A full email deliverability review conducted annually — and maintained through monthly and quarterly checkpoints — catches configuration drift, list quality degradation, and compliance gaps before they become reputation events. This checklist covers every dimension of commercial email deliverability in 2026: authentication, infrastructure, list quality, ISP monitoring, content quality, and regulatory compliance. Work through each section systematically, document findings, and address every gap before the next high-volume sending period begins.
Authentication Checklist: SPF, DKIM, DMARC, BIMI
| Item | How to verify | Frequency |
|---|---|---|
| SPF record publishes for all sending domains | dig TXT sending-domain.com — must return v=spf1 record | Quarterly |
| SPF lookup count below 10 | MXToolbox SPF analyzer — lookup count shown | Quarterly |
| SPF returns pass (not softfail or permerror) | Check Authentication-Results header in delivered test message | Monthly |
| DKIM signing active with own domain (d=yourdomain.com) | Check Authentication-Results: dkim=pass header.i=@yourdomain.com | Monthly |
| DKIM key size 2048-bit minimum | dig TXT selector._domainkey.domain — count base64 chars in p= value (≥260 chars = 2048-bit) | Annual |
| DKIM selector DNS records all valid | dig TXT each selector — must return DKIM1 key record | Quarterly |
| DMARC record published | dig TXT _dmarc.yourdomain.com — must return v=DMARC1 record | Quarterly |
| DMARC policy at p=quarantine or p=reject | Review DMARC record p= value — p=none provides no protection | Annual |
| DMARC rua= address functional (receives aggregate reports) | Verify aggregate reports are being received at the rua= address monthly | Monthly |
| DMARC aggregate reports reviewed for unknown sources | Review rua= reports for any sources showing DMARC fail — may indicate new sending system or spoofing | Monthly |
| ARC correctly configured for any mailing list or forwarding infrastructure | Check ARC-Seal headers in forwarded messages — should show arc=pass at destination | Annual |
| BIMI record published (if applicable) | dig TXT default._bimi.yourdomain.com — verify record present and logo URL accessible | Quarterly |
| BIMI logo SVG P/S compliant | BIMI Group validator at bimigroup.org — validates SVG format compliance | Annual |
Infrastructure Checklist: IPs, PTR, TLS
| Item | How to verify | Frequency |
|---|---|---|
| PTR records set for all sending IPs | dig -x SENDING_IP — must return a hostname | Monthly |
| FCrDNS valid (PTR hostname resolves back to same IP) | dig A PTR_HOSTNAME — must match sending IP | Monthly |
| PTR hostname matches EHLO/HELO hostname in MTA config | Check mail headers: Received: from EHLO_HOSTNAME — must match PTR | Quarterly |
| TLS enabled for all outbound SMTP connections | Check Received: headers for TLS cipher notation | Quarterly |
| TLS certificate valid and not expiring within 30 days | echo | openssl s_client -connect mail1.domain.com:25 -starttls smtp 2>&1 | openssl x509 -noout -dates | Monthly |
| All sending IPs not on major blacklists | MXToolbox blacklist check for each IP — Spamhaus, Barracuda, SORBS | Weekly |
| Microsoft SNDS status Green for all sending IPs | postmaster.live.com SNDS dashboard — all IPs should show Green | Weekly |
| IP warmup complete for any IPs added in past 90 days | Review Gmail Postmaster Tools domain reputation — should be High after warmup completes | Per IP addition |
| FBL enrollment active for Yahoo (CFL) and Microsoft (JMRP) | Verify FBL complaint emails are being received and processed | Annual |
| Bounce processing functional — hard bounces suppressed automatically | Send test to a known invalid address — verify it bounces and is added to suppression | Quarterly |
List Quality Checklist
| Item | Action | Frequency |
|---|---|---|
| Full list verification | Run complete active list through NeverBounce or ZeroBounce — remove invalid, risky, and catch-all segments | Semi-annual (Jan + Jul) |
| Hard bounce suppression — all bounced addresses removed | Audit suppression list against recent bounce logs — verify 100% coverage | Monthly |
| Engagement-based suppression active | Verify contacts with no open/click in 90+ days are in suppression hold or re-engagement queue | Monthly |
| Re-engagement sequence in place for lapsed contacts | Confirm automated re-engagement workflow is triggering correctly for disengaged contacts | Quarterly |
| Acquisition source quality monitoring | Track complaint rate and bounce rate per acquisition source — flag sources above 0.05% complaint rate | Monthly |
| Real-time verification at signup active | Test subscription form — submit an invalid email format and a known invalid domain — both should be rejected | Quarterly |
| Unsubscribe opt-outs processed within 10 days (CAN-SPAM requirement) | Audit recent opt-out requests — verify processing timestamps | Monthly |
| Global suppression list exported and backed up | Export complete suppression list and store securely — essential for ESP migration and disaster recovery | Monthly |
Monitoring Checklist: Postmaster Tools, FBL, SNDS
| Item | Target metric | Frequency |
|---|---|---|
| Gmail Postmaster Tools spam rate | Below 0.05% daily; never above 0.10% | Daily (weekly minimum) |
| Gmail Postmaster Tools domain reputation | High tier — investigate immediately if Medium or below | Weekly |
| Gmail Postmaster Tools authentication rate | 100% — any non-100% indicates unauthenticated sending sources | Weekly |
| Yahoo FBL complaint rate | Below 0.05% — Yahoo FBL typically leads Gmail reputation changes by 1-2 weeks | Daily |
| Microsoft SNDS IP status | All IPs Green — investigate any Yellow or Red immediately | Daily (during active sending) |
| Blacklist monitoring (all sending IPs) | Zero listings on Spamhaus SBL, Barracuda BRBL, SORBS — any listing requires immediate investigation | Daily (automated alert preferred) |
| Hard bounce rate per campaign | Below 0.5% per campaign — above this warrants list segment investigation | Per campaign |
| Per-ISP deferral rate (accounting log) | Below 10% at any major ISP — elevated deferral indicates rate limit or reputation issue | Per campaign |
| DNS record change monitoring | Zero unexpected changes — SPF, DKIM, DMARC, PTR records should match baseline | Automated continuous |
Content and Template Checklist
| Item | How to verify | Frequency |
|---|---|---|
| From name consistent and brand-recognisable | Review all From names across active sending streams — no fictitious person names | Quarterly |
| Subject lines accurate (no misleading content) | Review subject line approval process — verify no "Your account has been suspended" type lines for promotional email | Per campaign |
| Preheader present in all templates (CSS method, not white-on-white) | Check email source for span with display:none preheader — not white font colour on white background | Per template update |
| Unsubscribe link present and functional in all templates | Click unsubscribe link in test message — confirm it processes correctly | Quarterly |
| List-Unsubscribe and List-Unsubscribe-Post headers present | Check raw email headers — both headers required for MAGY compliance for bulk senders | Quarterly |
| Physical mailing address in footer (CAN-SPAM requirement) | Review all active email templates — must include current physical address | Quarterly |
| Plain text version present (multipart/alternative) | Check email source — Content-Type should be multipart/alternative with text/plain part | Per template update |
| Alt text on all images | View email with images disabled — all meaningful content should still be conveyed | Per template update |
| Color contrast WCAG 2.1 AA compliant | Check text/background contrast ratios using WebAIM Contrast Checker for all colour combinations | Per template update |
| Dark mode rendering correct | Test in Apple Mail dark mode and Gmail dark mode — no broken layouts or invisible text | Per template update |
| Email renders correctly with images disabled | View in Outlook (images off by default in many corporate environments) — must still be actionable | Per template update |
| No URL shorteners in email links | Scan all links in template — must use full branded or ESP click-tracking domain URLs | Per template update |
| mail-tester.com score above 8/10 | Send test message to mail-tester.com address — score below 8 warrants investigation | Per major template update |
Compliance Checklist: CAN-SPAM, GDPR, MAGY
| Item | Standard | Frequency |
|---|---|---|
| Unsubscribe requests processed within 10 business days | CAN-SPAM | Monthly audit |
| Physical mailing address current and accurate in all emails | CAN-SPAM | Quarterly |
| From address accurately identifies the sender | CAN-SPAM, CEMA | Quarterly |
| GDPR consent records maintained for EU subscribers | GDPR | Annual audit |
| Data processor agreements in place with ESP and any list vendors | GDPR | Annual |
| DKIM signing with own domain (not shared ESP domain) | MAGY (Google, Yahoo, Microsoft, Apple) | Monthly |
| DMARC record published at minimum p=none | MAGY | Quarterly |
| One-click unsubscribe functional (RFC 8058) | MAGY (bulk senders >5K/day to Gmail) | Quarterly |
| Gmail spam rate below 0.10% | MAGY (Google bulk sender requirement) | Daily monitoring |
| PTR/FCrDNS valid for all sending IPs | MAGY | Monthly |
| TLS for all SMTP connections | MAGY | Quarterly |
| Email archiving in place for financial/healthcare senders (FINRA, HIPAA) | Industry-specific | Annual |
ESP and Infrastructure Review Checklist
| Item | Action | Frequency |
|---|---|---|
| ESP pricing vs current volume — still cost-efficient? | Calculate total cost of ownership at current volume — compare against alternatives if above 1M monthly | Annual |
| ESP deliverability features still meet programme needs | Review ESP capabilities against programme requirements — dedicated IP, custom DKIM, FBL processing, per-ISP reporting | Annual |
| ESP uptime SLA compliance | Review ESP's uptime history for the past 12 months — any incidents affect SLA compliance | Annual |
| Backup MTA or ESP failover plan documented and tested | Run quarterly DR test — verify failover works within target RTO | Quarterly |
| API keys and credentials rotated | Rotate all ESP API keys, SMTP credentials, and webhook secrets — document new values securely | Annual |
| Sending volume capacity appropriate for planned campaigns | Calculate peak campaign volume needs for next 6 months — verify infrastructure can handle without IP exhaustion | Semi-annual |
Quarterly and Monthly Task Schedule
January (full annual review): Complete all checklist sections above. Run full list verification. Export and audit suppression list. Review ESP contract and costs. Document all findings and create remediation tasks for any gaps found. This is the biggest review of the year — allow 2-3 days for a thorough team review of a mid-size programme.
April (Q2 check): Authentication spot-check (SPF lookup count, DKIM key validity, DMARC policy). Infrastructure check (all IPs clear of blacklists, SNDS Green, FBL enrollment active). List quality: verify engagement-based suppression is running correctly. Compliance: verify MAGY requirements still met. Content: verify templates up to date with any recent ESP or ISP changes.
July (Q3 check): Same scope as Q2 check. Additionally: run mid-year list verification (second of the semi-annual verification passes). Review Postmaster Tools trends for Q2 — any reputation drift to address before Q4 ramp-up. Begin Q4 preparation planning (volume ramp schedule, IP capacity assessment).
October (pre-Q4 hardening): Critical pre-holiday preparation. Full list cleanup — suppress 90-day non-engagers. Verify IP capacity for Q4 volume. Implement infrastructure freeze (no config changes from Oct 15). Switch to daily Postmaster Tools monitoring. Verify backup MTA is operational (run DR test if not done in Q3).
Monthly tasks (every month): Gmail Postmaster Tools spam rate and domain reputation review. SNDS status check for all IPs. Blacklist monitoring report. Hard bounce rate review for recent campaigns. FBL complaint report review. DNS record baseline verification. Global suppression list backup.
The deliverability programme that systematically executes this checklist — on the annual, quarterly, and monthly cadences it specifies — consistently maintains the High reputation, 0% short/broken, and MAGY compliance that commercial email requires in 2026. No individual checklist item is technically complex; the discipline is in consistent execution across all items on their scheduled cadence. Build the schedule into the team calendar; assign each section to a responsible owner; and the deliverability programme will never be surprised by an infrastructure configuration gap or list quality problem that a routine check would have caught weeks earlier.
Using This Checklist Effectively
A checklist is only useful when it produces action, not just documentation. After each review cycle, every gap found should be assigned to a specific owner with a deadline. Authentication gaps are typically resolved within 1-2 days (DNS record updates propagate quickly). List quality gaps take 1-2 weeks to address completely (verification runs take time; engagement suppression logic takes a deployment cycle). Compliance gaps may take 2-4 weeks depending on the change involved (template updates, consent record audits, processor agreement negotiations). Infrastructure gaps vary widely — a missing PTR record might be resolved in a support ticket within hours; an IP capacity issue might require a 6-8 week warmup cycle before the new IP is ready for production use.
The prioritisation framework: P1 (address within 24 hours) — active blacklist listings, authentication failures causing delivery rejection, spam rate above 0.10%. P2 (address within one week) — DMARC at p=none, missing FCrDNS, SNDS Yellow status, hard bounce rate above 1%. P3 (address within one month) — DKIM key below 2048-bit, missing BIMI, colour contrast failures in templates, incomplete consent records. P4 (address in next quarter) — ESP pricing review, template accessibility improvements, DMARC advancement to p=reject from p=quarantine.
The team that runs this checklist consistently — treating email deliverability as the operational discipline it is rather than the reactive crisis response it becomes when unmanaged — operates with a confidence in their programme's foundations that teams without systematic review cannot have. Build the discipline; execute the schedule; and the deliverability programme will stay healthy through every platform change, ISP requirement update, and audience evolution the commercial email landscape delivers.