- A deliverability audit systematically checks every factor that influences whether your emails reach the inbox or land in spam.
- The five core audit areas are: authentication, sender reputation, infrastructure, content, and list quality.
- Most deliverability problems stem from just a few root causes that surface quickly during a structured audit.
- Regular audits (quarterly at minimum) catch issues before they cascade into reputation damage.
- Every audit should produce an actionable remediation plan with prioritized fixes.
When emails stop reaching the inbox, the cause is rarely obvious. Deliverability problems are usually the result of multiple factors compounding over time: a DNS record that was never updated, a slowly degrading list, a reputation signal you stopped monitoring. An email deliverability audit is the systematic process of inspecting every factor that influences inbox placement and identifying exactly where things are breaking down.
This guide walks through a complete deliverability audit framework, organized into the five areas that matter most. Use it as a checklist whether you are troubleshooting a sudden delivery problem or conducting a proactive review.
When to Conduct a Deliverability Audit
While proactive quarterly audits are ideal, certain events should trigger an immediate review:
- A sudden drop in open rates or click rates across campaigns
- Increased bounce rates beyond your normal baseline
- Spam complaint rate spiking above 0.1%
- Being listed on one or more email blacklists
- Migrating to a new ESP, sending domain, or IP address
- Receiving delivery failures or blocks from major mailbox providers (Gmail, Outlook, Yahoo)
- Launching a new sending domain or subdomain for the first time
Part 1: Authentication Audit
Email authentication is the foundation. If your authentication records are misconfigured, incomplete, or missing, mailbox providers will treat your messages with suspicion regardless of everything else you do right.
SPF (Sender Policy Framework)
Check that your SPF record is published on every domain and subdomain you send from. Verify that it includes all IP addresses and third-party services authorized to send on your behalf. Use the SPF record checker to validate syntax and confirm it does not exceed the 10 DNS lookup limit. A common audit finding is SPF records that have accumulated stale include statements from services you no longer use.
Tip: If your SPF record is approaching the 10-lookup limit, consider flattening it by replacing include mechanisms with direct IP ranges where possible. Some services offer automatic SPF flattening tools.
DKIM (DomainKeys Identified Mail)
Verify that every sending source (your ESP, transactional email service, CRM, etc.) is signing messages with DKIM. Check that the DKIM public key is published in DNS and that the signature aligns with your sending domain. Test actual outbound messages to confirm signatures are valid and not being broken by intermediate processing or message modifications.
DMARC (Domain-based Message Authentication)
Confirm your DMARC policy is published and at an appropriate enforcement level. Review your DMARC aggregate reports (RUA) to identify any legitimate sending sources that are failing authentication. If you are still at p=none, your audit should include a plan and timeline for moving to p=quarantine and eventually p=reject.
# Example DMARC audit checklist items:
# 1. Is a DMARC record published? Check with: dig TXT _dmarc.yourdomain.com
# 2. What is the current policy? (none / quarantine / reject)
# 3. Are RUA reports configured and being received?
# 4. Are there legitimate sources failing DMARC in reports?
# 5. Is there a timeline to move to p=reject?Supplementary Authentication
Check whether BIMI, MTA-STS, and TLS-RPT records are in place. While not required for basic deliverability, BIMI provides brand visibility in supporting inboxes, and MTA-STS/TLS-RPT protect against downgrade attacks on email in transit. These records signal to mailbox providers that you take email security seriously.
Part 2: Reputation Audit
Your sender reputation is the aggregate signal mailbox providers use to decide whether your emails deserve the inbox. A reputation audit checks both IP and domain reputation across all the major measurement systems.
IP Reputation
If you send on a dedicated IP, check its reputation directly. Use the Sender Reputation checker to get an overall assessment. Cross-reference with Google Postmaster Tools for Gmail-specific reputation data. Check whether your IP appears on any major blacklists using a blacklist checker.
Domain Reputation
Domain reputation has become the dominant signal for most mailbox providers, especially Google. Even on a clean IP, a domain with poor reputation will see inbox placement problems. Check your domain reputation in Google Postmaster Tools, and review your DMARC reports for any unauthorized use of your domain that could be dragging reputation down.
When checking Google Postmaster Tools, pay close attention to the domain reputation trend over the last 30-90 days, not just the current snapshot. A declining trend is a warning signal even if the current reputation level looks acceptable.
Blacklist Status
Scan both your sending IPs and your sending domain against all major DNSBLs (Spamhaus, Barracuda, SORBS, SpamCop, and others). A single blacklist listing can cause delivery failures at specific mailbox providers that reference that list. Document any active listings and begin the delisting process immediately.
Part 3: Infrastructure Audit
Email infrastructure issues are often overlooked because they are configured once and then forgotten. But stale DNS records, misconfigured servers, and poor IP hygiene quietly erode deliverability.
DNS Records
Verify that all email-related DNS records are correctly configured. This includes MX records for your receiving domains, A records for your sending hostnames, PTR records (reverse DNS) for your sending IPs, and that all records resolve quickly without timeouts.
| DNS Record | Purpose | What to Check |
|---|---|---|
| MX | Directs inbound mail | Valid, prioritized, resolving correctly |
| A / AAAA | IP address for sending hostname | Matches actual sending IP |
| PTR | Reverse DNS for sending IP | Resolves to a hostname that forward-resolves back to the IP |
| SPF (TXT) | Authorized senders | Includes all sources, under 10 lookups |
| DKIM (TXT) | Signing key | Valid key, matches signatures |
| DMARC (TXT) | Authentication policy | Published, reporting enabled |
Sending IP Configuration
For dedicated IPs, confirm that reverse DNS (PTR records) are properly configured with forward-confirmed reverse DNS (FCrDNS). The PTR hostname should forward-resolve back to the same IP. Also verify that the HELO/EHLO hostname your mail server announces matches the PTR record and resolves correctly.
TLS and Encryption
Verify that your mail servers support TLS and negotiate encrypted connections when sending to major providers. Most mailbox providers now flag or deprioritize messages sent without encryption. Check that your TLS certificates are valid and not expired.
Part 4: Content and Engagement Audit
Content and subscriber engagement are increasingly important ranking signals for mailbox providers. Gmail in particular uses engagement data heavily to decide inbox vs. spam placement.
Subject Lines and Preheaders
Review your recent campaigns for subject line patterns that may trigger spam filters: excessive capitalization, misleading claims, heavy use of special characters, or phrases commonly associated with spam. Preheader text should complement the subject line and encourage opens.
HTML Quality and Rendering
Poorly coded HTML, broken images, missing alt text, and excessive image-to-text ratios are all signals that spam filters evaluate. Run your email templates through rendering tests across major clients (Gmail, Outlook, Apple Mail, Yahoo) and fix any issues. Ensure a clean text-to-image ratio and include a well-formed plain-text alternative.
Common Mistake: Using URL shorteners in email content. Services like bit.ly and similar shorteners are heavily abused by spammers, and many spam filters will penalize or block messages containing shortened URLs. Always use full, direct URLs from your own domain.
Engagement Metrics
Pull your open rate, click rate, and unsubscribe rate data for the last 90 days. Look for declining trends, which indicate that subscribers are losing interest and that your sending reputation may be deteriorating. Segment the data by mailbox provider if possible, as a drop at one provider (like Gmail) often points to a reputation issue specific to that provider's ecosystem.
Unsubscribe Mechanism
Verify that every email includes a working, one-click unsubscribe mechanism and a properly formatted List-Unsubscribe header. Both Google and Yahoo now require these for bulk senders. Test the unsubscribe process end to end: click the link, confirm it works, and verify the address is actually suppressed from future sends.
Part 5: List Quality Audit
Even with perfect authentication and strong infrastructure, a poor-quality list will destroy your deliverability. The list quality audit examines the health and hygiene of your subscriber database.
Bounce Rate Analysis
Review your hard bounce and soft bounce rates over the last 30-90 days. Hard bounces above 2% are a serious concern and indicate that your list contains a significant number of invalid addresses. Investigate the source of bouncing addresses: are they from a specific acquisition channel, a particular signup period, or a purchased list?
Inactive Subscriber Review
Identify subscribers who have not opened or clicked any email in 6-12 months. These chronically inactive addresses are a major drag on engagement metrics, and some may have been converted into recycled spam traps by mailbox providers. Implement a re-engagement campaign or sunset policy to either reactivate or remove these addresses.
List Acquisition Practices
Audit how email addresses are entering your list. Every acquisition channel should use either double opt-in or real-time email verification. Identify any channels that allow unverified addresses onto the list, such as event signups, partner imports, or older web forms, and add validation.
Recycled spam traps are old, abandoned email addresses that mailbox providers reactivate specifically to catch senders who do not clean their lists. An address that was valid two years ago could be a spam trap today, which is why regular list cleaning is essential.
Building Your Remediation Plan
After completing all five audit sections, compile your findings into a prioritized remediation plan. Group issues by severity.
Critical (fix immediately): Missing or broken authentication records, active blacklist listings, sending without TLS, hard bounce rates above 5%.
High priority (fix within one week): SPF records exceeding lookup limits, DMARC at p=none with no progression plan, complaint rates above 0.1%, missing List-Unsubscribe headers.
Medium priority (fix within one month): Missing supplementary authentication (BIMI, MTA-STS), inactive subscriber segments not addressed, content rendering issues, incomplete engagement tracking.
Ongoing maintenance: Regular list cleaning, quarterly authentication reviews, continuous reputation monitoring, engagement trend analysis.
A complete email deliverability audit covers five areas: authentication (SPF, DKIM, DMARC), sender reputation (IP and domain), infrastructure (DNS, TLS, server config), content and engagement (quality, metrics, unsubscribe), and list quality (bounces, inactive subscribers, acquisition). Perform audits quarterly or immediately when deliverability metrics decline. Always conclude with a prioritized remediation plan that addresses critical issues first.
Frequently Asked Questions
At minimum, perform a full audit quarterly. High-volume senders or organizations with complex email infrastructure should audit monthly. Always run an immediate audit when you notice a significant change in delivery metrics or after any infrastructure migration.
Incomplete or misconfigured authentication is the most frequent finding. This includes SPF records missing authorized sending sources, DKIM signatures not being applied by all senders, and DMARC policies stuck at p=none with no enforcement plan. These issues are also among the easiest to fix.
You can perform a thorough audit yourself using free tools like Google Postmaster Tools, public blacklist checkers, and DNS lookup tools. This guide provides the complete framework. However, for complex multi-domain setups or persistent issues that resist self-diagnosis, a deliverability consultant can provide deeper analysis and faster resolution.
For a single sending domain with one ESP, a thorough audit typically takes 2-4 hours. Organizations with multiple domains, sending sources, and complex infrastructure may need 1-2 days. The authentication and DNS sections are fastest; the list quality and engagement analysis usually take the most time because they require pulling and analyzing historical data.
Essential tools include: an SPF/DKIM/DMARC checker for authentication validation, a blacklist lookup tool to scan for listings, Google Postmaster Tools for Gmail reputation data, your ESP's analytics dashboard for engagement metrics, and a DNS lookup tool for infrastructure verification. All of these are available for free.