What are the three pillars of deliverability?

Authentication (SPF, DKIM, and DMARC, which let mailbox providers verify the mail is from who it claims), reputation (the score providers assign every sender, independently per sending-domain and mailbox-provider pair), and list quality and engagement (the foundation, since a bad list eventually produces a bad reputation no matter how clean the authentication). Weakness in any one pillar limits the others, so all three get attention rather than just the DNS records.

How do I roll out DMARC safely?

Gradually, over two to three months. Publish DMARC at p=none to monitor without blocking, set up an aggregate report endpoint, and watch the reports for two to four weeks. Identify any legitimate senders failing alignment and fix them, then move to p=quarantine at a low percentage (pct=10) and increase it, and finally to p=reject once confidence is high. Moving to reject too quickly bounces legitimate mail, while leaving DMARC at p=none forever is monitoring without enforcement, so spoofing stays easy.

Why is my email going to spam?

Check the pillars in order: authentication first (SPF, DKIM, and DMARC passing and aligned), then reputation, then list quality, then content. For most senders the single biggest lever is list hygiene: explicit opt-in, double opt-in for marketing, immediate hard-bounce removal, and sunsetting disengaged contacts. Once reputation is bad, recovery takes months, so the goal is never landing in spam in the first place rather than counting on recipients to mark messages as not-spam.

What are the common SPF mistakes?

Two break SPF outright. Publishing multiple SPF records on one domain breaks SPF entirely, so all senders must be combined into a single record. And SPF has a 10-DNS-lookup limit that chained includes can exceed, at which point SPF silently stops working, so the lookup count needs watching. Use -all for a hard fail (or ~all during a gradual rollout), and never +all, which lets anyone send as your domain.

How is this different from email-sequences?

Email-sequences writes the content and designs the program: the onboarding flow, the lifecycle campaign, the subject lines. Email-deliverability makes sure that mail reaches the inbox through authentication, reputation, and list hygiene, because great copy in the spam folder converts nobody. The DNS records themselves sit in the zone that domain-strategy manages, and security-baseline routes email authentication here rather than owning the SPF, DKIM, and DMARC setup itself.

Skill · Email deliverability

Email deliverability.

Get email into inboxes, not spam folders.

Get email into inboxes rather than spam folders: set up authentication, monitor reputation, and diagnose problems before they hurt the business. Deliverability rests on three pillars, and weakness in any one limits the others: authentication, reputation, and list quality and engagement.

DMARC is the most important record and the one that makes spoofing hard, but it is rolled out gradually over months. The single biggest lever for most senders is list hygiene.

Audience: engineers and marketers setting up email for a domain, fixing mail that lands in spam, hardening against spoofing, or migrating email providers.

View the skill on GitHub Browse the full catalog

The framework

Three pillars, each holding up the others.

Deliverability rests on three pillars. Weakness in any one caps the others, so all three get attention.

01Authentication: mailbox providers verify mail is from who it claims to be, through three DNS records: SPF (authorized senders), DKIM (a cryptographic signature), and DMARC (the policy and reporting layer).
02Reputation: providers score every sender, per sending-domain and mailbox-provider pair. Driven by authentication pass rates, engagement, complaints, list hygiene, and volume consistency.
03List quality and engagement: the foundation under the other two. Explicit opt-in, double opt-in for marketing, immediate unsubscribe handling, hard-bounce removal, and sunsetting disengaged contacts.

Authentication, in detail

The three records mailbox providers check.

Authentication is three DNS records working together. DMARC ties the other two to the visible From address.

01
SPF
A TXT record listing which servers may send for the domain. One SPF record only (multiple break it), with a 10-DNS-lookup limit that chained includes can exceed.
02
DKIM
A cryptographic signature on each message, with the public key in DNS. Proves the message was not modified in transit and the sender controls the domain.
03
DMARC
The policy layer (none, quarantine, or reject) plus reporting. The most important record, and what makes spoofing the domain hard.

How to earn the inbox

Roll DMARC out slowly; keep the list clean.

DMARC is rolled out gradually. Publish at p=none to monitor, set an aggregate report endpoint, watch the reports for two to four weeks, fix any legitimate senders failing alignment, then move to quarantine at a low percentage and finally to reject. The full progression typically takes two to three months, and rushing to reject bounces legitimate mail.

SPF has two traps. Only one SPF record is allowed per domain, so multiple records break it entirely and senders must be combined into one. And SPF has a 10-DNS-lookup limit that chained includes can blow past, at which point it stops working. DKIM signs each message, and DMARC aligns the From domain and tells receivers what to do on failure.

List hygiene is the single biggest deliverability lever for most senders. Send only to people who explicitly opted in, prefer double opt-in for marketing, honor unsubscribes immediately, remove hard bounces, and sunset disengaged contacts. Separate marketing from transactional on different subdomains, because a spam complaint on a marketing blast hurts transactional delivery, and warm up new IPs and domains gradually, since a sudden volume spike looks like spam.

Reference files

The reference that goes alongside the SKILL.md.

references/dmarc-rollout-playbook.md
A step-by-step for moving from no DMARC to p=reject, with timing, monitoring, and how to handle the problems found along the way.

Browse all reference files on GitHub

Bridges to other skills

What sits around the inbox.

Deliverability is about whether mail arrives. These cover the content it carries, the zone its records live in, and the monitoring that watches reputation.

The content
email-sequences
Writes the email content and designs the program. Deliverability makes sure that content arrives: great copy in the spam folder converts nobody.
The DNS zone
domain-strategy
The SPF, DKIM, and DMARC records live in the zone domain strategy manages. That skill keeps the zone clean; this one tunes the authentication records inside it.
Routes here
security-baseline
The security baseline points email authentication to this skill rather than owning it. Anti-spoofing through DMARC is a deliverability and a security concern at once.
Watching reputation
monitoring-and-alerting
Bounce rates, spam complaints, and DMARC report anomalies all need ongoing visibility. This skill names what to watch; monitoring routes the alerts.

Open source under MIT

Read the SKILL.md on GitHub.

The skill source lives in the rampstackco/claude-skills repository alongside dozens of other skills covering the full lifecycle of brand and product work. This page is a structured overview; the SKILL.md is the source. MIT licensed.

View SKILL.md Browse the full catalog

Frequently asked questions.

What are the three pillars of deliverability?: Authentication (SPF, DKIM, and DMARC, which let mailbox providers verify the mail is from who it claims), reputation (the score providers assign every sender, independently per sending-domain and mailbox-provider pair), and list quality and engagement (the foundation, since a bad list eventually produces a bad reputation no matter how clean the authentication). Weakness in any one pillar limits the others, so all three get attention rather than just the DNS records.
How do I roll out DMARC safely?: Gradually, over two to three months. Publish DMARC at p=none to monitor without blocking, set up an aggregate report endpoint, and watch the reports for two to four weeks. Identify any legitimate senders failing alignment and fix them, then move to p=quarantine at a low percentage (pct=10) and increase it, and finally to p=reject once confidence is high. Moving to reject too quickly bounces legitimate mail, while leaving DMARC at p=none forever is monitoring without enforcement, so spoofing stays easy.
Why is my email going to spam?: Check the pillars in order: authentication first (SPF, DKIM, and DMARC passing and aligned), then reputation, then list quality, then content. For most senders the single biggest lever is list hygiene: explicit opt-in, double opt-in for marketing, immediate hard-bounce removal, and sunsetting disengaged contacts. Once reputation is bad, recovery takes months, so the goal is never landing in spam in the first place rather than counting on recipients to mark messages as not-spam.
What are the common SPF mistakes?: Two break SPF outright. Publishing multiple SPF records on one domain breaks SPF entirely, so all senders must be combined into a single record. And SPF has a 10-DNS-lookup limit that chained includes can exceed, at which point SPF silently stops working, so the lookup count needs watching. Use -all for a hard fail (or ~all during a gradual rollout), and never +all, which lets anyone send as your domain.
How is this different from email-sequences?: Email-sequences writes the content and designs the program: the onboarding flow, the lifecycle campaign, the subject lines. Email-deliverability makes sure that mail reaches the inbox through authentication, reputation, and list hygiene, because great copy in the spam folder converts nobody. The DNS records themselves sit in the zone that domain-strategy manages, and security-baseline routes email authentication here rather than owning the SPF, DKIM, and DMARC setup itself.