Email Deliverability Incident Response Runbook

Cloud Server for Email
cloudserverforemail.com · infrastructure@cloudserverforemail.com · +372 602 3545
EU-Based Infrastructure
Operating Since 2015
Email Deliverability Incident Response Runbook
Step-by-Step Response for Common Deliverability Incidents
Version 2026-04 · Cloud Server for Email

Incident Type 1: Gmail Deferral Rate Spike

Trigger: Gmail deferral rate exceeds 15% for 2+ consecutive hours

  • Immediate (0–30 min): Reduce max-smtp-out to 50% of current value for gmail.com domain block
  • Pause any active cold/reactivation campaigns immediately
  • Check Google Postmaster Tools: domain reputation and spam rate (look for spike in last 24h)
  • Investigation (30 min – 2h): Query accounting log dsnDiag for dominant Gmail response text
  • Compare current campaign segments to last clean campaign (list segment change?)
  • Check if a new IP was added to pool without proper warming
  • Resolution: If spam rate elevated: identify offending segment, suppress, reduce volume
  • If IP reputation issue: isolate affected IP from pool; warm separately
  • Monitor: deferral rate should return below 5% within 24–48h

Incident Type 2: Microsoft SNDS Red Status

Trigger: SNDS shows Red for any sending IP

  • Immediate: Pause ALL sending from affected IP; reroute traffic to other pool IPs
  • Check SNDS data: complaint rate and trap hit count for affected IP
  • Check JMRP inbox: review last 48h complaint messages for source campaign
  • Investigation: Identify which campaign sent to Outlook recipients in last 48–72h
  • Look for: list purchases, reactivation segments, cold lists mixed into warm pool
  • Remediation: Suppress all Outlook non-openers (180+ days) before next Outlook send
  • Submit SNDS remediation request after identifying and resolving root cause
  • Resume low-volume sending to Outlook (10% of normal) after SNDS turns Yellow
  • Full volume restoration when SNDS Green for 5 consecutive days

Incident Type 3: Active Blacklisting

Trigger: Bounce messages contain blacklist reference, or monitoring alert fires

  • Immediate: Pause delivery from blacklisted IP; reroute to other IPs
  • Identify exact blacklist(s) and listing date
  • Check if listing correlates with specific campaign or time window
  • Investigation: Root cause analysis: spam trap hit? complaint spike? unauthorized access?
  • Verify server is secure: check for open relay, malware, unauthorized processes
  • Remediation: Fix root cause completely before submitting removal request
  • Submit removal request (see Blacklist Removal Guide)
  • Monitor removal: most complete within 24–48h of valid request
  • Resume low-volume sending after removal confirmed

Incident Type 4: Authentication Failure (DMARC)

Trigger: Bounce messages show 5.7.26 (DMARC fail) or 5.7.28 (SPF fail) at volume

  • Immediate: Send test email; inspect Authentication-Results header
  • Check: is DKIM signature present? Does dkim=pass show in Authentication-Results?
  • Check: does SPF pass? Is sending IP in SPF record?
  • Common causes: IP address changed/added but SPF not updated; DKIM key expired; new server not configured for signing
  • Fix SPF: Add new sending IP to SPF TXT record at sending domain
  • Fix DKIM: Verify dkim-key config in PowerMTA; check DNS TXT record; run pmta reload
  • Verify: Send test email post-fix; confirm dkim=pass and spf=pass
  • Gmail typically clears 5.7.26/5.7.28 rejections within 1–4 hours of auth fix

Post-Incident Documentation Template

FieldValue
Incident date/time
Incident type
ISPs affected
Duration
Root cause
Fix applied
Prevention measure
Estimated impact (emails not delivered)