Email Deliverability Audit: The Complete Process

What an Audit Actually Examines

A real deliverability audit isn't a checklist — it's a structured investigation across six areas, each generating findings ranked by severity.

1. Authentication Audit

Check

• SPF record published and resolving
• SPF includes all legitimate sending sources
• SPF under 10 DNS lookup limit
• DKIM signing on every send, 2048-bit keys
• DKIM aligned with From: domain (when possible)
• DMARC published with policy at least p=none
• DMARC RUA address receiving reports
• DMARC alignment (relaxed or strict) per business needs

Tools

• dig TXT yourdomain.com
• mail-tester.com
• mxtoolbox.com/dmarc.aspx
• DMARC report parser (dmarcian or similar)

Common findings

• SPF over 10 lookup limit (causes permerror, breaks SPF)
• Forgotten third-party senders not in SPF
• DKIM signing missing for transactional sender
• DMARC at p=none for years with no advancement plan

2. Sender Reputation Audit

Check

• Google Postmaster Tools domain reputation (target: High)
• Google Postmaster Tools IP reputation (target: High)
• Google Postmaster Tools complaint rate (target: under 0.1%)
• Microsoft SNDS green status across IPs
• Yahoo Sender Hub data (if available)
• Sender Score (talosintelligence.com) if applicable

Tools

• Google Postmaster Tools
• Microsoft SNDS
• talosintelligence.com
• senderscore.org

Common findings

• Domain reputation dropped recently — needs investigation
• IP reputation varies wildly across pool
• Complaint rate trending up
• No Postmaster Tools setup at all (flying blind)

3. List Quality Audit

Check

• Bounce rate over past 90 days (target: under 1%)
• Complaint rate over past 90 days (target: under 0.1%)
• Unsubscribe rate (target: under 0.5%)
• Engagement distribution (active vs dormant)
• List acquisition sources and per-source quality
• Sunset policy in place and enforced
• Email validation cadence

Tools

• ESP analytics
• ZeroBounce, NeverBounce, Kickbox for validation
• Manual sample audit (any obviously bad addresses, role accounts, traps)

Common findings

• High bounce rate from old list
• Specific acquisition source produces high complaints
• No sunset policy — sending to people who haven't engaged in years
• No regular validation cadence

4. Content and Patterns Audit

Check

• Plain text alternative included in HTML emails
• URL hygiene (no shorteners, all tracking domains owned/clean)
• Image-to-text balance
• Subject line patterns
• Spam trigger word density (lower importance in 2026 but still relevant)
• HTML rendering across major clients
• Consistent template structure week-over-week

Tools

• mail-tester content score
• Litmus or Email on Acid for rendering
• Manual review

Common findings

• Tracking domain on URIBL blocklist
• Marketing template uses URL shortener
• Plain text alternative missing or stripped to nothing
• HTML breaks in specific clients

5. Infrastructure Audit

Check

• Sending domain strategy (marketing vs transactional separation)
• Subdomain usage (mail.example.com vs example.com)
• Custom tracking domains in place
• Return-path domain configured
• ESP plan supports your volume
• Dedicated IPs if volume justifies
• All third-party senders documented and authenticated

Tools

• DNS lookups
• ESP configuration review
• DMARC reports (reveals all senders)

Common findings

• Transactional and marketing mixed on same domain (cross-contamination risk)
• No custom tracking domain (shared ESP tracking domain damages reputation)
• Forgotten SaaS tool sending unauthenticated
• Dedicated IP not warmed properly

6. Compliance Audit

Check

• CAN-SPAM compliance (US): physical address, unsubscribe, From: identification
• GDPR compliance (EU): consent records, data minimization, lawful basis
• CASL compliance (Canada): express/implied consent, identification
• RFC 8058 one-click unsubscribe headers
• Standard List-Unsubscribe header
• Privacy policy linked
• Consent documentation accessible

Tools

• Manual email review
• Legal/policy review
• Test unsubscribe flow (does it actually work?)

Common findings

• One-click unsubscribe header missing or broken
• No physical address in marketing email
• Old consent records can't be produced

Output: The Audit Report

A useful audit report includes:

1. Executive summary with overall posture rating
2. Findings by severity (Critical / High / Medium / Low)
3. Specific remediation steps with priority order
4. Test data (Postmaster screenshots, DMARC reports, seed test results)
5. Implementation timeline estimate
6. Monitoring recommendations going forward

Generic recommendations ("improve your sender reputation!") aren't useful. Specific actions ("add Salesforce IPs to your SPF record at example.com") are.

Practitioner note: The most valuable audits I do uncover unauthenticated third-party senders. Senders consistently forget about that 6-month-old Calendly account, the e-signature tool, the support ticket system — all sending under their domain without proper SPF inclusion or DKIM. DMARC reports reveal these instantly.

Practitioner note: A DIY audit catches the obvious stuff: authentication, reputation, list quality. It often misses the subtle stuff: cross-domain reputation contamination, third-party sender SPF inclusion details, content patterns that look fine but score high in modern AI classifiers. Pay for a professional audit at least every 18-24 months even if you're handling day-to-day deliverability yourself.

Practitioner note: For GoHighLevel agencies and SaaS teams sending across multiple client domains, the per-client audit pattern is critical. Each client needs their own authentication audit, their own reputation check, their own compliance review. Trying to audit the umbrella sending infrastructure misses client-specific problems.

If you need a comprehensive deliverability audit done properly — with documented findings, prioritized remediation, and monitoring setup — book a deliverability audit. I run full audits for senders from 50K/month through 10M+/month volumes.

Sources

• M3AAWG: Sender Best Common Practices
• Google: Email sender guidelines
• Microsoft: SNDS
• RFC 8058: One-click unsubscribe

---

v1.0 · May 2026