
Email Deliverability Checklist: 30-Point Audit
The definitive 30-point checklist to audit your email deliverability. Cover authentication, reputation, content, and infrastructure.
Stekpad Team
Email Deliverability Experts
Why a Deliverability Audit Saves Campaigns
"Email deliverability is not a switch you flip once — it is a system you audit continuously, because the signals that mailbox providers use to classify your reputation change faster than most senders realize." In 2026, inbox placement rates below 80% are not edge cases or anomalies; they are the default outcome for senders who have never run a structured deliverability audit. Every major authentication requirement, blacklist threshold, and engagement benchmark has a measurable impact on your inbox rate, and understanding exactly where your program stands on each dimension is the only way to prioritize what to fix first.
A deliverability audit is not a one-time event. It is a systematic review process that should run quarterly at minimum — more frequently if you are experiencing deliverability problems, have recently changed email infrastructure, or are preparing a new campaign to a cold list. The 30-point checklist in this guide is organized into five domains: authentication, sender reputation, content quality, infrastructure, and ongoing monitoring. Each point has a clear pass/fail criterion and a direct link to inbox placement impact. Work through the checklist from top to bottom — authentication issues at the top can cascade into false reputation signals that make the rest of the audit misleading.
The ROI case for regular audits is straightforward. A single deliverability issue — a misconfigured SPF record, a stale DKIM key, a blacklisted sending IP — can silently reduce inbox placement by 20-40 percentage points without triggering any obvious error. If your email program drives $500,000 in annual revenue and your inbox placement is 65% instead of 95%, you are leaving approximately $230,000 per year on the floor. The audit takes 2-4 hours to complete thoroughly. That ROI ratio makes it one of the highest-leverage investments available to any email-dependent business.
Stekpad’s platform automates the majority of this checklist continuously. The Domain Health Check, Blacklist Checker, Placement Tests, and Health Score dashboard together cover points 1-25 automatically, with real-time alerts when any metric falls below threshold. This guide walks you through all 30 points so you understand the mechanics behind each check — the automated monitoring is most powerful when you understand what it is measuring and why.
Authentication Checks (Points 1-10)
Point 1: SPF record exists and is valid. Use an SPF validator to confirm your domain publishes exactly one v=spf1 TXT record. Multiple SPF records cause an immediate PermError that fails every SPF check. Verify the record resolves without exceeding the 10 DNS lookup limit. Point 2: SPF includes all sending services. List every service that sends email on behalf of your domain — your ESP, CRM, helpdesk, marketing platform, and any internal mail servers. A missed include directive means emails from that service fail SPF, which directly reduces inbox placement for that sending stream. Point 3: SPF uses the correct qualifier. Confirm your record ends in -all (hard fail) rather than ?all (neutral). Hard fail tells receiving servers to reject unauthorized senders.
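A sketch of how Points 1 and 3 can be checked mechanically, including the 10-lookup limit counted across nested includes. This is an added example, not Stekpad's code; the `ZONE` table is constructed data standing in for DNS and all domain names in it are hypothetical.

```python
# Added example: offline SPF audit. ZONE is constructed TXT data standing in
# for DNS; every domain name in it is hypothetical.
ZONE = {
    "example.test": ["v=spf1 include:_spf.esp.test include:crm.test mx -all",
                     "site-verification=constructed"],
    "_spf.esp.test": ["v=spf1 ip4:192.0.2.0/24 include:relay.esp.test ~all"],
    "relay.esp.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "crm.test": ["v=spf1 a mx ?all"],
    "dup.test": ["v=spf1 -all", "v=spf1 mx -all"],
}
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")  # one DNS query each


def spf_records(domain, zone):
    """TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]


def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms, following include: and redirect= targets."""
    recs = spf_records(domain, zone)
    if domain in path or len(recs) != 1:   # loop or broken target: stop descending
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        body = term.lstrip("+-~?").lower()
        name = body.split(":", 1)[0].split("/", 1)[0]
        if body.startswith("redirect="):
            total += 1 + count_lookups(body.split("=", 1)[1], zone, path + (domain,))
        elif name in LOOKUP_MECHS:
            total += 1
            if name == "include" and ":" in body:
                total += count_lookups(body.split(":", 1)[1], zone, path + (domain,))
    return total


def audit_spf(domain, zone=ZONE):
    """Points 1 and 3: single record, at most 10 lookups, record ends in -all."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return {"pass": False, "reason": f"{len(recs)} SPF records"}
    lookups = count_lookups(domain, zone)
    terminal = recs[0].split()[-1].lower()
    return {"pass": lookups <= 10 and terminal == "-all",
            "lookups": lookups, "terminal": terminal}
```

Against live DNS, `spf_records` would be backed by a TXT query instead of the table; the counting logic stays the same.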
Point 4: DKIM is configured on your sending domain. Verify that your email service is signing outgoing messages with a DKIM signature. Use a DKIM checker to confirm the public key in DNS matches the private key used for signing. Point 5: DKIM key is 2048 bits or longer. 1024-bit DKIM keys are considered cryptographically weak in 2026. Rotate to a 2048-bit key if you are still using 1024. Point 6: DKIM selector is unique per sending service. If you use multiple email services, each should have its own DKIM selector to prevent signature conflicts. Point 7: DKIM signatures are not broken by email gateways or security proxies. Some corporate mail gateways modify headers in ways that invalidate DKIM signatures. "DKIM failures caused by intermediary gateway modifications account for approximately 15% of all authentication failures we diagnose at Stekpad — they are invisible until you specifically look for them."
Point 8: DMARC record is published. Confirm your domain has a DMARC TXT record at _dmarc.yourdomain.com. At minimum, the policy must be p=none with an rua reporting address. Without a DMARC record, you have no visibility into who is sending email using your domain name. Point 9: DMARC policy is p=quarantine or p=reject. A p=none policy is acceptable during initial implementation, but best practice is to move to p=quarantine or p=reject once you have confirmed all legitimate sending sources are passing SPF and DKIM alignment. Point 10: PTR record matches your sending IP. Your sending IP should have a reverse DNS record that resolves back to your sending domain or a hostname clearly associated with it. A mismatch is a significant spam filter trigger, especially for Microsoft Exchange Online Protection.
Reputation Checks (Points 11-16)
Point 11: Domain reputation is Medium or High in Google Postmaster Tools. Set up Google Postmaster Tools if you have not already. Your domain reputation should show Medium or High. Low or Bad classifications require immediate investigation. Point 12: Bounce rate is below 2%. Check your ESP’s bounce report for the last 30 days. Hard bounce rates above 2% are a strong spam signal. Remove all hard-bouncing addresses from your list immediately. Point 13: Spam complaint rate is below 0.08%. Google Postmaster Tools reports your spam complaint rate directly. The threshold for Gmail bulk sender requirements is 0.1%, but best practice is to stay below 0.08% with a target below 0.05%.
Point 14: You are not listed on any major blacklist. Run a blacklist check against Spamhaus, Barracuda, SORBS, URIBL, and at least 40 additional lists. Stekpad’s Blacklist Checker queries 50+ lists simultaneously and alerts you the moment your domain or sending IP appears on any of them. "A blacklist appearance you do not know about can silently block 10-30% of your emails for weeks while your metrics decline without an obvious explanation." Point 15: You have completed a proper warm-up for your sending domain and IP. New domains and new sending IPs that skip warm-up start with zero reputation. Verify your domain was gradually ramped from low volume over at least 3-4 weeks.
Point 16: Your list was acquired through permission-based opt-in methods. Purchased email lists, scraped addresses, and co-registration contacts consistently produce bounce rates, complaint rates, and spam filter hits that damage sender reputation at scale. Audit your list sources and segment by acquisition method. Any segment acquired through non-permission-based methods should be suppressed or warmed independently with extreme care. Stekpad’s Health Score dashboard tracks bounce rate, complaint rate, and engagement metrics that collectively reflect list quality, alerting you when any signal suggests a list quality problem.
Content Checks (Points 17-22)
Point 17: Subject lines do not contain spam trigger phrases. Run your subject lines through a spam score analyzer. Classic spam triggers — all caps, excessive exclamation marks, phrases like “FREE!!!” or “ACT NOW” — still generate filter hits in 2026, even in sophisticated ML-based spam filters. Point 18: HTML email code is clean and standards-compliant. Broken HTML, excessive JavaScript, missing alt tags on images, and non-standard encoding all trigger spam filter penalties. Aim for a mail-tester.com score of 9/10 or higher. "Clean HTML structure is a proxy signal for legitimate sender infrastructure — spam operations typically generate HTML with telltale structural defects that modern filters have learned to recognize."
Point 19: Text-to-image ratio is healthy. Emails that consist primarily of images with minimal text are a classic spam pattern. Aim for at least 60% text content by area. Image-heavy emails also suffer from rendering issues that reduce engagement. Point 20: Links use your own domain or a reputable tracking domain. Check every URL in your emails. Links to domains listed on URIBL or other URL blacklists will get your emails flagged even if your sending domain is clean. Point 21: Unsubscribe mechanism is functional and one-click. Gmail and Yahoo’s 2024 requirements mandate one-click unsubscribe for bulk senders via the List-Unsubscribe header. Non-functional or hidden unsubscribe links drive spam complaints as frustrated recipients reach for the spam button instead.
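For Point 21, one-click unsubscribe as defined in RFC 8058 depends on three things in the message headers: an HTTPS URI in List-Unsubscribe, a List-Unsubscribe-Post header with the fixed value, and a DKIM signature whose h= tag covers both. The check below is an added example, not code from the original page; the sample message is constructed and its domains and DKIM values are placeholders.

```python
import re
from email import message_from_string

# Constructed sample message (hypothetical domains, placeholder DKIM values).
SAMPLE = """\
From: News <news@example.test>
To: reader@recipient.test
Subject: Monthly update
List-Unsubscribe: <mailto:unsub@example.test?subject=u-123>, <https://example.test/u/123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=example.test; s=esp1;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post; bh=constructed; b=constructed

Body text.
"""


def check_one_click(raw):
    """Return a list of problems with the one-click unsubscribe headers."""
    msg = message_from_string(raw)
    issues = []

    # RFC 8058 needs an HTTPS URI; a mailto: target alone is not one-click.
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.lower().startswith("https://") for u in uris):
        issues.append("no https URI in List-Unsubscribe")

    post = (msg.get("List-Unsubscribe-Post") or "").strip()
    if post.lower() != "list-unsubscribe=one-click":
        issues.append("List-Unsubscribe-Post missing or wrong")

    # Both headers must appear in the h= tag of a DKIM signature.
    signed = set()
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"\bh=([^;]+)", sig)
        if m:
            signed |= {h.strip().lower() for h in m.group(1).split(":")}
    for header in ("list-unsubscribe", "list-unsubscribe-post"):
        if header not in signed:
            issues.append(f"{header} not covered by DKIM h=")
    return issues
```

This inspects headers only; it does not verify the DKIM signature itself or confirm that the HTTPS endpoint honors the POST.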
Point 22: Your from name and email address are consistent and recognizable. Inconsistent from names and addresses reduce brand recognition and increase the likelihood that recipients will not recognize your email and mark it as spam. Establish a consistent from name across all sending streams from the same domain. Stekpad’s platform includes a content quality checker that runs your email drafts through a deliverability assessment before you send, flagging issues across all six content dimensions described above.
Infrastructure Checks (Points 23-26)
Point 23: Your sending IP is dedicated, not shared. Shared IP addresses mean your reputation is partly determined by other senders using the same IP. If a bad actor on your shared IP sends spam, your deliverability suffers even if your own practices are perfect. Dedicated IPs are standard practice for senders with volume above 10,000 emails per month. Point 24: Your IP has an established reputation history. New dedicated IPs start with zero reputation just like new domains. If you recently moved to a dedicated IP, it must be warmed up independently from your domain.
Point 25: Your email sending patterns are consistent and humanized. Batch sends of 10,000 emails in 30 minutes, sends exclusively at 3 AM, and zero-send days followed by burst days are infrastructure patterns that spam filters associate with automated bulk mailing. Spread sends over business hours with natural variation. Point 26: MTA-STS policy is published for your domain. MTA-STS enforces TLS encryption for email in transit to your domain. Publishing an MTA-STS policy signals to receiving servers that you take email security seriously. "Infrastructure signals are the hardest category of deliverability issues to diagnose because they require access to sending logs and SMTP-level data that most ESPs do not expose to senders — Stekpad provides infrastructure-level visibility as a standard feature."
Monitoring and Stekpad Automation (Points 27-30)
Point 27: You run inbox placement tests at least monthly. Placement tests send to a curated seed list of real accounts across Gmail, Outlook, Yahoo, and other providers, then report where your emails actually landed. Monthly placement tests catch deliverability degradation before it shows up in campaign performance metrics. Stekpad’s Placement Test feature runs automated seed-list tests and reports inbox, spam, and missing rates broken down by provider within minutes of sending.
Point 28: You have automated alerts for bounce rate spikes, complaint rate increases, and blacklist appearances. Manual monitoring is too slow — by the time a weekly review catches a reputation problem, it has typically been compounding for 5-7 days. Automated alerts allow you to respond within hours. Stekpad sends push and email alerts the moment any monitored metric crosses a threshold you define. Point 29: You review DMARC reports weekly. Your DMARC rua reporting address receives XML reports showing every source that sent email claiming to be from your domain. Weekly review identifies unauthorized senders impersonating your domain and legitimate senders missing from your SPF record.
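The weekly review in Point 29 comes down to sorting each reporting row by its DMARC-evaluated SPF and DKIM results. The triage below is an added example, not part of the original article; the report is a constructed sample using documentation IP ranges, and it assumes un-namespaced report elements.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (rua) report; domains and IPs are placeholders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.test</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.5</source_ip><count>30</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.7</source_ip><count>14</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers></record>
</feedback>"""


def triage(report_xml):
    """Bucket message counts per source IP by DMARC-aligned SPF/DKIM result."""
    # Reports arrive from third parties: in production, parse them with a
    # hardened XML parser and cap the input size before parsing.
    buckets = {"aligned": {}, "spf_gap": {}, "dkim_gap": {}, "dmarc_fail": {}}
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", default="0"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        if dkim == "pass" and spf == "pass":
            label = "aligned"
        elif dkim == "pass":
            label = "spf_gap"      # passes DMARC on DKIM alone: check SPF includes
        elif spf == "pass":
            label = "dkim_gap"     # passes DMARC on SPF alone: check DKIM signing
        else:
            label = "dmarc_fail"   # neither aligned: unknown or unauthorized source
        buckets[label][ip] = buckets[label].get(ip, 0) + count
    return buckets
```

Sources in `spf_gap` are the candidates for a missing SPF include (or forwarded mail); sources in `dmarc_fail` are the ones to identify before moving the policy to p=quarantine or p=reject.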
Point 30: Your Health Score has been above 80 for the past 30 days. Stekpad’s Health Score aggregates inbox placement rate, bounce rate, reply rate, open rate, DNS health, and blacklist status into a single 0-100 composite score. A score above 80 sustained for 30 days indicates a healthy, stable email program. "A Health Score above 90 for 30 consecutive days is the deliverability equivalent of a clean bill of health — it means every major signal that providers monitor is trending positive." Run through this 30-point checklist quarterly, use Stekpad’s automated monitoring to track the majority of these metrics continuously, and treat any failing point as an immediate action item rather than a future optimization.