Email Deliverability Audit: The Complete Step-by-Step Checklist

Open rates dropped 20% last month with no obvious cause. A customer just texted to say their order confirmation went to spam. Your campaign report shows a bounce spike you can't explain. These are the warning signs your email deliverability is in trouble - and the fastest way to find out what's broken is a thorough email deliverability audit.

Most deliverability problems don't appear out of nowhere. They build up slowly: list decay that nobody noticed, an authentication misconfiguration that slipped through, a sending IP that quietly landed on a blacklist. The audit process brings all of it into view at once so you can fix the actual problem instead of guessing.

This guide walks through a 7-step audit checklist that covers every layer of email delivery - from your DNS records down to your contact data. Work through it before your next major campaign and you'll know exactly where you stand.

What Is an Email Deliverability Audit?

An email deliverability audit is a structured evaluation of the technical, list-related, and content factors that determine whether your emails reach the inbox, land in spam, or get blocked by mail servers entirely. It identifies the root cause of delivery failures and provides specific, actionable fixes to restore inbox placement and protect your sender reputation.

When to Run a Deliverability Audit

Don't wait until your domain gets blacklisted. Run an audit the moment you notice any of these warning signs:

• Open rates dropped 10% or more from your normal baseline
• Hard bounce rate exceeded 2%
• Spam complaint rate climbed above 0.1%
• Emails are landing in promotions or spam folders
• You received a blacklist notification
• Your list hasn't been verified in more than 90 days
• You're about to send to a re-engaged or purchased list
• You switched to a new sending domain or IP address

Run a preventive audit before any major campaign too - a product launch, a seasonal push, or a win-back sequence. Catching problems before you hit send is always easier than recovering a damaged sender reputation after the fact.

Step 1: Verify Your Email Authentication (SPF, DKIM, DMARC)

Start here. Gmail and Yahoo have made SPF, DKIM, and DMARC mandatory for bulk senders, and getting any of them wrong means your emails fail authentication checks before they ever reach a spam filter or human recipient.

What each protocol does

SPF (Sender Policy Framework) tells receiving mail servers which IP addresses are authorized to send email from your domain. If your email comes from an unauthorized IP, it fails the SPF check.

DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to your outgoing emails. The receiving server uses your public DNS key to verify the signature wasn't tampered with in transit. Think of it as a tamper seal on every message you send.

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together. It tells receiving servers what to do with mail that fails either check - reject it, quarantine it, or just report back to you. Without a DMARC policy in place, even authenticated emails can be treated inconsistently across providers.

How to check authentication during the audit

1. Run a free lookup on MXToolbox - Check your SPF, DKIM, and DMARC records at mxtoolbox.com for any configuration errors or missing records
2. Send a test email to mail-tester.com - This free tool scores your email setup and flags any authentication failures with specific guidance
3. Check Google Postmaster Tools - Authentication section shows your DMARC compliance rate for mail to Gmail addresses specifically
4. Review your DMARC policy level - A policy of "none" means monitoring only. Move to "quarantine" or "reject" once your configuration is solid

If authentication is broken, fix it before moving to the other steps. Mail servers may block or flag your emails on authentication failure alone, making every other audit step irrelevant.

Step 2: Clean and Verify Your Email List

This is the step that makes the biggest difference - and the one most teams either skip or do poorly. Email lists decay at roughly 22-23% per year. A list you verified 12 months ago has almost a quarter of its addresses that may no longer be valid. That's not an edge case. That's the industry baseline.

Why dirty lists are the root cause of most deliverability problems

Every hard bounce sends a signal to inbox providers that you're not managing your data responsibly. Gmail, Outlook, and Yahoo all track bounce rate per sending domain. Cross 2% and you start getting throttled. Cross 5% and you risk deliverability problems across every email you send from that domain - not just the campaign that caused it.

Spam traps are worse. A single spam trap hit can trigger a blacklisting that takes weeks to resolve. These addresses wind up on old lists through list decay, bad data sources, and poor signup form hygiene.

How to verify your list during the audit

Start with a free email spot-check on a random sample of 50-100 addresses from your list. If more than 5% come back invalid, your entire list needs verification before the next send.

For full list verification, Bulk Email Checker runs each address through a 17-factor process: SMTP handshake, MX record validation, syntax checking, disposable email detection, catch-all domain detection, role-based email flagging, and more. Every address comes back with a clear status - passed, failed, or unknown - plus specific flags for risky email types.

Here's how a real-time verification API call works using the Bulk Email Checker API:

<?php
// Real-time email verification using Bulk Email Checker API
$apiKey = 'YOUR_API_KEY';
$email  = 'contact@example.com';

$url      = 'https://api.bulkemailchecker.com/real-time/?key=' . $apiKey . '&email=' . urlencode($email);
$response = file_get_contents($url);
$result   = json_decode($response, true);

// Primary status: passed | failed | unknown
if ($result['status'] === 'passed') {
    // Safe to send - mailbox verified
    echo 'Valid email address';

} elseif ($result['status'] === 'failed') {
    // Hard bounce risk - remove from list
    // Use event field for specific reason
    switch ($result['event']) {
        case 'mailbox_does_not_exist':
            echo 'Mailbox not found - remove';
            break;
        case 'domain_does_not_exist':
            echo 'Domain invalid - remove';
            break;
        case 'invalid_syntax':
            echo 'Bad email format - remove';
            break;
        default:
            echo 'Failed: ' . $result['event'];
    }

} else {
    // Unknown - catch-all or greylisting
    echo 'Uncertain: ' . $result['event'];
}

// Check risky email type flags
if (!empty($result['isDisposable'])) {
    echo 'Disposable email - block at signup forms';
}
if (!empty($result['isRoleAccount'])) {
    echo 'Role account (info@, admin@) - flag for low engagement';
}
?>

How to act on verification results

status: "passed" - Safe to send. Keep these contacts active.

status: "failed" - Remove immediately. These are hard bounce risks that damage your sender reputation with every send.

status: "unknown" with event "is_catchall" - Proceed with caution. Test a small segment of catch-all addresses first, monitor the bounce rate closely, and suppress any that bounce.

isDisposable: true - Remove or suppress. Disposable addresses go dead quickly and indicate low-quality signups.

isRoleAccount: true - Flag for review. Role accounts like info@ or admin@ rarely convert and often have lower engagement rates that hurt your reputation.

For large lists, the Bulk Email Checker API documentation covers batch processing patterns with proper rate limiting. Verification starts at a fraction of a cent per address with pay-as-you-go credits that never expire, so you're never paying a monthly subscription for capacity you don't use.

Step 3: Check Your Sender Reputation and IP Health

Your sender reputation is how inbox providers score your sending behavior over time. It's what determines whether your emails get delivered, throttled, or blocked - and it's directly tied to your list quality and bounce history from previous sends.

Google Postmaster Tools

If you send more than a few hundred emails per day to Gmail addresses, you need Google Postmaster Tools configured. It gives you direct visibility into domain reputation (classified as low, medium, high, or bad), IP reputation per sending IP, DMARC compliance rate, spam complaint volume from Gmail users, and delivery error reporting. A "bad" domain reputation here is a five-alarm problem. The fix almost always comes back to Step 2 - list cleanup - combined with sending to engaged subscribers first to rebuild trust.

Microsoft SNDS

The Smart Network Data Services tool gives you the Outlook equivalent - complaint rates and spam trap hits per sending IP. If you're seeing delivery failures specifically with Outlook.com or Microsoft 365 addresses, SNDS usually tells you exactly why.

Key reputation thresholds

Step 4: Review Bounce Rates and Complaint Rates

Pull 60-90 days of campaign data from your ESP, not just the most recent send. A single outlier campaign can skew the numbers dramatically, so look at the trend over time.

Hard bounces vs. soft bounces

Hard bounces are permanent delivery failures. The mailbox doesn't exist, the domain is gone, or the mail server is permanently rejecting your domain. Every hard bounce should trigger an automatic removal from your active list. Letting them accumulate is one of the fastest ways to tank your sender reputation.

Soft bounces are temporary failures - a full mailbox, a server temporarily unavailable, a message that exceeded the size limit. Most ESPs retry soft bounces automatically over 72 hours. If an address soft bounces consistently across three or more campaigns, treat it as a hard bounce and suppress it.

Diagnosing a bounce rate spike

Segment your bounce data by acquisition source or list segment. A uniform spike across all segments means your list aged out and needs bulk verification. A spike concentrated in one segment points to a bad data source - pause that segment until you can verify the quality.

Complaint rate spikes are usually content or frequency problems, not list quality issues. If complaints jumped after you changed your email format, subject line style, or send frequency, revert and retest.

Step 5: Test Your Inbox Placement

Authentication and list quality handle the heavy lifting, but content and sending patterns still affect where your email lands. Inbox placement testing shows you the actual result - inbox, spam, or promotions tab - across different mail providers.

Tools worth using for placement testing:

• Mail-tester.com - Free, fast. Send your email to their test address and get a deliverability score with specific issues called out
• GlockApps - Tests placement across Gmail, Outlook, Yahoo, and other major providers simultaneously
• Google Postmaster Tools - Shows inbox vs. spam placement trends specifically for your Gmail traffic over time

If your email is landing in spam despite clean authentication and a verified list, the problem is almost always content. Check Step 6 next.

Step 6: Audit Your Email Content for Spam Triggers

Spam filters analyze dozens of signals in your email content. Run through this checklist on every template in your rotation:

• ALL CAPS words in subject lines or body copy
• Excessive exclamation marks in subject lines
• High image-to-text ratio (emails that are mostly images look like spam)
• Links pointing to blacklisted or suspicious domains
• Missing, hidden, or broken unsubscribe link (required by CAN-SPAM and GDPR)
• No plain-text alternative version of your HTML email
• Too many outbound links in a single email (seven or more raises flags)
• Inconsistent From name or sending address across campaigns
• URL shorteners that hide the actual destination domain

The fastest content check: send a test campaign through mail-tester.com before every send. Fix anything below a score of 8/10 before it goes to your list.

Step 7: Check Blacklist Status

If your first six steps all check out but you're still having delivery problems, check whether your sending IP or domain is on a blacklist. Blacklisting can happen fast - sometimes within hours of a bad send.

The major blacklists that affect deliverability:

• Spamhaus - The most widely consulted blacklist. Blocking by Spamhaus affects delivery to virtually every major ISP
• Barracuda - Heavily used by enterprise email security gateways
• SpamCop - User-reported spam database, more volatile but widely checked
• SORBS - Open relay and spam source database

MXToolbox's free blacklist checker tests your domain and IP against 100+ blacklists simultaneously. Run it any time you see an unexplained delivery failure.

If you're listed, fix the root cause first - usually high bounces, spam trap hits, or spam complaints from a dirty list. Then request delisting from each blacklist operator directly. Most will delist within 24-72 hours once the root problem is resolved and documented.

How Often Should You Run an Email Deliverability Audit?

Active senders (weekly or more): Monthly basic audit covering authentication, list spot-check, and bounce review. Full 7-step audit every quarter.

Moderate senders (biweekly to monthly): Quarterly full audit, plus a pre-campaign mini-audit before any large send.

Always run a full audit before:

• Any list you haven't mailed in 60 days or longer
• A re-engagement or win-back campaign targeting inactive subscribers
• Launching from a new sending domain or IP address
• A major seasonal campaign like a Black Friday push or year-end send
• Adding contacts from any new data source you haven't used before

If you're sending at high volume, Bulk Email Checker's unlimited API plans let you verify every new address at the point of capture and schedule automatic re-verification across your full database on a regular cadence. That's the difference between reactive deliverability management and a proactive list health program that never lets problems accumulate.

Frequently Asked Questions

How long does an email deliverability audit take?

A basic audit covering authentication, a list spot-check, bounce rate review, and a blacklist scan takes 1-2 hours. A full 7-step audit including inbox placement testing, content review, and bulk list verification for a large database can take a full business day depending on list size and how many issues you find.

What's the most common cause of email deliverability problems?

Poor list hygiene is the root cause in the majority of cases. Invalid email addresses generate hard bounces, which damage sender reputation, which causes inbox placement failures. The fix starts with thorough email list verification before every major campaign - and real-time verification on every signup form so bad data never enters your database in the first place.

Can a deliverability audit fix an existing blacklisting?

An audit identifies why you got blacklisted, but the fix requires resolving the underlying problem first - typically high bounce rates, spam trap hits, or complaints from a dirty list. Once resolved, you submit delisting requests to each blacklist operator. Most process requests within 24-72 hours once the root cause is confirmed as fixed.

Do I need to verify my email list even if I use a reputable ESP?

Yes. ESPs route your emails efficiently but do not verify the quality of your contact data. List hygiene and bounce management are your responsibility as the sender. Most ESPs will suspend accounts that sustain bounce rates above their thresholds - typically 2-5% depending on the platform - regardless of how reputable they are.

How much does email list verification cost?

Bulk Email Checker's pay-as-you-go model prices verification at a fraction of a cent per address, with credits that never expire. That's significantly cheaper than monthly subscription services that bill you for quota you may not use. For high-volume operations, the unlimited API plan provides flat-rate access with no per-verification charges.

Conclusion

An email deliverability audit isn't something you do once and move on from. It's how healthy email programs stay healthy. The 7 steps in this checklist cover every layer of deliverability - from your DNS configuration down to individual contact records.

The most impactful single step for most teams is Step 2: verifying and cleaning the list. A verified list protects every other deliverability investment you make. Clean contacts mean lower bounce rates, which means better sender reputation, which means better inbox placement. Everything else builds on that foundation.

Start with a free spot-check of your current list today. No account required, no credit card, ten free verifications per day. If the results flag problems, pay-as-you-go verification gives you the flexibility to clean your full list on your schedule without a monthly commitment.