Email Deliverability Checklist for 2026

Authentication Setup

• SPF record published for your sending domain with your SMTP provider's IPs included. Verify with a DNS lookup tool. (SPF setup guide)
• DKIM signing enabled with your own domain (not the provider's domain). DKIM public key published in DNS and matching the private key your provider uses to sign. (DKIM setup guide)
• DMARC record published with at minimum p=none for monitoring, ideally p=quarantine or p=reject for enforcement. Gmail and Yahoo require DMARC for bulk senders as of 2024. (DMARC setup guide)
• Return-Path domain alignment so the envelope sender domain matches or is a subdomain of your From domain. This is required for SPF alignment under DMARC.
• DMARC aggregate reports being received and reviewed. These reports from mailbox providers tell you who is sending email using your domain and whether authentication is passing.

Domain and IP Reputation

• Sending domain age is at least 30 days. Brand new domains are treated with suspicion by mailbox providers. (Domain warming guide)
• Domain not on any blocklists. Check your domain against Spamhaus DBL, SURBL, and URIBL. Being listed on any of these will cause widespread delivery failures.
• Sending IP not on blocklists. Check your IPs against Spamhaus SBL/XBL, Barracuda, and SpamCop. If using shared IPs, your provider should monitor this for you.
• IP warming completed if using a dedicated IP. New IPs must be warmed gradually over 2-4 weeks with increasing volume. (IP warming guide)
• Google Postmaster Tools configured for your sending domain. This gives you direct visibility into how Gmail rates your domain reputation and spam rate.
• Microsoft SNDS registered if you send significant volume to Outlook/Hotmail addresses. Smart Network Data Services shows your sending reputation from Microsoft's perspective.

List Hygiene

• All email addresses are opt-in. Never send to purchased, rented, or scraped lists. Permission-based lists have dramatically better deliverability and lower complaint rates.
• Hard bounces removed immediately. Your platform should automatically remove addresses that return permanent failure codes. Continuing to send to hard bounces signals poor list management to mailbox providers.
• Soft bounce threshold set. Addresses that soft bounce consistently (3-5 times in a row) should be moved to a review queue or removed.
• Spam complainers suppressed permanently. Anyone who reports your email as spam must never receive another message from you. (Suppression list guide)
• Unsubscribes processed immediately. CAN-SPAM requires processing within 10 business days, but best practice is instant removal.
• Inactive subscribers identified. Contacts who have not opened or clicked in 6+ months should be segmented into a re-engagement campaign or removed. (List cleaning guide)
• List validated periodically. Run your list through an email validation service every 3-6 months to catch addresses that have gone invalid since your last send.

Sending Configuration

• List-Unsubscribe header included on every marketing email. Gmail and Yahoo require this header for bulk senders. It enables one-click unsubscribe directly from the email client interface.
• From address is consistent and uses a domain you have authenticated. Changing your From address frequently confuses recipients and can hurt recognition-based filtering.
• Reply-To address is monitored. If people reply to your marketing emails, someone should be reading and responding. Unmonitored reply addresses lead to frustrated recipients who may report you as spam instead.
• Sending volume is consistent. Avoid large spikes in volume that look suspicious to mailbox providers. If you need to increase volume, do it gradually over days or weeks. (ISP volume management guide)
• ISP-level send pacing configured. Spread your sending across time rather than blasting your entire list simultaneously. This is especially important for Outlook, which is more sensitive to sending bursts than Gmail.
• Webhook reporting active for your SMTP provider. You need real-time bounce, complaint, and delivery data to maintain list hygiene automatically. (Webhook setup guide)

Content Best Practices

• Physical mailing address included in every marketing email. Required by CAN-SPAM.
• Visible unsubscribe link in the email body. Do not bury it in tiny text at the bottom of a long footer.
• Text-to-image ratio is balanced. Emails that are mostly images with minimal text are more likely to be filtered. Include enough text content for filters to evaluate.
• No URL shorteners in email links. Bit.ly and similar services are heavily used by spammers, and their domains frequently appear on blocklists. Use full destination URLs.
• Subject line is accurate. Misleading subject lines violate CAN-SPAM and trigger spam complaints when recipients feel deceived.
• HTML is valid and well-formed. Broken HTML can trigger spam filters and causes rendering issues across email clients.

2026-Specific Requirements

These requirements became mandatory or significantly more enforced starting in 2024-2025 and are now fully in effect:

• Gmail bulk sender requirements: Senders of 5,000+ emails per day to Gmail must have SPF, DKIM, and DMARC all configured. Must include one-click List-Unsubscribe header. Spam complaint rate must stay below 0.3%, with 0.1% or lower as the target.
• Yahoo bulk sender requirements: Similar to Gmail's requirements with SPF, DKIM, DMARC, and one-click unsubscribe mandatory for bulk senders.
• DMARC enforcement trending toward reject: More organizations are moving their DMARC policies from p=none (monitoring) to p=quarantine or p=reject (enforcement). If your authentication is not properly aligned, more of your email will be rejected outright rather than just monitored.
• Apple Mail Privacy Protection is universal: Assume that all Apple Mail users generate inflated open rates. Do not rely on open rate alone for engagement measurement. Use click tracking as your primary engagement metric.

Monthly Maintenance

• Review DMARC aggregate reports for unauthorized senders using your domain
• Check domain and IP reputation using Google Postmaster Tools and blocklist monitors
• Review bounce and complaint rates from your last 30 days of sending
• Remove or re-engage subscribers who have been inactive for 6+ months
• Verify authentication records still pass by sending test emails to seed accounts
• Review your sender reputation score and address any declining trends