Last verified: June 16, 2026
TL;DR
An email deliverability audit is a structured diagnostic that examines every technical, reputational, and content-level factor affecting whether messages reach the inbox. A thorough audit covers sender authentication records, IP and domain reputation, list hygiene, engagement signals, and content analysis. The depth and sequencing of these components vary by provider, but the most actionable audits produce prioritized remediation steps, not just a status report.
What an Email Deliverability Audit Actually Examines
An email deliverability audit is a systematic review of the infrastructure, configuration, and sending behavior that mailbox providers use to decide whether a message lands in the inbox, the spam folder, or gets blocked entirely. The audit is distinct from a one-time spam test, distinct from an ESP health dashboard, and distinct from a blacklist check. Those tools surface symptoms; an audit traces root causes.
The scope of a substantive audit spans four interconnected layers: technical authentication, sender reputation, list and engagement quality, and message content. Weakness in any single layer can suppress inbox placement rates even when the other three are clean. A credible audit treats these layers as interdependent rather than as a checklist of isolated items.
The Technical Authentication Layer: What Gets Checked and Why It Matters
Authentication is the foundation every other deliverability factor rests on. An audit examines whether SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) records are correctly configured, aligned, and enforced. Misconfigured SPF records with too many DNS lookups, DKIM keys that are too short (below 2048-bit is now considered weak), or a DMARC policy sitting at p=none with no enforcement are all findings that appear in nearly every audit of a sender who is experiencing deliverability problems.
BIMI (Brand Indicators for Message Identification) is a newer layer that audits increasingly include. BIMI requires a DMARC policy at enforcement (p=quarantine or p=reject) and a verified mark certificate before a brand logo displays in supporting mailboxes. Auditors check whether the prerequisites are in place and whether the BIMI record itself is correctly published.
Beyond the DNS records themselves, an audit examines sending infrastructure alignment: whether the envelope From domain, the header From domain, and the DKIM signing domain are aligned as DMARC requires. Misalignment is a common root cause of DMARC failures that senders often overlook because individual authentication checks pass while the alignment check fails.
Reputation Signals: IP, Domain, and Sending History
Sender reputation is not a single score. An audit examines reputation at the IP level, the domain level, and increasingly at the brand or entity level that major mailbox providers like Google and Microsoft maintain internally. These signals are partially visible through public tools and partially inferred from behavioral data.
At the IP level, the audit checks whether sending IPs appear on major DNS-based blocklists (DNSBLs) such as Spamhaus ZEN, Barracuda, or SURBL, and whether the IP's reverse DNS (PTR record) is correctly configured. A PTR record that does not resolve to a hostname matching the sending domain is a low-effort fix that materially affects deliverability at some receiving systems.
Domain reputation analysis looks at the age of the sending domain, its historical sending volume, and any prior spam complaints associated with it. A domain that was recently registered and immediately used for high-volume sending will encounter friction at Gmail and Outlook regardless of clean authentication, because mailbox providers weight domain age and sending consistency as trust signals. Auditors also examine Google Postmaster Tools data (for Gmail) and Microsoft SNDS (Smart Network Data Services) data for Outlook, where available, because these platforms publish domain and IP reputation signals directly to senders who have verified ownership.
The audit should also surface whether the sender is enrolled in relevant feedback loops (FBLs). FBLs from providers like Yahoo and Comcast route spam complaint notifications back to the sender, enabling list suppression. Senders not enrolled in available FBLs are flying blind on complaint rates.
List Quality and Engagement: The Signals Mailbox Providers Weight Most
List hygiene and engagement data have become the dominant deliverability signals at Gmail and Outlook over the past several years. An audit examines both the composition of the list and the behavioral signals the list generates.
On the composition side, auditors look for invalid addresses (hard bounces), role-based addresses (info@, support@, admin@) that are prone to spam complaints, spam trap addresses embedded in purchased or scraped lists, and unengaged subscribers who have not opened or clicked in an extended window. The acceptable threshold for hard bounce rates is generally below 2%, and complaint rates above 0.1% (Google's published threshold for Gmail) trigger deliverability suppression.
Engagement analysis examines open rates, click rates, and unsubscribe rates segmented by recency cohort. A list where 60% of addresses have not engaged in 12 months is a structural deliverability liability, even if the addresses are technically valid. Auditors assess whether the sender has a re-engagement or sunset policy in place and whether suppression lists are being applied correctly across all sending streams.
The audit should also examine list acquisition practices: whether subscribers opted in explicitly, whether confirmation emails were sent (double opt-in), and whether the acquisition source is documented. Purchased lists and co-registration lists are root causes of spam trap exposure and elevated complaint rates that no technical fix can fully compensate for.
Content and Infrastructure Checks: The Final Diagnostic Layer
Content analysis in a deliverability audit is narrower than a full creative review. Auditors are looking for signals that content filters flag: spam trigger phrases, excessive use of HTML image-to-text ratios that skew heavily toward images, broken or redirecting links, URL shorteners that obscure destination domains, and missing or malformed unsubscribe mechanisms.
CAN-SPAM (United States), CASL (Canada), and GDPR (European Union) each impose specific requirements on commercial email. An audit checks whether the physical mailing address is present, whether the unsubscribe mechanism functions within the required timeframe (10 business days under CAN-SPAM), and whether consent records are being maintained. Compliance gaps here create legal exposure in addition to deliverability risk.
Infrastructure checks at this layer include verifying that dedicated sending IPs are properly warmed if they are new, that sending volume is consistent rather than spiking erratically, and that transactional and marketing streams are separated onto distinct IP pools or subdomains. Mixing transactional mail (password resets, receipts) with marketing mail on the same IP means that a spam complaint spike from a promotional campaign can suppress delivery of transactional messages that recipients actually want.
A well-structured audit also examines seed list testing results, where available. Seed testing sends a message to a panel of real mailbox addresses across providers and reports inbox vs. spam folder placement by provider. Tools like GlockApps and MailGenius provide this capability. Seed test results are a useful diagnostic snapshot, though they reflect placement at the moment of sending and do not capture the engagement-based filtering that affects real subscriber lists over time.
What a Deliverability Audit Should Produce
The output of an audit is where quality varies most significantly across providers. A status report that lists findings without prioritization or remediation guidance has limited operational value. A substantive audit produces a prioritized action plan that distinguishes between critical fixes (authentication failures, active blacklistings, complaint rates above threshold) and lower-priority improvements (BIMI implementation, re-engagement campaign design).
Prioritization matters because senders with limited technical resources cannot address every finding simultaneously, and some fixes have immediate inbox placement impact while others are longer-term infrastructure investments. An audit that treats a missing BIMI record with the same urgency as a broken DMARC policy is not calibrated to actual risk.
The audit output should also establish a baseline inbox placement rate by mailbox provider, so that remediation progress can be measured. Without a baseline, it is impossible to determine whether changes made after the audit actually improved deliverability or whether inbox placement shifted for unrelated reasons. A credible audit defines the measurement window and the methodology used to calculate placement rates, rather than citing a single aggregate number that obscures provider-level variation.
Senders evaluating audit providers should ask specifically what the deliverable looks like, how findings are prioritized, and what the methodology is for measuring inbox placement before and after remediation. The answer to those questions distinguishes a substantive diagnostic from a surface-level report.