Email Deliverability Checklist for SaaS Developers
Your SaaS sends transactional emails, password resets, notifications, and marketing campaigns. But if your DNS isn't configured correctly, none of that matters: your emails silently vanish. Use this checklist to ensure every email reaches its destination.
SPF Checklist
Sender Policy Framework
Single SPF record: You must have exactly ONE SPF TXT record on your domain. Multiple records are an RFC violation that causes receivers to reject your email.
Include all senders: Every service that sends email on your domain must be listed: include:_spf.google.com (Google Workspace), include:sendgrid.net (SendGrid), etc.
DNS lookups ≤ 10: Count every include, a, mx, and redirect mechanism. If over 10, use SPF flattening.
End with -all: Use hardfail (-all) when all senders are known. Use ~all (softfail) only during deployment. Never use +all or ?all.
SPF flattening: If you have many includes, use a flattening service or self-hosted tool to replace includes with their resolved IPs.
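The SPF items above can be checked mechanically. The linter below is an added example, not code from mailcheck or from the original page; it runs against a constructed in-memory zone (every domain in it is hypothetical) instead of live DNS, and it also counts exists and ptr, which RFC 7208 includes in the 10-lookup limit.

```python
# Constructed sample zone standing in for live DNS TXT answers (hypothetical domains).
ZONE = {
    "good.example": ["v=spf1 include:_spf.mail.example include:esp.example -all"],
    "heavy.example": ["v=spf1 a mx include:_spf.mail.example include:esp.example "
                      "include:crm.example include:desk.example ~all"],
    "dup.example": ["v=spf1 include:esp.example -all", "v=spf1 mx -all"],
    "_spf.mail.example": ["v=spf1 ip4:192.0.2.0/24 include:_nb.mail.example ~all"],
    "_nb.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "esp.example": ["v=spf1 a mx ip4:203.0.113.0/24 ~all"],
    "crm.example": ["v=spf1 include:esp.example mx ~all"],
    "desk.example": ["v=spf1 a mx ~all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}  # RFC 7208, 4.6.4

def spf_records(domain, zone):
    """TXT strings published at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count lookup-consuming terms, following include/redirect targets."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for record in spf_records(domain, zone)[:1]:
        for term in record.lower().split()[1:]:
            name, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
            if name.split("/")[0] in LOOKUP_TERMS:  # "a/24" still counts as "a"
                total += 1
            if name in ("include", "redirect") and arg:
                total += count_lookups(arg, zone, path + (domain,))
    return total

def lint_spf(domain, zone):
    """Return checklist failures for `domain`; an empty list means it passes."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return [f"expected exactly 1 SPF record, found {len(records)}"]
    problems = []
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups (limit 10)")
    last = records[0].lower().split()[-1]
    if last != "-all" and not last.startswith("redirect="):
        problems.append(f"ends with {last!r}, not -all")
    return problems

if __name__ == "__main__":
    for d in ("good.example", "heavy.example", "dup.example"):
        print(d, lint_spf(d, ZONE) or "OK")
```

The heavy.example record lists only six lookup terms itself; the nested includes are what push it past the limit, which is why the count has to follow every include.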
DKIM Checklist
DomainKeys Identified Mail
2048-bit keys minimum: 1024-bit keys are cryptographically weak and penalized by Microsoft/Yahoo. Check with:
    mailcheck yourdomain.com --json | jq .dkim
Correct selector records: Each sending service has its own selector: google._domainkey, s1._domainkey, sendgrid._domainkey, etc. Ensure all are published.
Key rotation plan: Rotate DKIM keys annually. Keep both old and new keys during transition. Monitor for key expiration.
EDNS-compliant key size: Ensure DKIM TXT records fit within 512-byte UDP packets, or confirm your DNS supports TCP fallback for larger responses.
DMARC Checklist
Domain-based Message Authentication
DMARC record exists: Publish at minimum:
    _dmarc.yourdomain.com TXT "v=DMARC1;p=none;rua=mailto:dmarc@yourdomain.com"
Set rua reporting address: Aggregate reports tell you who's sending email as your domain. You need this intelligence before enforcing.
Progress to p=reject: After 2-4 weeks of clean DMARC reports, move from p=none → p=quarantine → p=reject. p=reject;sp=reject is the end goal.
Use pct for gradual enforcement: Start with pct=10 to test reject policy on 10% of failing mail, then increase.
MTA-STS & TLS-RPT Checklist
SMTP MTA Strict Transport Security
MTA-STS DNS record:
    _mta-sts.yourdomain.com TXT "v=STSv1;id=20250401000000"
HTTPS policy endpoint: Serve https://mta-sts.yourdomain.com/.well-known/mta-sts.txt with mode, mx, and max_age.
TLS-RPT record:
    _smtp._tls.yourdomain.com TXT "v=TLSRPTv1;rua=mailto:tls@yourdomain.com"
Monitoring & CI/CD Checklist
Continuous Monitoring
Automate checking: Add mailcheck to CI/CD and fail the build if the score drops below threshold:
    mailcheck yourdomain.com --json | jq .score
Monitor daily: Use mailcheck's API to check domain scores daily. Alert on any regression.
Batch check customer domains: If you're a SaaS, check your customers' sender domains: POST /api/v1/batch with a list of domains.
DMARC report parsing: Process rua reports to identify unauthorized senders. Tools: parsedmarc, Clarly, or dmarcian.
Quick Start: Automate Everything
# Install mailcheck
pip install mailcheck --index-url https://korpo.pro/git/api/packages/mailcheck/pypi/simple/
# Check your domain
mailcheck yourdomain.com
# Get JSON for scripts
mailcheck yourdomain.com --json
# REST API (no auth needed)
curl https://korpo.pro/api/v1/check/yourdomain.com
# Batch check multiple domains
curl -X POST https://korpo.pro/api/v1/batch \
-H "Content-Type: application/json" \
-d '{"domains": ["example.com", "google.com", "github.com"]}'