The 21-Point Email Marketing Audit You Can Run Yourself Before Hiring Anyone

Most email audits you'll find online are 50-point checklists that grade your program on vibes. They tell you to "review your subject lines" without saying what a passing subject line looks like. They flag "low engagement" without naming the number that means you have a problem on Monday morning.

This is the opposite of that. Twenty-one checks, each with a hard threshold, each with a severity if you fail it. The whole thing is designed so an operator can sit down on a Tuesday with their ESP open in one tab and this article in another, and walk away knowing exactly what's broken and in what order to fix it.

We sell email marketing as a service. We wrote this anyway, because the audits that produce real fixes are the ones a client can run before the kickoff call. If you finish this email marketing audit checklist and decide your program is fine, that's the right outcome. If you finish it and decide three flows are missing and your complaint rate is double Google's ceiling, you already know what the first 30 days of work look like.

TL;DR

• Deliverability fails when complaint rate exceeds 0.1% sustained or auth (SPF, DKIM, DMARC) isn't passing.

• Automated flows should drive roughly 30% of email revenue per Omnisend; below 20% means flows are underbuilt.

• Lists decay at least 23% per year, so gross signups without a sunset policy is a vanity metric.

• Campaigns fail the audit when there's no segmentation beyond "all subscribers" and no documented test cadence.

• Score each section pass/fail, fix deliverability first, flows second, list health third, campaigns last.

1. How to use this audit: thresholds, not vibes

Every check below has three parts: the question, the pass threshold, and the severity if you fail. You're scoring pass or fail. No partial credit, no "mostly." Email programs that mostly authenticate end up in spam folders mostly.

Work through the sections in order. Deliverability first because nothing else matters if the mail doesn't land. Flows second because that's where the revenue compounding happens. List health third. Campaigns last, even though that's where most teams want to start.

Give yourself two hours. Open your ESP, your domain DNS records, and a blank doc. If you want the operator's version of how to audit your email marketing without the consulting fees, this is it.

2. Section 1 — Deliverability: the six checks that decide whether mail lands

Deliverability is the only section where a single failed check kills the entire program. A beautifully segmented campaign sent from an unauthenticated domain to a list with a 0.4% complaint rate is just expensive spam.

Check 1 — SPF record published and passing. Pull your sending domain's DNS. There should be exactly one SPF record listing every service that sends on your behalf (ESP, transactional provider, helpdesk). Severity if failed: critical. Mail is getting filtered right now.

Check 2 — DKIM signing on the sending domain, not the ESP's shared domain. Your DKIM signature should align with the From address. If you're sending from hello@brand.com but DKIM signs as klaviyo-mail.com, you're failing alignment. Severity: critical.

Check 3 — DMARC published at p=quarantine or p=reject. A DMARC record at p=none is monitoring only. Google's bulk sender requirements effectively require DMARC for senders over 5,000 messages per day to Gmail. Severity: critical. (We've written the longer version of this in our Gmail and Yahoo sender requirements breakdown.)

Check 4 — 30-day spam complaint rate under 0.1%. Google's sender guidelines name 0.3% as the ceiling that triggers enforcement and 0.1% as the target operators should hold themselves to. Pull your Gmail Postmaster Tools dashboard. If your rate sits between 0.1% and 0.3%, you're in the warning band. Above 0.3%, Gmail is already throttling you. Severity: critical above 0.3%, high between 0.1% and 0.3%.

Check 5 — Inbox placement spot-check on the last three campaigns. Send a seed test through your usual ESP to a free inbox-placement tool. Pass is 90%+ inbox across Gmail, Yahoo, and Outlook. Severity: high if Gmail placement drops below 85%.

Check 6 — One-click unsubscribe in the header (RFC 8058). Required by Gmail and Yahoo for bulk senders. Your ESP either supports it natively or you're failing the check. Severity: critical for any sender over 5,000 messages per day.

If you failed two or more of these six, stop the audit. Fix deliverability before you touch anything downstream. There is no flow optimization that survives a 0.4% complaint rate.

3. Section 2 — Flows: six checks on the engine that should be running while you sleep

Automated emails, per Omnisend's 2026 ecommerce email statistics, drive roughly 30% of ecommerce email revenue. If your flows are doing less than 20% of total email revenue, the engine is underbuilt and you're leaving money on the table every day the audit waits.

Check 7 — Welcome series exists and runs three or more emails. A single welcome email is the most common failure here. Pass: three to five emails over seven to ten days, with offer logic that doesn't burn margin on subscribers who'd have bought anyway. Severity: high.

Check 8 — Browse abandonment flow live with a 30-minute delay or shorter. This is the cheapest revenue you'll ever recover. Severity: high if missing, medium if delay exceeds two hours.

Check 9 — Cart abandonment runs three messages over 24-72 hours. One email isn't a flow, it's a reminder. Pass: three touches with escalating specificity, ending before the 72-hour mark where intent decays sharply. Severity: high.

Check 10 — Post-purchase flow segments first-time from repeat buyers. A first-time buyer needs onboarding. A repeat buyer needs a thank-you and a cross-sell. Sending them the same email is the audit fail. Severity: medium.

Check 11 — Winback flow triggers at a defined inactivity threshold (typically 60-120 days). No winback means your list decays silently into a complaint-rate problem. Severity: medium.

Check 12 — Flow share of total email revenue at 25% or higher. Pull last 90 days of email revenue, split by campaign versus automation. Pass: automations at 25%+ of email revenue, ideally near the 30% Omnisend benchmark cited above. Severity: high if under 20%.

The 21-point scorecard. Work top to bottom — deliverability fails block everything downstream.

4. Section 3 — List health: four checks on the asset most teams measure wrong

Gross signups is the metric every team reports and the one that lies most. ZeroBounce's list decay research puts annual decay at a minimum of 23%, meaning a list that added 10,000 signups last year and didn't sunset anyone is actually about 2,300 addresses smaller than the report says, and the dead weight is hurting deliverability while you celebrate growth.

Check 13 — Decay-adjusted net list growth tracked monthly. You should be reporting net active subscribers, not gross signups. Pass: a monthly dashboard that subtracts unsubscribes, hard bounces, and sunsetted addresses from new signups. Severity: high if you don't have this number.

Check 14 — Sunset policy documented and running. A subscriber who hasn't opened or clicked in 90-180 days should move to a re-engagement track, then to suppression if they don't respond. Pass: the rule is written down and the automation runs. Severity: high.

Check 15 — Signup sources tagged at capture. You should be able to pull complaint rate and revenue per subscriber by source (popup, checkout, footer, paid form). If every signup is tagged "website," you can't fix the source that's poisoning your complaint rate. Severity: medium.

Check 16 — Double opt-in or equivalent quality gate on the highest-volume signup source. Single opt-in popups, especially incentivized ones, are the single most common source of complaint-rate inflation we see in client work. Severity: medium if your complaint rate sits between 0.1% and 0.3%, high if above.

5. Section 4 — Campaigns and content: five checks on what most teams optimize first and should optimize last

Campaigns are the part of email people enjoy talking about. They're also the part with the smallest payoff if the first three sections are broken. With that disclaimer logged:

Check 17 — Segmentation beyond "all subscribers" on at least 50% of campaigns. Pass: half your sends in the last 90 days targeted a segment (purchase history, engagement window, product affinity). Severity: medium.

Check 18 — Documented cadence with a sending floor and ceiling. Pass: a written rule like "two to four campaigns per week, minimum one, maximum five." No rule means cadence drifts seasonally and engagement craters in Q1. Severity: low to medium.

Check 19 — A/B test cadence with a recorded learning log. Pass: at least one test per month, results written down where the next operator can find them. The test doesn't have to be subject lines. The discipline of recording what you learned is the actual check. Severity: low.

Check 20 — Mobile rendering verified before send. Roughly half of email opens happen on mobile in most B2C lists. If your QA process doesn't include a mobile render check, you're shipping broken layouts to half your audience. Severity: medium.

Check 21 — Revenue per recipient (RPR) tracked per send. Open rate is a vanity metric since Apple Mail Privacy Protection broke it in 2021. RPR is the number that survives. Pass: every campaign report shows RPR alongside revenue, and you know your 90-day average. Severity: medium.

6. Scoring it: what the fails mean and which fixes come first

Count your fails by section. Here's how to read the result.

If you failed any check in Section 1, that's the only work that matters this week. A program with deliverability problems doesn't get to optimize segmentation. Fix authentication, fix complaint rate, then come back.

If Section 1 passed but Section 2 has three or more fails, you have a flows problem, and that's where the next 30 days of work live. Flow build-out has the highest revenue-per-hour of any email work because the asset compounds while you sleep.

If Sections 1 and 2 passed but Section 3 has fails, your program is making money today but bleeding capacity. The complaint rate problem is twelve months away and will show up as a sudden Gmail throttling event that feels like it came from nowhere.

Section 4 fails alone, with the first three sections clean, means you have a healthy program with optimization headroom. That's a good problem.

The order matters. We've watched teams spend a quarter A/B testing subject lines while their SPF record listed an ESP they stopped using two years ago. The subject lines got 4% better. The deliverability got 30% worse. Net result was a worse program with prettier reports.

7. When the audit says hire help — and when it says you don't need to

If you finished this email program health check with zero or one fails total, your program is healthier than most. You don't need an agency. You need a quarterly re-run of this checklist and a calendar reminder.

If you finished with two to four fails concentrated in one section, you probably have an internal operator who can fix it given a week of focused time. Block the calendar, work the list, re-audit in 30 days.

If you finished with five or more fails spread across multiple sections, or any critical fail in Section 1 that's been open for more than 60 days, the work is bigger than a side-of-desk project. That's the point where bringing in help, whether ours or someone else's, starts to pencil out against the revenue you're leaving on the floor. Our email marketing service is built around this exact audit, and our done-for-you email marketing breakdown walks through what the first 60 days of a remediation engagement actually looks like.

The honest version: most programs we audit fail four to seven checks. The common pattern is authentication half-done, two missing flows, no sunset policy, and campaign reporting that still leads with open rate. None of those are exotic. All of them compound.

FAQ

How often should I run this email flow audit?
Quarterly is the right cadence for most programs, with a lighter monthly check on the deliverability section since complaint rate and authentication can drift fast. Run a full audit after any major change: ESP migration, new signup source, sender domain change, or a campaign volume increase of more than 50%.

What's the single most important check on this email marketing audit checklist?
The 30-day spam complaint rate against Google's 0.1% target. A program failing that one check is in active deliverability decline, and every other optimization compounds in the wrong direction until it's fixed. Pull Gmail Postmaster Tools before you do anything else.

Can I run this audit on a B2B program, or is it ecommerce-only?
The deliverability and list-health sections apply identically. The flow section needs adaptation since B2B doesn't have cart abandonment, but the principle holds: automated sequences should drive a meaningful share of pipeline-attributed email activity, and a program with zero automation is underbuilt regardless of vertical.

What if my ESP doesn't report some of these numbers natively?
Most mid-market ESPs report complaint rate, flow revenue, and RPR if you know where to look. For decay-adjusted list growth and signup-source tagging, you usually need to build a small monthly export. The work is two to four hours of setup and pays for itself the first time it catches a poisoned signup source.

Should I fix everything before hiring an agency, or hand them a broken program?
Fix Section 1 yourself if you can — authentication and complaint rate are well-documented problems with public playbooks. Hand the agency Sections 2 through 4, because that's where domain expertise and build velocity pay back fastest. Walking in with clean auth shortens onboarding by two to three weeks.

Run the audit this week

Block two hours on Wednesday. Pull your DNS records, your Gmail Postmaster dashboard, and your last 90 days of email reports. Work the 21 checks in order, write down the fails, and decide on Friday which section gets the next 30 days.

If the audit says you need help, our inbox is open. If it says you don't, that's the better outcome and the one we wrote this for.