Email Deliverability Checklist for Developers
A practical checklist to ensure your transactional emails actually reach the inbox. Authentication, content, infrastructure—everything you need.
You built the feature. You integrated the email API. But emails are landing in spam. Here's a no-nonsense checklist to fix that.
The essentials:
- Set up SPF, DKIM, DMARC (non-negotiable)
- Send from a subdomain
- Include plain text + List-Unsubscribe header
- Handle bounces automatically
- Monitor bounce rate (<2%) and complaint rate (<0.1%)
Authentication (Non-Negotiable)
Email authentication tells inbox providers you're legit. Without it, you're basically anonymous mail.
Need a deeper explanation? Read DKIM, SPF, and DMARC Explained Simply.
SPF (Sender Policy Framework)
SPF tells receivers which servers can send email for your domain.
v=spf1 include:sendpigeon.com ~all
Add this TXT record to your domain's DNS. Replace with your actual email provider's include statement.
Check: Use our free deliverability checker or MXToolbox to verify.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to your emails, proving they weren't tampered with.
Your email provider gives you a public key to add as a DNS record:
sendpigeon._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0G..."
Check: Send a test email and inspect headers for dkim=pass.
DMARC (Domain-based Message Authentication)
DMARC tells receivers what to do when SPF/DKIM fail. Start with monitoring:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Once you're confident, move to p=quarantine or p=reject.
Infrastructure
Use Subdomains for Email
Send from mail.yourdomain.com or notifications.yourdomain.com, not your root domain. This isolates email reputation from your main domain.
If your marketing emails get flagged, your transactional emails from a different subdomain stay unaffected.
Set Up Proper PTR Records
Your sending IP should have a reverse DNS (PTR) record that matches your sending domain. Most email providers handle this, but verify.
Dedicated IP (Maybe)
Shared IPs are fine for low volume. But if you're sending 50k+ emails/month, a dedicated IP gives you full control over reputation.
The catch: you need to warm it up gradually. Don't blast 100k emails day one.
Content Best Practices
Keep it Simple
- Plain text alternative for every HTML email
- No URL shorteners (they look spammy)
- Minimal images, especially in transactional email
- Avoid spam trigger words ("FREE!!!", "Act Now")
Include Required Headers
From: YourApp <notifications@mail.yourapp.com>
Reply-To: support@yourapp.com
List-Unsubscribe: <mailto:unsubscribe@yourapp.com>
Even transactional emails benefit from a List-Unsubscribe header. Gmail shows an unsubscribe button for emails with this header.
Test Before Sending
Send test emails to:
- Gmail (personal)
- Outlook/Hotmail
- Yahoo
- Your work email
Check if they land in inbox or spam. Check how they render.
Monitoring
Watch Your Metrics
| Metric | Target | Why it matters |
|---|---|---|
| Bounce rate | <2% | Hard bounces hurt reputation |
| Complaint rate | <0.1% | Complaints are reputation killers |
| Open rate | Consistent | Sudden drops indicate deliverability issues |
Handle Bounces Immediately
| Type | Action |
|---|---|
| Hard bounce (invalid address) | Remove from list immediately |
| Soft bounce (temporary) | Retry 2-3 times, then remove |
| Complaint | Never email that address again |
Set Up Feedback Loops
Register with major ISPs to receive complaint notifications:
Quick Checklist
Use our free deliverability checker to instantly verify SPF, DKIM, and DMARC for any domain.
| Item | Status |
|---|---|
| SPF record configured | ☐ |
| DKIM signing enabled | ☐ |
| DMARC policy set (start with p=none) | ☐ |
| Sending from subdomain | ☐ |
| PTR record matches sending domain | ☐ |
| Plain text alternative included | ☐ |
| List-Unsubscribe header present | ☐ |
| Bounce handling automated | ☐ |
| Complaint handling automated | ☐ |
| Monitoring dashboards set up | ☐ |
The Reality
Perfect authentication won't guarantee inbox placement. ISPs use hundreds of signals. But missing authentication almost guarantees spam placement.
Get the basics right, monitor your metrics, and iterate. Deliverability is an ongoing process, not a one-time setup.
Next Steps
- Need help with authentication? Check our step-by-step setup guide or use our email authentication checker
- Ready to send? See our framework guides for Next.js, Remix, and more
- Need email HTML? Browse our email templates for ready-to-use code
- Testing first? Set up an email sandbox so you don't accidentally email real users
- Comparing providers? See SendPigeon vs Resend, vs Mailtrap, vs Amazon SES