Email Deliverability Audit Checklist for 2026
The 7-section deliverability audit we run on every client domain in 2026 — what to check, what passing looks like, and how to fix common failures.
An email deliverability audit is the diagnostic process that surfaces what’s actually wrong when placement is dropping — before another campaign launches and gets buried in spam. Most teams don’t run a structured audit; they react to symptoms (low replies, high bounces, complaints from prospects) and try fixes in isolation. A proper audit covers every layer in sequence, finds the root cause, and prioritizes fixes by impact. This article is the exact audit checklist we run on every client domain in 2026, in the order that catches the most problems with the least back-and-forth. It pairs with the email deliverability guide, the SPF/DKIM/DMARC overview, and the Gmail spam prevention guide.
A deliverability audit in 2026 runs across seven layers: domain authentication, sender reputation, sending infrastructure, list quality, content patterns, sending behavior, and recipient engagement signals. Each layer has specific things to verify, specific failure modes to look for, and specific fixes. Running them out of order produces noise — fixing content before authentication, for example, doesn’t help if SPF is broken.
Section 1: Domain authentication
Verify SPF, DKIM, and DMARC are all correctly configured. The full setup details live in how to set up SPF, how to set up DKIM, and DMARC policy — the audit just verifies they’re working.
What to check:
- SPF record exists and includes all sending services. Use
dig +short TXT yourdomain.comto view; verify every service that sends from your domain is in theinclude:list. - SPF lookup count under 10. Use Kitterman SPF Test or MXToolbox SPF Surveyor to count lookups. Over 10 =
permerrorfailures. - DKIM signing works for every sending service. Send test emails from each service to a Gmail address; inspect headers for
dkim=passwith alignment. - DMARC record exists and is at
p=quarantineor above (after migration).p=noneis acceptable during initial setup but should not be the long-term state. - DMARC alignment passes. The DKIM or SPF domain must align with the From-address domain.
Pass condition: all three pass with alignment for every sending service. Fail condition: any service produces spf=fail, dkim=fail, or dmarc=fail in test sends.
Section 2: Sender reputation
Verify the domain’s reputation across major receiving systems.
What to check:
- Google Postmaster Tools dashboard. Domain reputation, IP reputation, spam rate. Target: domain reputation at “High” or “Medium,” spam rate under 0.3%.
- Microsoft SNDS (Smart Network Data Services). For domains sending to Microsoft 365 / Outlook recipients.
- Public blacklist check. Use MXToolbox blacklist check or HetrixTools to verify the sending IP/domain isn’t on any major blocklist (Spamhaus, Barracuda, SORBS, etc.).
Pass condition: Postmaster shows “High” or “Medium,” no major blacklist hits. Fail condition: “Low” or “Bad” reputation in Postmaster, or any presence on Spamhaus/Barracuda/major blocklists.
Section 3: Sending infrastructure
Verify the technical setup of the sending stack.
What to check:
- PTR records (reverse DNS). The sending IP’s PTR record should point back to a domain that matches your sending domain.
- Custom tracking domain. Cold email platforms should use a custom tracking domain (
track.yourdomain.com) rather than the platform’s shared tracking domain. Shared tracking domains accumulate poor reputation from other senders. - TLS/STARTTLS support. The sending server should support TLS encryption. Most platforms handle this automatically.
- Sending domain isolation. Cold outreach should use a dedicated sending domain (e.g.,
outreach.yourdomain.com) separate from transactional and marketing email. - Warm-up state. Sending domains should be warmed 4+ weeks before scaling cold volume; check warm-up tool reports.
Pass condition: PTR matches, custom tracking domain configured, TLS supported, sending isolation in place, warm-up complete. Fail condition: missing PTR, shared tracking domain, no isolation between cold and transactional.
Section 4: List quality
Verify the lists being sent to are clean.
What to check:
- Bounce rate (last 30 days). Target: under 2%. Above 5% = serious list quality problem.
- Spam complaint rate (last 30 days). Target: under 0.1%. Above 0.3% = serious problem requiring immediate volume reduction.
- Unsubscribe rate (last 30 days). Higher unsubscribe rate isn’t necessarily bad, but rapid acceleration signals content or targeting problems.
- List source documentation. For each list, document the source (which database, which scrape, which referral path). Lists without documented sources are compliance risks.
- List freshness. Verify lists were re-verified within the last 30 days before send.
Pass condition: bounce under 2%, complaints under 0.1%, sources documented, lists fresh. Fail condition: any of the above thresholds exceeded.
Section 5: Content patterns
Verify the outreach content itself doesn’t trigger spam classifiers.
What to check:
- Subject line patterns. Avoid curiosity-bait (“you won’t believe…”), fake reply prefixes (“Re:” without referent), generic CTAs (“quick question”). Use specific, prospect-anchored subjects.
- Body content trigger words. Scan for common spam-flagged words (“free,” “guaranteed,” “limited time,” “act now,” etc.). Tools like Mail Tester score content for spam risk.
- Link count and quality. Maximum 1-2 links per email; links should resolve cleanly and not redirect through suspicious domains.
- HTML simplicity. Cold email should look like personal email, not marketing email. Avoid heavy HTML, image-heavy designs, multi-column layouts.
- Tracking pixel visibility. If using open tracking, the pixel shouldn’t be the only image, and the email shouldn’t depend on it loading.
- Personalization quality. Each email should contain prospect-specific content, not just
{first_name}substitution.
Pass condition: subjects specific and varied, body avoids trigger phrases, minimal HTML, real personalization. Fail condition: templated content with only token substitution, marketing-style HTML, trigger-heavy phrasing.
Section 6: Sending behavior
Verify the actual sending pattern matches what receiving systems consider legitimate.
What to check:
- Sends per hour per mailbox. Target: 30-80 emails/hour/mailbox. Higher = bot-pattern detection.
- Total daily volume per domain. Should align with warm-up state. Scaling from 50/day to 500/day in a week tanks reputation.
- Sending window consistency. Mail sent at predictable business hours looks legitimate; mail sent at 3am UTC every day looks automated.
- Cadence between sequence emails. No same-weekday repetition; vary by 1-2 days per sequence step.
- Multiple sending mailboxes/domains. Past 500/day, use multiple sending domains in rotation.
Pass condition: sends within rate limits, scaling matches warm-up, varied cadence and timing. Fail condition: bursty sending, single-weekday patterns, rapid volume scaling.
Section 7: Recipient engagement signals
Verify the engagement signals receiving systems use to judge your domain are healthy.
What to check:
- Open rate (cold campaigns). Target: 25-45% on warmed domains.
- Reply rate. Target: 3-7% cumulative across 4-message sequence.
- Positive-intent reply rate. Target: 35-50% of replies are positive intent.
- Spam-mark rate (Postmaster Tools). Target: under 0.1%.
- Engagement trend over 30/60/90 days. Stable or improving = healthy. Declining = something is degrading.
Pass condition: rates within target bands, stable or improving over 90 days. Fail condition: any rate below target band, declining trend.
How to use the audit
Run all seven sections in order before launching any cold campaign. Re-run quarterly for active campaigns, or immediately when you see any of these warning signs:
- Open rate drops 10+ points
- Reply rate drops 30%+ over a 4-week window
- Spam-mark rate climbs above 0.1%
- Bounce rate climbs above 2%
- Mail starts landing in spam folders that previously hit inbox
When the audit surfaces multiple failures, fix in order of section (1 first, 7 last). Authentication problems make all downstream layers meaningless; fixing content while SPF is broken won’t help.
A complete audit takes 60-90 minutes for a single domain (less if you’ve audited before and your stack is documented). Skipping it produces deliverability mystery — placement drops with no clear cause, fixes attempted in random order, weeks of mediocre results. Running it produces a clear diagnosis and a prioritized fix list. The investment is small relative to the cost of running cold campaigns into spam folders.
Related reading
Best Email Verification Tools in 2026: Tested Picks
Which email verification tools actually catch invalid addresses in 2026, the accuracy benchmarks that matter, and how to integrate them into workflow.
Best Email Warm-Up Tools in 2026: What Actually Works
Which email warm-up tools actually deliver in 2026 — the categories that matter, what to test before buying, and the warm-up scams to avoid.
Email Deliverability in 2026: The Complete Guide for Cold Outreach
Why cold emails miss the inbox in 2026, and the exact authentication, reputation, and content moves that fix it. A practitioner's guide, not theory.
How to Prevent Cold Emails Going to Spam in Gmail (2026)
Why Gmail is the strictest receiver in 2026 and what specifically prevents cold emails from landing in spam there — diagnostics, fixes, and ongoing discipline.
SPF, DKIM, and DMARC for Cold Email: What Actually Matters in 2026
A practical walkthrough of SPF, DKIM, and DMARC setup for cold email. What providers check, what trips up new domains, and what to skip.