When this skill is activated, always start your first response with the 🧢 emoji.

Email Deliverability

The discipline of ensuring emails reach the recipient's inbox rather than the spam folder or void. Email deliverability sits at the intersection of DNS configuration, cryptographic authentication, sender behavior, and mailbox provider algorithms. This skill covers the full stack - from DNS records (SPF, DKIM, DMARC) through IP warm-up strategy, bounce management, and long-term reputation maintenance. Designed for engineers setting up email infrastructure and marketers diagnosing delivery problems.

When to use this skill

Trigger this skill when the user:

• Sets up SPF, DKIM, or DMARC records for a domain
• Plans an IP warm-up schedule for a new sending IP or domain
• Diagnoses why emails are landing in spam or being rejected
• Implements bounce handling logic (hard bounces, soft bounces, complaints)
• Monitors or improves sender reputation scores
• Configures DNS TXT records for email authentication
• Evaluates an ESP (Email Service Provider) or sending infrastructure
• Troubleshoots email delivery failures, deferrals, or blocklisting

Do NOT trigger this skill for:

• Email content/copywriting or subject line optimization (use a marketing skill)
• Building email templates with HTML/CSS (use a frontend skill)

Key principles

1. Authenticate everything, no exceptions - Every sending domain must have SPF, DKIM, and DMARC configured. Missing any one of these is enough for major mailbox providers (Gmail, Outlook) to treat your mail as suspicious. Authentication is table stakes, not a nice-to-have.

2. Reputation is earned slowly and lost instantly - Sender reputation is built over weeks of consistent, low-complaint sending. A single spam trap hit or complaint spike can tank your reputation overnight. Treat every send decision as a reputation decision.

3. Bounces are signals, not noise - Every bounce carries information about your list health, infrastructure, or content. Hard bounces must be removed immediately. Soft bounces must be tracked and acted on. Ignoring bounces is the fastest path to blocklisting.

4. Warm up before you scale up - New IPs and domains have zero reputation. Mailbox providers throttle unknown senders aggressively. A proper warm-up plan ramps volume gradually over 2-6 weeks, proving you are a legitimate sender before asking for high throughput.

5. Monitor continuously, not reactively - By the time users report "emails aren't arriving," the damage is done. Monitor bounce rates, complaint rates, and inbox placement proactively. Set alerts on thresholds, not symptoms.

Core concepts

Email deliverability is governed by three layers: authentication (proving you are who you claim to be), reputation (proving you send mail people want), and behavior (proving your sending patterns are consistent and trustworthy).

Authentication uses three DNS-based protocols that work together. SPF declares which IPs may send on behalf of your domain. DKIM attaches a cryptographic signature to each message that receivers verify against a public key in your DNS. DMARC ties SPF and DKIM together with a policy that tells receivers what to do when authentication fails - and sends you reports about it.

Reputation is a score maintained by each mailbox provider independently. It is influenced by complaint rates (users clicking "spam"), bounce rates, spam trap hits, engagement signals (opens, clicks, replies), and sending volume consistency. There is no single universal reputation score - Gmail, Outlook, and Yahoo each maintain their own.

Behavior covers sending patterns: volume consistency, warm-up adherence, list hygiene practices, and how you handle bounces and unsubscribes. Sudden volume spikes, sending to stale lists, or ignoring unsubscribe requests all signal spammer behavior to mailbox providers.

Common tasks

Configure SPF

SPF (Sender Policy Framework) declares which mail servers may send email for your domain via a DNS TXT record.

example.com.  IN  TXT  "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.5 -all"

Rules:

• Only one SPF record per domain (multiple records cause permerror)
• Use include: for ESPs, ip4:/ip6: for your own servers
• End with -all (hard fail) for production, ~all (soft fail) only during testing
• Stay under 10 DNS lookups total (each include: and a: costs one lookup)
• Use SPF flattening tools if you hit the 10-lookup limit

The 10-lookup limit is the most common SPF misconfiguration. Each include: triggers recursive lookups. Monitor with dig TXT example.com and count.

Configure DKIM

DKIM (DomainKeys Identified Mail) signs outgoing messages with a private key. Receivers verify the signature against a public key published in DNS.

selector1._domainkey.example.com.  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."

Setup checklist:

• Generate a 2048-bit RSA key pair (1024-bit is deprecated)
• Publish the public key as a TXT record at <selector>._domainkey.<domain>
• Configure your mail server or ESP to sign outgoing mail with the private key
• Use a unique selector per ESP so you can rotate keys independently
• Test with dig TXT selector._domainkey.example.com to verify publication
• Rotate keys annually - publish new key, wait 48h for propagation, then switch

If your TXT record exceeds 255 characters, split it into multiple strings within a single TXT record. Most DNS providers handle this automatically.

Deploy DMARC

DMARC tells receivers what to do when SPF and DKIM fail, and sends you reports.

_dmarc.example.com.  IN  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com; adkim=s; aspf=s; pct=100"

Deployment phases:

1. Start with p=none - monitor only, collect reports for 2-4 weeks
2. Move to p=quarantine; pct=10 - quarantine 10% of failures, increase gradually
3. Graduate to p=reject - full enforcement, only after all legitimate mail passes

Key parameters:

• p= policy: none (monitor), quarantine (spam folder), reject (drop)
• rua= aggregate report destination (daily XML reports)
• adkim=s strict DKIM alignment (From domain must exactly match DKIM d= domain)
• aspf=s strict SPF alignment (From domain must exactly match envelope sender)

Never jump straight to p=reject. The monitoring phase catches legitimate senders you forgot about (marketing tools, CRMs, invoicing systems).

Plan an IP warm-up

New IPs have no reputation. A warm-up schedule builds trust gradually.

Warm-up rules:

• Send to most engaged recipients first (highest open rates)
• Maintain consistent daily volume - no spikes or gaps
• Pause if hard bounces exceed 2% or complaints exceed 0.1%
• Separate transactional and marketing mail on different IPs/subdomains
• If blocklisted during warm-up, stop, clean list, restart from week 1

Handle bounces

Bounces indicate delivery failures. Proper handling protects reputation.

Threshold alerts:

• Hard bounce rate > 2%: pause sending, clean list
• Complaint rate > 0.1%: investigate content and list source
• Soft bounce