If you manage WordPress sites for clients, you are in the email deliverability business whether you signed up for it or not. Every contact form notification, every WooCommerce order confirmation, every password reset rides on three DNS records most sites set up once and never look at again.
The three records, without the jargon
SPF answers: which servers are allowed to send mail for this domain? It’s a DNS TXT record listing approved senders. Common failure: the record exists but doesn’t include the SMTP service the site actually uses, or it exceeds the 10-DNS-lookup limit and silently stops validating.
DKIM answers: was this message actually sent by the domain, unmodified? The sending server signs each message; a public key in DNS lets receivers verify the signature. Common failure: the site switches SMTP providers and the old selector key stays in DNS while the new one never gets published.
DMARC answers: what should receivers do with mail that fails SPF and DKIM? It’s the policy layer. Common failure: either no DMARC at all (increasingly punished by Gmail and Microsoft), or a p=reject policy published before SPF/DKIM alignment was actually verified, which quarantines the domain’s own legitimate mail.
Why this breaks silently across portfolios
One client’s site is manageable. Ninety are not. Each site potentially sends from a different domain, through a different SMTP plugin, configured by whoever built it. A host migration changes sending IPs. A new marketing tool starts sending “from” the domain without being added to SPF. Providers tighten enforcement (as Gmail and Yahoo did for bulk senders) and mail that squeaked through last year starts landing in Spam.
Nothing errors. Deliverability just degrades, domain by domain, until a client asks where the enquiries went.
Auditing at agency scale
The manual version: for each sending domain, check the SPF record and count lookups, verify the DKIM selector actually matches what’s being signed, read the DMARC policy, and then, because DNS truth and delivery truth differ, inspect the Authentication-Results header on a real delivered message.
That’s an afternoon per portfolio, repeated every time anything changes. The automated version is Formitor’s deliverability layer: per-domain SPF/DKIM/DMARC checks with one-click rechecks, real header verdicts from actually-delivered test messages, and inbox-placement reads that tell you whether the mail lands in Inbox or Spam at multiple providers.
The takeaway
You don’t need to become a deliverability consultant. You need three things per client domain: records that validate, a policy that’s enforced but safe, and evidence that real messages land in the Inbox. Automate the checking, and the first time a client’s DMARC drift gets caught before their leads start bouncing, the monitoring pays for itself.