Deliverability on Sender Audit Blog

Email trackers explained: pixels, link wrapping, and privacy

Mon, 04 May 2026 00:00:00 +0000

Every marketing email you receive likely contains one or more invisible trackers. They measure whether you opened the message, when, how many times, from which device, and which links you clicked. Here’s how it works - and how to do better.

How open tracking works

The spy pixel: an invisible image

The mechanism is straightforward: the sender inserts a 1×1 pixel transparent image hosted on their server. When your mail client renders the message, it downloads the image. The server records:

Shadow IT and Email: The Tools Sending on Your Behalf Without You Knowing

Tue, 28 Apr 2026 00:00:00 +0000

You’ve configured SPF, DKIM, and DMARC. Your email infrastructure is under control. Then one day, while analyzing your DMARC reports, you discover dozens of unknown IPs sending emails on behalf of your domain. Not phishing - internal tools that nobody in IT ever approved.

Welcome to the world of email shadow IT.

What Is Email Shadow IT

Shadow IT refers to the use of technology services without explicit approval from the IT team. Applied to email, it’s extremely common: business teams configure SaaS tools to send emails from your domain without going through IT.

DMARC: Safely Migrating from p=none to p=reject

Sat, 11 Apr 2026 00:00:00 +0000

You’ve published your DMARC record with p=none. That’s a good start, but p=none blocks nothing: fraudulent emails still get through. The end goal is p=reject, and this guide walks you through the migration without breaking your legitimate mail flows.

Why p=none Isn’t Enough

With p=none, you’re asking mailbox providers to do nothing when an email fails DMARC. You receive RUA reports, but:

Emails spoofing your domain still reach inboxes
Your domain can be used for phishing
Google and Yahoo now require a published DMARC record, but the real benefits start at p=quarantine or p=reject

Recommended Timeline

Week	Policy	Goal
W1-W2	`p=none; rua=mailto:...`	Collect reports, inventory sources
W3-W4	Report analysis	Identify each source IP, fix SPF/DKIM
W5-W6	`p=quarantine; pct=10`	Test on 10% of traffic
W7-W8	`p=quarantine; pct=50`	Gradually increase
W9-W10	`p=quarantine; pct=100`	Observe for 2 weeks
W11-W12	`p=reject; pct=10`	Begin gradual rejection
W13-W14	`p=reject; pct=50`	Scale up
W15+	`p=reject; pct=100; sp=reject`	Full protection

This timeline is indicative. The key is to never skip a step without verifying that reports are clean.

Why Do You See Two DKIM Signatures on a Single Email?

Thu, 05 Mar 2026 00:00:00 +0000

You inspect the headers of an email sent through your ESP (Brevo, Mailchimp, SendGrid…) and notice two distinct DKIM signatures: one with your domain, one with the ESP’s domain. Is this normal? Absolutely, and it’s actually desirable.

What It Looks Like in the Headers

Here’s a typical Authentication-Results example:

Authentication-Results: mx.google.com;
 dkim=pass header.i=@yourdomain.com header.s=mail header.b=xjAWgYt1;
 dkim=pass header.i=@esp-domain.com header.s=mail header.b=zNRqfud1;
 spf=pass ...
 dmarc=pass (p=REJECT) header.from=yourdomain.com

And two DKIM-Signature: blocks in the message: one with d=yourdomain.com, the other with d=esp-domain.com.

Email Blacklists: Understand, Check and Get Delisted

Mon, 09 Feb 2026 00:00:00 +0000

Your delivery rate drops suddenly. Your emails go to spam, or worse, they’re rejected with 550 5.7.1 Service unavailable; client host blocked. There’s a good chance your IP or domain is on a blacklist.

What Is an Email Blacklist?

A blacklist (or RBL, Realtime Blackhole List, or DNSBL, DNS-based Blackhole List) is a database that catalogues IP addresses and domains identified as spam sources or abusive senders.

Receiving servers (Gmail, Outlook, ISPs, corporate servers…) query these lists in real time to decide whether to accept, filter, or reject an email.

Email Deliverability: The Ultimate Guide to Reaching the Inbox

Tue, 03 Feb 2026 00:00:00 +0000

You send emails, but do they actually reach the inbox? Deliverability is the rate at which your emails land in recipients’ inboxes, as opposed to the spam folder or outright rejection. It’s a critical issue for any business that communicates via email.

Why Your Emails Aren’t Arriving

ISPs (Gmail, Outlook, Yahoo, etc.) use hundreds of signals to decide the fate of each email. Here are the main ones:

1. DNS Authentication

This is the absolute prerequisite. Without it, you’re a stranger to ISPs.

SPF: The Complete Guide to Authorizing Your Sending Servers

Sat, 17 Jan 2026 00:00:00 +0000

SPF (Sender Policy Framework) is the first line of defense in email authentication. It lets you declare in your DNS which servers are allowed to send email for your domain. Simple on the surface, it hides subtleties that trip up even experienced admins.

What Does SPF Actually Do?

When a receiving server gets an email from contact@yourdomain.com, it asks one question: “Is this server allowed to send for this domain?”