email-deliverability

# Email Deliverability

Get email into inboxes, not spam folders. Set up authentication. Monitor reputation. Diagnose problems before they hurt the business.

---

## When to use

- Setting up email for a new domain
- A meaningful percentage of email is going to spam
- Customers report they're not receiving emails
- Setting up DMARC, SPF, or DKIM
- Hardening against domain spoofing
- Migrating email service providers
- Sender reputation has dropped
- Pre-launch audit before sending volume increases

## When NOT to use

- Writing the email content itself (use `email-sequences`)
- Designing the email program strategy (use `email-sequences`)
- DNS records in general (use `domain-strategy`)
- Outbound spam coming FROM your account (different problem; investigate compromised credentials)

---

## Required inputs

- The sending domain(s)
- The email service provider (ESP, transactional service, mail server)
- Current DNS records (or access to them)
- Email volume (transactional vs marketing, daily volume)
- Current deliverability state (if known: bounce rate, spam complaints)

---

## The framework: 3 pillars

Email deliverability rests on three pillars. Weakness in any one limits the others.

### Pillar 1: Authentication

Mailbox providers verify email is actually from who it claims to be from. Three records.

**SPF (Sender Policy Framework)**

Lists which servers are authorized to send mail for the domain. Published as a TXT record at the apex.

```
v=spf1 include:_spf.mailprovider.com -all
```

- `include:` adds another sender's authorized list
- `-all` (hard fail): mail from unlisted senders fails authentication
- `~all` (soft fail): unlisted senders are suspicious but pass; useful during rollout
- `+all`: never use; allows anyone to send

Only one SPF record per domain. Multiple SPF records break SPF entirely. Combine senders into a single record.

SPF has a 10-DNS-lookup limit. Each `include:` may use multiple lookups. Hit the limit and SPF stops working. Watch this carefully.

**DKIM (DomainKeys Identified Mail)**

A cryptographic signature on each outgoing email. The mail server signs with a private key; the public key is published in DNS.

```
selector1._domainkey.example.com    TXT    "v=DKIM1; k=rsa; p=MIGfMA0G..."
```

Selectors differ by ESP. Some use `default._domainkey`, some use unique selectors per service. Most ESPs walk you through publishing the records.

DKIM proves the message wasn't modified in transit and that the sender controls the domain.

**DMARC (Domain-based Message Authentication, Reporting, and Conformance)**

The policy layer. Tells receivers what to do when SPF or DKIM fails, and where to send reports.

```
_dmarc.example.com    TXT    "v=DMARC1; p=reject; rua=mailto:dmarc-aggregate@example.com; ruf=mailto:dmarc-forensic@example.com; pct=100; adkim=s; aspf=s"
```

Components:
- `p=`: policy. `none`, `quarantine`, or `reject`.
- `rua=`: aggregate reports (daily, summary). Always set this.
- `ruf=`: forensic reports (per-message). Optional, can be high volume.
- `pct=`: percentage of failing mail subject to the policy. Useful for gradual rollout.
- `adkim=`, `aspf=`: alignment mode. `s` (strict), `r` (relaxed). Strict means From: domain must match exactly.

DMARC is the most important record. It's what makes spoofing your domain hard.

### Pillar 2: Reputation

Mailbox providers (Gmail, Outlook, Yahoo) score every sender. Reputation drives delivery.

Reputation factors:
- **Authentication pass rates** (SPF, DKIM, DMARC)
- **Engagement signals** (opens, replies, marking as not-spam)
- **Negative signals** (spam complaints, deletions without opens, blocking)
- **List hygiene** (low bounce rates, no spam traps)
- **Volume consistency** (sudden spikes look like spam)
- **Content patterns** (link reputation, attachment patterns)
- **IP and domain history**

Reputation is per (sending domain × mailbox provider). Gmail's view of you is independent of Outlook's.

### Pillar 3: List quality and engagement

Authentication and reputation rest on list quality. Bad list = bad reputation eventually.

- Only send to people who explicitly opted in
- Confirmed (double) opt-in for marketing wherever feasible
- Honor unsubscribes immediately and reliably
- Remove hard bounces immediately
- Sunset disengaged contacts (no opens in 6 months: reduce frequency or remove)
- Avoid third-party lists, scraped emails, or "purchased opt-ins"

The single biggest deliverability lever for most senders is list hygiene.

---

## Workflow

### Step 1: Audit current state

Check the current DNS records:

```bash
dig +short txt example.com
dig +short txt selector1._domainkey.example.com
dig +short txt _dmarc.example.com
```

Also check:
- Current bounce rate (target: under 2%)
- Current spam complaint rate (target: under 0.1%)
- Current open rate (varies by industry; falling trend is a warning)
- Current sending volume

Tools: mxtoolbox.com, dmarcian.com, mail-tester.com (for individual messages).

### Step 2: Fix authentication

If any of SPF, DKIM, DMARC is missing or misconfigured, fix first.

**SPF fix order:**
1. Identify all legitimate senders (transactional ESP, marketing ESP, support tools, etc.)
2. Get the `include:` value or IP for each
3. Combine into a single SPF record
4. Verify lookup count is under 10
5. Use `-all` for hard fail (or `~all` if rolling out gradually)

**DKIM fix order:**
1. Generate a new selector per sending service
2. Publish the public key in DNS
3. Configure the ESP to sign with the private key
4. Verify with a test send (check headers for `dkim=pass`)

**DMARC fix order:**
1. Publish DMARC with `p=none` initially (monitoring mode)
2. Set up an aggregate report endpoint (use a DMARC analytics service or your own)
3. Watch reports for at least 2-4 weeks
4. Identify any legitimate senders failing alignment; fix them
5. Move to `p=quarantine` with `pct=10`, gradually increase
6. Move to `p=reject` once confidence is high

The full progression typically takes 2-3 month