The startup had built a beautiful product. The onboarding flow was polished, the features were solid, the pricing was right. But their activation rate was terrible. Users signed up and then... nothing. No engagement, no conversion, no retention.
The problem wasn't the product. It was email. Confirmation emails were landing in spam. Onboarding sequences never arrived. Password resets took hours because users had to fish them out of junk folders. The product was fine; the email infrastructure was broken.
Deliverability problems are silent killers. Your logs show emails sent successfully. Your ESP reports delivery. But "delivered" means the receiving server accepted the message—not that it reached the inbox. The gap between delivery and inbox placement is where businesses lose customers.
This checklist covers everything that affects whether your emails actually reach people.
Authentication (points 1-6)
1. SPF record is published and valid. Your SPF record should list all IP addresses and services authorized to send email for your domain. Use an SPF checker to verify syntax and that you're under the 10-lookup limit. End with -all for hard fail, not ~all for soft fail.
2. DKIM is configured and signing emails. Every email should be signed with a valid DKIM signature. Verify that your DKIM public key is published in DNS and that your sending infrastructure is actually signing messages. Check received emails to confirm the DKIM-Signature header is present.
3. DMARC policy is published. At minimum, publish a DMARC record with p=none to receive reports. Ideally, progress to p=quarantine or p=reject once you've verified all legitimate senders are authenticated. Include rua and ruf tags to receive aggregate and forensic reports.
4. DMARC alignment passes. DMARC requires that SPF or DKIM (or both) align with the From domain. If you're sending from [email protected], either the SPF-authenticated domain or the DKIM-signing domain must be company.com (or a subdomain, depending on alignment mode).
5. All sending services are authorized. Audit every service that sends email on your behalf: your ESP, marketing automation, transactional email service, CRM, support desk, etc. Each must be included in your SPF record and configured to sign with your DKIM key.
6. Authentication passes consistently. Don't just check once—monitor ongoing. Use DMARC reports to track authentication pass rates. Any legitimate email failing authentication needs investigation.
Infrastructure (points 7-12)
7. Sending IP has good reputation. Check your sending IP's reputation using Sender Score, Google Postmaster Tools, and Microsoft SNDS. Scores below 70 indicate problems. If you're on a shared IP, your reputation is affected by other senders on that IP.
8. Sending domain has good reputation. Domain reputation is increasingly important, sometimes more than IP reputation. Google Postmaster Tools shows domain reputation specifically. Build reputation gradually with engaged recipients before high-volume sending.
9. IP is not blacklisted. Check major blacklists (Spamhaus, Barracuda, SORBS, etc.) regularly. Use MXToolbox or similar to check multiple lists at once. If listed, identify the cause, fix it, and request removal.
10. Reverse DNS (PTR) is configured. Your sending IP should have a PTR record that resolves to a hostname, and that hostname should resolve back to the IP. Many receiving servers check this and reject or penalize emails from IPs without proper reverse DNS.
11. Sending volume is consistent. Sudden spikes in sending volume trigger spam filters. If you need to increase volume, do it gradually—no more than doubling week over week. Consistent sending patterns build trust.
12. IP warmup was completed (if applicable). New IPs have no reputation. Warm them up by starting with small volumes to your most engaged recipients, gradually increasing over 4-8 weeks. Skipping warmup results in poor deliverability that takes months to recover from.
Content (points 13-18)
13. Subject lines aren't spammy. Avoid ALL CAPS, excessive punctuation (!!!), spam trigger words (FREE, ACT NOW, LIMITED TIME), and misleading content. Subject lines should accurately reflect the email content.
14. From name and address are recognizable. Recipients should immediately recognize who the email is from. Use consistent From names and addresses. Changing them frequently confuses recipients and spam filters.
15. Unsubscribe is easy and works. Include a visible unsubscribe link in every marketing email. Honor unsubscribe requests immediately—within hours, not days. Include the List-Unsubscribe header for one-click unsubscribe in email clients.
16. Physical address is included. CAN-SPAM and other regulations require a physical mailing address in commercial emails. Include it in your footer.
17. HTML is well-formed. Broken HTML triggers spam filters. Use email-specific HTML (tables for layout, inline styles) and test rendering across clients. Avoid JavaScript, forms, and other elements that email clients strip or flag.
18. Text version is included. Send multipart emails with both HTML and plain text versions. Some spam filters penalize HTML-only emails, and some recipients prefer plain text.
List quality (points 19-22)
19. List is permission-based. Only email people who explicitly opted in to receive email from you. Purchased lists, scraped addresses, and assumed consent lead to spam complaints and deliverability problems.
20. Bounces are handled promptly. Remove hard bounces immediately—they're invalid addresses that will never work. Track soft bounces and remove addresses that consistently fail. High bounce rates damage reputation.
21. Complaints are monitored and addressed. Set up feedback loops with major ISPs to receive complaint notifications. Remove complainers immediately. Investigate patterns—if a particular campaign generates complaints, fix the underlying issue.
22. List hygiene is maintained. Regularly remove unengaged subscribers (no opens or clicks in 6-12 months). Validate email addresses before adding them to your list. Re-confirm subscribers periodically, especially for older lists.
Monitoring (points 23-25)
23. Deliverability metrics are tracked. Monitor delivery rate, bounce rate, complaint rate, open rate, and click rate. Establish baselines and investigate deviations. A sudden drop in open rates might indicate inbox placement problems.
24. Inbox placement is tested. Use seed list testing (GlockApps, Validity) to see where emails actually land—inbox, spam, or promotions tab. Delivery rate alone doesn't tell you about inbox placement.
25. Authentication reports are reviewed. Process DMARC reports regularly to identify authentication failures and unauthorized senders. Aggregate reports show patterns; forensic reports provide details on specific failures.
Using this checklist
Don't try to fix everything at once. Prioritize based on impact:
Authentication issues (1-6) are foundational. Fix these first—without proper authentication, nothing else matters.
Infrastructure issues (7-12) affect everything you send. Address reputation and blacklist problems before worrying about content optimization.
Content issues (13-18) are easier to fix but have less impact than authentication and infrastructure. Address them, but don't obsess over subject line optimization while your DKIM is broken.
List quality (19-22) compounds over time. Good practices prevent problems; bad practices create debt that's painful to repay.
Monitoring (23-25) catches problems early. Invest in visibility so you can fix issues before they become crises.
Frequently asked questions
How long does it take to fix deliverability problems?
Authentication issues can be fixed in hours. Reputation recovery takes weeks to months, depending on severity. The key is identifying the root cause—fixing symptoms without addressing causes leads to recurring problems.
What's a good delivery rate to target?
Delivery rate (accepted by receiving servers) should be above 95%. But delivery rate doesn't equal inbox placement. You can have 99% delivery rate while most emails land in spam. Track inbox placement separately.
Should I use a dedicated IP or shared IP?
Dedicated IPs give you control over your reputation but require sufficient volume (typically 100k+ emails/month) to build and maintain reputation. Shared IPs are fine for lower volumes if your ESP maintains good sender practices.
How do I know if my emails are going to spam?
Seed list testing shows inbox placement directly. Declining open rates (especially sudden drops) suggest spam folder placement. Google Postmaster Tools shows spam rate for Gmail specifically. Ask customers—if they report not receiving emails, check their spam folders.