What logs or headers should be collected during diagnosis?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Something's off with your deliverability, and you need to figure out what. Before you start guessing, collect the right evidence first. Here's what actually matters and why.
Email headers are your first stop. Specifically, look at the Authentication-Results header, which tells you whether SPF, DKIM, and DMARC passed or failed. The Received headers show you the full routing path the message took, which reveals whether something unexpected happened in transit. X-headers added by your ESP or a receiving filter can also flag why a message was treated a certain way. You can paste a raw header into our Email Header Analyzer and it'll decode it instantly.
SMTP logs tell you what happened at the connection level. Look for the response codes your receiving servers returned (4xx means a temporary deferral, 5xx means a hard rejection), the exact error messages alongside them, and whether timing or throughput changed around the time problems started. A spike in deferrals at a specific time often points to a reputation issue or rate limit kicking in.
Bounce logs go a level deeper. The error codes and accompanying messages from the receiving server are often surprisingly specific. "This message was blocked because your sending IP is on a blocklist" is a very different problem than "user doesn't exist." Timestamp correlation matters here too. If bounces started at a specific hour, cross-reference that with your sending schedule to find the trigger.
Sending records give you context for everything else. What went out, when, to which segment, and from which list source. Without this, you can't tell whether a reputation dip happened because of a specific campaign, a list import, or a volume spike. Your ESP's dashboard usually holds this, but export it so you have it in one place.
External reputation data rounds out the picture. Screenshots from Postmaster Tools, blocklist check results, and third-party domain or IP reputation scores can confirm what the logs are hinting at. Run a quick blocklist check with our Blocklist Checker if you haven't already.
The goal isn't to collect everything at once. It's to let each layer confirm or contradict what the previous one is telling you. Headers point to auth. Logs point to timing. Bounces point to the specific receiver's reason. Reputation data confirms whether the problem is widespread or isolated. Work through them in order and you'll usually find the thread to pull.
Still if you've gathered all of this and still can't see the pattern, our SOS hotline is free and we'll walk through it with you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.