How to Check Email Deliverability
To check email deliverability, verify the three authentication records (SPF, DKIM and DMARC), confirm your MX and reverse DNS are correct, and check whether your sending IP or domain is on a blacklist. Together these tell you whether mailbox providers will trust and accept your mail. The steps below walk through each check with real record examples and the failures that most often cause messages to land in spam or bounce.
Step 1 - Verify SPF
SPF (Sender Policy Framework, RFC 7208) is a TXT record at your domain apex
listing the servers allowed to send mail as your domain. Receivers check the envelope sender
(MAIL FROM) against it. You must have exactly one v=spf1 record.
Example: example.com. IN TXT "v=spf1 include:_spf.google.com include:sendgrid.net -all"
Common failures: two separate SPF records (invalid - merge them); more
than 10 DNS lookups, which triggers a permerror; or ending in ~all
when you intended a strict -all.
Step 2 - Verify DKIM
DKIM (DomainKeys Identified Mail, RFC 6376) cryptographically signs your
outgoing messages. The public key lives in a TXT record at a selector subdomain; the private
key signs at your mail provider. Send a real test message and confirm the receiver reports
dkim=pass in the Authentication-Results header.
Example: selector1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0G..."
Common failures: the selector published in DNS does not match the one your mail server signs with; the key was rotated at the provider but not updated in DNS; or the message was modified in transit, breaking the signature.
Step 3 - Verify DMARC
DMARC (RFC 7489) ties SPF and DKIM to the visible From header through
alignment and tells receivers what to do on failure. It is a TXT record at
_dmarc.example.com. Start at p=none to monitor, read the aggregate
reports, then tighten to quarantine and reject.
Example: _dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s"
Common failures: SPF/DKIM technically pass but do not align with the
From domain (a frequent issue when mail is sent through a third party using its own domain);
or jumping straight to p=reject before confirming every legitimate source aligns,
which silently blocks real mail.
Step 4 - Confirm MX and reverse DNS
Your MX records must point to reachable hostnames (with A/AAAA records, never an IP and never a CNAME), lowest priority first. For sending, the IP should have a PTR (reverse DNS) record whose hostname forward-resolves back to the same IP - forward-confirmed reverse DNS (FCrDNS). Many receivers reject mail from IPs with no PTR or a generic ISP PTR.
Example MX: example.com. IN MX 10 mail.example.com.
Example PTR: 34.216.184.93.in-addr.arpa. IN PTR mail.example.com.
Step 5 - Check blacklists
Finally, check whether your sending IP or domain is listed on a DNSBL such as the Spamhaus
ZEN, Barracuda or SpamCop lists. A listing produces SMTP rejections like
550 5.7.1 Service unavailable; client host blocked using Spamhaus. Fix the
underlying cause - a compromised account, an open relay, or a sudden volume spike -
before requesting delisting, or you will be relisted.
Deliverability checklist
- Single valid
v=spf1record, all senders listed, ≤10 lookups. - DKIM signing enabled and the selector's public key published in DNS.
- DMARC record present, alignment confirmed, policy tightened over time.
- MX hosts reachable; sending IP has matching forward and reverse DNS.
- Sending IP and domain clear of major blacklists.
Related tools
- DKIM, SPF & DMARC Lookup - check all three authentication records at once.
- Domain Email Health Check - a composite deliverability scorecard.
- Email Header Analyzer - read Authentication-Results from a real message.
- IP Blacklist Checker - test a sending IP against DNSBLs.
- DNS MX Lookup - confirm your mail exchange records.
- Reverse DNS Lookup - verify the PTR for your sending IP.
Frequently asked questions
Why are my emails going to spam even though SPF passes?
SPF passing only proves the sending IP is authorized; it does not align with the From header on its own. Inbox placement also depends on DKIM signing, DMARC alignment, the sending IP and domain reputation, content, and engagement. A common cause is DKIM not being set up or DMARC failing alignment, so the message has weak authentication even though SPF technically passes.
What does a soft fail (~all) versus hard fail (-all) mean in SPF?
In an SPF record the mechanism after the IP list sets the policy for unlisted senders. "-all" is a hard fail (reject/treat as unauthorized), "~all" is a soft fail (accept but mark as suspicious), and "?all" is neutral. Most providers recommend "-all" once you are confident every legitimate source is listed.
How do I read a DMARC report?
Aggregate (rua) reports are XML files sent daily that summarize how many messages claiming your domain passed or failed SPF and DKIM alignment, grouped by source IP. Start in p=none monitoring mode, read the reports to confirm all your legitimate sources align, then move to p=quarantine and finally p=reject.
What is the difference between an SMTP 4xx and 5xx rejection?
A 4xx code (e.g. 451) is a temporary failure - the sending server should retry later, often caused by greylisting or rate limits. A 5xx code (e.g. 550) is a permanent failure - the message is rejected outright, commonly because the mailbox does not exist, the IP is blacklisted, or authentication failed.
How long does it take to get off a blacklist?
It varies by list. Some, like Spamhaus, auto-expire listings within hours to days once the spam source stops, while others require a manual delisting request. Fixing the root cause (a compromised account, open relay, or missing authentication) first is essential, or you will simply be relisted.
How this tool works: This tool runs in your browser and on our server in real time. Depending on the tool, results are computed directly from the input you provide or retrieved from live, authoritative data sources at the moment you run a lookup. We do not sell your data, and your lookups are kept private — any history shown here is stored only on your device.