Cloud Server for Email
cloudserverforemail.com · infrastructure@cloudserverforemail.com · +372 602 3545
EU-Based Infrastructure
Operating Since 2015
Operating Since 2015
Email Deliverability Incident Response Runbook
Step-by-Step Response for Common Deliverability Incidents
Version 2026-04 · Cloud Server for Email
Incident Type 1: Gmail Deferral Rate Spike
Trigger: Gmail deferral rate exceeds 15% for 2+ consecutive hours
- Immediate (0–30 min): Reduce max-smtp-out to 50% of current value for gmail.com domain block
- Pause any active cold/reactivation campaigns immediately
- Check Google Postmaster Tools: domain reputation and spam rate (look for spike in last 24h)
- Investigation (30 min – 2h): Query accounting log dsnDiag for dominant Gmail response text
- Compare current campaign segments to last clean campaign (list segment change?)
- Check if a new IP was added to pool without proper warming
- Resolution: If spam rate elevated: identify offending segment, suppress, reduce volume
- If IP reputation issue: isolate affected IP from pool; warm separately
- Monitor: deferral rate should return below 5% within 24–48h
Incident Type 2: Microsoft SNDS Red Status
Trigger: SNDS shows Red for any sending IP
- Immediate: Pause ALL sending from affected IP; reroute traffic to other pool IPs
- Check SNDS data: complaint rate and trap hit count for affected IP
- Check JMRP inbox: review last 48h complaint messages for source campaign
- Investigation: Identify which campaign sent to Outlook recipients in last 48–72h
- Look for: list purchases, reactivation segments, cold lists mixed into warm pool
- Remediation: Suppress all Outlook non-openers (180+ days) before next Outlook send
- Submit SNDS remediation request after identifying and resolving root cause
- Resume low-volume sending to Outlook (10% of normal) after SNDS turns Yellow
- Full volume restoration when SNDS Green for 5 consecutive days
Incident Type 3: Active Blacklisting
Trigger: Bounce messages contain blacklist reference, or monitoring alert fires
- Immediate: Pause delivery from blacklisted IP; reroute to other IPs
- Identify exact blacklist(s) and listing date
- Check if listing correlates with specific campaign or time window
- Investigation: Root cause analysis: spam trap hit? complaint spike? unauthorized access?
- Verify server is secure: check for open relay, malware, unauthorized processes
- Remediation: Fix root cause completely before submitting removal request
- Submit removal request (see Blacklist Removal Guide)
- Monitor removal: most complete within 24–48h of valid request
- Resume low-volume sending after removal confirmed
Incident Type 4: Authentication Failure (DMARC)
Trigger: Bounce messages show 5.7.26 (DMARC fail) or 5.7.28 (SPF fail) at volume
- Immediate: Send test email; inspect Authentication-Results header
- Check: is DKIM signature present? Does dkim=pass show in Authentication-Results?
- Check: does SPF pass? Is sending IP in SPF record?
- Common causes: IP address changed/added but SPF not updated; DKIM key expired; new server not configured for signing
- Fix SPF: Add new sending IP to SPF TXT record at sending domain
- Fix DKIM: Verify dkim-key config in PowerMTA; check DNS TXT record; run pmta reload
- Verify: Send test email post-fix; confirm dkim=pass and spf=pass
- Gmail typically clears 5.7.26/5.7.28 rejections within 1–4 hours of auth fix
Post-Incident Documentation Template
| Field | Value |
|---|---|
| Incident date/time | |
| Incident type | |
| ISPs affected | |
| Duration | |
| Root cause | |
| Fix applied | |
| Prevention measure | |
| Estimated impact (emails not delivered) |