Email Deliverability Audit: 10-Step Checklist to Fix Your Cold Email Problems

Your cold emails aren't getting responses - but the problem might not be your copy.

If your emails aren't reaching inboxes, the best subject line in the world won't help. Before optimizing templates or testing CTAs, you need to audit your deliverability foundation.

This guide provides a systematic 10-step audit process to identify and fix the issues keeping your emails out of inboxes. By the end, you'll know exactly where your deliverability stands and what to prioritize fixing.

What Is Email Deliverability (And Why It Matters)

Email deliverability is the ability to successfully land emails in recipients' inboxes rather than spam folders or having them blocked entirely.

Key distinction: Delivery rate and deliverability are not the same thing.

• Delivery rate: Percentage of emails accepted by the receiving server (not bounced)
• Inbox placement rate: Percentage of delivered emails that reach the primary inbox
• Deliverability: Your overall ability to consistently reach inboxes

You can have a 98% delivery rate while only 50% of those emails actually land in inbox. The rest go to spam, promotions, or other folders where they'll never be seen.

The Financial Impact

Poor deliverability directly impacts revenue:

• Lost reach: If 30% of emails hit spam, you're effectively losing 30% of your outreach capacity
• Wasted resources: Every email to spam costs money (tools, time, lead data) with zero return
• Reputation damage: Consistent spam placement makes recovery harder over time
• Opportunity cost: Prospects who never see your message can't respond

Deliverability Benchmarks for 2026

Target these metrics for healthy cold email campaigns:

If your metrics fall in "Poor" or "Acceptable" ranges, this audit will help you identify why.

The 10-Step Deliverability Audit

Work through each step systematically. Document your findings and prioritize fixes based on severity.

Step 1: SPF Record Verification

What it checks: Whether your domain tells receiving servers which mail servers are authorized to send email on your behalf.

Why it matters: Without valid SPF, receiving servers have no way to verify emails claiming to be from your domain are legitimate. Many will reject or spam-filter such emails by default.

How to audit:

1. Look up your SPF record using MXToolbox or Google Admin Toolbox
2. Enter your domain and check the SPF record tab
3. Verify the record exists and includes all your sending sources

What to look for:

✅ Good SPF record:

1v=spf1 include:_spf.google.com include:mail.mailbeast.com ~all

❌ Problems:

• No SPF record exists
• Multiple SPF records (only one is allowed)
• Missing authorized sending sources
• Exceeds 10 DNS lookup limit
• Uses -all without being certain (starts as ~all)
• Syntax errors

How to fix:

1. Create or update your SPF record in DNS settings
2. Include all legitimate sending sources:

• Your email provider (Google Workspace, Microsoft 365)
• Your cold email platform
• Any marketing automation tools

1. Use ~all (soft fail) while testing, move to -all (hard fail) once verified
2. Flatten SPF if you exceed 10 lookups

Tools:

• MXToolbox SPF Lookup
• Google Admin Toolbox
• SPF Record Generator

Step 2: DKIM Signature Check

What it checks: Whether your emails are cryptographically signed to prove they haven't been modified in transit and truly originate from your domain.

Why it matters: DKIM prevents email spoofing and tampering. ISPs trust signed emails more than unsigned ones, and DKIM is required for DMARC to work properly.

How to audit:

1. Send a test email to a tool like Mail Tester or to your personal Gmail
2. Check email headers for DKIM signature (in Gmail: click three dots → Show original)
3. Look for dkim=pass in the authentication results
4. Verify the signing domain matches your sending domain (alignment)

What to look for:

✅ Good DKIM:

• dkim=pass in authentication results
• Signature domain aligns with From address domain
• Key size is 1024 bits or higher (2048 recommended)

❌ Problems:

• No DKIM signature present
• dkim=fail in authentication results
• Misaligned domains (signing as different domain than From address)
• Key published incorrectly in DNS
• Outdated or weak key (512 bits)

How to fix:

1. Enable DKIM signing in your email provider settings
2. Generate DKIM keys (your provider usually does this)
3. Publish the public key as a DNS TXT record
4. Verify the signature appears in sent emails
5. Ensure alignment between signing domain and From domain

For Google Workspace: Admin Console → Apps → Google Workspace → Gmail → Authenticate email → Generate new record → Add to DNS

For Microsoft 365: Microsoft 365 Defender → Email & Collaboration → Policies → DKIM → Enable for domain

Tools:

• Mail Tester (mail-tester.com)
• DKIM Validator
• MXToolbox DKIM Lookup

Step 3: DMARC Policy Review

What it checks: Whether you have a policy telling receiving servers how to handle emails that fail SPF or DKIM checks.

Why it matters: DMARC ties SPF and DKIM together, enables reporting on authentication failures, and signals to ISPs that you take email security seriously. As of 2026, a DMARC policy of p=reject is increasingly expected from trusted senders.

How to audit:

1. Look up your DMARC record: _dmarc.yourdomain.com
2. Check that a record exists and parse its components
3. Review DMARC reports if you have reporting enabled

What to look for:

✅ Good DMARC record:

1v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100;

Policy levels:

• p=none - Monitoring only, no action taken (starting point)
• p=quarantine - Failed emails go to spam
• p=reject - Failed emails are blocked entirely (strongest, recommended)

❌ Problems:

• No DMARC record exists
• Policy set to p=none with no plans to strengthen
• No reporting address (rua) configured
• Subdomain policy (sp) missing if using subdomains
• pct set below 100 without reason

How to fix:

1. If no DMARC record exists, start with monitoring:

1   v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

1. Analyze reports for 2-4 weeks to identify all legitimate sending sources

1. Ensure all sources pass SPF and DKIM

1. Gradually strengthen policy:

• Move to p=quarantine with pct=10, increase to 100%
• Move to p=reject with pct=10, increase to 100%

1. Continue monitoring reports for any issues

Tools:

• MXToolbox DMARC Lookup
• DMARC Analyzer
• Google Postmaster Tools (for aggregate data)

Step 4: Domain and IP Reputation Analysis

What it checks: How ISPs and spam filters perceive your sending domain and IP addresses based on historical behavior.

Why it matters: Even with perfect authentication, poor reputation means emails go to spam. Reputation is built over time through consistent sending patterns and positive engagement.

How to audit:

For domain reputation:

1. Google Postmaster Tools - Shows reputation with Gmail (requires verification)
2. Microsoft SNDS - Shows reputation with Outlook (requires verification)
3. Talos Intelligence (by Cisco) - General reputation lookup
4. Barracuda Reputation Lookup

For IP reputation:

1. Sender Score (by Validity) - 0-100 score based on IP
2. Talos Intelligence - IP reputation lookup
3. Your email platform's reputation dashboard

What to look for:

✅ Good reputation:

• Google Postmaster: "High" reputation
• Microsoft SNDS: Normal/Green status
• Sender Score: 80+ (ideally 90+)
• Talos: Neutral or Good

❌ Problems:

• Google Postmaster: "Low" or "Bad" reputation
• Sender Score below 70
• Listed as "Poor" on Talos
• Sudden reputation drops after campaigns

How to fix:

1. Pause aggressive sending - Reduce volume while you fix issues
2. Clean your list - Remove bouncing, unengaged, and risky addresses
3. Fix authentication - Complete Steps 1-3 first
4. Improve engagement - Send to engaged segments only
5. Consistent sending - Avoid spikes; maintain steady volume
6. Warmup - Re-warmup damaged accounts before scaling

Reputation recovery takes time - weeks to months depending on severity.

Step 5: Blacklist Scanning

What it checks: Whether your domain or sending IPs appear on any DNS-based blacklists (DNSBLs) used by spam filters.

Why it matters: Major blacklists like Spamhaus, Barracuda, and SORBS are used by ISPs to block or filter email. Being listed can devastate deliverability instantly.

How to audit:

1. Run your domain and IP through a multi-blacklist checker:

• MXToolbox Blacklist Check
• MultiRBL.valli.org
• BlacklistMaster
• Spamhaus Lookup (directly)

1. Check all IPs associated with your email sending, not just primary

Major blacklists to monitor:

• Spamhaus (SBL, XBL, PBL, DBL)
• Barracuda
• SORBS
• SpamCop
• CBL (Composite Blocking List)
• URIBL (for domain content)

What to look for:

✅ Clean status:

• Not listed on any major blacklists
• No recent listings

❌ Problems:

• Listed on Spamhaus (most impactful)
• Listed on multiple blacklists
• Recurring listings after removal

How to fix:

1. Identify the cause - Why were you listed? Common reasons:

• Sending to spam traps
• High spam complaints
• Compromised account sending spam
• Poor list hygiene

1. Fix the underlying issue - Don't just delist; solve the problem

1. Request removal - Each blacklist has its own delisting process:

• Spamhaus: blocklist removal form
• Barracuda: removal request portal
• Others: Follow instructions on their websites

1. Monitor continuously - Set up alerts for future listings

Tools:

• MXToolbox Blacklist Check (100+ lists)
• Spamhaus Lookup
• BlacklistMaster (monitoring alerts)

Step 6: Content Spam Score Testing

What it checks: Whether your email content triggers spam filters based on words, formatting, or structural elements.

Why it matters: Over 75% of spam filtering decisions involve content analysis. Even with perfect infrastructure, spammy content triggers filters.

How to audit:

1. Send a test email to Mail Tester (mail-tester.com) - Get a 1-10 score with detailed breakdown
2. Use MailReach or Folderly spam checkers for content analysis
3. Test multiple variations of your actual cold emails

What to look for:

✅ Good content signals:

• Mail Tester score of 8+/10
• No spam words flagged
• Clean HTML (if using any)
• Good text-to-image ratio
• All links resolve to legitimate domains

❌ Problems:

Spam trigger words to avoid:

• Urgency: "Act now," "Limited time," "Urgent"
• Money: "Free," "Discount," "No cost," "Best price"
• Overpromising: "Guaranteed," "Revolutionary," "Miracle"
• Suspicious: "Click here," "Winner," "Congratulations"

Formatting issues:

• ALL CAPS TEXT
• Excessive punctuation!!!
• Too many images, not enough text
• Broken HTML
• Hidden text or tiny fonts
• Multiple colors and fonts

Structural issues:

• No unsubscribe link
• Missing physical address
• Generic From name
• Mismatch between From and Reply-To domains

How to fix:

1. Rewrite subject lines and body to remove trigger words
2. Keep emails short and plain-text (no HTML for cold outreach)
3. Use a professional From name (your actual name or brand)
4. Include a proper signature with contact information
5. Ensure unsubscribe link is present and functional
6. Avoid links in first cold email (add in follow-ups)

Tools:

• Mail Tester (mail-tester.com)
• MailReach Spam Test
• Folderly Spam Words Checker
• Smartlead Spam Checker

Step 7: List Hygiene Assessment

What it checks: The quality of your email list - whether addresses are valid, active, and appropriate to contact.

Why it matters: Sending to invalid addresses causes bounces, which damage reputation. Sending to spam traps causes blacklisting. Sending to unengaged addresses signals to ISPs that your emails aren't wanted.

How to audit:

1. Run your list through an email verification service
2. Check historical bounce rates across recent campaigns
3. Review list sources and acquisition methods
4. Analyze engagement by list segment

What to look for:

✅ Healthy list:

• Less than 2% invalid addresses
• Known sources for all contacts
• Regular cleaning schedule
• Segmented by engagement level

❌ Problems:

High-risk addresses:

• Role addresses: info@, sales@, support@
• Catch-all domains (accept all addresses, often spam traps)
• Disposable email addresses
• Very old addresses (not verified recently)

List quality issues:

• Unknown or purchased list sources
• Bounce rate above 3%
• Many addresses from free email providers (for B2B)
• No verification before sending

How to fix:

1. Verify before sending - Run all new leads through verification
2. Remove invalids - Delete hard bounces immediately
3. Quarantine risky - Move catch-all and role addresses to separate, careful sends
4. Sunset unengaged - After 3-4 emails with no engagement, pause contact
5. Document sources - Track where every lead comes from
6. Regular re-verification - Re-verify lists every 3-6 months

Tools:

• ZeroBounce
• NeverBounce
• Clearout
• BriteVerify

Step 8: Bounce Rate Analysis

What it checks: The percentage and types of emails that fail to deliver, broken down by cause.

Why it matters: High bounce rates signal to ISPs that you're sending to unverified lists - a spam indicator. Different bounce types have different causes and fixes.

How to audit:

1. Pull bounce data from your email platform
2. Categorize by bounce type (hard vs. soft)
3. Calculate overall bounce rate and trend over time
4. Identify patterns (specific domains, list segments)

Bounce types explained:

Hard bounces (permanent failures):

• Invalid address (doesn't exist)
• Domain doesn't exist
• Recipient blocked you permanently

Soft bounces (temporary failures):

• Mailbox full
• Server temporarily unavailable
• Message too large
• Graylisting (temporary delay for unknown senders)

What to look for:

✅ Healthy bounce rates:

• Total bounce rate: <2%
• Hard bounce rate: <0.5%
• No sudden spikes
• No patterns by domain

❌ Problems:

• Bounce rate above 3% (immediate action needed)
• Bounce rate above 5% (stop sending, audit list)
• Concentrated bounces from specific domains
• Increasing bounce trend over time

How to fix:

1. Hard bounces - Remove immediately, never send again
2. Soft bounces - Retry 2-3 times, then remove if persistent
3. Domain patterns - Investigate if many bounces from one domain (you may be blocked)
4. Verify before sending - Catch invalids before they bounce
5. Monitor real-time - Set up alerts for bounce rate spikes

Step 9: Engagement Metrics Review

What it checks: How recipients interact with your emails - opens, clicks, replies, spam reports.

Why it matters: ISPs increasingly use engagement signals to determine inbox placement. High engagement = trusted sender. Low engagement = spam risk.

How to audit:

1. Pull engagement data from your email platform
2. Segment by campaign, list source, and time period
3. Compare to industry benchmarks
4. Identify trends and outliers

Key metrics:

Open rate:

• Benchmark: 35-50% for cold email
• Note: iOS privacy features make opens less reliable

Reply rate:

• Benchmark: 3-10% for cold email
• This is your most important metric

Click rate:

• Benchmark: 1-5% if including links
• High clicks with low replies may indicate curiosity but weak offer

Spam complaint rate:

• Benchmark: Below 0.1% (0.3% maximum)
• Above 0.3% triggers ISP throttling/blocking

Unsubscribe rate:

• Benchmark: Below 0.5%
• Higher rates indicate poor targeting or messaging

What to look for:

✅ Healthy engagement:

• Open rates 40%+
• Reply rates 5%+
• Spam complaints <0.1%
• Consistent or improving trends

❌ Problems:

• Open rates below 20% (possible spam placement)
• Reply rates below 1% (poor targeting or message)
• Spam complaints above 0.1%
• Declining engagement over time

How to fix:

1. Low opens - Fix deliverability first, then test subject lines
2. Low replies - Improve targeting, personalization, and value proposition
3. High complaints - Review list sources, improve opt-out visibility
4. Declining engagement - Rotate messaging, update lists, check warmup status

Step 10: Sending Pattern Evaluation

What it checks: Whether your email sending volume, timing, and distribution follow patterns that ISPs expect from legitimate senders.

Why it matters: Sudden spikes, inconsistent timing, or unusual patterns trigger spam filters. Legitimate senders have predictable behavior.

How to audit:

1. Review daily/weekly sending volumes over past 3 months
2. Check sending time distribution (should spread through day)
3. Verify volume per mailbox stays within limits
4. Look for spikes correlating with deliverability drops

What to look for:

✅ Healthy patterns:

• Consistent daily volume (within 20% variation)
• Gradual volume increases (not sudden jumps)
• Sending spread across business hours
• Under 50 emails per inbox per day
• Multiple mailboxes for higher volumes

❌ Problems:

• Sudden volume spikes (3x+ normal)
• All emails sent in a short burst
• Single mailbox sending 100+ per day
• Weekend sending patterns (unusual for B2B)
• Volume exceeding warmup level

How to fix:

1. Smooth your sending - Use scheduling to spread emails through the day
2. Respect limits - Stay under 50/inbox/day for cold email
3. Scale gradually - Increase by 10-20% per week, not per day
4. Add infrastructure - More mailboxes and domains for more volume
5. Maintain warmup - Keep warmup running even at full capacity

Creating Your Deliverability Fix Priority Matrix

After completing all 10 steps, prioritize fixes based on impact and urgency:

Fix Immediately (Today)

• Blacklist listings
• Missing/failed SPF
• Missing/failed DKIM
• Bounce rates above 5%
• Spam complaint rates above 0.3%

Fix This Week

• DMARC not configured
• Spam trigger content
• List hygiene issues
• Irregular sending patterns

Fix This Month

• Suboptimal engagement rates
• DMARC policy below p=reject
• Reputation below "Good"
• Minor authentication alignment issues

Ongoing Maintenance

• Regular list cleaning
• Continuous warmup
• Weekly metric reviews
• Quarterly full audits

Ongoing Monitoring Schedule

Deliverability isn't a one-time fix. Set up this maintenance schedule:

Daily:

• Check bounce rates
• Monitor spam complaints
• Review delivery/open metrics

Weekly:

• Run blacklist scans
• Review Google Postmaster reputation
• Analyze engagement trends

Monthly:

• Test content spam scores
• Verify authentication records
• Re-assess list hygiene

Quarterly:

• Full 10-step audit
• DMARC report analysis
• Sending pattern review
• Tool and process updates

MailBeast Deliverability Features

At MailBeast, we've built deliverability monitoring directly into the platform:

Real-time dashboards: See inbox placement, bounces, and complaints as they happen - not days later.

Automated warmup: Our warmup engine maintains your sender reputation continuously, not just during initial setup.

Smart sending: Automatic distribution across mailboxes, time-zone-aware sending, and volume pacing that respects ISP expectations.

Authentication monitoring: We verify your SPF, DKIM, and DMARC on every account and alert you to issues before they impact campaigns.

Blacklist alerts: Get notified immediately if any of your sending domains or IPs appear on major blacklists.

Stop guessing about deliverability. See exactly where your emails land and why.

Key Takeaways

1. Authentication is non-negotiable - SPF, DKIM, and DMARC must all pass
2. Reputation takes time - Both to build and to repair
3. Blacklists require immediate action - Fix the cause, then request removal
4. Content matters - Avoid spam triggers even with perfect infrastructure
5. List quality drives everything - Bad lists destroy good senders
6. Engagement signals trust - ISPs watch how recipients interact with your emails
7. Consistency beats volume - Steady, predictable sending patterns win

Frequently Asked Questions

How often should I run a full deliverability audit?

Run a complete 10-step audit quarterly. Between audits, monitor key metrics (bounces, complaints, inbox placement) daily or weekly. Run immediate audits after any significant deliverability drop.

What's the most important factor for deliverability?

Authentication (SPF, DKIM, DMARC) is foundational - without it, nothing else matters. But for accounts with proper authentication, list quality and engagement metrics have the biggest impact on inbox placement.

How long does it take to fix deliverability issues?

Simple fixes like authentication can be done in hours. Reputation recovery takes 2-8 weeks depending on severity. Blacklist delisting typically takes 24-72 hours once you've fixed the underlying issue.

Should I use a dedicated IP or shared IP?

For most cold email senders, shared IP through a reputable provider is fine. Dedicated IPs require higher volumes to build reputation and more management overhead. Consider dedicated IP only if sending 100,000+ emails monthly.

What inbox placement rate should I target?

Aim for 90%+ inbox placement. Above 95% is excellent. Below 80% indicates problems requiring immediate attention. Below 70% suggests fundamental issues with authentication, reputation, or list quality.

Can I recover from a damaged sender reputation?

Yes, but it takes time and discipline. Pause aggressive sending, fix underlying issues, restart with engaged segments only, and gradually rebuild trust through positive engagement signals. Full recovery can take 4-12 weeks.

Last updated: January 2026