Section 20 · Error Tracking & Reliability

Email Infrastructure

DNS authentication (MX, SPF, DKIM, DMARC), deliverability testing, and email logging

8 items 5 critical 3 recommended

This guide walks you through auditing a project's email infrastructure, covering DNS authentication (MX, SPF, DKIM, DMARC), deliverability testing, and email logging for both transactional and marketing emails.

The Goal: Trusted, Visible Email

Email infrastructure should be authenticated, monitored, and auditable. Every email your domain sends should be trusted by receivers and visible to your team.

  • Authenticated — SPF, DKIM, and DMARC configured with enforcement enabled
  • Routable — MX records correctly configured with reachable mail servers
  • Visible — transactional and marketing emails flow through providers with full delivery and engagement metrics
  • Tested — periodic deliverability testing prevents inbox placement degradation
  • Retained — email log retention policies intentionally defined and documented

Before You Start

  1. Get domain inventory from user:

    • Root domain(s)
    • Subdomains that send email (e.g., mail.example.com, transactional.example.com)

  2. Get DNS read access:

    • Cloudflare API token (read-only) OR
    • AWS Route53 access OR
    • Other DNS provider API access
    • This enables automated discovery of all email-related DNS records

  3. Identify email providers:

    • Transactional email provider (SendGrid, Mailgun, Postmark, SES, etc.)
    • Marketing email provider (Mailchimp, Klaviyo, HubSpot, etc.)

DNS Authentication

EMAIL-001
MX records configured critical

MX records exist, resolve, and are reachable on port 25 for all domains in email inventory

“Are you sure mail to your domain actually lands somewhere?”
EMAIL-002
SPF configured critical

SPF records exist with authorized senders and hard fail (-all) or documented soft fail (~all)

“Could someone send email as [email protected] right now?”
EMAIL-003
DKIM configured critical

DKIM records exist with valid public keys for all sending domains/subdomains

“Are your emails actually cryptographically signed?”
EMAIL-004
DMARC configured critical

DMARC records with enforcement policy (quarantine/reject), reporting configured, reports reviewed

“What's your DMARC policy — p=none is basically nothing.”

Email Monitoring

EMAIL-005
Email deliverability testing recommended

Spam scoring tool and periodic placement tests with fresh accounts (Gmail, Outlook minimum)

“When did you last check if your emails hit Gmail's spam folder?”
EMAIL-006
Transactional email control and logging critical

Dedicated provider with dashboard access, bounce tracking, open/click tracking (or documented exceptions)

“Can you prove a specific user received a specific email last month?”
EMAIL-007
Marketing email logging recommended

Marketing platform with send logs, engagement metrics, and individual recipient tracking

“What's your unsubscribe rate, and is it trending up?”
EMAIL-008
Email log retention recommended

Intentionally defined retention period (typically 2-4 weeks) for transactional and marketing logs

“How far back can you prove what emails you sent and to whom?”
← Previous section

Error Reporting

8 items

 Next section →

Caching

2 items