Email Deliverability Audit

An email deliverability audit is a systematic, layer-by-layer diagnosis of why your mail is not reaching inboxes — checking authentication, reputation, blocklists, list quality, sending patterns and content in a fixed order, then producing a prioritised list of what to fix. Unlike troubleshooting one campaign, it examines the whole system. MCSNET runs audits from Toronto and is honest about the finding most guides bury: roughly 80% of deliverability problems are list-quality problems, not the technical settings everyone fixates on.

Key takeaways

  • An audit is a structured diagnosis of the whole sending system, not troubleshooting of a single campaign — it finds the cause, in order.
  • Order matters: authentication is checked first, and if it fails, it gets fixed before anything else is investigated.
  • The uncomfortable truth: about 80% of deliverability failures trace to list quality — invalid, disposable, role-based or dormant addresses — not DNS records.
  • You get a prioritised findings report: each problem mapped to a specific fix, ordered by impact, so you know exactly what to do first.
  • Run from Toronto: PIPEDA-resident, CASL-aware, and built for complex setups that automated tools miss.

When email stops landing, most teams reach for the wrong tools: they rewrite subject lines, swap send times, and A/B test their way around a problem that lives somewhere else entirely. A deliverability audit replaces that guessing with a structured diagnosis — a layer-by-layer examination of your whole sending system that finds the actual cause and tells you, in priority order, what to fix. This page explains what an audit checks, the order it follows, the finding most guides bury, and what you walk away with.

What is an email deliverability audit?

A deliverability audit is a systematic examination of every layer that decides whether your mail reaches the inbox, from your DNS records down to the quality of the addresses you send to. It differs from troubleshooting in scope and intent. Troubleshooting is reactive and narrow — one campaign underperformed, so you investigate that campaign. An audit is proactive and complete — it inspects the entire system, including the parts that have not yet visibly failed, because the cause of a future incident is usually already present and quietly building. It is diagnostic, telling you what is happening now and why, and a good one folds in a forward-looking risk assessment of what is likely to break next.

The reason a structured audit beats poking at symptoms is that deliverability is a system of many interacting parts. A campaign in spam could stem from an authentication break, a reputation slide, a blocklisting, a content trigger, or a decaying list — and they produce similar symptoms. Only checking each layer in order isolates the real cause instead of treating a guess.

Why audit instead of guessing?

Because guessing is expensive and slow. The classic pattern is a team watching open rates fall, concluding the copy is stale, and spending weeks testing subject lines while the real problem — a growing share of mail being filtered to spam — goes unaddressed and gets worse. Delivery dashboards make this easy to miss: they report mail as delivered when the server accepts it, even as that mail is routed to spam where no one sees it. An audit cuts through by measuring where mail actually lands and tracing every contributing factor, so the fix targets the cause rather than a hunch. The output is not “try writing better emails”; it is “your DKIM is misaligned, your list has a 9% bounce rate, and you are listed on one blocklist — fix them in this order.”

There is also a cost asymmetry that makes auditing worthwhile. The checks themselves are quick — a structured audit of a simple setup takes an hour or two, and even a complex multi-ESP environment is a matter of days — while the cost of guessing wrong runs for weeks and compounds. Every campaign sent into a problem you have not diagnosed makes the underlying reputation worse, so the longer you spend optimising the wrong thing, the deeper the hole. An audit front-loads a small, bounded effort to avoid an open-ended one, which is the same logic as testing before you ship rather than debugging in production.

The six layers we check

A thorough audit works through six layers in a deliberate sequence, because some failures invalidate the checks below them.

LayerWhat we checkPass looks like
1 · AuthenticationSPF, DKIM, DMARC present, passing, alignedAll three pass; DMARC past p=none
2 · ReputationDomain and IP via Postmaster Tools and SNDSHealthy spam rate, no negative trend
3 · BlocklistsSpamhaus and the major listsNo listings on your IPs or domains
4 · List healthBounce rate, engagement spread, validationBounces under 2%, engaged majority
5 · Sending patternsVolume consistency, warmup statusSteady volume, no unexplained spikes
6 · Content & technicalHTML, tracking domains, unsubscribeClean HTML, one-click unsubscribe present

Authentication comes first for a reason: if it is broken, mail is rejected or filtered regardless of how clean everything else is, so fixing it is the prerequisite for every other check meaning anything. From there the order moves from the signals that cause outright rejection toward the ones that shape placement, ending with the content checks that matter at the margin.

1 · Authenticationgate — fix first2 · Reputation3 · Blocklists4 · List health~80% of problems5 · Sending patterns6 · Content & technicalPrioritised findingseach finding → a specific fix,ordered by impact
Six layers, checked in order; authentication gates the rest, and list health is where most problems hide.

The finding most guides bury: it’s usually the list

Here is the uncomfortable truth that distinguishes an honest audit from a checklist of DNS records. Industry data consistently puts roughly 80% of deliverability failures down to list quality — invalid addresses, disposable signups, role-based accounts like info@ and sales@, and dormant contacts that have quietly accumulated. Authentication and reputation get the attention because they are technical and satisfying to fix, but they are not where most problems live. A list that has not been verified is the single most common root cause of the bounces, complaints and spam-trap hits that crater a reputation, and a B2B list decays around 28% a year as people change jobs and domains lapse. This is why we treat list verification as a first-class layer of the audit, not a footnote: a perfect DNS configuration sending to a rotten list still fails, and no record fixes bad data. When the audit finds the problem is the list, we say so plainly, even though “clean your data” is less satisfying than “here is a clever technical change.”

Checking list health properly means more than counting hard bounces. Real verification works in layers: a syntax check catches malformed and typo addresses, an MX check confirms the domain can actually receive mail, and mailbox-level verification confirms the specific address exists. On top of that, an audit flags the risky categories that a bounce count alone misses — role-based addresses like info@ and support@ that carry low engagement and high complaint rates, disposable and temporary domains used to grab a signup incentive, and the long tail of contacts who have not engaged in six to twelve months and are decaying toward becoming spam traps. Each of those is a reputation liability sitting quietly in a list that looks fine on a surface delivery report. We measure the engagement distribution too, because a list that is technically valid but mostly disengaged still drags placement down — valid is not the same as wanted.

How we check authentication

Authentication is the foundation, and it fails in specific, recurring ways. We verify that you have exactly one SPF record that lists every legitimate sending source and stays under the 10 DNS-lookup limit, because exceeding it causes a PermError that fails authentication outright. We confirm DKIM is signing with keys that align to your From domain, not just the return path, since alignment is what DMARC actually evaluates. And we check that DMARC is published and progressing past p=none toward enforcement. The single most common finding across every audit we run is the same: a sending source — a new ESP, a CRM, an invoicing tool — added without being included in SPF or given a DKIM key, so a whole stream of legitimate mail quietly fails authentication. It is invisible until you look, and it is exactly the kind of thing a structured audit catches.

How we check reputation, blocklists and placement

With authentication confirmed, we read your reputation through the provider windows — Google Postmaster Tools for the Gmail view and Microsoft SNDS for Outlook — looking at spam rate, authentication success and the trend rather than a single day. We query the major blocklists, including Spamhaus, for your IPs and domains, because a single Spamhaus listing can drop your inbox placement to near zero across providers and needs immediate remediation. And where it matters, we run seed-based inbox placement testing to measure where your mail actually lands by provider, since delivery logs and Postmaster cannot show the primary-versus-promotions-versus-spam split. Together these turn “our reputation feels off” into specific, provider-level facts.

What you get: a prioritised findings report

The deliverable is not a data dump; it is a decision tool. Every check produces a pass or fail against a clear threshold, and every failure maps to a specific remediation, ordered by impact so you know exactly what to do first. A typical report leads with the few high-impact fixes — an authentication gap, a dirty list segment, a blocklisting — and then the smaller refinements.

# mcsnet · deliverability audit · findings
[1] auth       FAIL  new ESP missing from SPF → mail failing alignment
[2] list       FAIL  9.1% bounce · 22% role-based · last verified: never
[3] blocklist  warn  1 listing (uceprotect) · low impact, monitor
[4] reputation warn  gmail spam rate 0.14% trending up
[5] auth dmarc pass  p=quarantine, aligned
priority     fix SPF (today) → verify list → recheck in 2 weeks

The point of ordering by impact is that effort goes where it pays: fixing the SPF gap and the list in that example will move the needle far more than any content tweak, and the report makes that obvious rather than leaving you to guess.

How often should you audit?

Treat it as a recurring process, not a one-time rescue. A full audit quarterly catches the slow drift — authentication that broke when a tool was added, a list decaying month over month, reputation easing down — before any of it compounds into a placement crisis. A quick monthly check of authentication, reputation and blocklists keeps the fast-moving signals honest. And any major change — an ESP migration, a domain change, a new sending tool, a volume spike — warrants an immediate audit, because those are exactly the moments authentication and reputation break. The most disciplined teams treat the audit as a release gate before big campaigns: if authentication fails the check, the send waits until it is fixed. Auditing only after deliverability drops means you are always cleaning up rather than preventing.

Why work with us?

Two reasons. First, data and consent: we run audits with your data hosted in Toronto under PIPEDA, and our CASL-aware lens means the audit checks consent and compliance, not just technical pass-fail — which matters because consent problems are reputation problems. Second, operator depth on complex setups: free tools handle a simple single-ESP audit well, and we will tell you when that is all you need. Where an experienced audit earns its place is complexity — multiple ESPs, dedicated IPs, high transactional volume, self-hosted infrastructure — where the issues that automated tools miss tend to hide. You get an operator who has seen the failure modes, not a checklist generator.

Who this is for, and who it is not

It is for senders who have watched deliverability slip and need to find the cause fast, for teams setting up or migrating who want to start compliant, and for anyone with complex sending infrastructure where the problem is hard to isolate. It is not strictly necessary for a small, simple sender on one ESP with healthy metrics — for them the free tools are usually enough, and we will say so. An audit is the honest front door to the rest of the work: it tells you whether you need deliverability services for ongoing management, reputation management for a damaged score, IP warming for a ramp, or simply a cleaner list — and it tells you in priority order, so you spend your effort where it actually moves placement rather than where it merely feels productive.

Frequently asked questions

What does an email deliverability audit check?
Six layers, in order: authentication (SPF, DKIM, DMARC passing and aligned), reputation (domain and IP via Postmaster Tools and SNDS), blocklists (Spamhaus and the major lists), list health (bounce rate, engagement distribution, validation), sending patterns (volume consistency and warmup status), and content and technical setup (HTML quality, tracking domains, unsubscribe). Each check has a pass or fail threshold and maps to a specific fix, so the output is a prioritised action list, not a vague report.
How is an audit different from just troubleshooting a bad campaign?
Troubleshooting reacts to one failure; an audit examines the whole system to find causes you would otherwise miss. A single campaign going to spam might be a content issue, a reputation slide, an authentication break, or a list problem — and only a structured look across all the layers tells you which. Audits also catch problems that have not yet caused a visible failure, like authentication that silently broke when a new ESP was added, so you fix them before they become an incident.
What is the most common problem audits find?
Two recur constantly. The first is broken authentication — usually an ESP or tool added without updating the SPF record, or DKIM that was never configured for a sending source. The second, and the bigger one by volume, is list quality: invalid, disposable, role-based and long-dormant addresses that drive the bounces and complaints sinking your reputation. Most teams expect the answer to be a clever technical tweak; far more often it is the list, which is why we check it as a first-class part of the audit rather than an afterthought.
How often should I run a deliverability audit?
A full audit quarterly, a quick check of authentication, reputation and blocklists monthly, and a full audit immediately after any major change — an ESP migration, a domain change, a new sending service, or a volume spike. Many teams also treat the audit as a release gate before big campaigns: if authentication fails the check, the send is blocked until it is fixed. Audits work best as prevention, not just as a post-mortem after deliverability has already dropped.
Can I just run a free audit myself?
For a simple setup, yes — Google Postmaster Tools, MXToolbox and a spam-score test cover the basic authentication, reputation and blocklist checks at no cost, and we will happily point you to them. Where a professional audit earns its place is complexity: multiple ESPs, dedicated IPs, high transactional volume, or a problem you have already worked through the basics on and still cannot identify. Complex sending hides issues automated tools miss, and that is where an experienced operator's audit pays for itself.
Talk to the team that runs the MTA, not just the box.
Toronto-based, PIPEDA-aligned email infrastructure — licensed, configured, and monitored.
Configure a server