periodically verify that SPF, DKIM, and DMARC are still passing. DNS changes, key expirations, and service changes can break authentication silently.
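The weekly aggregate report review can start from a short script. The following is an added example, not part of the original checklist: it reads a constructed, trimmed-down aggregate (rua) report and returns the message counts that passed and failed DMARC, plus the source IPs behind the failures and the SPF domains they authenticated as, which is where unaligned third-party senders show up. All IPs and domains are sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample report; real reports carry more fields (metadata, DKIM results).
REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.50</source_ip><count>15</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>bounce.mailer.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.50</source_ip><count>5</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>bounce.mailer.example</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""

def summarize(xml_text):
    """Return (passed, failed, sources) where sources details each failing IP."""
    # Reports come from third parties; a hardened parser such as defusedxml
    # is the safer choice outside of this offline sample.
    passed = failed = 0
    sources = {}
    for record in ET.fromstring(xml_text).iter("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either aligned result (DKIM or SPF) is pass.
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            passed += count
            continue
        failed += count
        entry = sources.setdefault(row.findtext("source_ip"),
                                   {"count": 0, "spf_domains": set()})
        entry["count"] += count
        entry["spf_domains"].update(
            d.text for d in record.findall("auth_results/spf/domain"))
    return passed, failed, sources
```

In the sample, 203.0.113.50 passes raw SPF for bounce.mailer.example but fails DMARC because that domain does not align with the From: domain.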

Test Your Setup

Run a comprehensive delivery test to check authentication, DNS, blacklists, content, and infrastructure in one step.
