A full email deliverability review conducted annually — and maintained through monthly and quarterly checkpoints — catches configuration drift, list quality degradation, and compliance gaps before they become reputation events. This checklist covers every dimension of commercial email deliverability in 2026: authentication, infrastructure, list quality, ISP monitoring, content quality, and regulatory compliance. Work through each section systematically, document findings, and address every gap before the next high-volume sending period begins.

Annual
Full checklist review — typically January after Q4, before the new year's programme ramps up
Quarterly
Authentication, infrastructure, and monitoring spot-checks
Monthly
List hygiene, blacklist monitoring, Postmaster Tools review
Per campaign
Bounce rate check, complaint rate check, seed test for major campaigns

Authentication Checklist: SPF, DKIM, DMARC, BIMI

ItemHow to verifyFrequency
SPF record publishes for all sending domainsdig TXT sending-domain.com — must return v=spf1 recordQuarterly
SPF lookup count below 10MXToolbox SPF analyzer — lookup count shownQuarterly
SPF returns pass (not softfail or permerror)Check Authentication-Results header in delivered test messageMonthly
DKIM signing active with own domain (d=yourdomain.com)Check Authentication-Results: dkim=pass header.i=@yourdomain.comMonthly
DKIM key size 2048-bit minimumdig TXT selector._domainkey.domain — count base64 chars in p= value (≥260 chars = 2048-bit)Annual
DKIM selector DNS records all validdig TXT each selector — must return DKIM1 key recordQuarterly
DMARC record publisheddig TXT _dmarc.yourdomain.com — must return v=DMARC1 recordQuarterly
DMARC policy at p=quarantine or p=rejectReview DMARC record p= value — p=none provides no protectionAnnual
DMARC rua= address functional (receives aggregate reports)Verify aggregate reports are being received at the rua= address monthlyMonthly
DMARC aggregate reports reviewed for unknown sourcesReview rua= reports for any sources showing DMARC fail — may indicate new sending system or spoofingMonthly
ARC correctly configured for any mailing list or forwarding infrastructureCheck ARC-Seal headers in forwarded messages — should show arc=pass at destinationAnnual
BIMI record published (if applicable)dig TXT default._bimi.yourdomain.com — verify record present and logo URL accessibleQuarterly
BIMI logo SVG P/S compliantBIMI Group validator at bimigroup.org — validates SVG format complianceAnnual

Infrastructure Checklist: IPs, PTR, TLS

ItemHow to verifyFrequency
PTR records set for all sending IPsdig -x SENDING_IP — must return a hostnameMonthly
FCrDNS valid (PTR hostname resolves back to same IP)dig A PTR_HOSTNAME — must match sending IPMonthly
PTR hostname matches EHLO/HELO hostname in MTA configCheck mail headers: Received: from EHLO_HOSTNAME — must match PTRQuarterly
TLS enabled for all outbound SMTP connectionsCheck Received: headers for TLS cipher notationQuarterly
TLS certificate valid and not expiring within 30 daysecho | openssl s_client -connect mail1.domain.com:25 -starttls smtp 2>&1 | openssl x509 -noout -datesMonthly
All sending IPs not on major blacklistsMXToolbox blacklist check for each IP — Spamhaus, Barracuda, SORBSWeekly
Microsoft SNDS status Green for all sending IPspostmaster.live.com SNDS dashboard — all IPs should show GreenWeekly
IP warmup complete for any IPs added in past 90 daysReview Gmail Postmaster Tools domain reputation — should be High after warmup completesPer IP addition
FBL enrollment active for Yahoo (CFL) and Microsoft (JMRP)Verify FBL complaint emails are being received and processedAnnual
Bounce processing functional — hard bounces suppressed automaticallySend test to a known invalid address — verify it bounces and is added to suppressionQuarterly

List Quality Checklist

ItemActionFrequency
Full list verificationRun complete active list through NeverBounce or ZeroBounce — remove invalid, risky, and catch-all segmentsSemi-annual (Jan + Jul)
Hard bounce suppression — all bounced addresses removedAudit suppression list against recent bounce logs — verify 100% coverageMonthly
Engagement-based suppression activeVerify contacts with no open/click in 90+ days are in suppression hold or re-engagement queueMonthly
Re-engagement sequence in place for lapsed contactsConfirm automated re-engagement workflow is triggering correctly for disengaged contactsQuarterly
Acquisition source quality monitoringTrack complaint rate and bounce rate per acquisition source — flag sources above 0.05% complaint rateMonthly
Real-time verification at signup activeTest subscription form — submit an invalid email format and a known invalid domain — both should be rejectedQuarterly
Unsubscribe opt-outs processed within 10 days (CAN-SPAM requirement)Audit recent opt-out requests — verify processing timestampsMonthly
Global suppression list exported and backed upExport complete suppression list and store securely — essential for ESP migration and disaster recoveryMonthly

Monitoring Checklist: Postmaster Tools, FBL, SNDS

ItemTarget metricFrequency
Gmail Postmaster Tools spam rateBelow 0.05% daily; never above 0.10%Daily (weekly minimum)
Gmail Postmaster Tools domain reputationHigh tier — investigate immediately if Medium or belowWeekly
Gmail Postmaster Tools authentication rate100% — any non-100% indicates unauthenticated sending sourcesWeekly
Yahoo FBL complaint rateBelow 0.05% — Yahoo FBL typically leads Gmail reputation changes by 1-2 weeksDaily
Microsoft SNDS IP statusAll IPs Green — investigate any Yellow or Red immediatelyDaily (during active sending)
Blacklist monitoring (all sending IPs)Zero listings on Spamhaus SBL, Barracuda BRBL, SORBS — any listing requires immediate investigationDaily (automated alert preferred)
Hard bounce rate per campaignBelow 0.5% per campaign — above this warrants list segment investigationPer campaign
Per-ISP deferral rate (accounting log)Below 10% at any major ISP — elevated deferral indicates rate limit or reputation issuePer campaign
DNS record change monitoringZero unexpected changes — SPF, DKIM, DMARC, PTR records should match baselineAutomated continuous

Content and Template Checklist

ItemHow to verifyFrequency
From name consistent and brand-recognisableReview all From names across active sending streams — no fictitious person namesQuarterly
Subject lines accurate (no misleading content)Review subject line approval process — verify no "Your account has been suspended" type lines for promotional emailPer campaign
Preheader present in all templates (CSS method, not white-on-white)Check email source for span with display:none preheader — not white font colour on white backgroundPer template update
Unsubscribe link present and functional in all templatesClick unsubscribe link in test message — confirm it processes correctlyQuarterly
List-Unsubscribe and List-Unsubscribe-Post headers presentCheck raw email headers — both headers required for MAGY compliance for bulk sendersQuarterly
Physical mailing address in footer (CAN-SPAM requirement)Review all active email templates — must include current physical addressQuarterly
Plain text version present (multipart/alternative)Check email source — Content-Type should be multipart/alternative with text/plain partPer template update
Alt text on all imagesView email with images disabled — all meaningful content should still be conveyedPer template update
Color contrast WCAG 2.1 AA compliantCheck text/background contrast ratios using WebAIM Contrast Checker for all colour combinationsPer template update
Dark mode rendering correctTest in Apple Mail dark mode and Gmail dark mode — no broken layouts or invisible textPer template update
Email renders correctly with images disabledView in Outlook (images off by default in many corporate environments) — must still be actionablePer template update
No URL shorteners in email linksScan all links in template — must use full branded or ESP click-tracking domain URLsPer template update
mail-tester.com score above 8/10Send test message to mail-tester.com address — score below 8 warrants investigationPer major template update

Compliance Checklist: CAN-SPAM, GDPR, MAGY

ItemStandardFrequency
Unsubscribe requests processed within 10 business daysCAN-SPAMMonthly audit
Physical mailing address current and accurate in all emailsCAN-SPAMQuarterly
From address accurately identifies the senderCAN-SPAM, CEMAQuarterly
GDPR consent records maintained for EU subscribersGDPRAnnual audit
Data processor agreements in place with ESP and any list vendorsGDPRAnnual
DKIM signing with own domain (not shared ESP domain)MAGY (Google, Yahoo, Microsoft, Apple)Monthly
DMARC record published at minimum p=noneMAGYQuarterly
One-click unsubscribe functional (RFC 8058)MAGY (bulk senders >5K/day to Gmail)Quarterly
Gmail spam rate below 0.10%MAGY (Google bulk sender requirement)Daily monitoring
PTR/FCrDNS valid for all sending IPsMAGYMonthly
TLS for all SMTP connectionsMAGYQuarterly
Email archiving in place for financial/healthcare senders (FINRA, HIPAA)Industry-specificAnnual

ESP and Infrastructure Review Checklist

ItemActionFrequency
ESP pricing vs current volume — still cost-efficient?Calculate total cost of ownership at current volume — compare against alternatives if above 1M monthlyAnnual
ESP deliverability features still meet programme needsReview ESP capabilities against programme requirements — dedicated IP, custom DKIM, FBL processing, per-ISP reportingAnnual
ESP uptime SLA complianceReview ESP's uptime history for the past 12 months — any incidents affect SLA complianceAnnual
Backup MTA or ESP failover plan documented and testedRun quarterly DR test — verify failover works within target RTOQuarterly
API keys and credentials rotatedRotate all ESP API keys, SMTP credentials, and webhook secrets — document new values securelyAnnual
Sending volume capacity appropriate for planned campaignsCalculate peak campaign volume needs for next 6 months — verify infrastructure can handle without IP exhaustionSemi-annual

Quarterly and Monthly Task Schedule

January (full annual review): Complete all checklist sections above. Run full list verification. Export and audit suppression list. Review ESP contract and costs. Document all findings and create remediation tasks for any gaps found. This is the biggest review of the year — allow 2-3 days for a thorough team review of a mid-size programme.

April (Q2 check): Authentication spot-check (SPF lookup count, DKIM key validity, DMARC policy). Infrastructure check (all IPs clear of blacklists, SNDS Green, FBL enrollment active). List quality: verify engagement-based suppression is running correctly. Compliance: verify MAGY requirements still met. Content: verify templates up to date with any recent ESP or ISP changes.

July (Q3 check): Same scope as Q2 check. Additionally: run mid-year list verification (second of the semi-annual verification passes). Review Postmaster Tools trends for Q2 — any reputation drift to address before Q4 ramp-up. Begin Q4 preparation planning (volume ramp schedule, IP capacity assessment).

October (pre-Q4 hardening): Critical pre-holiday preparation. Full list cleanup — suppress 90-day non-engagers. Verify IP capacity for Q4 volume. Implement infrastructure freeze (no config changes from Oct 15). Switch to daily Postmaster Tools monitoring. Verify backup MTA is operational (run DR test if not done in Q3).

Monthly tasks (every month): Gmail Postmaster Tools spam rate and domain reputation review. SNDS status check for all IPs. Blacklist monitoring report. Hard bounce rate review for recent campaigns. FBL complaint report review. DNS record baseline verification. Global suppression list backup.

The deliverability programme that systematically executes this checklist — on the annual, quarterly, and monthly cadences it specifies — consistently maintains the High reputation, 0% short/broken, and MAGY compliance that commercial email requires in 2026. No individual checklist item is technically complex; the discipline is in consistent execution across all items on their scheduled cadence. Build the schedule into the team calendar; assign each section to a responsible owner; and the deliverability programme will never be surprised by an infrastructure configuration gap or list quality problem that a routine check would have caught weeks earlier.

Using This Checklist Effectively

A checklist is only useful when it produces action, not just documentation. After each review cycle, every gap found should be assigned to a specific owner with a deadline. Authentication gaps are typically resolved within 1-2 days (DNS record updates propagate quickly). List quality gaps take 1-2 weeks to address completely (verification runs take time; engagement suppression logic takes a deployment cycle). Compliance gaps may take 2-4 weeks depending on the change involved (template updates, consent record audits, processor agreement negotiations). Infrastructure gaps vary widely — a missing PTR record might be resolved in a support ticket within hours; an IP capacity issue might require a 6-8 week warmup cycle before the new IP is ready for production use.

The prioritisation framework: P1 (address within 24 hours) — active blacklist listings, authentication failures causing delivery rejection, spam rate above 0.10%. P2 (address within one week) — DMARC at p=none, missing FCrDNS, SNDS Yellow status, hard bounce rate above 1%. P3 (address within one month) — DKIM key below 2048-bit, missing BIMI, colour contrast failures in templates, incomplete consent records. P4 (address in next quarter) — ESP pricing review, template accessibility improvements, DMARC advancement to p=reject from p=quarantine.

The team that runs this checklist consistently — treating email deliverability as the operational discipline it is rather than the reactive crisis response it becomes when unmanaged — operates with a confidence in their programme's foundations that teams without systematic review cannot have. Build the discipline; execute the schedule; and the deliverability programme will stay healthy through every platform change, ISP requirement update, and audience evolution the commercial email landscape delivers.

H
Henrik Larsen

Deliverability Manager at Cloud Server for Email. Specialising in email deliverability, infrastructure architecture, and high-volume sending operations.