Cold Email Deliverability Audit: The Complete Self-Check Checklist

Deliverability doesn't degrade overnight. It erodes gradually -- a DNS record that expires, a blacklist you didn't notice, a warmup pool that went stale. By the time your reply rates drop, the damage is already done and recovery takes weeks.

The solution is a systematic audit. Running through a structured checklist on a regular cadence catches problems while they're still small. This guide gives you the complete self-check framework: every DNS record, blacklist source, warmup metric, content signal, sending pattern, and list hygiene practice you should verify on a monthly basis.

Each section includes a pass/fail checklist. Work through them in order -- DNS issues compound into blacklist problems, which compound into deliverability collapse. Catching them upstream saves you from firefighting downstream.

1. DNS & Authentication Audit

DNS authentication is the foundation of deliverability. If your SPF, DKIM, or DMARC records are misconfigured, broken, or missing, nothing else in this checklist matters -- email providers will filter your messages regardless of how good your content is.

Run these checks on every sending domain:

• SPF record exists and passes validation -- Verify your SPF record is published, includes all authorized sending IPs, and doesn't exceed the 10-lookup limit. Use dig TXT yourdomain.com or an online SPF validator to confirm. A missing or broken SPF record is the single most common DNS failure.
• DKIM signing active with 2048-bit key -- Confirm DKIM signatures are being applied to outbound mail and that your key length is 2048 bits (not the legacy 1024-bit). Check the DKIM selector DNS record and verify signatures pass validation on recent sent emails.
• DMARC policy set to quarantine or reject -- A DMARC policy of p=none provides monitoring but no protection. Move to p=quarantine at minimum, ideally p=reject. Verify your DMARC record includes a reporting address (rua=) so you receive aggregate reports.
• MX records configured and responding -- Even on domains used only for sending, MX records should be configured and pointing to a live mail server. Some spam filters penalize domains with no MX records. Verify the MX target responds on port 25.
• No duplicate or conflicting DNS records -- Check for multiple SPF records (only one is allowed per domain), conflicting MX entries, or stale DKIM selectors from previous providers. Duplicate SPF records cause authentication failures.

For a step-by-step DNS setup walkthrough, see our DNS setup checklist. Winnr configures SPF, DKIM, and DMARC automatically on every domain, but you should still verify records haven't been accidentally modified if you manage DNS externally.

2. Blacklist Check

Blacklists (DNSBLs) are shared databases of IPs and domains identified as spam sources. Landing on one can cut your inbox placement rate in half overnight. The tricky part: you can get listed without doing anything wrong, simply because a shared IP was abused by another sender.

Check these sources monthly:

• MXToolbox blacklist check -- Covers 100+ blacklists in a single query. Enter your sending domain and each sending IP. Pay particular attention to Spamhaus (SBL/XBL/PBL), Barracuda, and SORBS -- these are the lists that major email providers actually reference in their filtering decisions.
• Google Postmaster Tools -- Free dashboard showing your domain reputation as seen by Gmail. Check for reputation drops from "High" to "Medium" or "Low." Gmail processes over 60% of B2B email, so their reputation score is the most important single indicator.
• Microsoft SNDS (Smart Network Data Services) -- Microsoft's equivalent of Postmaster Tools for Outlook/Hotmail/Office 365. Shows your IP reputation, spam complaint rates, and trap hits. Requires registration with the sending IP owner.

If you find a listing: Don't panic. Most blacklists have self-service delisting processes. The critical step is identifying why you were listed (usually a spam trap hit or complaint spike) and fixing the root cause before requesting removal. Simply delisting without fixing the underlying issue leads to re-listing within days.

For a full recovery playbook, read our guide on recovering a burned domain.

3. Warmup Health Check

Email warmup builds sender reputation by exchanging emails with a network of real inboxes. But warmup isn't set-and-forget -- pool quality degrades, providers update their filters, and accounts can silently fall out of warmup rotation without anyone noticing.

Verify these on every sending account:

• Warmup still active on all sending accounts -- Log into your warmup provider and confirm every account shows active status. It's common for accounts to get paused after a password change, an IMAP connection reset, or a provider-side error -- and the failure is usually silent.
• Warmup emails landing in inbox (not spam) -- Check the inbox placement rate reported by your warmup provider. If warmup emails are landing in spam, your actual outbound emails are almost certainly hitting spam too. This is the earliest warning signal you'll get.
• Warmup volume at 15-25/day per account -- Too little warmup doesn't build enough reputation. Too much looks artificial. The sweet spot for most accounts is 15-25 warmup emails per day, with the total daily volume (warmup + real sends) staying under the provider's safe threshold.
• Bounce rate on warmup emails under 1% -- Warmup emails should have near-zero bounces because they're sent to known-good addresses. A bounce rate above 1% indicates a problem with the warmup pool -- stale addresses, inactive accounts, or a degraded provider network.
• Warmup provider pool quality verified -- Not all warmup networks are equal. Pools dominated by other cold emailers (sending to each other) provide less signal than pools including genuine business inboxes. If your warmup provider's inbox placement rate has dropped below 85%, consider switching.

For a detailed comparison of warmup approaches, see our warmup provider guide.

4. Content Analysis

Content filters have become sophisticated enough to detect cold email patterns even when authentication is perfect. The goal is to make every outbound message look like a genuine one-to-one email from a real person, because that's exactly what email providers reward.

Review your current email templates against these criteria:

• Plain text format (no HTML templates) -- Cold emails should be plain text. HTML templates with styled headers, images, and footers scream "marketing email" to spam filters. Even basic HTML formatting (bold, colors, font changes) increases filtering risk. The most successful cold emails look identical to what you'd type in Gmail.
• No tracking pixels or link wrapping -- Open-tracking pixels and click-tracking link redirects are among the strongest spam signals in 2026. Every major sequencer wraps links through their tracking domain, and email providers maintain lists of known tracking domains. Remove all tracking or use a dedicated tracking domain with established reputation.
• No spam trigger words -- Avoid overused sales language: "guaranteed," "act now," "limited time," "free trial," "schedule a call." These phrases alone won't send you to spam, but they compound with other signals. Write like you're emailing a colleague, not writing ad copy.
• Spintax variations active -- Every email in a campaign should be unique. Use spintax (text rotation syntax) to vary greetings, opening lines, value propositions, and sign-offs. Sending identical emails across hundreds of recipients is a strong spam pattern. For a deep dive, see our spintax guide.
• Links minimal (0-1 per email) -- Each link in a cold email is an opportunity for spam filters to flag the message. Zero links is safest. If you must include a link, limit it to one and use your own domain (not a shortened URL or tracking redirect).
• Email length 50-125 words -- Short emails outperform long ones for both deliverability and reply rate. Emails under 50 words can look automated; emails over 125 words get skimmed or ignored. The sweet spot is a concise, personalized message that respects the recipient's time.

5. Sending Pattern Audit

Email providers track sending patterns across days, weeks, and months. Sudden volume changes, unnatural timing distributions, and mechanical consistency are all signals that distinguish bulk senders from legitimate business email users.

Check these patterns weekly:

• Volume per account under 40-50/day -- This includes both warmup and real sends. Exceeding 50 emails per day per account on Google Workspace or Microsoft 365 is the single fastest way to trigger a suspension. Stay in the 30-40 range for safety, and read our sending limits guide for provider-specific thresholds.
• Sends distributed across business hours -- Emails should go out between 8am and 6pm in the recipient's timezone, with natural variation. Sending 40 emails in a 15-minute burst at 3am is an obvious automation signal. Use randomized delays between sends and spread volume across the full business day.
• No volume spikes vs previous week -- Compare this week's daily send volume to last week's. A sudden jump (e.g., 20/day to 50/day) triggers provider scrutiny. If you need to increase volume, ramp up gradually -- add no more than 10-15% per week.
• Weekend/holiday schedules appropriate -- Legitimate business email volume drops on weekends and holidays. If your automation sends the same volume seven days a week, it looks automated. Reduce or pause sends on weekends unless your audience is in an industry where weekend email is normal.
• Account rotation working correctly -- If you're using multiple accounts, verify the rotation logic is distributing sends evenly. A common failure mode is one account handling 80% of volume while others sit idle, which overloads the active account and wastes the reputation of the idle ones.

6. List Hygiene Audit

Your sending list is only as good as the data in it. Bad addresses cause bounces, spam traps destroy reputation, and stale contacts generate complaints. List hygiene isn't glamorous, but it's responsible for more deliverability rescues than any other single practice.

• All addresses verified before sending -- Run every new list through an email verification service before importing. Verification catches invalid addresses, disposable emails, and known spam traps. The cost is negligible compared to the reputation damage from sending to bad addresses.
• Bounce rate under 2% (ideally under 1%) -- Track your hard bounce rate per campaign. If any campaign exceeds 2%, immediately pause sending from that list and re-verify. Hard bounces above 3% can trigger provider-level blocks that affect all your accounts.
• Unsubscribes processed immediately -- When someone replies asking to be removed (or clicks an unsubscribe link), process it within minutes, not days. Delayed unsubscribe processing leads to spam complaints, which are far more damaging to reputation than unsubscribes.
• Catch-all domains identified and handled -- Catch-all domains accept email to any address, which means verification services can't confirm whether a specific mailbox exists. These addresses have higher bounce rates over time as catch-all configurations change. Flag them in your CRM and monitor their bounce rates separately.
• No purchased or scraped lists in use -- Purchased lists are the fastest path to deliverability ruin. They contain spam traps, outdated addresses, and people who never consented to receive your email. If any team member has imported a purchased list, quarantine those contacts immediately and verify each one individually.

7. Key Metrics Dashboard

Numbers don't lie. Track these five metrics monthly and compare against the thresholds below. If any metric enters the "Warning" zone, investigate immediately. If it hits "Critical," pause sending and audit before continuing.

Reading the table: A bounce rate under 1% means your list is clean and your sending infrastructure is healthy. An open rate above 40% indicates strong inbox placement and relevant subject lines. Reply rates above 3% show your messaging resonates with the audience. Spam placement under 5% means your authentication and content are passing filter checks. And a warmup inbox rate above 90% confirms your accounts have strong underlying reputation.

When multiple metrics enter the Warning zone simultaneously, treat it as a Critical situation -- compounding issues accelerate faster than isolated ones. For a deeper analysis of what these numbers mean in context, see our deliverability benchmarks guide.

8. Recommended Audit Schedule

Not every check needs to happen at the same frequency. Some metrics shift daily, while others are stable for months. Here's the cadence that balances thoroughness with practicality:

Daily (2 minutes)

• Check bounce rates on yesterday's sends
• Verify warmup is active and inbox placement is healthy
• Review any provider notifications or account warnings

Weekly (10 minutes)

• Review open and reply rates by campaign and account
• Check sending volume distribution across accounts
• Verify no single account is overloaded
• Process any pending unsubscribes

Monthly (30-45 minutes)

• Run the full audit -- all sections above, start to finish
• Check MXToolbox blacklists for all sending domains and IPs
• Review Google Postmaster Tools and Microsoft SNDS dashboards
• Verify DNS records haven't changed or expired
• Re-verify any list segments with rising bounce rates
• Update the metrics dashboard table with this month's numbers

Quarterly (1 hour)

• Deep DNS review: check every sending domain's SPF, DKIM, and DMARC records
• Comprehensive blacklist scan across all monitoring services
• Evaluate warmup provider performance -- consider switching if inbox rates have declined
• Review and update email copy for freshness and compliance
• Audit account rotation strategy and domain portfolio health

Set calendar reminders for each cadence. The monthly audit is the most important -- it's the one that catches the slow-burn issues that daily checks miss.

Related guides: Start with our DNS setup checklist if you're configuring infrastructure from scratch. Read the cold email best practices guide for a broader strategy overview. Compare warmup providers if your current provider's pool quality has declined. If you're already in trouble, see our burned domain recovery guide. And benchmark your results against industry averages in our 2026 deliverability benchmarks.