Email Deliverability
What a $500 Deliverability Audit Actually Checks And How to Automate It
Deliverability consultants charge $300–$800 for a domain audit. Here's exactly what they check, what they put in the report, and how agencies can run the same audit automatically across every client domain.
If you've ever hired a deliverability consultant, you know the drill. They ask for access to your DNS, your ESP, your sending history. A few days later you get a PDF sometimes a polished one, sometimes a Google Doc with a list of issues and recommendations. You pay somewhere between $300 and $800. The domain gets fixed. Deliverability improves.
Then six months later something breaks again and nobody notices until open rates drop.
This post breaks down exactly what a professional deliverability audit covers, what goes into the report, and why agencies managing multiple client domains need a better answer than hiring a consultant every time something changes.
What consultants are actually doing during an audit
A deliverability audit is not magic. It's a structured inspection of DNS records, authentication configuration, sending infrastructure, and reputation signals. Experienced consultants have a checklist they run through either manually or with a combination of tools and they know what a bad result looks like and how to fix it.
Here's what that checklist covers.
Phase 1: Authentication stack review
The first thing any deliverability consultant checks is whether the domain's authentication records are present, valid, and correctly configured.
SPF Is the record present? Does it include all authorized sending sources? Does it stay within the 10 DNS lookup limit? Is enforcement set to -all or still sitting at ~all?
DKIM Is a key published for each selector the ESP is using? Is the key at least 2048 bits? Is the key accessible and correctly formatted?
DMARC Is a record present? What's the policy p=none, p=quarantine, or p=reject? Is pct set to 100? Are aggregate reports (rua) being sent somewhere that someone actually reads? Does the policy extend to subdomains via sp=?
DMARC alignment Is the From domain aligned with either the SPF domain or the DKIM signing domain? A passing SPF check on a misaligned domain doesn't satisfy DMARC.
A consultant who finds p=none with no reporting address and a 1024-bit DKIM key has found three billable findings in the first ten minutes.
Phase 2: Infrastructure inspection
Authentication tells you whether the domain is configured correctly. Infrastructure tells you whether the mail server setup is sound.
MX records Are they present and pointing to the right place? Multiple MX records should have correct priority values.
PTR records Does the sending IP have a reverse DNS entry that matches the sending domain? Many enterprise mail servers reject email from IPs that fail this check.
Blacklist status Is the domain or any of its sending IPs listed on major blacklists? This includes Spamhaus, Barracuda, SORBS, SpamCop, and a dozen others. A single listing on the right blacklist can tank deliverability to a significant portion of recipients.
SSL certificate Is the certificate valid and not expiring imminently? An expired certificate on a mail server breaks encrypted email delivery.
MTA-STS Is a policy published that forces incoming mail servers to use encrypted connections?
Phase 3: Security posture
DNSSEC Are the domain's DNS records signed? Without DNSSEC, DNS responses can be forged, redirecting email traffic to an attacker.
CAA records Is the domain specifying which certificate authorities can issue certificates for it?
DANE/TLSA Is the domain using DNS to pin its mail server certificate, preventing man-in-the-middle attacks on email in transit?
Registrar lock Is the domain locked against unauthorized transfers?
Nameserver integrity Are the domain's nameservers the ones you expect? An unexpected nameserver change is one of the earliest signs of domain hijacking.
Subdomain exposure Do any subdomains lack SPF or DMARC coverage? Unprotected subdomains are open vectors for spoofing.
Phase 4: Compliance checks
Google Bulk Sender requirements For domains sending more than 5,000 emails per day to Gmail addresses, Google requires valid SPF, DKIM, and DMARC, a one-click unsubscribe header, and spam complaint rates below 0.3%.
BIMI readiness Is the domain eligible for BIMI? This requires DMARC at p=quarantine or p=reject, a published BIMI record, and an accessible SVG logo. Some mail clients will show the brand logo next to email from BIMI-compliant domains.
DKIM key strength Is the DKIM key 2048 bits or stronger? 1024-bit keys are deprecated and should be rotated.
What goes into the report
A thorough deliverability audit report covers more than a list of pass/fail checks. Here's what you'd expect in a professional deliverability report:
Executive summary A plain-language overview of the domain's health, written for someone who doesn't know what SPF stands for. What's the risk level? What are the top three things to fix?
Domain health score A numeric or letter-grade score that summarizes the overall authentication and infrastructure posture. Useful for tracking progress over time.
Check-by-check breakdown Each check listed with its result, the exact DNS value found, what it should be, and what the risk is if it's not fixed.
Blacklist status Which blacklists the domain or its sending IPs appear on, with links to removal request pages.
Fix plan Prioritized recommendations with estimated effort and business impact. A good fix plan separates the critical fixes (do today) from the important ones (do this week) from the nice-to-haves (do eventually).
DNS diff The exact record values that need to be changed, so whoever manages the DNS can make the changes without needing to understand why.
30-day trend If the consultant has historical data, a view of how the domain's health score has changed over the past month.
For a single domain, a competent consultant can complete this work in two to four hours. At $150–$200 per hour, that's where the $300–$800 price range comes from.
The problem agencies run into
For a single domain, hiring a consultant makes sense. The math works.
For an agency managing 20, 50, or 100 client domains, it breaks down quickly.
The first problem is cost. At $500 per audit and quarterly review cadence, you're spending $2,000 per client per year just on audits. For an agency with 30 clients that's $60,000 annually on something that should be a standard service.
The second problem is timing. A point-in-time audit tells you what the domain looked like the day the consultant ran it. Email domain health is not static. Domains get blacklisted. SSL certificates expire. Clients add new ESPs without telling you, breaking SPF records. DMARC policies get modified during migrations and never changed back. None of these appear in a quarterly audit until the next quarterly audit.
The third problem is client communication. Agencies that discover issues and tell clients about them proactively build trust. Agencies that find out about issues from clients lose it. Quarterly audits make proactive communication structurally difficult you can only be proactive about things you know about.
What automation actually looks like
Automating a deliverability audit means running the same checks a consultant runs, continuously, across every domain in your portfolio, and surfacing results in a format that's actionable for your team and readable for clients.
The technical layer runs 25+ checks per domain the full authentication stack, infrastructure, security posture, and compliance checks described above every hour. When something changes, an alert fires. When a domain appears on a blacklist, you know within the hour. When an SSL certificate is 30 days from expiry, you get a warning with enough time to act.
The reporting layer takes everything the technical layer finds and turns it into something you can put in front of a client. Not a raw list of DNS records, but a narrative: here's your domain health score, here's what changed this month, here's what needs attention and in what order, here's what we fixed.
This is what Infraova does. It runs the full audit checklist the same checks a deliverability consultant would run on every domain, every hour. When the week ends, it generates an 8-page PDF report for each client: health score, executive summary, blacklist alerts, fix plan, 30-day trend, and a client-facing summary that non-technical stakeholders can actually read.
The report a consultant would charge $500 to produce. Generated automatically. Every week.
What this means for how agencies position themselves
Agencies that monitor continuously can offer something consultants can't: they know about problems as soon as they happen, not when a client reports them or when the next audit is scheduled.
That's a positioning shift. Instead of being reactive fixing problems after they're reported you become the agency that calls the client before the client calls you. That's a different relationship, and it commands different pricing.
It also changes what your deliverability service looks like. Instead of selling audit-and-fix engagements, you can sell ongoing monitoring as a retainer. The deliverability consultant you hire for a one-time audit becomes the baseline your monitoring service catches up to every week, automatically.
The $500 audit is a useful benchmark for understanding what continuous monitoring is worth. If a single audit, covering a single domain, at a single point in time, is worth $500 then hourly monitoring across your entire client portfolio, with weekly reports, is worth considerably more.
The short version
A professional deliverability audit covers authentication (SPF, DKIM, DMARC, alignment), infrastructure (MX, PTR, blacklists, SSL), security (DNSSEC, registrar lock, nameserver integrity, subdomain exposure), and compliance (Google bulk sender, BIMI, DKIM key strength).
The report covers a health score, check-by-check breakdown, prioritized fix plan, exact DNS values, and trend data.
Consultants charge $300–$800 for a single domain, once. That's the right answer for a one-time problem.
For agencies managing multiple client domains, the right answer is continuous monitoring with automated reporting the same checks, running every hour, with the same quality of output, across every domain in your portfolio.
That's what separates agencies that find out from clients from agencies that find out first.