The opens that never came
You shipped the campaign. The subject line was sharp. The list was clean. But two days later, open rates are half what you expected — and nobody can explain why. You didn't get a bounce notification or a warning from your ESP. The emails just… disappeared.
That slow, silent drop is what happens when DNS misconfigurations accumulate across months of adding tools and changing providers. Nobody touches the records because everything "still works" — until it doesn't. The good news is that the most common causes are visible in your DNS in under 15 minutes, and you can spot them without an engineering background.
Why deliverability rots quietly
Email protocols are brittle. They depend on a handful of DNS records staying accurate and consistent. When your team adds a new sending service — a CRM, a survey platform, a transactional mailer — someone might update SPF, but rarely does anyone verify that the update didn't break DKIM alignment or that the new service even spins up its own DKIM key. Over time, these small gaps pile up.
What makes this dangerous is the lack of immediate feedback. A misconfigured v=spf1 record doesn't show a red light. It just soft-fails checks on the receiving side, slowly lowering your domain's trust score. By the time your open rates tank, the problem has been building for months. A 15-minute audit that checks five core signals — SPF, DKIM, DMARC, MX, and IP reputation — catches these failures while they're still invisible.
The 15-minute audit: scan these five areas
SPF: who can send mail on your behalf
The Problem
A missing SPF record means receivers have no authorized sender list — so they treat all email from your domain with suspicion. Even if an SPF record exists, it's often incomplete: it lists your primary mail provider but not the marketing platform, CRM, or survey tool you added six months ago. Many teams also accidentally create multiple SPF records (which invalidates the check) or exceed the 10 DNS lookup limit without knowing it.
How to Fix It
Audit every service that sends email as your domain — transactional, sales outreach, marketing, and support — and build a single SPF record that includes all of them. Watch for nested include: statements that eat up lookups. If you're close to the limit, consider flattening the record or moving to subdomain-specific SPF. SPF explains the syntax and avoids the most common breakage.
DKIM: proving the message isn't tampered with
The Problem
DKIM keys are often missing for secondary sending services. Your primary ESP signs messages, but your outbound sales tool or survey platform sends unsigned mail — and receivers notice. Even when DKIM is set up, key rotation gets ignored for years, and old keys get orphaned in the DNS without anyone realizing they're no longer valid.
How to Fix It
For each service that sends mail, verify that a DKIM selector exists and matches the published public key. Visit your DNS console and check for selector._domainkey.yourdomain.com records. If a service doesn't provide DKIM, push them to set it up. Rotate keys on a schedule. DKIM Explained walks through what a valid record looks like and how to validate it.
DMARC: telling receivers what to do with failures
The Problem
Many companies don't publish a DMARC record at all, leaving receivers to guess how to handle failing messages. Others set p=none and then forget about it, never reviewing the forensic or aggregate reports that would tell them about misconfigurations or spoofing attempts. A DMARC policy that's too aggressive (p=reject on a shaky setup) can nuke legitimate mail.
How to Fix It
Publish a DMARC record with p=none initially, then review the RUA aggregate reports at least monthly. The reports show which sources are sending (or attempting to send) from your domain. Once SPF and DKIM are clean, tighten the policy to p=quarantine or p=reject. DMARC breaks down how to read those reports and when to escalate.
MX: where your incoming mail actually lands
The Problem
MX records point to a retired mail server after a migration, or they include a fallback host that no longer exists. Priority values (10, 20) are reversed, causing inbound mail to hit a slower backup server first. Nobody checks these records until a client reports they never received a critical attachment.
How to Fix It
Confirm your MX records point to your current mail provider's servers in the correct priority order. Remove any entries for discontinued services. A quick check against your provider's documentation usually reveals discrepancies. MX Record shows you what a correct record should return and why priority matters.
IP reputation: the sender score nobody talks about
The Problem
Your domain's DNS might be flawless, but if your sending IP is on a blacklist, mail still gets blocked. Shared IP pools at ESPs can be tainted by another sender, and your own dedicated IP can end up on a list if even one campaign triggers spam complaints. This problem is invisible unless you actively check.
How to Fix It
Use a reputable blacklist checker to look up your sending IP (or your ESP's shared IP range) at least quarterly. If you're seeing delivery issues with no DNS explanation, IP reputation is the likely culprit. Setting up DMARC reports also surfaces third-party abuse that can damage your domain's overall reputation. Dig deeper with IP Reputation & Email Blacklists.
How to perform this audit yourself
v=spf1) and ensure every sending service is included — no gaps, no duplicates, no orphaned entries.p= tag. If you’ve never looked at the RUA reports, start now.Keep deliverability from drifting
The majority of the fixes above are changes inside your DNS dashboard. TechSpy’s domain scan automates the lookup and flags the exact records that need attention — in less time than it takes to brew coffee.
The bottom line
Email deliverability doesn't announce its failures. It erodes quietly, campaign after campaign, while your team blames content or list quality. But most of the time, the root cause is staring back at you from a DNS console — an incomplete SPF record, a missing DKIM key, a DMARC policy that was never graduated from p=none.
You don't need an elaborate compliance review. A 15-minute audit that covers these five areas will surface the misconfigurations that matter. Run a free domain scan today and see which records are causing trouble before your next send.