Email Deliverability Best Practices Checklist

A practical, checklist-driven guide to the seven pillars of email deliverability: authentication, infrastructure, warm-up, list hygiene, engagement, complaint and bounce thresholds, and monitoring.

Updated Jul 4, 2026 (8 min read)

Email deliverability is the sum of many small decisions: how you authenticate, how you send, who you send to, and how closely you watch the results. There is no single switch that fixes the inbox, so the reliable path is a checklist you work through and then keep monitoring. This guide organizes the essentials into seven pillars you can audit today, starting with the one mailbox providers check first.

The seven pillars at a glance

Deliverability problems almost always trace back to one of these areas. Work top to bottom; the earlier pillars gate the later ones.

| Pillar | What it proves | Primary signal |
|---|---|---|
| Authentication | The message really came from you | SPF, DKIM, DMARC |
| Infrastructure | Your sending host is legitimate | PTR, TLS, MX, HELO |
| Warm-up | Volume grew at a believable pace | Sending history |
| List hygiene | You send to real, willing people | Bounce and spam-trap rates |
| Engagement | Recipients want your mail | Opens, replies, deletes |
| Thresholds | You stay under provider limits | Complaint and bounce rates |
| Monitoring | You see problems before they compound | Reports and dashboards |

Pillar 1: Authenticate every message

Authentication is non-negotiable. Google, Yahoo, and Microsoft now require SPF, DKIM, and a DMARC policy for anyone sending in bulk (5,000 or more messages per day to Gmail is the line Google draws), and unauthenticated mail is increasingly rejected outright rather than filed in spam.

  • SPF. Publish a single TXT record listing every service that sends on your behalf. Stay under the hard limit of 10 DNS-querying mechanisms (include, a, mx, ptr, exists, and redirect all count); exceeding it returns a PermError, which DMARC treats as a fail. End the record with -all (hard fail) or ~all (soft fail), never +all. See our walkthrough on how to set up SPF.
  • DKIM. Sign every message with a 2048-bit key published under a named selector, for example selector1._domainkey.example.com. Rotate keys on a schedule and keep a second selector ready so you can rotate without downtime.
  • DMARC. Publish a policy at _dmarc.example.com. Start at p=none to collect reports, then move to p=quarantine and finally p=reject once your legitimate streams pass. DMARC passes when SPF or DKIM aligns with the visible From: domain, so alignment, not just a raw pass, is what matters.

Authentication is also the fastest thing to verify, which is why it belongs first in any deliverability audit. Fix it before you touch anything else, because every later signal is discounted while your mail is unauthenticated.
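The SPF lookup limit is easy to exceed through nested includes, so it is worth counting recursively. The following is an added example, not code from this guide or any scanner: it counts DNS-querying terms across include and redirect chains and checks the final all qualifier. The ZONE dictionary is a constructed stand-in for live TXT lookups, and every domain in it is hypothetical.

```python
import re

# Constructed records standing in for live TXT lookups (all names are examples).
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailer.example include:_spf.crm.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 a exists:%{i}.allow.relay.example -all",
    "_spf.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "open.example": "v=spf1 ip4:203.0.113.5 +all",
    "sprawl.example": "v=spf1 " + " ".join(f"include:s{i}.vendor.example" for i in range(11)) + " -all",
}
ZONE.update({f"s{i}.vendor.example": f"v=spf1 ip4:192.0.2.{i} -all" for i in range(11)})

TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that cost a lookup
LIMIT = 10

def terms(record):
    """Yield (qualifier, name, value) for each term after the v=spf1 tag."""
    for raw in record.split()[1:]:
        m = TERM.match(raw)
        if m:
            yield m.group(1) or "+", m.group(2).lower(), m.group(3)

def count_lookups(domain, zone, stack=()):
    """Worst-case count of DNS-querying terms, following include and redirect."""
    if domain in stack:
        raise ValueError("include loop at " + domain)
    total = 0
    for _, name, value in terms(zone.get(domain, "v=spf1")):
        if name in QUERYING:
            total += 1
        if name in ("include", "redirect") and value:
            total += count_lookups(value, zone, stack + (domain,))
    return total

def audit(domain, zone):
    """Return a list of findings for the domain's SPF record (empty means clean)."""
    findings = []
    n = count_lookups(domain, zone)
    if n > LIMIT:
        findings.append(f"{n} DNS lookups (limit {LIMIT}): PermError")
    parsed = list(terms(zone[domain]))
    quals = [q for q, name, _ in parsed if name == "all"]
    has_redirect = any(name == "redirect" for _, name, _ in parsed)
    # A record with redirect= and no "all" inherits its ending from the target.
    if (quals and quals[-1] not in "-~") or not (quals or has_redirect):
        findings.append("record does not end in -all or ~all")
    return findings
```
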

Pillar 2: Get the sending infrastructure right

Once your domain is authenticated, mailbox providers evaluate the machine doing the sending.

  • Forward-confirmed reverse DNS. Every sending IP needs a PTR record, and the hostname it returns must resolve back to the same IP. This forward-confirmed pairing (often called FCrDNS) is a baseline requirement; a missing or generic PTR is an immediate downgrade. Our guide on what a PTR record is covers the setup.
  • TLS in transit. Serve mail over opportunistic TLS at minimum. Consider MTA-STS and TLS-RPT to enforce encryption and get reporting on failures.
  • Consistent HELO and MX. The HELO/EHLO name should match the PTR hostname, and your MX records should be clean and reachable so bounces and replies route correctly.
  • Return-Path alignment. Use a custom return-path (envelope sender) on a subdomain of your organizational domain so SPF aligns under DMARC even with relaxed alignment.

Pillar 3: Warm up new domains and IPs

A brand-new domain or IP has no reputation, and dumping full volume on day one looks exactly like a compromised account. Ramp gradually: start with a few hundred of your most engaged recipients per day and roughly double volume every two to three days, watching complaint and bounce signals at each step before you increase. Send your best content first, because early engagement builds the reputation that carries later, less-engaged sends. Separate transactional and marketing streams onto different subdomains so a marketing complaint spike does not drag down password resets and receipts. Our dedicated guide on how to warm up an email domain has a full schedule.

Pillar 4: Keep the list clean

The single fastest way to wreck a good sending reputation is mailing addresses that never agreed to hear from you.

  • Use confirmed (double) opt-in. A confirmation click proves the address is real, typed correctly, and owned by a willing recipient. It is the strongest protection against typos and malicious signups.
  • Never buy or scrape lists. Purchased lists are riddled with spam traps, which are addresses that exist only to catch senders who did not get permission. A single pristine trap hit can blacklist you.
  • Validate at the point of capture. Reject role accounts and obvious typos in your signup form rather than after the fact.
  • Sunset inactive contacts. Suppress addresses that have not opened or clicked in a defined window (commonly 90 to 180 days). Stale addresses turn into spam traps and drag down engagement metrics.

Pillar 5: Earn engagement

Modern filtering is behavioral. Providers watch whether recipients open, reply, move you out of spam, or delete without reading, and they weight those signals heavily. To keep engagement high:

  • Send relevant content at a cadence people expect, and let them set frequency preferences.
  • Segment so you mail engaged and disengaged users differently.
  • Make replies possible; a monitored, human From: address earns positive signals that a no-reply address never will.
  • Prune the disengaged before they start deleting or complaining. Low engagement is a leading cause of the slide into the spam folder.

Pillar 6: Respect complaint and bounce thresholds

Mailbox providers publish hard numbers, and crossing them has direct consequences. These are the ones to keep on a dashboard.

| Metric | Target | Provider guidance |
|---|---|---|
| Spam complaint rate | Under 0.1% | Google enforces a 0.3% ceiling; sustained rates above it cost you filtering mitigation until you stay under 0.3% for seven consecutive days |
| Authentication | 100% of bulk mail | SPF, DKIM, and DMARC required by Google, Yahoo, and Microsoft |
| One-click unsubscribe | On every marketing message | List-Unsubscribe and List-Unsubscribe-Post headers per RFC 8058; honor requests within two days |
| Hard bounce rate | Under roughly 2% | High permanent-failure rates signal poor list quality |

One-click unsubscribe deserves emphasis: bulk senders must include the RFC 8058 headers so recipients can leave with a single click, and the request must be processed within 48 hours. Making it easy to leave feels counterintuitive, but an easy unsubscribe prevents the spam complaint that actually damages you, because a complaint teaches the provider to filter every message you send. The full requirement set is in our bulk email sender requirements guide.

Handle bounces correctly, too. A 5xx permanent failure means remove the address immediately; a 4xx transient failure (for example 421 or 450) can be retried, but repeated soft bounces should eventually be suppressed. Enhanced status codes like 5.1.1 (no such user) and 5.7.1 (rejected by policy) tell you exactly why, so parse them rather than guessing.
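The bounce rules above, as an added example rather than code from the original guide: it parses each SMTP reply, suppresses on any 5xx, retries 4xx, and suppresses after repeated soft bounces. The SOFT_LIMIT of 3 is an assumption chosen for illustration, and the event list is constructed sample data.

```python
import re
from collections import Counter

REPLY = re.compile(r"^(?P<code>[245]\d\d)[ -](?:(?P<enh>[245]\.\d{1,3}\.\d{1,3})\s+)?(?P<text>.*)$")
REASONS = {"5.1.1": "no such user", "5.7.1": "rejected by policy"}
SOFT_LIMIT = 3  # assumption: consecutive soft bounces before suppression

# Constructed (address, SMTP reply) events in delivery order.
EVENTS = [
    ("a@example.net", "550 5.1.1 User unknown"),
    ("b@example.net", "421 4.7.0 Try again later"),
    ("b@example.net", "450 4.2.2 Mailbox full"),
    ("b@example.net", "450 4.2.2 Mailbox full"),
    ("c@example.net", "451 4.3.0 Temporary failure"),
    ("c@example.net", "250 2.0.0 OK"),
    ("d@example.net", "554 5.7.1 Message rejected due to policy"),
    ("e@example.net", "452 4.2.2 Over quota"),
]

def classify(reply):
    """Return (kind, enhanced_code, reason) for one SMTP reply line."""
    m = REPLY.match(reply.strip())
    if not m:
        return "unknown", None, "unparsed reply"
    kind = {"2": "delivered", "4": "soft", "5": "hard"}[m.group("code")[0]]
    enh = m.group("enh")
    return kind, enh, REASONS.get(enh, m.group("text"))

def process(events, soft_limit=SOFT_LIMIT):
    """Return ({address: reason} to suppress, {addresses} to retry)."""
    soft, suppress, retry = Counter(), {}, set()
    for addr, reply in events:
        kind, _, reason = classify(reply)
        if kind == "hard":
            suppress[addr] = reason              # 5xx: remove immediately
        elif kind == "soft":
            soft[addr] += 1
            if soft[addr] >= soft_limit:
                suppress[addr] = "repeated soft bounce"
            else:
                retry.add(addr)
        elif kind == "delivered":
            soft.pop(addr, None)                 # a success resets the counter
            retry.discard(addr)
    return suppress, retry - set(suppress)
```
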

Pillar 7: Monitor continuously

Everything above degrades over time, so treat deliverability as an operational metric, not a one-time project. Track it from several angles:

  • DMARC aggregate reports (the rua stream) show every source sending as your domain, including shadow IT and spoofers. Read them weekly.
  • Google Postmaster Tools exposes your domain and IP reputation, spam rate, and authentication pass rates for Gmail traffic. Set it up early so you have history when you need it.
  • Blacklist checks against major lists such as Spamhaus (SBL, XBL, PBL, and the combined ZEN) catch listings before they spread.
  • Seed and inbox-placement tests reveal folder placement across providers that raw delivery logs cannot.
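Reading the rua stream by hand does not scale, so here is an added example (not from the original guide) that summarizes one DMARC aggregate report by source IP and lists the sources whose mail failed DMARC. It assumes the report is already decompressed and uses un-namespaced element names; the sample report is constructed. Because reports arrive from third parties, it refuses input that carries a DTD or entity declarations.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report; the four rows are example sources, not real data.
ROW = ("<record><row><source_ip>{}</source_ip><count>{}</count><policy_evaluated>"
       "<disposition>none</disposition><dkim>{}</dkim><spf>{}</spf></policy_evaluated></row>"
       "<identifiers><header_from>example.com</header_from></identifiers></record>")
ROWS = [("192.0.2.10", 1200, "pass", "pass"),    # main sending platform
        ("198.51.100.7", 300, "pass", "fail"),   # aligned on DKIM only
        ("203.0.113.99", 45, "fail", "fail"),    # unrecognized sender
        ("203.0.113.50", 5, "fail", "fail")]     # unrecognized sender
SAMPLE = ("<feedback><policy_published><domain>example.com</domain><p>none</p>"
          "</policy_published>" + "".join(ROW.format(*r) for r in ROWS) + "</feedback>")

def parse_report(xml_text):
    """Return {source_ip: {"pass": n, "fail": n}} for one aggregate report."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not expected in a report")
    stats = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the aligned results; either pass satisfies DMARC.
        ok = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        stats[row.findtext("source_ip")]["pass" if ok else "fail"] += int(row.findtext("count"))
    return dict(stats)

def failing_sources(stats):
    """Sources with DMARC-failing mail, largest volume first."""
    failing = [(ip, s["fail"]) for ip, s in stats.items() if s["fail"]]
    return sorted(failing, key=lambda item: -item[1])

def pass_rate(stats):
    """Share of reported messages that passed DMARC."""
    total = sum(s["pass"] + s["fail"] for s in stats.values())
    return sum(s["pass"] for s in stats.values()) / total if total else 0.0
```

Each failing source is either a legitimate stream that still needs SPF or DKIM alignment or mail you did not send; sort that out before moving past p=none.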

Reputation is the thread running through all seven pillars; if you want the underlying model, read what sender reputation is and how to improve it.

A quick pre-send checklist

Before any significant campaign, confirm:

  1. SPF, DKIM, and DMARC all pass and align on a test message.
  2. Sending IPs have forward-confirmed PTR and TLS is active.
  3. The list is permission-based and recently cleaned.
  4. List-Unsubscribe one-click headers are present.
  5. Complaint and bounce rates from your last send were within target.
  6. Monitoring (DMARC reports, Postmaster Tools, blacklist checks) is live.

Frequently asked questions

What is the most important factor in email deliverability?

Authentication is the gate: without passing, aligned SPF, DKIM, and DMARC, bulk mail is now rejected by major providers before any other factor is considered. Once you clear authentication, sender reputation driven by low complaint rates and high engagement becomes the dominant factor.

What spam complaint rate is too high?

Keep your complaint rate below 0.1%. Google enforces a ceiling of 0.3%, and staying above it costs you filtering mitigation until you drop back under 0.3% for seven consecutive days. At roughly one complaint per thousand messages you are already at risk.

How long does it take to build a good sending reputation?

Warming a new domain or IP to full volume typically takes four to eight weeks of gradual ramp-up with strong engagement. Recovering a damaged reputation can take longer, because you must first fix the underlying list or content problem and then rebuild positive signals over weeks of clean sending.

Do I still need SPF if I have DKIM and DMARC?

Yes. DMARC passes when either SPF or DKIM aligns, but many providers and forwarding paths still evaluate SPF independently, and some services require it. Publishing all three gives you the widest compatibility and the most resilient authentication.

Ready to check where you stand? Run a free SPFWise scan to see your SPF, DKIM, and DMARC status in seconds and find the gaps that are keeping your mail out of the inbox.
