
Email Deliverability Checklist 2026: The 47-Point Pre-Send Audit

Every check that matters before you hit send. Authentication, infrastructure, content, list hygiene, compliance — plus the high-risk industry extras SendGrid, Mailchimp and Brevo will not tell you about.

By Alex Rosca · April 11, 2026 · 14 min read

This is the checklist we run internally at SendHaven before every customer launches their first campaign on our infrastructure. It is not a 12-bullet blog listicle. It is the full audit — 47 checks across 8 categories — that separates senders who hit the inbox from senders who quietly rot in the spam folder wondering why their open rates collapsed.

Fair warning: this checklist is written for senders who take deliverability seriously. If you are a hobbyist sending 500 newsletters a month from a Gmail address, most of this will be overkill. If you are sending 10,000+ messages a month — transactional, marketing, cold outreach, or anything in between — every single item below will either save you or catch up to you eventually.

We built this list after years of running dedicated email infrastructure for operators in the industries most ESPs refuse to serve: iGaming, crypto, forex, CBD, adult, dating, cold outreach. High-risk senders have less margin for error than consumer-facing SaaS, so our standards are higher than the average deliverability guide you will find online. Print this, bookmark it, or turn it into a Notion database — just run it.

The 30-second version: Authentication + clean list + warm IP + good content + honest consent = inbox. Everything on this checklist serves one of those five pillars. If you are short on time, go straight to sections 1, 2 and 4 — they cover 80% of the wins.

How to use this checklist

Run the full 47 points when you are setting up a new sending domain, migrating from another ESP, or diagnosing a deliverability drop. For ongoing sends, pull out the "pre-send audit" subset (sections 1, 2, 3 and 4) and run it before any major campaign.

Every check has a pass criterion. If you cannot confidently tick a box, the item is a fail — not a "maybe." Deliverability does not grade on a curve. Filter systems see binary signals: you pass the check or you contribute to a reputation decay that eventually lands you in the spam folder.

If you want the deeper theory behind any of these checks, we wrote a full email deliverability guide that walks through SPF, DKIM, DMARC, IP reputation and engagement signals in detail. This page is the quick-reference audit; that page is the textbook.

1. Domain & authentication (12 checks)

Authentication is non-negotiable in 2026. Google, Yahoo and Microsoft all require DMARC for senders above 5,000 messages per day, and "required" means rejected or spam-foldered if missing. This section is the single highest-leverage part of the entire checklist.

Sending domain & DNS basics

1. The sending domain is a subdomain of your main brand (e.g. mail.brand.com, send.brand.com) — never your apex root domain, never a free mailbox.
2. The sending domain has been registered for at least 30 days before first send. Brand-new domains have zero reputation and filters treat them as suspicious.
3. WHOIS information is not fully redacted. Privacy-hidden domains get scored worse by some reputation systems, especially for high-risk verticals.
4. The domain has a valid MX record pointing to a real mail host — even if you do not accept inbound. Domains that cannot receive mail cannot respond to bounces, FBL reports or DMARC aggregate reports.

SPF

5. A single SPF record exists on the sending domain. Multiple v=spf1 records are an automatic fail: many filters will reject outright.
6. SPF ends with -all (hard fail) or ~all (soft fail). +all authorizes every host on the internet to send as your domain, the SPF equivalent of an open relay, and is an instant spam-folder sentence.
7. SPF lookup count stays under 10 DNS lookups (the RFC limit). Nesting too many include: directives breaks SPF silently and catastrophically.
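
Checks 5 to 7 can be scripted. The following is an added example, not SendHaven's own tooling: it audits SPF records held in a constructed in-memory zone, and the domain names and the helpers `spf_records`, `count_lookups` and `audit_spf` are assumptions made for illustration.

```python
import re

# Constructed TXT data for illustration; a real audit would query DNS instead.
ZONE = {
    "mail.example.com": ["v=spf1 include:_spf.esp-a.example include:_spf.esp-b.example mx -all"],
    "_spf.esp-a.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.pool.example ~all"],
    "_spf.esp-b.example": ["v=spf1 a mx ip4:198.51.100.0/24 ~all"],
    "_spf.pool.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    # Two services published as separate TXT records instead of one merged record.
    "split.example.com": ["v=spf1 include:_spf.esp-a.example ~all", "v=spf1 include:_spf.esp-b.example ~all"],
    "open.example.com": ["v=spf1 +all"],
    # Eleven includes, one more than RFC 7208 allows.
    "heavy.example.com": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # one DNS lookup each (RFC 7208, 4.6.4)

def spf_records(domain, zone):
    """Return every TXT string at `domain` that is an SPF record."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, seen=None):
    """Count lookup-costing terms in the record and in every record it pulls in (each followed once)."""
    seen = set() if seen is None else seen
    records = spf_records(domain, zone)
    if domain in seen or len(records) != 1:
        return 0  # loop guard, or no single record to follow
    seen.add(domain)
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")                      # drop the qualifier
        name = re.split(r"[:=/]", term)[0]              # mechanism or modifier name
        target = re.split(r"[:=]", term, maxsplit=1)[-1].split("/")[0]
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, seen)  # nested records count too
    return total

def audit_spf(domain, zone):
    """Apply checks 5 to 7 and return a list of findings (empty list means pass)."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return [f"check 5: found {len(records)} SPF records, need exactly 1"]
    findings = []
    last = records[0].lower().split()[-1]
    if last not in ("-all", "~all"):
        findings.append(f"check 6: record ends with {last!r}")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        findings.append(f"check 7: {lookups} DNS lookups, limit is 10")
    return findings

if __name__ == "__main__":
    print({d: audit_spf(d, ZONE) or "pass" for d in ("mail.example.com", "split.example.com", "heavy.example.com")})
```

Note that the nested includes matter: `mail.example.com` lists only three lookup terms itself but costs six once the included records are expanded.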

DKIM

8. DKIM is signing with a 2048-bit key minimum. 1024-bit keys are tolerated but no longer recommended.
9. DKIM selector is unique and descriptive (e.g. s2026a._domainkey), and you have a rotation plan so you can switch keys without downtime if one is compromised.
10. DKIM passes alignment with the From header domain. Misaligned DKIM fails DMARC even if the signature itself is valid — this is the single most common silent deliverability killer.

DMARC

11. A DMARC record exists at _dmarc.yourdomain.com. Start with p=none for monitoring, then move to p=quarantine once you have verified all legitimate sending sources are aligned. Target p=reject within 90 days.
12. The DMARC rua aggregate reporting address is set to an inbox you actually read (or better, a service like Postmark DMARC or dmarcian that parses the reports for you).
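
The alignment rule in check 10 and the policy progression in check 11 are easier to see side by side. This added example (not code from SendHaven) models how a receiver combines DKIM and SPF verdicts with the published DMARC record; the domains are constructed, and `PUBLIC_SUFFIXES` is a small stand-in for the Public Suffix List.

```python
# Stand-in for the Public Suffix List (assumption: production code loads the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=...; rua=...' into a dict of lower-cased tags."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def aligned(from_domain, auth_domain, mode):
    """mode 's' is strict (exact match); 'r' is relaxed (same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, dmarc_txt, dkim, spf):
    """dkim and spf are (result, domain) pairs: the DKIM d= domain and the
    envelope-sender domain, each with the verdict the receiver reached."""
    tags = parse_dmarc(dmarc_txt)
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    passed = dkim_ok or spf_ok  # DMARC needs one aligned pass, not both
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc": "pass" if passed else "fail",
            "applied_policy": "none" if passed else tags.get("p", "none")}

# Constructed record and messages.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
# ESP signs with its own domain: both checks pass, neither aligns with the From domain.
BEFORE = evaluate("mail.example.com", RECORD,
                  dkim=("pass", "esp.example.net"), spf=("pass", "bounce.esp.example.net"))
# Custom DKIM domain configured: d= now shares the From organizational domain.
AFTER = evaluate("mail.example.com", RECORD,
                 dkim=("pass", "example.com"), spf=("pass", "bounce.esp.example.net"))

if __name__ == "__main__":
    print("before:", BEFORE)
    print("after: ", AFTER)
```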

2. IP & infrastructure (7 checks)

The machine that sends your mail matters almost as much as the domain on it. This section is where cheap ESPs leak the most deliverability — they stuff thousands of senders onto shared IP pools and you inherit the reputation of whoever is sending next to you.

13. Reverse DNS (PTR record) is configured and matches the HELO/EHLO hostname. Missing rDNS is a near-instant spam flag.
14. HELO/EHLO hostname is an FQDN under a domain you control, not a generic hostname like localhost or server1.
15. Sending IP is not listed on Spamhaus SBL, CSS, XBL, PBL, Barracuda, Invaluement, SURBL or SORBS. Check weekly using MXToolbox or MultiRBL.valli.org.
16. The IP's /24 subnet neighbors are not listed. Even a clean IP inside a dirty subnet gets reputation drag from its neighbors.
17. For volume senders (100k+ per month): a dedicated IP or dedicated server is in use. Below that volume, a reputable shared pool outperforms a cold dedicated IP — we explain the trade-off in our SendGrid alternatives guide.
18. A documented IP warmup plan is in place for any new IP — starting at 50-200 messages to your most engaged segment, doubling every 2-3 days over 4-8 weeks.
19. TLS 1.2 or 1.3 is enforced on outbound connections. Cleartext SMTP is penalized by Gmail and Microsoft and leaks message contents to any network observer.

3. Content & formatting (6 checks)

Modern spam filters care less about "spam words" than they did a decade ago, but content still matters — especially structural signals like HTML validity, text-to-HTML ratio and link hygiene.

20. Every HTML email has a matching plain-text part (multipart/alternative). Missing text parts are a strong spam signal and hurt accessibility.
21. HTML validates cleanly. Broken tags, unclosed elements and inline JavaScript all trigger filter penalties.
22. Text-to-image ratio stays sensible — at minimum 60% text, 40% images. Image-only emails are a classic spammer pattern and get filtered aggressively.
23. Link domains are consistent and reputable. Every shortened link (bit.ly, t.co) costs you points. Use your own tracking domain if you need click tracking.
24. No URIs point to domains on SURBL or URIBL blocklists. Filters inspect the domains inside your message body, not just the sending IP.
25. Your test sends score 9.5 or higher on mail-tester.com. Our dedicated servers consistently hit 10/10 — if you are below 9.5 you have a fixable authentication, content or infrastructure issue.

4. List hygiene (7 checks)

List hygiene is where most otherwise-competent senders torch their reputation. A list that was clean 12 months ago is full of abandoned accounts, spam traps and corporate addresses that now bounce hard. Bad lists are the #1 cause of sudden inbox-rate collapses we see when diagnosing new customers.

26. Every address on the active sending list was collected with verifiable explicit consent — double opt-in preferred, or a provable single opt-in with timestamp and source.
27. The list has been run through a validation service (ZeroBounce, NeverBounce, Bouncer) within the last 30 days if you have not sent to it recently.
28. Hard bounces are suppressed automatically on first occurrence. Sending a second message to a hard bounce is a direct attack on your reputation.
29. Soft bounces are suppressed after 3-5 consecutive failures.
30. A sunset policy is in place: subscribers who have not opened or clicked in 90-180 days get moved to a re-engagement sequence, then dropped.
31. Role-based addresses (info@, admin@, support@, sales@) are filtered out before send — they are complaint magnets and never convert.
32. No purchased, scraped or rented lists are ever uploaded, ever. This is non-negotiable and one of the fastest ways to get permanently blacklisted.

Heads up: If you inherited a list from a prior team member and cannot prove consent on every address, treat the entire list as suspect. Re-permission it with a fresh single-email consent request before you migrate to any new infrastructure. This is cheaper than burning a fresh IP on a dirty list.

5. Engagement signals (4 checks)

Gmail and Yahoo both score senders primarily on engagement: opens, clicks, replies, forwards, "move to inbox" actions. This section is about making sure you are not accidentally killing engagement through segmentation mistakes or bad send-time logic.

33. First sends on any new domain or IP go exclusively to your top 10-20% most engaged subscribers. High open and click rates from day one build positive reputation fast.
34. Complaint rate (Gmail Postmaster + FBL) stays under 0.1% — one complaint per 1,000 messages. Above 0.3% you will see throttling.
35. Open rate on warmed lists stays above 15% for B2C, 20% for B2B. Under 10% on a warmed list is a reputation red flag.
36. Unengaged subscribers (no opens or clicks in 60+ days) are segmented out of daily sends and only contacted through dedicated re-engagement campaigns.

6. Monitoring & feedback loops (4 checks)

You cannot manage what you do not measure. The free tools below give you the same visibility mailbox providers have into your sending reputation — and most senders do not even know they exist.

37. Google Postmaster Tools is set up for every sending domain. Check spam rate, domain reputation, IP reputation, feedback loop and authentication tabs weekly.
38. Microsoft SNDS (Smart Network Data Services) is registered for every sending IP. Microsoft does not offer a Postmaster Tools equivalent for domains, so SNDS is the only data you get for Outlook / Hotmail / Live.
39. Feedback loops are subscribed for every major ISP that offers one — Yahoo, AOL (Verizon Media), Comcast, Cox, Microsoft JMRP. Any complaints you receive must trigger immediate suppression.
40. DMARC aggregate (rua) reports are being parsed and reviewed at least weekly. Unknown IPs sending on your behalf are the strongest early signal of a compromised API key or forgotten third-party integration.
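
The weekly review in check 40 comes down to comparing each reported source IP against the senders you know about. This added example (not SendHaven's tooling) does that over a constructed aggregate report in the RFC 7489 schema; the report contents, the `KNOWN_SENDERS` inventory and the finding labels are assumptions for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET  # reports come from third parties: prefer defusedxml in production

# Constructed aggregate report, trimmed to the fields used below.
REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>mail.example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>340</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>mail.example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.9</source_ip><count>15</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# CIDR ranges you expect to send as this domain (assumed inventory).
KNOWN_SENDERS = ["192.0.2.0/24"]

def review_report(xml_text, known_cidrs):
    """Return findings for every row except 'known source, DMARC pass', largest volume first."""
    networks = [ipaddress.ip_network(c) for c in known_cidrs]
    findings = []
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = ipaddress.ip_address(rec.findtext("row/source_ip").strip())
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the aligned DKIM and SPF results; one pass means DMARC passed.
        verdicts = (rec.findtext("row/policy_evaluated/dkim"),
                    rec.findtext("row/policy_evaluated/spf"))
        known = any(ip in net for net in networks)
        passed = "pass" in verdicts
        if known and passed:
            continue
        if passed:
            kind = "unknown source passing DMARC"  # holds your DKIM key or an aligned envelope domain
        elif known:
            kind = "known source failing DMARC"    # one of your own senders is misconfigured
        else:
            kind = "unknown source failing DMARC"  # spoofing, or an unaligned third-party service
        findings.append({"ip": str(ip), "count": count, "kind": kind,
                         "header_from": rec.findtext("identifiers/header_from")})
    return sorted(findings, key=lambda f: f["count"], reverse=True)

if __name__ == "__main__":
    for finding in review_report(REPORT, KNOWN_SENDERS):
        print(finding)
```

An unknown source that passes DMARC is the row to investigate first: it is sending mail that receivers accept as yours, which is what a leaked API key or a forgotten integration looks like in these reports.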

7. Compliance & legal (3 checks)

Compliance is not just a legal chore — missing footer elements and broken unsubscribe flows are direct reputation penalties with Gmail and Yahoo, regardless of jurisdiction.

41. Every commercial email includes a physical postal address and a working one-click unsubscribe link that honors the request within 10 business days (CAN-SPAM) or immediately (GDPR).
42. List-Unsubscribe and List-Unsubscribe-Post: List-Unsubscribe=One-Click headers are present on every message. These are mandatory since the 2024 Gmail/Yahoo bulk sender rules — missing them is a direct spam-folder trigger.
43. Consent records (source, timestamp, IP, form URL) are stored and retrievable for every subscriber. If a recipient files a GDPR complaint, you have 72 hours to produce proof.

8. High-risk industry extras (4 checks)

If you send email for iGaming, crypto, forex, CBD, adult, dating or cold outreach, you are operating under stricter filter rules than consumer SaaS senders. These four extras are the difference between surviving and thriving in the high-risk lane.

44. You use a dedicated IP or dedicated server — never a shared pool. Shared IPs for high-risk senders are a slow-motion disaster: one sloppy neighbor can torch your reputation overnight. This is the core reason we built SendHaven around dedicated servers per customer.
45. Your infrastructure provider's Acceptable Use Policy explicitly allows your industry. If you are reading the AUP hoping "they probably will not notice," you are one automated audit away from suspension. SendGrid, Mailchimp and Brevo prohibit gambling, crypto, CBD and adult content — we wrote a full SendGrid alternative guide if you need to migrate.
46. Your jurisdiction and company registration are publicly verifiable. European operators in particular need clean corporate transparency — a registered EU entity (ours is TRIGGER MEDIA PROJECT SRL in Romania) reduces friction with mailbox providers and payment processors alike.
47. You have a documented escalation path for blacklist removals and ISP disputes. If you wait until you are blocked at Gmail to learn how the dispute process works, you are already losing revenue by the hour.

The 5 most common mistakes we see

We run this audit on every new SendHaven customer during onboarding. Across 50+ businesses we have migrated in the last year, these are the five failures that show up most often:

  1. DKIM misalignment. The signature validates but the d= domain does not match the From header. DMARC fails silently, everything lands in spam, and the sender swears "authentication is set up correctly." It is not.
  2. Single SPF record becoming multiple. Someone adds a new sending service via a separate TXT record instead of merging into the existing one. SPF breaks entirely.
  3. Sending to unengaged segments from a new IP. The warmup goes to the whole database instead of the top engaged 10%. Reputation never gets off the ground.
  4. Using a mainstream ESP for a high-risk niche. The AUP ban comes weeks or months later, always at the worst possible time, and the sender wakes up to "your account has been suspended" with a live campaign in progress. We have seen this happen three times to a single iGaming operator on SendGrid — it is the story behind our most-quoted customer testimonial.
  5. Ignoring Google Postmaster Tools. The free data is sitting right there and somehow most senders never look at it until they are already in trouble.

Honest take: If you catch and fix the first four points on this checklist alone (authentication), you will solve more deliverability problems than the rest of this document combined. Everything else is polish on top of a foundation that either works or does not.

Frequently asked questions

What is a good email deliverability rate in 2026?

A healthy inbox placement rate is 95% or higher to Gmail, Yahoo and Microsoft combined. Anything under 90% means you have a fixable problem — usually authentication, list hygiene or IP reputation. Raw delivery rate (not bouncing) should sit above 98%; the gap between delivery rate and inbox rate is how much mail is landing in spam.

How often should I run a deliverability audit?

Run the full 47-point checklist quarterly. Run the pre-send subset (sections 1, 2, 3, 4) before every major campaign or new domain launch. Automated monitoring through Google Postmaster Tools and Microsoft SNDS should be checked weekly — both take five minutes and they will save you from a six-week inbox rate recovery.

Do I really need DMARC in 2026?

Yes, unconditionally. Since February 2024 Google and Yahoo have required DMARC for any sender above 5,000 messages per day. Microsoft now enforces the same threshold. Missing DMARC does not mean "slightly worse deliverability" — it means outright rejection at the largest inbox providers on the planet.

What is the single most important item on this checklist?

Authentication alignment. SPF, DKIM and DMARC must all pass and align with the visible From domain. Everything else on the list matters, but if you fail authentication you lose before the filter even reads your content. A single misaligned DKIM selector can destroy an entire campaign's inbox rate.

How long does IP warmup take?

Four to eight weeks for B2C senders, two to four weeks for B2B with a clean list. Day 1 starts at 50-200 messages to your most engaged subscribers, doubling volume every 2-3 days while keeping complaint rate under 0.1%. Rushing warmup is the fastest way to burn a new IP into uselessness.

Does a dedicated IP actually improve deliverability?

Only if your volume justifies it. Below roughly 100,000 messages per month, a reputable shared pool outperforms a cold dedicated IP because mailbox providers cannot build a reliable reputation signal on low-volume IPs. Above 100k/month, dedicated becomes non-negotiable — you stop paying the reputation tax of whoever else is on your shared pool. For high-risk industries, we recommend dedicated from day one regardless of volume.

What is a good spam complaint rate?

Below 0.1% — one complaint per 1,000 messages. Google Postmaster Tools shows this as your User Reported Spam Rate. Above 0.3% you will see throttling. Above 0.5% you are effectively blacklisted at Gmail until the rate recovers over several weeks of clean sending.

How do I check if my IP is on a blacklist?

Free tools: MXToolbox blacklist check, Spamhaus lookup, and MultiRBL.valli.org. The blacklists that actually matter to your deliverability are Spamhaus SBL and CSS, Barracuda, Invaluement and SURBL. URIBL listings matter as much as IP listings now — filters inspect the domains inside your message body.

The bottom line

Email deliverability is not a mystery. It is a checklist. Forty-seven boxes, eight categories, a handful of free monitoring tools, and a discipline of running the audit on a schedule rather than in panic mode after a campaign tanks.

The teams who consistently hit the inbox are not smarter than the teams who do not — they are just the ones who ticked every box on a list like this one before hitting send, and then did it again the next quarter. If you are running a high-volume or high-risk sending program and you want a human to walk this audit with you, book a free 15-minute audit call with our engineers. We will tell you honestly whether your current ESP can fix the issues you have, or whether you need dedicated infrastructure to get out of the shared-pool reputation drag.

And if you are already past the point of "can this ESP handle me" and staring at a suspension email, our full SendGrid alternatives guide walks through the 10 best migration options — with an honest breakdown of which ones actually accept iGaming, crypto, forex, CBD, adult and dating senders instead of quietly banning you six months in.
