How to Check if a DNS Error Is Killing Your Deliverability
DNS errors are invisible. Your email tool shows no errors, your sequences run normally, and your emails land in spam. Here's how to find what broke.
DNS errors are the most frustrating cause of deliverability problems because they're completely invisible to your ESP. Your campaigns run normally, the send counts look right, and nothing shows as broken — but your emails are landing in spam because a DNS record silently stopped working.
Why DNS breaks without warning
DNS records don't expire on their own, but they break in several ways: domain renewal issues can cause records to disappear, nameserver migrations can fail to transfer records, ESP updates can change required selectors, and accidental deletion is more common than it sounds. None of these events show up as an error in your sending tool.
The DNS records that affect email delivery
SPF (critical)
A missing or malformed SPF record means your sending server isn't authorized. Receiving servers will either reject or heavily filter your email. Check: dig TXT yourdomain.com or use the SPF checker.
DKIM (critical)
The DKIM public key record must match what your ESP is signing with. If the key was rotated in your ESP but not updated in DNS, every email has an invalid signature. Check: dig TXT selector._domainkey.yourdomain.com or use the DKIM checker which auto-discovers selectors.
DMARC (important)
A missing DMARC record doesn't immediately cause spam placement, but it signals to receivers that the domain owner isn't monitoring authentication. Some filters weight this. Check: dig TXT _dmarc.yourdomain.com or use the DMARC lookup.
MX (for reply routing)
If your sending domain's MX records are missing or wrong, replies to your cold email will bounce. This makes the domain look like it is used only for sending and is not monitored. Check: MX checker.
Tracking domain CNAME (important)
If your tracking domain's CNAME record is broken, click tracking fails and may cause delivery errors with some ESPs. Check: tracking domain checker.
The complete DNS audit process
Step 1: Check each auth record
Use the DNS checker to look up SPF, DKIM, DMARC, and MX records for your sending domain. Make a note of what's there and compare to what should be there per your ESP's setup guide.
Step 2: Check the tracking domain
Run the tracking domain checker on your tracking subdomain. Confirm the CNAME is pointing to the right destination and SSL is working.
Step 3: Run a placement test
Send an actual test through your real sending setup with the placement test. The headers will show exactly what authentication passed or failed on the receiving end — this is the most reliable way to confirm what the receiving server actually saw.
Step 4: Check redirect
The sending domain itself should redirect correctly. Use the redirect checker to confirm that http redirects to https and that both the root domain and www work.
Common DNS scenarios and fixes
Scenario: DKIM suddenly failing
Most common cause: ESP rotated DKIM keys and you need to update the DNS record. Log into your ESP, find the current DKIM key, and update or add the DNS record with the new key. Alternatively, some ESPs auto-rotate and the new selector just needs to be published.
Scenario: SPF failing despite correct record
Your ESP may have changed their sending infrastructure. Check their current SPF documentation to confirm the include: value is still correct. Also check for duplicate SPF records — only one v=spf1 record is allowed.
Scenario: Everything looks correct but still in spam
Auth passes but placement is spam — this is a reputation issue, not a DNS issue. Check the blacklist checker and assess whether the domain needs recovery time or replacement.
DNS audit checklist
- SPF record exists with correct include for your ESP
- Only one SPF TXT record (no duplicates)
- SPF has under 10 DNS lookups
- DKIM record exists for your ESP's selector
- DKIM key is 2048-bit RSA or Ed25519
- DMARC record exists with rua tag
- MX records are present and resolving
- Tracking domain CNAME is correct
- Tracking domain SSL is working
- Domain redirect working (http → https)
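The SPF and DMARC items of this checklist can be scripted. The following is an added example, not part of the original article: it audits TXT record strings in the form printed by dig +short TXT, and the domain names, the include value _spf.esp.example and the sample records are constructed placeholders.

```python
import re

# SPF terms that each trigger a DNS lookup (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def unquote(txt):
    """Join the quoted chunks that `dig +short TXT` prints for one record."""
    chunks = re.findall(r'"([^"]*)"', txt)
    return "".join(chunks) if chunks else txt.strip()

def audit_spf(apex_txt, esp_include, max_lookups=10):
    """Findings for the TXT records at the domain apex (empty list = clean)."""
    spf = [r for r in map(unquote, apex_txt) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = [t.lstrip("+-~?").lower() for t in spf[0].split()[1:]]
    findings = []
    if f"include:{esp_include.lower()}" not in terms:
        findings.append(f"include:{esp_include} is missing")
    # Top-level count only: every include adds its own nested lookups on top.
    lookups = sum(re.split(r"[:=/]", t)[0] in LOOKUP_TERMS for t in terms)
    if lookups > max_lookups:
        findings.append(f"{lookups} lookup terms exceed the limit of {max_lookups}")
    return findings

def audit_dmarc(dmarc_txt):
    """Findings for the TXT records at _dmarc.<domain>."""
    recs = [r for r in map(unquote, dmarc_txt) if r.startswith("v=DMARC1")]
    if len(recs) != 1:
        return [f"expected exactly one v=DMARC1 record, found {len(recs)}"]
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return [] if tags.get("rua") else ["no rua tag: aggregate reports are not requested"]

# Constructed sample data; _spf.esp.example is a placeholder ESP include.
DUPLICATE = ['"v=spf1 include:_spf.esp.example ~all"', '"v=spf1 mx -all"']
SPLIT = ['"v=spf1 include:_spf.esp" ".example ~all"', '"site-verification=abc"']
NO_RUA = ['"v=DMARC1; p=none"']

if __name__ == "__main__":
    print(audit_spf(DUPLICATE, "_spf.esp.example"))  # duplicate record finding
    print(audit_spf(SPLIT, "_spf.esp.example"))      # clean: chunks are joined
    print(audit_dmarc(NO_RUA))                       # missing rua finding
```

The lookup count covers only the terms in the record itself; an accurate total requires resolving each include and adding its nested lookups.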
Run the checks first
Before replacing anything, run a free inbox placement test. You might find the issue is DNS, not the domain — and save yourself a week of unnecessary work.