Email Deliverability Checklist & Score Calculator
Every cold email campaign lives or dies by deliverability. You can have the best copy, the most accurate prospect list, and the sharpest ICP in your market — and still land in spam if your technical infrastructure is misconfigured. The major providers (Google Workspace, Microsoft 365) have become dramatically more aggressive about filtering in the past 18 months, and the rules that worked in 2023 no longer apply.
This checklist and scoring guide gives you the tools to audit your own email deliverability infrastructure without a paid tool subscription. Work through each section, score your configuration, and prioritize fixes based on impact and severity.
What This Checker Covers
Email deliverability is determined by five layers that interact with each other. A weakness in any layer can override strengths in the others:
- DNS authentication records (SPF, DKIM, DMARC) — the technical foundation that proves you are who you claim to be
- Domain reputation — the historical sending behavior of your domain and IP address
- Sending infrastructure — the quality and configuration of your sending setup
- Content and engagement signals — how recipients interact with your emails
- List hygiene — the quality and recency of your contact data
Each section below includes a checklist, scoring rubric, and verification method.
Section 1: DNS Authentication Records (40 points maximum)
SPF (Sender Policy Framework) — 15 points
SPF tells receiving mail servers which IP addresses are authorized to send email on behalf of your domain. Without SPF, receiving servers have no way to verify that your email actually came from you.
Verification method:
- Open your DNS management panel (Cloudflare, GoDaddy, Route 53, etc.)
- Look for a TXT record on your root domain that starts with `v=spf1`
- Alternatively, use the command: `dig TXT yourdomain.com | grep spf`
Scoring:
| Condition | Points |
|---|---|
| No SPF record found | 0 |
| SPF record exists but is malformed or has syntax errors | 3 |
| SPF record exists and includes your sending provider (e.g., `include:_spf.google.com`) | 8 |
| SPF exists, correct, and ends with `-all` (hard fail — recommended) | 15 |
| SPF exists, correct, but ends with `~all` (soft fail) | 12 |
| SPF exists but ends with `+all` (allows any server — security risk, penalize) | 2 |
Common SPF errors to check:
- More than 10 DNS lookups in your SPF record (a hard limit — causes evaluation failures)
- Multiple SPF records on the same domain (only one is valid)
- Missing your actual sending provider's include statement
- Using a deprecated `v=spf1 a mx` pattern without include statements
Example of a correct SPF record for Google Workspace:
v=spf1 include:_spf.google.com ~all
Example with multiple senders:
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org ~all
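The SPF rubric and the common errors listed above can be checked mechanically. The following is an added example, not part of the original checklist: `audit_spf`, its findings text, and the sample TXT answers are constructed for illustration. It assumes that a lookup-limit violation or a missing provider include falls in the 3-point "malformed" row, and it counts only the lookups visible in the record itself.

```python
import re

# Mechanisms that each cost one DNS lookup during evaluation (RFC 7208, 4.6.4).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
MECHS = LOOKUP_MECHS | {"all", "ip4", "ip6"}
TERM = re.compile(r"([+\-~?]?)([a-z][a-z0-9]*)(?:([:=/])(.+))?", re.I)

def audit_spf(txt_records, provider):
    """Return (points, findings) for a domain's TXT answers, per the rubric above."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return 0, ["no SPF record found"]
    if len(spf) > 1:
        return 3, ["multiple SPF records on the domain (only one is valid)"]
    lookups, includes, all_qual = 0, [], None
    for term in spf[0].split()[1:]:
        m = TERM.fullmatch(term)
        if not m:
            return 3, [f"syntax error in term {term!r}"]
        qual, name, sep, arg = m.group(1) or "+", m.group(2).lower(), m.group(3), m.group(4)
        if sep == "=":  # modifier; redirect costs a lookup, unknown ones are ignored
            lookups += int(name == "redirect")
            continue
        if name not in MECHS:
            return 3, [f"unknown mechanism {name!r}"]
        lookups += int(name in LOOKUP_MECHS)
        if name == "include":
            includes.append((arg or "").lower())
        if name == "all":
            all_qual = qual
    # Only terms visible in this record are counted; nested includes add more.
    if lookups > 10:
        return 3, [f"{lookups} DNS lookups exceed the limit of 10"]
    # Assumption: the rubric has no row for a missing provider; scored as malformed.
    if provider.lower() not in includes:
        return 3, [f"sending provider {provider} is not included"]
    notes = {"+": "+all lets any server send as you", "~": "soft fail; -all scores 15"}
    points = {"-": 15, "~": 12, "+": 2}.get(all_qual, 8)
    return points, [notes[all_qual]] if all_qual in notes else []

# Constructed sample TXT answers (not real lookups).
SAMPLES = [
    ["v=spf1 include:_spf.google.com -all"],
    ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:sendgrid.net ~all"],
    ["v=spf1 a mx ~all"],
]
if __name__ == "__main__":
    for answers in SAMPLES:
        print(audit_spf(answers, "_spf.google.com"), answers)
```

Feed it the TXT strings returned by `dig TXT yourdomain.com`; a record that passes here can still exceed the lookup limit once nested includes are resolved.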
DKIM (DomainKeys Identified Mail) — 15 points
DKIM adds a cryptographic signature to every email you send. Receiving servers verify the signature against a public key published in your DNS, confirming the message was not tampered with in transit.
Verification method:
- Check your email sending platform settings (Google Workspace Admin → Gmail → Authenticate Email)
- Look for DKIM TXT records: `dig TXT google._domainkey.yourdomain.com` (replace `google` with your selector)
- Send a test email to `check-auth@verifier.port25.com` — you receive a full authentication report
Scoring:
| Condition | Points |
|---|---|
| No DKIM configured | 0 |
| DKIM configured but using 1024-bit key (deprecated) | 7 |
| DKIM configured with 2048-bit key | 13 |
| DKIM configured with 2048-bit key AND key rotation documented | 15 |
DKIM checklist:
- DKIM is enabled in your email sending platform
- The public key is published in DNS (verify with `dig TXT`)
- You are using a 2048-bit key (1024-bit is considered insecure by major providers as of 2024)
- You have a documented key rotation schedule (annually recommended)
- If using multiple sending platforms, each has its own DKIM selector
DMARC (Domain-based Message Authentication, Reporting & Conformance) — 10 points
DMARC builds on SPF and DKIM. It tells receiving servers what to do when an email fails authentication — and where to send reports about authentication failures. Without DMARC, even perfect SPF and DKIM implementation leaves you vulnerable to domain spoofing.
Verification method:
dig TXT _dmarc.yourdomain.com
Scoring:
| Condition | Points |
|---|---|
| No DMARC record | 0 |
| DMARC exists with `p=none` (monitoring only, no action taken) | 4 |
| DMARC exists with `p=quarantine` (suspicious emails go to spam) | 7 |
| DMARC exists with `p=reject` (failing emails are rejected) | 10 |
DMARC checklist:
- DMARC TXT record exists on `_dmarc.yourdomain.com`
- Record includes an `rua` tag pointing to a reporting email: `rua=mailto:dmarc-reports@yourdomain.com`
- If at `p=none`, you have a plan to move to `p=quarantine` or `p=reject` within 90 days
- You have a tool or process to review DMARC reports (Google Postmaster Tools, Postmark, Dmarcian)
Example of a production-ready DMARC record:
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com; sp=quarantine; adkim=r; aspf=r
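To apply the DMARC rubric and checklist to a record, the tag list has to be parsed and a few settings compared against each other. This is an added example, not part of the original checklist: `audit_dmarc` and its findings text are constructed for illustration, and it assumes a record with a missing or unrecognized `p` tag scores 0. Beyond the rubric, it also flags a `pct` below 100 and an `sp` weaker than `p`, both of which quietly reduce enforcement.

```python
POLICY_POINTS = {"none": 4, "quarantine": 7, "reject": 10}
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_tags(record):
    """Split 'k=v; k=v' into ordered (tag, value) pairs, tag names lowercased."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    return [(k.strip().lower(), v.strip()) for k, v in pairs]

def audit_dmarc(record):
    """Return (points, findings) for the TXT value at _dmarc.<domain>."""
    pairs = parse_tags(record or "")
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return 0, ["no DMARC record (v=DMARC1 must be the first tag)"]
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy not in POLICY_POINTS:
        # Assumption: scored as absent, since no usable policy is published.
        return 0, [f"missing or unrecognized p tag: {tags.get('p')!r}"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; plan the move to quarantine or reject")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        findings.append("no rua=mailto: address, so aggregate reports are not delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    sp = tags.get("sp", policy).lower()  # subdomains inherit p when sp is absent
    if STRENGTH.get(sp, 0) < STRENGTH[policy]:
        findings.append(f"sp={sp} leaves subdomains under a weaker policy than p={policy}")
    return POLICY_POINTS[policy], findings

# The page's example record plus two constructed variants.
SAMPLES = [
    "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@yourdomain.com; sp=quarantine; adkim=r; aspf=r",
    "v=DMARC1; p=none",
    "v=DMARC1; p=reject; sp=none; pct=25; rua=mailto:dmarc@yourdomain.com",
]
if __name__ == "__main__":
    for rec in SAMPLES:
        print(audit_dmarc(rec))
```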
Section 2: Domain Reputation (25 points maximum)
Domain Age and Sending History — 10 points
New domains have no reputation. Sending cold outbound from a domain registered in the last 30 days is almost guaranteed to land in spam because major providers aggressively filter new domains.
Scoring:
| Condition | Points |
|---|---|
| Domain registered < 30 days ago | 0 |
| Domain 30–60 days old, no prior sending history | 3 |
| Domain 60–180 days old, limited prior sending | 6 |
| Domain > 6 months old, consistent sending history | 10 |
Domain warm-up schedule (for new sending domains):
| Week | Daily Email Volume | Notes |
|---|---|---|
| 1–2 | 5–10 | Send only to known contacts who will open/reply |
| 3–4 | 20–40 | Expand to warm opt-in list |
| 5–6 | 80–150 | Begin testing cold outbound with small batches |
| 7–8 | 200–400 | Ramp toward campaign volume |
| 9+ | 500+ | Full campaign volume if engagement metrics are healthy |
IP Reputation and Blacklist Status — 10 points
Your emails travel through mail servers with IP addresses. If those IPs are on blacklists (due to prior abuse by other senders using the same shared infrastructure), your deliverability suffers regardless of your own sending behavior.
Verification method:
- Find your sending IP: send an email, open the full headers, look for the originating IP
- Check it against the major blacklists: MXToolbox Blacklist Check (mxtoolbox.com/blacklists.aspx)
- Check domain reputation in Google Postmaster Tools (postmaster.google.com)
Scoring:
| Condition | Points |
|---|---|
| IP on one or more major blacklists (Spamhaus SBL, URIBL, Barracuda) | 0 |
| IP on minor blacklists only | 4 |
| IP clean across major blacklists, Google reputation: Bad or Low | 5 |
| IP clean, Google reputation: Medium | 7 |
| IP clean, Google reputation: High | 10 |
Subdomain Separation — 5 points
Best practice is to send cold outbound from a separate subdomain (or separate domain) from your primary business email. This isolates reputation risk — if your cold outreach triggers spam complaints, it does not damage the reputation of your core company domain.
Scoring:
| Condition | Points |
|---|---|
| Sending cold outbound from your main company domain (e.g., @yourcompany.com) | 0 |
| Sending from a subdomain (e.g., @mail.yourcompany.com or @outreach.yourcompany.com) | 3 |
| Sending from a completely separate domain (e.g., @yourcompany-sales.com) with its own SPF/DKIM/DMARC | 5 |
Section 3: Sending Infrastructure (20 points maximum)
Sending Volume and Cadence — 10 points
Sudden spikes in sending volume are a major spam signal. Consistent, gradual sending is far safer than sending 2,000 emails in a single burst.
Scoring:
| Condition | Points |
|---|---|
| No sending limits configured; sending in large daily batches | 0 |
| Daily sending volume is capped, but no delay between sends | 4 |
| Daily cap in place + time delays between individual sends (60–180 seconds) | 7 |
| Daily cap + time delays + sending windows configured (avoids nights/weekends) | 10 |
Recommended daily volume limits by domain age:
- < 3 months old: 50–100 emails/day
- 3–6 months old: 200–500 emails/day
- 6–12 months old: 500–1,000 emails/day
- > 12 months old, good reputation: 1,000–2,000 emails/day (per domain)
Unsubscribe and Bounce Handling — 10 points
Gmail and Outlook actively penalize senders who do not include functional unsubscribe mechanisms. The February 2024 Google sender requirements made this mandatory for bulk senders.
Scoring:
| Condition | Points |
|---|---|
| No unsubscribe link in emails | 0 |
| Unsubscribe link exists but takes > 2 clicks or requires login to complete | 3 |
| One-click unsubscribe link that removes immediately | 7 |
| One-click unsubscribe + List-Unsubscribe header + automatic bounce suppression | 10 |
Bounce rate benchmarks:
- Hard bounce rate > 5%: serious deliverability risk; stop campaign and clean list
- Hard bounce rate 2–5%: concerning; verify new contacts before adding to sequences
- Hard bounce rate < 2%: acceptable
- Hard bounce rate < 0.5%: healthy for well-maintained lists
Section 4: Content Signals (10 points maximum)
Spam Trigger Words and Formatting — 5 points
Spam filters use content scoring as one signal. Excessive capitalization, heavy HTML formatting, and certain trigger phrases negatively impact scoring.
Scoring:
| Condition | Points |
|---|---|
| Heavily formatted HTML email with images and large CTAs | 0 |
| Some HTML formatting, contains common spam triggers (FREE, GUARANTEED, ACT NOW) | 2 |
| Plain-text or minimal HTML, no spam trigger keywords | 4 |
| Plain-text, conversational tone, reads like a real person wrote it | 5 |
Engagement Rate (Historical) — 5 points
The most powerful deliverability signal is engagement. Emails that get opened, replied to, and occasionally clicked on signal to providers that recipients want your mail.
Scoring:
| Condition | Points |
|---|---|
| Open rate < 10% (past 30 days) | 0 |
| Open rate 10–20% | 2 |
| Open rate 20–35% | 4 |
| Open rate > 35% OR reply rate > 8% | 5 |
Note: Open rate tracking via pixel is increasingly unreliable due to iOS Mail Privacy Protection and other proxy-opening technologies. Reply rate is a more reliable engagement signal.
Section 5: List Hygiene (5 points maximum)
Scoring:
| Condition | Points |
|---|---|
| No verification or cleaning of contact list before sending | 0 |
| Basic deduplication only | 1 |
| Email validation run within the past 6 months (removes invalid/catch-all addresses) | 3 |
| Email validation + suppression list from prior bounces and unsubscribes + spam trap removal | 5 |
Overall Score and Interpretation
Add all section scores together (maximum: 100 points).
| Score | Status | Action Required |
|---|---|---|
| 0–40 | Critical | High spam placement risk. Fix DNS records and domain reputation issues immediately before running any outbound campaign. |
| 41–60 | At Risk | Significant gaps. Your emails likely reach primary inbox inconsistently. Prioritize the sections with lowest scores. |
| 61–75 | Acceptable | Reasonable foundation. Further optimization will improve deliverability and engagement rates. |
| 76–89 | Good | Strong deliverability infrastructure. Focus on content and list hygiene for further improvement. |
| 90–100 | Excellent | Best-practice setup. Monitor ongoing reputation signals and maintain current practices. |
Prioritized Fix Order
If you have a low score, address issues in this order (highest to lowest impact per hour of work):
- Missing SPF record — Fix in 10 minutes; unlocks most basic authentication
- Missing DMARC record — Fix in 15 minutes; prevents domain spoofing and improves trust
- Missing DKIM or 1024-bit key — Fix in 30–60 minutes depending on platform; required for Gmail bulk sender compliance
- Blacklist removal — Submit delisting requests to each blacklist provider where your IP appears; typically resolved in 24–72 hours
- Domain warming — If under 90 days old, slow down and follow the warm-up schedule above
- List cleaning — Run through a validation service (NeverBounce, ZeroBounce, Bouncer) before next campaign
- Unsubscribe mechanism — Ensure compliant with Gmail's February 2024 bulk sender requirements
Industry Benchmarks
| Metric | Poor | Acceptable | Good | Excellent |
|---|---|---|---|---|
| Spam placement rate | > 10% | 5–10% | 1–5% | < 1% |
| Hard bounce rate | > 5% | 2–5% | 0.5–2% | < 0.5% |
| Unsubscribe rate | > 2% | 0.5–2% | 0.1–0.5% | < 0.1% |
| Open rate (cold outbound) | < 15% | 15–25% | 25–40% | > 40% |
| Reply rate (cold outbound) | < 2% | 2–5% | 5–10% | > 10% |
FAQ
Q: Can I use my main company domain for cold outbound if I only send 20 emails per day?
Low volume does not eliminate the risk — it reduces it. A single spam complaint from a cold email can damage your main domain's reputation and affect your entire team's email deliverability, including internal communications and customer emails. The asymmetric risk justifies using a separate domain for outbound.
Q: How often should I verify my email list?
Any list that has not been emailed in the past 3 months should be re-verified before a campaign. Email addresses decay at roughly 25–30% per year — what was valid 12 months ago may now bounce or be a spam trap.
Q: Do I need DMARC at p=reject, or is p=quarantine sufficient?
p=quarantine is sufficient for most outbound use cases and is significantly safer to deploy than p=reject when you have not fully audited all your sending sources. Move to p=reject after 60–90 days of clean DMARC reports confirming all legitimate senders are properly authenticated.
Q: My emails are landing in spam even though all my DNS records are correct. What else could be wrong?
Correct DNS records are necessary but not sufficient. After checking DNS, investigate: (1) your IP reputation via Google Postmaster Tools, (2) the content of your emails against spam scoring tools, (3) your engagement rates over the past 30 days — low engagement is increasingly weighted by Gmail's machine learning filters, and (4) whether you are on any minor blocklists not covered by the major blacklist checkers.
Q: How does email deliverability relate to AI outbound campaigns?
AI outbound tools send at much higher volume than human SDRs, which magnifies deliverability problems. A 3% bounce rate that is manageable for a 50-email-per-day human SDR becomes catastrophic for an AI agent sending 500 per day. Fix deliverability infrastructure before scaling with AI.