← Blog
The Email Deliverability Checklist for Indie SaaS (2026)

By DMARCdrift Team

The Email Deliverability Checklist for Indie SaaS (2026)

10 min readdmarcspfdkimemail-deliverabilitymonitoring

These 13 infrastructure checks determine whether your email lands in the inbox: a valid SPF record, DKIM configured for every sender, a DMARC record with monitoring, a clean sending IP, proper bounce handling, and working unsubscribe. Get these right before touching content or list hygiene, because a spam filter never even reads your content if the infrastructure layer rejects the message first.

For the background on why each record matters and how to set it up from scratch, the full email deliverability guide is the in-depth companion to this quick reference.

DNS and Authentication Layer

1. SPF Record Exists and Is Valid

Your SPF record authorizes mail servers to send email on behalf of your domain. A single, valid record under 10 DNS lookups tells ISPs which IPs and services are legitimate senders.

How to check: Use DMARCdrift's SPF checker. It counts lookups, flags issues, and confirms the record parses.

What good looks like: A single SPF record with all your sending sources: Resend, SendGrid, whatever else you use. v=spf1 include:resend.com include:sendgrid.net ~all is the template. Total lookups under 10.

What broken looks like: Multiple SPF records (DNS spec allows one; extra ones are ignored). Hitting the lookup limit because you've added tool after tool without consolidating.

How to fix it: Consolidate your SPF includes. If you're at the limit, use SPF flattening or ask your DNS provider about SPF macros. Remove old ESPs you're no longer using.

2. DKIM Is Configured for All Sending Sources

DKIM adds a cryptographic signature to every outbound email. It proves the message came from you, not an impostor.

How to check: Use DMARCdrift's email auth checker. It confirms DKIM public keys are published and retrievable.

What good looks like: Every service sending mail on your behalf has a DKIM record published. Resend gives you a CNAME or TXT record to add; follow their setup guide exactly.

What broken looks like: You added a new ESP last month but never published its DKIM record. Those emails don't have valid DKIM signatures and fail alignment checks.

How to fix it: Check each ESP's setup docs. Most give you a selector (often default or resend) and a public key. Add it as a TXT record ({selector}._domainkey.yourdomain.com). Verify with the email auth checker after 10 minutes.

3. DMARC Record Exists

DMARC tells ISPs how to handle mail that fails authentication. p=none is a fine starting point; the real value is seeing who's sending as you and what's failing.

How to check: Use DMARCdrift's DMARC checker. It confirms the record is published and readable.

What good looks like: v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; ruf=mailto:forensics@yourdomain.com. The record exists, aggregate reports are being sent somewhere you can access.

What broken looks like: No DMARC record at all. Or one exists but rua= points to a dead email address; reports pile up unread and you never know what's happening.

How to fix it: Publish a basic DMARC record with p=none. Set rua= to an email or API endpoint you monitor. If you're manually reading gzipped XML, stop; point it at a tool instead.

4. DMARC Alignment Is Passing for Your Main Senders

DMARC alignment means mail from your legitimate sources passes the DMARC check. At least 95% of your non-marketing mail should align.

How to check: Use DMARCdrift's DMARC analyzer. Pull up reports for the past 30 days and look at alignment pass rates.

What good looks like: Alignment passing for all transactional senders (password resets, receipts, notifications). Your monthly marketing blast from Mailchimp might not align, and that's okay as long as you know about it.

What broken looks like: Customer password resets are failing DMARC alignment and getting junked. Indicates a misconfigured DKIM record or an SPF setup that doesn't include the sending IP.

How to fix it: For each failing sender, confirm DKIM is published and properly configured. If using SPF alignment instead of DKIM, check that the sending IP is covered by your SPF record. Run through the email auth checker again after changes.

5. You're Actually Reading Your DMARC Reports

A DMARC record without monitoring is just a paper trail. You need to see what's happening: which senders are aligning, which aren't, and if anyone unauthorized is impersonating you.

How to check: Look at your email inbox or API endpoint where rua= points. Are reports arriving daily?

What good looks like: Reports arriving daily. You're either reading them in a tool (DMARCdrift, EasyDMARC, etc.) or manually parsing gzipped XML. Either way, you know the alignment status of your senders.

What broken looks like: No reports for three weeks. Either the rua= address is wrong or dead. Or reports are arriving but you never look at them because parsing raw gzipped XML files is tedious.

How to fix it: Set rua= to a real email or API endpoint. If email, make sure it doesn't get filtered as spam. Better: use a DMARC monitoring tool. Point rua= at its API endpoint and get daily summaries, alerts on alignment drops, and notifications when new senders appear.

Sending Infrastructure

6. Transactional and Marketing Email Use Separate Sending Domains

Send password resets and receipts from mail.yourdomain.com. Send marketing blasts from marketing.yourdomain.com or a subdomain of a separate domain. This isolates reputation damage.

Why it matters: A spam complaint on your monthly newsletter shouldn't tank deliverability for customer password resets. ISPs track sending reputation by IP and domain. Separate domains give you separate reputations.

How to fix it: Add a subdomain to your DNS, configure DKIM and SPF for it, and tell your ESP to use it. Takes 15 minutes.

7. Your Sending IP Isn't on Any Major Blocklists

Blocklists (Spamhaus, Barracuda, etc.) flag IPs with poor sending behavior. Landing on one tanks deliverability.

How to check: Use DMARCdrift's blocklist checker. It queries major lists in one go.

What good looks like: Clean on all major blocklists. Bounce rates are low, complaint rates are low.

What broken looks like: Listed on Spamhaus or Barracuda. You're using a shared IP from an ESP that had a spam problem, or you inherited an IP from a previous tenant.

How to fix it: If on a shared IP, ask your ESP for a dedicated IP. If using your own IP, reduce bounce rates by suppressing hard bounces immediately. Clean up your list. Delist by contacting the blocklist operator with proof you've fixed the problem.

8. DKIM Key Length Is 2048-Bit Minimum

1024-bit DKIM keys are deprecated by Gmail, Yahoo, and others. They're no longer considered trustworthy.

How to check: Use DMARCdrift's email auth checker. It shows key length for each selector.

What broken looks like: A DKIM record with a 1024-bit key. Mail will still get signed, but the signature gets less weight.

How to fix it: Generate a new 2048-bit key (your ESP or DNS provider will have a guide). Publish it as a new selector (e.g., default2 instead of default). Update your ESP to use the new selector. Once you confirm mail is signing correctly, retire the old key.

9. You're Not Hitting the SPF 10-Lookup Limit

Every include: in your SPF record costs at least one DNS lookup. Layered tools (payment processor, email validator, fraud detection) add up fast.

How to check: Use DMARCdrift's SPF checker. It counts lookups.

What good looks like: Under 10 total lookups. Room to add another ESP if you need one.

What broken looks like: 11+ lookups. Mail from any source not explicitly covered might fail SPF.

How to fix it: Audit your SPF record and remove old ESPs or tools you're not using anymore. If you're still at the limit, use SPF flattening or consolidate services.

Sending Behavior

10. New Domain or Subdomain? Warm It Up

ISPs treat unknown sending domains and IPs as suspicious. If you blast 50,000 emails on day one from a fresh domain, a lot of them will get rejected.

What good looks like: Ramping volume over 2-4 weeks. Send 100 on day one, 500 on day three, 5,000 by day 10, full volume by week three. Most ISPs start trusting you after a week of clean sending.

What broken looks like: New domain, cold start, 100k emails to your list on day one. High rejection and bounce rates. ISPs flag you as suspicious.

How to fix it: Plan ahead. Start small, monitor bounce rates, and increase volume gradually. Check feedback loops from Gmail, Yahoo, etc., to catch complaints early.

11. Bounce Handling Is Set Up

Hard bounces (invalid address, domain doesn't exist) should be suppressed immediately. Soft bounces (mailbox full, server temporarily down) should retry a few times, then suppress.

How to check: Send a test email to a fake address. Confirm the bounce is logged and the address is suppressed. Try sending again; the address should be skipped.

What broken looks like: You're sending to dead addresses repeatedly. High bounce rates signal a low-quality list to ISPs.

How to fix it: Configure your ESP's bounce handling. Most do this automatically; verify it's on. Use a list-cleaning tool if your list is old. Remove bounces from your send list regularly.

12. Unsubscribe Is Working and Honored Within 2 Days

Gmail and Yahoo now require a working unsubscribe mechanism for bulk senders. The unsubscribe button must actually remove the person within two days.

How to check: Use DMARCdrift's Gmail/Yahoo compliance checker. It tests your unsubscribe endpoint.

What good looks like: One-click unsubscribe works. The person is removed from your send list within 48 hours. No confirmation email needed.

What broken looks like: Unsubscribe link doesn't work. Or it works but the person is still on your list a week later. Protects the spam complaint rate.

How to fix it: Implement a simple unsubscribe endpoint. Use the List-Unsubscribe header. Test it. Update your suppression list within 24 hours of unsubscribe.

Monitoring

13. You Have DMARC Monitoring in Place

Not just a p=none record sitting in DNS, but a tool that watches it. Alerts you when alignment drops, when unauthorized senders appear, or when DNS records change.

Why it matters: Without monitoring, you find out about problems when customers say "I didn't get your email," not when the problem starts.

What good looks like: Daily DMARC reports in a dashboard or email. Alerts when alignment drops below 95%. Alerts when a new sender appears. Real-time notification if your DNS changes unexpectedly.

What broken looks like: DMARC record exists but you've never opened the gzipped XML files. You find out about spoofing when a customer forwarding your domain gets compromised. Or you rotate a key and break alignment without realizing.

How to fix it: Point rua= at a DMARC monitoring tool. DMARCdrift is free for one domain and $9/month for up to fifteen. You'll get daily summaries, alert-based emails, and a dashboard showing alignment trends, spoofing attempts, and policy changes.

Next Steps

Run your domain through the checklist tools above, then point your rua= address at dmarcdrift. Free for one domain, no credit card.

Get started free