Home/Blog/How to Audit Your Email Deliverability in 15 Minutes
← Back to Blog

How to Audit Your Email Deliverability in 15 Minutes

emaildeliverability·June 3, 2026·5 min read

A 15-minute DNS audit catches the silent config errors that kill your email deliverability. Check SPF, DKIM, DMARC, MX, and IP reputation before your next …

The opens that never came

You shipped the campaign. The subject line was sharp. The list was clean. But two days later, open rates are half what you expected — and nobody can explain why. You didn't get a bounce notification or a warning from your ESP. The emails just… disappeared.

That slow, silent drop is what happens when DNS misconfigurations accumulate across months of adding tools and changing providers. Nobody touches the records because everything "still works" — until it doesn't. The good news is that the most common causes are visible in your DNS in under 15 minutes, and you can spot them without an engineering background.

Why deliverability rots quietly

Email protocols are brittle. They depend on a handful of DNS records staying accurate and consistent. When your team adds a new sending service — a CRM, a survey platform, a transactional mailer — someone might update SPF, but rarely does anyone verify that the update didn't break DKIM alignment or that the new service even spins up its own DKIM key. Over time, these small gaps pile up.

What makes this dangerous is the lack of immediate feedback. A misconfigured v=spf1 record doesn't show a red light. It just soft-fails checks on the receiving side, slowly lowering your domain's trust score. By the time your open rates tank, the problem has been building for months. A 15-minute audit that checks five core signals — SPF, DKIM, DMARC, MX, and IP reputation — catches these failures while they're still invisible.

The 15-minute audit: scan these five areas

SPF: who can send mail on your behalf

The Problem

A missing SPF record means receivers have no authorized sender list — so they treat all email from your domain with suspicion. Even if an SPF record exists, it's often incomplete: it lists your primary mail provider but not the marketing platform, CRM, or survey tool you added six months ago. Many teams also accidentally create multiple SPF records (which invalidates the check) or exceed the 10 DNS lookup limit without knowing it.

How to Fix It

Audit every service that sends email as your domain — transactional, sales outreach, marketing, and support — and build a single SPF record that includes all of them. Watch for nested include: statements that eat up lookups. If you're close to the limit, consider flattening the record or moving to subdomain-specific SPF. SPF explains the syntax and avoids the most common breakage.

DKIM: proving the message isn't tampered with

The Problem

DKIM keys are often missing for secondary sending services. Your primary ESP signs messages, but your outbound sales tool or survey platform sends unsigned mail — and receivers notice. Even when DKIM is set up, key rotation gets ignored for years, and old keys get orphaned in the DNS without anyone realizing they're no longer valid.

How to Fix It

For each service that sends mail, verify that a DKIM selector exists and matches the published public key. Visit your DNS console and check for selector._domainkey.yourdomain.com records. If a service doesn't provide DKIM, push them to set it up. Rotate keys on a schedule. DKIM Explained walks through what a valid record looks like and how to validate it.

DMARC: telling receivers what to do with failures

The Problem

Many companies don't publish a DMARC record at all, leaving receivers to guess how to handle failing messages. Others set p=none and then forget about it, never reviewing the forensic or aggregate reports that would tell them about misconfigurations or spoofing attempts. A DMARC policy that's too aggressive (p=reject on a shaky setup) can nuke legitimate mail.

How to Fix It

Publish a DMARC record with p=none initially, then review the RUA aggregate reports at least monthly. The reports show which sources are sending (or attempting to send) from your domain. Once SPF and DKIM are clean, tighten the policy to p=quarantine or p=reject. DMARC breaks down how to read those reports and when to escalate.

MX: where your incoming mail actually lands

The Problem

MX records point to a retired mail server after a migration, or they include a fallback host that no longer exists. Priority values (10, 20) are reversed, causing inbound mail to hit a slower backup server first. Nobody checks these records until a client reports they never received a critical attachment.

How to Fix It

Confirm your MX records point to your current mail provider's servers in the correct priority order. Remove any entries for discontinued services. A quick check against your provider's documentation usually reveals discrepancies. MX Record shows you what a correct record should return and why priority matters.

IP reputation: the sender score nobody talks about

The Problem

Your domain's DNS might be flawless, but if your sending IP is on a blacklist, mail still gets blocked. Shared IP pools at ESPs can be tainted by another sender, and your own dedicated IP can end up on a list if even one campaign triggers spam complaints. This problem is invisible unless you actively check.

How to Fix It

Use a reputable blacklist checker to look up your sending IP (or your ESP's shared IP range) at least quarterly. If you're seeing delivery issues with no DNS explanation, IP reputation is the likely culprit. Setting up DMARC reports also surfaces third-party abuse that can damage your domain's overall reputation. Dig deeper with IP Reputation & Email Blacklists.

How to perform this audit yourself

1Look up your SPF record (v=spf1) and ensure every sending service is included — no gaps, no duplicates, no orphaned entries.
2For each sending service, verify the DKIM selector and public key match — check at least two selectors per service.
3Confirm a DMARC record exists and review the p= tag. If you’ve never looked at the RUA reports, start now.
4Resolve your MX records and confirm they still point to your live mail provider in the correct priority order.
5Check your sending IP reputation against at least three public blacklist databases.

Keep deliverability from drifting

The majority of the fixes above are changes inside your DNS dashboard. TechSpy’s domain scan automates the lookup and flags the exact records that need attention — in less time than it takes to brew coffee.

Schedule a 10-minute DNS record review once a month
Add DMARC aggregate reporting and review the top sending sources
Maintain a living list of every service that sends email as your domain
Rotate DKIM keys annually and retire old selectors immediately
Check IP blacklist status quarterly and after any deliverability dip

The bottom line

Email deliverability doesn't announce its failures. It erodes quietly, campaign after campaign, while your team blames content or list quality. But most of the time, the root cause is staring back at you from a DNS console — an incomplete SPF record, a missing DKIM key, a DMARC policy that was never graduated from p=none.

You don't need an elaborate compliance review. A 15-minute audit that covers these five areas will surface the misconfigurations that matter. Run a free domain scan today and see which records are causing trouble before your next send.

Go Deeper Than a One-Time Scan

The issues you just read about — SPF gaps, missing DKIM, weak DMARC policies — don't fix themselves. A free scan gives you a snapshot. To monitor competitors, track changes over time, and get Deep Scan analysis of any site, you need more than the free tier.

Deep Scan

Multi-page analysis and API endpoint discovery — see what a single-page scan misses.

Competitor Monitoring

Save scans, compare stacks side by side, and track tech changes over time.

Export & API

Export PDF reports and integrate scans into your workflow with Zapier or the API.

Interact

Browser-level inspection — clicks forms, modals, and navigation to detect tools static scans can't find.