By WarmySender Team
# Cold Email Deliverability Checklist 2026: SPF, DKIM, DMARC, Domain Warming

## Introduction: Why Email Deliverability Matters

In 2026, the average cold email has a **2-5% chance of reaching the inbox** without proper technical setup. The difference between success and failure often comes down to a single missing DNS record or an incomplete authentication protocol.

Email deliverability is the intersection of three critical metrics:

1. **Inbox Placement Rate** - The percentage of emails that land in the recipient's inbox (vs. spam, junk, or promotions folder)
2. **Spam Complaint Rate** - How often recipients mark your email as spam (anything above 0.1% damages sender reputation)
3. **Bounce Rate** - Hard bounces (invalid addresses) and soft bounces (temporary delivery failures)

Major mailbox providers—Gmail, Outlook, Yahoo, ProtonMail—evaluate sender reputation across multiple dimensions:

- **Authentication**: Does the email come from an authorized source?
- **Sending History**: How long have you been sending from this domain?
- **Engagement**: Do recipients open, click, and reply to your emails?
- **Complaints**: What percentage of recipients mark you as spam?
- **Infrastructure**: Are you sending from stable, non-blacklisted IPs?

Without proper setup, your domain gets flagged as a potential phisher or spammer. With proper setup, you establish trust with mailbox providers and dramatically improve your inbox placement rate.

This guide covers the essential technical foundations for cold email success in 2026.

---

## Section 1: SPF Records (Sender Policy Framework)

### What is SPF?

SPF is a DNS-based authentication protocol that answers one question: **"Is this email server authorized to send mail on behalf of this domain?"**

When Gmail receives an email claiming to be from `sales@yourdomain.com`, it:

1. Extracts the domain (`yourdomain.com`)
2. Queries the SPF DNS record
3. Checks if the sender's IP is in the authorized list
4. Accepts or rejects the email based on the SPF policy

SPF alone doesn't guarantee inbox placement, but **failing SPF checks is almost guaranteed to trigger spam filters**.

### How SPF Works (Technical)

SPF records are stored as TXT records in your domain's DNS. A typical SPF record looks like:

```dns
v=spf1 include:sendgrid.net include:mailgun.org ip4:192.168.1.1 ~all
```

**Components explained:**

| Component | Meaning |
|-----------|---------|
| `v=spf1` | SPF version 1 (required for all SPF records) |
| `include:sendgrid.net` | Authorizes all IPs listed in sendgrid.net's SPF record |
| `ip4:192.168.1.1` | Authorizes this specific IPv4 address |
| `ip6:2001:db8::1` | Authorizes this specific IPv6 address |
| `a` | Authorizes the IP of the domain's A record |
| `mx` | Authorizes all MX record IPs |
| `~all` | Soft fail (accept but mark as suspicious if not matched) |
| `-all` | Hard fail (reject if not matched) |

**SPF Qualifiers (first character):**

| Qualifier | Behavior | Use Case |
|-----------|----------|----------|
| `+` (default) | Pass | Normal authorization |
| `-` | Fail | Explicitly reject |
| `~` | Soft fail | Accept but flag as suspicious |
| `?` | Neutral | No policy statement |

### SPF Setup: Step-by-Step

#### Step 1: Identify Your Sending Sources

List every email service you use:

- Email marketing platform (Mailchimp, SendGrid, etc.)
- CRM (HubSpot, Salesforce, Pipedrive)
- Personal SMTP server (if applicable)
- Transactional email service (AWS SES, Postmark, etc.)

#### Step 2: Gather SPF Records from Each Service

Each service provides an SPF include statement.
Examples:

**SendGrid:**

```dns
include:sendgrid.net
```

**Mailgun:**

```dns
include:mailgun.org
```

**AWS SES:**

```dns
ip4:203.0.113.0 ip4:203.0.113.1
```

**Google Workspace:**

```dns
include:_spf.google.com
```

#### Step 3: Combine into Single SPF Record

Combine all includes, then add your policy:

```dns
v=spf1 include:sendgrid.net include:mailgun.org include:_spf.google.com ~all
```

**Important: SPF DNS Lookups Limit**

SPF records can trigger a maximum of 10 DNS lookups. Each `include:` and `a` statement counts as 1 lookup. If you exceed 10, the SPF record fails entirely.

If you hit the limit, consolidate includes or use a service like Valimail that flattens multiple includes into single IPs.

#### Step 4: Add to Your DNS Provider

Access your DNS provider (GoDaddy, Cloudflare, Route53, etc.) and create a TXT record:

- **Name/Host:** `@` or your domain root
- **Type:** TXT
- **Value:** `v=spf1 include:sendgrid.net include:mailgun.org include:_spf.google.com ~all`

Wait 24-48 hours for DNS propagation.

#### Step 5: Verify SPF Record

Use an SPF checker to verify:

```bash
# Using nslookup (macOS/Linux)
nslookup -type=TXT yourdomain.com

# Using dig
dig yourdomain.com TXT

# Using online tools (open in a browser)
# https://mxtoolbox.com/spf.aspx
# https://www.dmarcian.com/spf-survey/
```

Expected output:

```
yourdomain.com TXT "v=spf1 include:sendgrid.net include:mailgun.org include:_spf.google.com ~all"
```

### SPF Troubleshooting

**Problem: SPF record not showing**

- Wait 24-48 hours for DNS propagation
- Verify you're querying the correct domain
- Check that you're adding at the root (@), not a subdomain
- Use `dig yourdomain.com TXT` to check all TXT records

**Problem: Too many DNS lookups (permerror)**

SPF records are limited to 10 DNS lookups. If you see "permerror" in SPF tests:

1. Count your lookups: Each `include:`, `a`, `mx` counts as 1
2. Remove unused includes
3. Use SPF flattening services (Valimail, DMARCian)
4. Create separate SPF records for subdomains

**Problem: Soft fail (~all) not catching spam**

Some systems ignore soft fail. For better security, use hard fail (-all):

```dns
v=spf1 include:sendgrid.net -all
```

But only after verifying ALL legitimate senders are included.

---

## Section 2: DKIM (DomainKeys Identified Mail)

### What is DKIM?

DKIM adds a **cryptographic signature** to your emails, proving they haven't been tampered with in transit and that they truly come from your domain.

When Gmail receives your email:

1. It extracts the DKIM signature from the email headers
2. Queries your DKIM public key from DNS
3. Verifies the signature using the public key
4. Accepts the email if the signature is valid

**Key difference from SPF:**

- SPF checks if the IP is authorized
- DKIM checks if the email content is authentic (not tampered with)

### DKIM Cryptography (Simplified)

DKIM uses public-key cryptography:

1. **Public Key** (stored in DNS) - Anyone can use to verify signatures
2. **Private Key** (stored on your mail server) - Only you use to create signatures

When you send an email:

```
Your Mail Server
    ↓
Signs email with Private Key
    ↓
Email + Signature → Recipient
    ↓
Recipient's Mail Server
    ↓
Retrieves Public Key from DNS
    ↓
Verifies Signature
    ↓
Email Authentic ✓ or Invalid ✗
```

### DKIM Setup: Step-by-Step

#### Step 1: Generate DKIM Keys (via Your Email Service)

Most email services auto-generate DKIM keys. Examples:

**SendGrid:**

1. Go to Settings → Sender Authentication
2. Click "Create DKIM"
3. Verify domain ownership (via CNAME or TXT record)
4. SendGrid provides the public key

**Mailgun:**

1. Go to Sending Domains
2. Click "Add New Domain"
3. Mailgun generates DKIM record

**If you have your own SMTP server:**

Generate keys using OpenSSL:

```bash
# Generate 2048-bit RSA key pair
openssl genrsa -out dkim_private.pem 2048

# Extract public key
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem

# Format for DNS (remove header/footer)
cat dkim_public.pem | grep -v "^-" | tr -d '\n'
```

#### Step 2: Add DKIM Public Key to DNS

Your email service provides a DNS record in one of these formats:

**CNAME format** (easiest):

```dns
selector1._domainkey.yourdomain.com CNAME selector1.sendgrid.net
```

**TXT format** (full public key):

```dns
selector1._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
```

**What is "selector1"?**

The selector is a label that allows multiple DKIM keys per domain (useful for key rotation). Common selectors:

- `selector1`, `selector2`
- `default`
- `mailgun`, `sendgrid`, `google`

#### Step 3: Verify DKIM Record

```bash
# Check DKIM record
dig selector1._domainkey.yourdomain.com TXT

# Expected output:
# selector1._domainkey.yourdomain.com. 300 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."
```

Use online tools:

```
https://mxtoolbox.com/dkim.aspx
https://www.dmarcian.com/dkim-survey/
```

#### Step 4: Verify Email Headers

Send a test email and check headers for DKIM signature:

**In Gmail:**

1. Open email
2. Click three dots → "Show original"
3. Look for: `DKIM: PASS`

**Expected headers:**

```
Authentication-Results: mx.google.com;
    dkim=pass header.i=@yourdomain.com header.s=selector1 header.b=...
```

### DKIM Key Management

**Rotation (Recommended every 1-2 years):**

1. Generate new public/private key pair
2. Add new DKIM record to DNS with new selector (e.g., `selector2`)
3. Update mail server to use new private key
4. Keep old selector in DNS for 30 days (for emails in transit)
5. Remove old selector after 30 days

**Multiple Selectors (for load balancing):**

You can have multiple DKIM selectors active:

```dns
selector1._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=ABC..."
selector2._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=XYZ..."
```

Configure your mail server to use different selectors for different sending IPs.

### DKIM Troubleshooting

**Problem: DKIM=FAIL in email headers**

Causes:

1. DKIM record not in DNS (wait 24-48 hours)
2. Selector doesn't match configuration (default vs. selector1)
3. Email modified in transit (rare)

Solution:

- Re-verify DKIM DNS record with `dig` command
- Check email service configuration matches selector
- Test with simple email first (no links, images, special characters)

**Problem: No DKIM header in received email**

Cause: Email service not configured to sign emails with DKIM

Solution:

- Verify DKIM setup is complete in email service dashboard
- Resend test email from service
- Allow 5-10 minutes for propagation

---

## Section 3: DMARC (Domain-based Message Authentication, Reporting, and Conformance)

### What is DMARC?

DMARC is a **policy and reporting protocol** that tells mailbox providers what to do with emails that fail SPF or DKIM checks.
DMARC answers: **"If SPF and DKIM fail, should you reject, quarantine, or accept this email?"**

DMARC also provides **reports** showing:

- How many emails passed/failed authentication
- Which IPs are sending from your domain
- Who is spoofing your domain (critical for security)

### DMARC Policy Options

| Policy | Behavior | Use Case |
|--------|----------|----------|
| `none` | Accept failed emails, generate reports | Monitoring (Week 1-2) |
| `quarantine` | Send failed emails to spam folder | Testing (Week 2-4) |
| `reject` | Reject failed emails entirely | Production (Week 4+) |

### DMARC Setup: Step-by-Step

#### Step 1: Monitor (Week 1)

Start with monitoring policy to understand your email flow without blocking anything:

```dns
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com
```

**Components:**

| Component | Meaning |
|-----------|---------|
| `v=DMARC1` | DMARC version (required) |
| `p=none` | Policy: don't reject/quarantine, just monitor |
| `rua=mailto:...` | Email address for aggregate reports (weekly) |
| `ruf=mailto:...` | Email address for forensic reports (failed emails) |
| `pct=100` | Percentage of messages to apply policy (start at 100%) |

Add to DNS:

```dns
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; pct=100"
```

#### Step 2: Review Reports (Week 1-2)

You'll receive XML reports showing:

- Sending volume
- SPF/DKIM alignment
- Failed sources (potential spoofing)

Example report breakdown:

```
Total emails: 5,000
SPF Pass: 4,950 (99%)
DKIM Pass: 4,950 (99%)
Failed (spoofing): 50 (1%)

Failed sources:
- 3.14.159.26 (unknown IP)
```

#### Step 3: Identify All Authorized Senders

Review reports and identify:

- Which IPs are legitimately sending from your domain
- Which IPs are unauthorized (spoofing/compromise)

#### Step 4: Escalate to Quarantine (Week 2-4)

After confirming all legitimate senders pass SPF/DKIM, move to quarantine:

```dns
_dmarc.yourdomain.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; pct=100"
```

**Quarantine** sends failed emails to spam folder rather than rejecting. This is safer than reject during testing.

#### Step 5: Move to Reject (Week 4+)

Once comfortable, enforce reject policy for maximum security:

```dns
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com,mailto:security@yourdomain.com; pct=100"
```

### DMARC Alignment

DMARC requires authentication to "align" with the From: header domain.

**SPF Alignment:**

For SPF to align with DMARC, the Return-Path domain must match (or be a subdomain of) the From: domain.

```
From: sales@yourdomain.com
Return-Path: bounces@yourdomain.com ✓ (Aligns - same domain)
Return-Path: bounces@mail.sendgrid.net ✗ (Doesn't align)
```

**DKIM Alignment:**

For DKIM to align, the DKIM d= tag domain must match (or be a subdomain of) the From: domain.

```
From: sales@yourdomain.com
DKIM d=yourdomain.com ✓ (Aligns)
DKIM d=sendgrid.net ✗ (Doesn't align)
```

### DMARC Advanced Options

```dns
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:security@yourdomain.com; fo=1; pct=100; aspf=s; adkim=s"
```

| Option | Value | Meaning |
|--------|-------|---------|
| `fo` | 0, 1, d, s | Forensic report options (1=send on any failure) |
| `pct` | 0-100 | Percentage of emails to apply policy |
| `aspf` | r, s | SPF alignment requirement (s=strict, r=relaxed) |
| `adkim` | r, s | DKIM alignment requirement (s=strict, r=relaxed) |
| `rf` | afrf, iodef | Forensic report format |
| `ri` | seconds | Report interval (default 86400 = 1 day) |

### DMARC Subdomain Policy

To avoid affecting subdomains, set a separate DMARC policy:

```dns
_dmarc.mail.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
```

This allows `mail.yourdomain.com` to have different policy than `yourdomain.com`.
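
The report review in Steps 2-3 and the alignment rules above can be applied together in one triage pass over an aggregate (`rua`) report. The Python below is an added example, not part of the original guide or of any vendor tool: the report XML is constructed and trimmed to the fields used, and relaxed alignment follows this guide's wording (same domain or a subdomain of the From: domain) rather than the full organizational-domain comparison in RFC 7489, which needs the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report (RFC 7489 Appendix C layout, trimmed), loosely
# following the 5,000-message breakdown in Step 2. Not real traffic.
SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
  <policy_published>
    <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>4900</count></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>bounces.yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>50</count></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>sendgrid.net</domain><result>pass</result></dkim>
      <spf><domain>mail.sendgrid.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>3.14.159.26</source_ip><count>50</count></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>"""


def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): exact match or a subdomain
    of the From: domain (this guide's wording; an approximation of the RFC)."""
    auth = auth_domain.strip().lower()
    frm = from_domain.strip().lower()
    if auth == frm:
        return True
    return mode == "r" and auth.endswith("." + frm)


def triage(report_xml):
    """Return {source_ip: {verdict: message_count}} for one aggregate report."""
    # Reports arrive from outside parties: refuse DTDs instead of expanding them.
    if b"<!DOCTYPE" in report_xml or b"<!ENTITY" in report_xml:
        raise ValueError("report carries a DTD; refusing to parse")
    root = ET.fromstring(report_xml)
    published = root.find("policy_published")
    modes = {
        "dkim": (published.findtext("adkim") or "r").strip(),
        "spf": (published.findtext("aspf") or "r").strip(),
    }
    summary = {}
    for record in root.iter("record"):
        ip = record.findtext("row/source_ip").strip()
        count = int(record.findtext("row/count"))
        header_from = record.findtext("identifiers/header_from")
        # Every <dkim>/<spf> result that passed, whatever domain it passed for.
        passed = [r for r in record.find("auth_results")
                  if (r.findtext("result") or "").strip() == "pass"]
        if any(aligned(r.findtext("domain") or "", header_from,
                       modes.get(r.tag, "s")) for r in passed):
            verdict = "dmarc-pass"        # authenticated AND aligned
        elif passed:
            verdict = "unaligned"         # passes for another domain (Issue 4 case)
        else:
            verdict = "unauthenticated"   # unknown sender or spoofing
        per_ip = summary.setdefault(ip, {})
        per_ip[verdict] = per_ip.get(verdict, 0) + count
    return summary


def failure_pct(summary):
    """Share of reported messages that would fail DMARC, in percent."""
    total = sum(sum(v.values()) for v in summary.values())
    failed = sum(n for v in summary.values()
                 for verdict, n in v.items() if verdict != "dmarc-pass")
    return 100.0 * failed / total if total else 0.0


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for ip, verdicts in result.items():
        print(ip, verdicts)
    print(f"failing DMARC: {failure_pct(result):.1f}%")
```

Sources marked `unaligned` are usually legitimate senders that still need domain authentication configured; sources marked `unauthenticated` are the ones to investigate before tightening the policy.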

### DMARC Monitoring Tools

Services that parse DMARC reports:

- **DMARCian** (dmarcian.com) - Full DMARC management
- **Agari** (agari.com) - Enterprise DMARC
- **Valimail** - DMARC automation
- **Microsoft Defender** - Free (if you have Office 365)
- **Google Postmaster Tools** - Free Gmail-specific insights

---

## Section 4: Domain Warming (Volume Ramp Strategy)

### Why Domain Warming is Critical

New domains have **zero sending history**. Mailbox providers treat them with suspicion.

When you launch a new domain and immediately send 1,000 emails:

- Gmail sees: "Unknown domain, zero history, mass sending" → **Spam flag**
- Result: Low inbox placement rate (5-20%)

Instead, **gradually build reputation** by:

1. Starting with low volume (10-50 emails/day)
2. Increasing volume over time (50 → 100 → 500 → 1,000+)
3. Maintaining high engagement rates
4. Building sender reputation signals

### Domain Warming Timeline (2026 Standard)

Follow this progressive schedule for a new domain:

**Week 1-2: Foundation (50-100 emails/day)**

- Day 1-3: 10-25 emails/day
- Day 4-7: 25-50 emails/day
- Day 8-14: 50-100 emails/day

Requirements:

- ✅ SPF, DKIM, DMARC all passing
- ✅ Domain age 1-2 weeks
- ✅ Website with privacy policy, contact page
- ✅ Email sent from recognized lists (not purchased, sourced lists)

**Week 2-4: Ramp Phase (100-500 emails/day)**

- Day 15-21: 100-200 emails/day
- Day 22-28: 200-300 emails/day
- Day 29-35: 300-500 emails/day

Requirements:

- ✅ Initial cohort showing 20%+ open rate
- ✅ 0% spam complaint rate
- ✅ Less than 2% hard bounce rate
- ✅ 10%+ reply rate (engagement signal)

**Week 4-8: Scale Phase (500-2,000 emails/day)**

- Day 36-42: 500-750 emails/day
- Day 43-56: 750-1,500 emails/day
- Day 57-60: 1,500-2,000 emails/day

Requirements:

- ✅ Sustained 15%+ open rates
- ✅ 0% spam complaint rate
- ✅ 10%+ reply rate across campaigns
- ✅ Positive engagement signals (opens, clicks, replies)

**Week 8+: Full Scale (2,000+ emails/day)**

Once you hit 60 days and maintain engagement metrics, you can increase to your target volume.

**Important:** Monitor daily and adjust if metrics drop.

### Domain Warming Best Practices

**1. Start with Warm Lists (Week 1-4)**

Avoid cold lists initially. Use:

- Existing customers
- Previous leads with engagement
- Referral sources
- Personal network

**2. Maintain High Engagement**

Mailbox providers track:

- **Open rate** (target: 15%+)
- **Reply rate** (target: 10%+)
- **Unsubscribe rate** (keep below 0.5%)
- **Spam complaint rate** (must be 0%)

**3. Segment Your List**

Don't email your entire database on day 1. Segment by:

- Account age (warm accounts first)
- Engagement level (high engagement first)
- Geography (test major regions first)

**4. Use Verification Before Warming**

Verify email addresses to reduce bounces:

- Use Hunter.io, RocketReach, Clearbit
- Aim for bounce rate below 2%

**5. Monitor Deliverability Metrics**

Track daily:

- **Delivery rate** (% emails delivered)
- **Open rate** (% emails opened)
- **Reply rate** (% emails replied to)
- **Bounce rate** (% invalid addresses)
- **Spam complaint rate** (must be 0%)

Tools:

- Google Postmaster Tools (free, Gmail-specific)
- Mailgun analytics (mailgun.com)
- SendGrid analytics (sendgrid.com)
- WarmySender Analytics (warmysender.com)

### Domain Warming Mistakes to Avoid

**Mistake 1: Sending to purchased lists**

Purchased lists = high bounce + high complaint rates.

- Result: Damage to sender reputation on day 1.
- Fix: Use organic sourcing only during warmup.

**Mistake 2: Too fast ramp (doubling volume every day)**

Ramping from 100 to 2,000 emails in 3 days is a red flag.

- Result: Immediate spam folder placement.
- Fix: Follow the gradual 8-week schedule.

**Mistake 3: Ignoring bounce rates**

High bounces (>5%) signal list quality issues.

- Result: Sender reputation damage, rate limiting by providers.
- Fix: Keep bounce rate below 2%. Verify addresses first.

**Mistake 4: Sending to unrelated recipients**

Sending job offers to stay-at-home parents = poor targeting.

- Result: High unsubscribe and complaint rates.
- Fix: Target based on actual relevance to recipient.

**Mistake 5: Weak email content**

Generic, salesy subject lines and body copy.

- Result: Low open rates, no engagement signals.
- Fix: Personalize subject lines, reference recipient research, ask genuine questions.

---

## Section 5: Additional Technical Factors (Reverse DNS, BIMI)

### Reverse DNS (PTR Records)

**What is Reverse DNS?**

Reverse DNS maps an IP address back to a domain name. When a mailbox provider receives email from IP `192.0.2.1`, it:

1. Performs a reverse DNS lookup
2. Retrieves the PTR record
3. Verifies it matches your domain

**Why it matters:**

Many mailbox providers (especially Outlook) check reverse DNS. If your IP has no PTR record, or if the PTR record doesn't match your sending domain, you get flagged as suspicious.

**How to set up Reverse DNS:**

Contact your email service provider. Most providers (SendGrid, Mailgun, AWS SES) automatically set up reverse DNS for their IPs.

If you have a dedicated IP:

```
IP: 192.0.2.1
Reverse DNS: mail.yourdomain.com
Verification: dig -x 192.0.2.1
# Should return: mail.yourdomain.com
```

**Verification:**

```bash
dig -x 192.0.2.1

# Expected output:
# 1.2.0.192.in-addr.arpa. 300 IN PTR mail.yourdomain.com.
```

### BIMI (Brand Indicators for Message Identification)

**What is BIMI?**

BIMI displays your company logo next to emails in Gmail, Yahoo, and other providers. It:

- Builds brand recognition
- Increases open rates by 10-15%
- Requires DMARC p=reject or p=quarantine
- Requires verified logo (SVG or PNG)

**BIMI Setup:**

1. **Create SVG Logo** (no more than 256KB)

   ```xml
   YD
   ```

2. **Add BIMI DNS Record**

   ```dns
   default._bimi.yourdomain.com TXT "v=BIMI1; l=https://yourdomain.com/logo.svg; a=https://yourdomain.com/certificates/logo.crt"
   ```

3. **Optional: Add BIMI Certificate**

   VMC (Verified Mark Certificate) from Entrust or DigiCert (~$249-500/year). Prevents logo misuse.

4. **Verify in Gmail**

   Send test email to Gmail. If DMARC is reject and logo is valid, Gmail displays your logo.

**BIMI Eligibility Checklist:**

- ✅ DMARC policy = reject or quarantine
- ✅ Logo in SVG format
- ✅ Logo size under 256KB
- ✅ Logo registered at `default._bimi.yourdomain.com`
- ✅ (Optional) VMC certificate for maximum credibility

---

## Section 6: Complete Technical Setup Checklist

### Pre-Launch Checklist (Before First Email)

**Domain Setup:**

- [ ] Domain registered and DNS accessible
- [ ] Domain age: 1-2 weeks (mailbox providers favor established domains)
- [ ] Website published with:
  - [ ] Privacy policy
  - [ ] Terms of service
  - [ ] Contact page
  - [ ] Company information

**Email Authentication:**

- [ ] SPF record created and verified
  - [ ] All email services included
  - [ ] DNS lookups ≤ 10
  - [ ] Hard fail (-all) or soft fail (~all) added
  - [ ] Verified with `dig` or MXToolbox
- [ ] DKIM record created and verified
  - [ ] Public key added to DNS
  - [ ] Selector matches email service config
  - [ ] DKIM signature appearing in email headers
  - [ ] Verified with online tools
- [ ] DMARC record created and verified
  - [ ] Policy: p=none (monitoring)
  - [ ] Report email configured
  - [ ] Record added to `_dmarc.yourdomain.com`

**Infrastructure:**

- [ ] Reverse DNS (PTR) configured
- [ ] Sending IP not on blacklists (check MXToolbox, AbuseIPDB)
- [ ] Email service configured to sign emails (DKIM, SPF alignment)

### Week 1-2 Checklist (Monitoring & Testing)

**Testing:**

- [ ] Send test email to Gmail address
  - [ ] Verify DKIM=PASS in headers
  - [ ] Verify SPF alignment in headers
  - [ ] Check Gmail Postmaster Tools (wait 1 day for data)
- [ ] Send small batch (50 emails) to warm list
  - [ ] Monitor open rates (target: 20%+)
  - [ ] Monitor reply rates (target: 10%+)
  - [ ] Verify 0% spam complaints

**Monitoring:**

- [ ] Subscribe to DMARC reports
- [ ] Monitor daily delivery metrics:
  - [ ] Delivery rate (target: 98%+)
  - [ ] Bounce rate (target: <2%)
  - [ ] Complaint rate (target: 0%)
  - [ ] Open rate (target: 15%+)

### Week 2-4 Checklist (Ramp & Optimization)

**Volume Management:**

- [ ] Increase volume gradually (follow ramp schedule)
- [ ] Monitor metrics at each volume increase
- [ ] Reduce volume if metrics drop

**DMARC Escalation:**

- [ ] Review DMARC reports for failures
- [ ] Identify all spoofing attempts
- [ ] If <1% failures, move to p=quarantine

**Content Optimization:**

- [ ] Test subject line variations (A/B test)
- [ ] Personalize first name in body
- [ ] Add recipient research/relevance
- [ ] Test email frequency

### Week 4-8 Checklist (Scaling & Reputation)

**Reputation Building:**

- [ ] Maintain 15%+ open rates
- [ ] Maintain 10%+ reply rates
- [ ] Keep bounce rate <2%
- [ ] Maintain 0% complaint rate

**DMARC Final Step:**

- [ ] If DMARC reports show <0.5% failures, move to p=reject
- [ ] Implement BIMI (optional but increases opens 10-15%)
- [ ] Set up logo for brand display

**Infrastructure Upgrade:**

- [ ] If sending 5,000+ daily, consider dedicated IP
- [ ] If sending 10,000+ daily, implement IP rotation
- [ ] Monitor list quality and maintain hygiene

### Week 8+ Checklist (Maintenance)

**Ongoing:**

- [ ] Monitor DMARC reports monthly
- [ ] Update email lists (remove bounced/unengaged)
- [ ] Refresh content and subject lines quarterly
- [ ] Maintain engagement metrics
- [ ] Annual DKIM key rotation (optional but recommended)
- [ ] Monitor IP reputation (MXToolbox, Talos)

**Advanced:**

- [ ] Implement ARC (for forwarded emails)
- [ ] Implement BIMI certificate (VMC) for max credibility
- [ ] Monitor mailbox provider authentication changes (Gmail, Yahoo, Microsoft updates)

---

## Section 7: Troubleshooting Common Issues

### Issue 1: Emails Going to Spam (Low Inbox Placement)

**Diagnosis:**

```bash
# Check SPF
dig yourdomain.com TXT

# Check DKIM
dig selector1._domainkey.yourdomain.com TXT

# Check DMARC
dig _dmarc.yourdomain.com TXT

# Check reverse DNS
dig -x 192.0.2.1
```

**Solutions (in order):**

1. Verify SPF, DKIM, DMARC records are present and correct
2. Wait 48 hours for DNS propagation
3. Check Google Postmaster Tools for errors
4. Check email headers in Gmail (look for "Why is this in spam?")
5. Reduce send volume (slow ramp can improve placement)
6. Verify sender IP not on blacklists (MXToolbox)
7. Request whitelist from recipient's domain IT (if B2B)

### Issue 2: SPF FAIL or PERMERROR

**SPF FAIL Diagnosis:**

```bash
# Check SPF record
dig yourdomain.com TXT | grep spf1

# Count DNS lookups (should be ≤10)
# Each include:, a, mx, ptr, exists counts as 1
```

**Solutions:**

1. Remove unused includes (`include:oldservice.com`)
2. Replace multiple includes with one (use SPF flattening)
3. Use CNAME records instead of TXT (fewer lookups)
4. Move some services to subdomains

Example (reducing from 11 lookups to 9):

```dns
# Before (12 lookups - PERMERROR)
v=spf1 include:sendgrid.net include:mailgun.org include:amazon.com include:google.com include:office365.com a mx ptr ?all

# After (8 lookups - PASS)
v=spf1 include:sendgrid.net include:mailgun.org include:google.com -all
```

### Issue 3: DKIM FAIL or SIGNATURE MISSING

**Diagnosis:**

```bash
# Send test email and check headers
# Look for: DKIM: PASS or DKIM: FAIL

# Verify DKIM record in DNS
dig selector1._domainkey.yourdomain.com TXT
```

**Solutions:**

1. Wait 48 hours for DNS propagation
2. Verify selector matches email service config
3. Check that email service has DKIM signing enabled
4. Resend test email from service
5. Verify public key format (should start with `v=DKIM1; k=rsa; p=`)

### Issue 4: DMARC FAIL (SPF/DKIM not aligning)

**Problem:** SPF and DKIM pass, but they don't "align" with From: domain.

**Example:**

```
From: sales@yourdomain.com
SPF Return-Path: bounces@mail.sendgrid.net (different domain - no align)
DKIM d=sendgrid.net (different domain - no align)
DMARC Result: FAIL
```

**Solution:**

Use email service that aligns with your domain. Request:

- SendGrid: Use sendgrid domain authentication (not CNAME)
- Mailgun: Enable domain signing
- Custom SMTP: Ensure DKIM d= matches From: domain

### Issue 5: High Bounce Rate (>5%)

**Causes:**

- Using purchased/old lists
- Typos in email addresses
- Not verifying emails before sending

**Solutions:**

1. Use email verification service (Hunter.io, Clearbit, RocketReach)
2. Remove bounced emails from list (never resend to bounces)
3. Check list source (organic > referral > verified third-party > purchased)
4. Manual verification sample (check 100 addresses in Clearbit)

### Issue 6: Complaint Rate Rising (>0.1%)

**Causes:**

- Irrelevant targeting
- Aggressive sending (too frequent)
- Generic/salesy content

**Solutions:**

1. Pause sending and diagnose (review complaint feedback)
2. Remove complainers + similar profiles from list
3. Improve subject line personalization
4. Improve email content (more relevance, less salesy)
5. Reduce send frequency

### Issue 7: Throttling/Rate Limiting (Some Emails Queued)

**Symptoms:**

- Emails sending slower than expected
- 400-level SMTP errors (4.2.4 too many connections)
- Some emails arriving hours late

**Causes:**

- Too many simultaneous connections to recipient's mail server
- Too many emails to same domain in short time
- Sending from bad-reputation IP

**Solutions:**

1. Reduce concurrent connections (limit to 5 per host)
2. Stagger sends across longer time window
3. Use IP rotation if available
4. Lower send volume temporarily
5. Check IP reputation (MXToolbox)

---

## Section 8: FAQs

**Q: How long until my domain has full deliverability?**

A: 8 weeks following the gradual warming schedule.
Some domain reputation benefits appear immediately (authentication), but full reputation builds over 2 months of consistent, engaged sending.

**Q: Can I skip domain warming?**

A: Not recommended. Skipping warming reduces inbox placement by 50-80%. Few companies succeed with cold sends from brand new domains.

**Q: Do I need a dedicated IP?**

A: Not initially. Shared IPs work fine for <1,000 sends/day. Once you hit 5,000+ daily, dedicated IP improves deliverability.

**Q: How often should I rotate DKIM keys?**

A: Every 1-2 years is recommended (not required). If compromised, rotate immediately.

**Q: What's the difference between SPF and DKIM?**

A: SPF authenticates the sending server IP. DKIM cryptographically signs the email content. Both needed for full authentication.

**Q: Why is DMARC p=reject scary?**

A: Hard reject means if SPF/DKIM fail, mailbox providers reject the email entirely (bounce). Must test thoroughly with p=none first.

**Q: Can I use DMARC without SPF/DKIM?**

A: DMARC requires at least one (SPF or DKIM) to align. Having both is best practice.

**Q: Should I use hard fail (-all) or soft fail (~all) in SPF?**

A: Hard fail (-all) is more secure. Start with soft fail (~all) during testing, then move to hard fail after 1 week.

**Q: How do I know if my IP is blacklisted?**

A: Check MXToolbox (mxtoolbox.com) - enter your IP, get real-time blacklist status across 100+ lists.

**Q: Why does Gmail show a warning "?mailed.google.com"?**

A: Gmail routing emails through its own servers. Usually means DKIM not properly aligned. Verify DKIM d= matches From: domain.

**Q: Can I use a subdomain for sending instead of root domain?**

A: Yes.
Create SPF/DKIM/DMARC for subdomain:

```
mail.yourdomain.com (sending subdomain)
v=spf1 include:sendgrid.net -all
selector1._domainkey.mail.yourdomain.com (DKIM)
_dmarc.mail.yourdomain.com (DMARC)
```

**Q: How do I fix "too many DNS lookups" error?**

A: Remove unused includes, consolidate services, or use SPF flattening service (Valimail, DMARCian).

**Q: What's the ideal email warm-up ramp?**

A: Week 1-2: 50-100/day. Week 2-4: 100-500/day. Week 4-8: 500-2000/day. Week 8+: Full volume.

**Q: Should I email on weekends?**

A: B2B: Avoid weekends (low engagement = lower reputation). B2C: Test both weekdays/weekends.

**Q: How do I reduce unsubscribe rates?**

A: Target better (relevance), personalize more, reduce frequency, improve content quality.

---

## Sources & References

### Technical Documentation (2026 Standards)

**Email Authentication Standards:**

- [RFC 7208 - SPF Specification](https://tools.ietf.org/html/rfc7208) - IETF SPF Standard
- [RFC 6376 - DKIM Specification](https://tools.ietf.org/html/rfc6376) - IETF DKIM Standard
- [RFC 7489 - DMARC Specification](https://tools.ietf.org/html/rfc7489) - IETF DMARC Standard
- [RFC 8601 - Message Header Field Parsing](https://tools.ietf.org/html/rfc8601) - Email header standards

**Mailbox Provider Guidelines:**

- [Google Postmaster Tools Help](https://support.google.com/mail/answer/175365) - Gmail authentication requirements
- [Gmail DMARC Requirements (2024 Update)](https://support.google.com/mail/answer/81126) - Gmail 2024 authentication mandate
- [Microsoft 365 Email Authentication](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-about) - Outlook/Exchange authentication
- [Yahoo Mail Best Practices](https://senders.yahooinc.com/) - Yahoo sender guidelines
- [ProtonMail Authentication](https://protonmail.com/support/knowledge-base/enable-dkim/) - ProtonMail DKIM setup

**DMARC & Advanced Topics:**

- [DMARCian DMARC Guide](https://dmarcian.com/dmarc/) - Comprehensive DMARC resource
- [BIMI Specification](https://bimigroup.org/) - Brand Indicators for Message Identification
- [ARC Protocol (RFC 8617)](https://tools.ietf.org/html/rfc8617) - Authenticated Received Chain

**Deliverability Organizations:**

- [Validity (formerly Return Path)](https://validity.com/) - Email deliverability research
- [Inbox Placement Rate Study 2025](https://www.validity.com/blog) - Current industry benchmarks
- [Email Sender & Provider Coalition](https://www.espcoalition.org/) - Email standards & best practices

### Tools & Services

**Verification & Monitoring:**

- [MXToolbox SPF Checker](https://mxtoolbox.com/spf.aspx)
- [MXToolbox DKIM Checker](https://mxtoolbox.com/dkim.aspx)
- [MXToolbox DMARC Checker](https://mxtoolbox.com/dmarc.aspx)
- [DMARCian Report Parser](https://dmarcian.com/dmarcian-security-suite/)
- [Google Postmaster Tools](https://postmaster.google.com/)
- [MXToolbox IP Reputation](https://mxtoolbox.com/blacklists.aspx)

**Email Services with Native Authentication:**

- [SendGrid SPF/DKIM Setup](https://sendgrid.com/docs/ui/account-and-settings/how-to-set-up-domain-authentication/)
- [Mailgun Authentication](https://documentation.mailgun.com/en/latest/user_manual.html#domain-verification)
- [AWS SES Best Practices](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/managing-identities.html)
- [Postmark Authentication](https://postmarkapp.com/support/article/1029-how-do-i-set-up-spf)

**Email Verification:**

- [Hunter.io Email Finder](https://hunter.io/)
- [RocketReach Email Verification](https://rocketreach.com/)
- [Clearbit Email Verification](https://clearbit.com/)
- [ZeroBounce Email Validation](https://www.zerobounce.net/)

### Industry Research (2025-2026)

- **Email Authentication Adoption 2025** - Return Path/Validity annual report
- **Gmail 2024 Authentication Requirements** - DMARC/SPF/DKIM now mandatory
- **Yahoo 2024 Sender Requirements Update** - Authentication enforcement
- **Cold Email Benchmarks 2026** - Industry average open rates (15-25%), reply rates (2-10%)
- **Email Fraud Statistics 2025** - Business Email Compromise trends
- **DMARC Adoption Rate 2025** - ~40% of top 1M domains now use DMARC

### Additional Resources

- **Email Warm-Up Timeline Study** - Legitimate domain reputation takes 8-12 weeks to establish
- **SPF DNS Lookup Limit** - Hard limit of 10 DNS lookups per SPF evaluation (RFC 7208 Section 4.6.4)
- **DKIM Key Rotation Best Practices** - Microsoft, Google, and IETF recommend 1-2 year rotation
- **Inbox Placement Rates by Provider 2026:**
  - Gmail: 75-95% (with full authentication)
  - Outlook: 70-90% (strict authentication checking)
  - Yahoo: 65-85% (SPF/DKIM required)
  - Business mailboxes: 85-98% (well-authenticated domains)

---

## Conclusion

Email deliverability in 2026 requires a multi-layered technical approach:

1. **SPF** - Authorize your sending sources
2. **DKIM** - Cryptographically sign your emails
3. **DMARC** - Enforce authentication policies
4. **Domain Warming** - Build sender reputation gradually
5. **Infrastructure** - Reverse DNS, BIMI, clean IPs
6. **Monitoring** - Track metrics continuously

Implementing all five layers correctly gives you an 80-95% inbox placement rate. Skipping any layer drops you back to 20-40%.

The cost of setup is minimal (10-20 hours of work). The ROI is massive (5-10x improvement in campaign effectiveness).

Start with the technical checklist above. Implement SPF, DKIM, DMARC in your first week. Warm your domain gradually over 8 weeks. Monitor metrics weekly.

By week 8, you'll have a domain with strong reputation and consistent inbox placement. Your cold emails will actually reach the inbox.

---

**Document Version:** 2026.01
**Last Updated:** January 28, 2026
**Maintained by:** WarmySender Technical Content Team
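
The 10-lookup limit described in Section 1 and in Issue 2 can be checked before a record is published, including the lookups hidden inside nested includes. The Python below is an added example, not part of the original guide: it runs offline against a constructed zone table, and the nested record contents (the `.example` names in particular) are invented for illustration and are not the providers' real SPF records.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed TXT data standing in for live DNS answers. Nested contents are
# invented for this example and are NOT the providers' real records.
LEAF = "v=spf1 ip4:198.51.100.0/24 ~all"
SAMPLE_ZONE = {
    "sendgrid.net": "v=spf1 include:u1.sendgrid.example ~all",
    "mailgun.org": "v=spf1 include:a.mailgun.example include:b.mailgun.example ~all",
    "_spf.google.com": "v=spf1 include:nb1.google.example "
                       "include:nb2.google.example include:nb3.google.example ~all",
}
for leaf_name in ("u1.sendgrid.example", "a.mailgun.example", "b.mailgun.example",
                  "nb1.google.example", "nb2.google.example", "nb3.google.example"):
    SAMPLE_ZONE[leaf_name] = LEAF

BEFORE = "v=spf1 include:sendgrid.net include:mailgun.org include:_spf.google.com a mx ~all"
AFTER = "v=spf1 include:sendgrid.net include:_spf.google.com ~all"


class SPFPermError(Exception):
    """Raised where a receiving server would return permerror."""


def parse_terms(record):
    """Split an SPF record into (name, argument) pairs, qualifiers removed."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise SPFPermError("record does not start with v=spf1")
    terms = []
    for field in fields[1:]:
        modifier = re.fullmatch(r"([A-Za-z][A-Za-z0-9_.-]*)=(.*)", field)
        if modifier:  # e.g. redirect=_spf.example.com
            terms.append((modifier.group(1).lower(), modifier.group(2)))
            continue
        name, _, arg = field.lstrip("+-~?").partition(":")
        # Drop CIDR suffixes such as a/24 or mx:host/24.
        terms.append((name.split("/")[0].lower(), arg.split("/")[0]))
    return terms


def term_cost(name, arg, resolve, path):
    """Worst-case DNS lookups caused by one term, nested records included."""
    if name in ("include", "redirect"):
        if arg in path:
            raise SPFPermError(f"include loop through {arg}")
        record = resolve(arg)
        if record is None:
            raise SPFPermError(f"{arg} publishes no SPF record")
        nested = sum(term_cost(n, a, resolve, path + (arg,))
                     for n, a in parse_terms(record))
        return 1 + nested
    return 1 if name in LOOKUP_MECHANISMS else 0


def audit_record(record, resolve, domain="yourdomain.com"):
    """Total lookups for `record`, plus the cost of each top-level term so the
    most expensive include is easy to spot. Counts every term (worst case);
    a real evaluation stops at the first match."""
    costs = []
    for name, arg in parse_terms(record):
        cost = term_cost(name, arg, resolve, (domain,))
        if cost:
            sep = "=" if name == "redirect" else ":"
            costs.append((f"{name}{sep}{arg}" if arg else name, cost))
    total = sum(cost for _, cost in costs)
    return {"total": total, "over_limit": total > LOOKUP_LIMIT, "costs": costs}


if __name__ == "__main__":
    for label, record in (("before", BEFORE), ("after", AFTER)):
        report = audit_record(record, SAMPLE_ZONE.get)
        status = "PERMERROR" if report["over_limit"] else "ok"
        print(label, report["total"], status, report["costs"])
```

To run it against live DNS, replace `SAMPLE_ZONE.get` with a function that returns the `v=spf1` TXT string for a domain, or `None` when there is none.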