How to document the issue for later analysis?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've just navigated a reputation crisis. The fire is out (or at least contained). Now the most underrated step: writing it all down before your memory fades and the data disappears. A good incident record isn't just for post-mortems. It's what protects you if the same thing happens again, and what tells ISPs a coherent story if you ever need to file a complaint or remediation request.

Here's what to capture, and when to capture it.

Capture now, while you're still in it

The freshest data is the most valuable. While the incident is active (or within 48 hours of detection), pull these immediately:

  • Delivery rate snapshots from your ESP by domain, by IP, and by segment. Note the timestamp on every screenshot.
  • Bounce data broken out by type. Hard bounces (permanent failures), soft bounces (temporary failures), and any specific SMTP codes your ESP reports. Codes like 550 5.7.1 or 421 tell you a lot about what the receiving server was rejecting and why.
  • Complaint rate data from Gmail Postmaster Tools and Outlook Smart Network Data Services (SNDS). Take screenshots with the date visible. These dashboards don't hold historical data forever.
  • Your sending volume at the time of detection. How many emails went out in the 24 and 72 hours before you noticed the problem?

Build a timeline with actual timestamps

But this is the part most people skip, and regret. Write down:

  • When you first noticed something was wrong (and what you saw)
  • When each response action was taken (pausing sends, suppressing segments, changing IPs or subdomains)
  • When inbox placement or sender reputation scores started recovering
  • When you declared the incident closed

Even rough timestamps beat none. "Around 2pm Tuesday" is better than a blank field.

Document what ISPs actually saw

ISPs measure bounce rates, complaint rates, and engagement signals in aggregate across your sending history. When you're documenting for later analysis, think from that perspective:

  • What did your complaint rate look like in Gmail Postmaster (low, medium, high, critical)?
  • Was your domain reputation or IP reputation flagged? Both?
  • Were DKIM, SPF, and DMARC passing throughout the incident, or did an auth failure contribute?
  • Which receiving domains were most affected? (Gmail behaves differently from Yahoo or Outlook.)

Actions taken

Document every change you made with a timestamp:

  • What sending was paused or throttled, and for how long
  • Which segments or lists were suppressed
  • Any technical changes made (new IP, subdomain shift, DNS updates)
  • Stakeholder communications sent internally or externally

Root cause section

And this is the most important part of the whole document. Even a rough hypothesis is useful. Try to answer:

  • What triggered this? (A bad list segment, a sudden volume spike, a lapsed suppression list, an authentication gap?)
  • How was it identified? (Automated alert, a bounce spike, a client complaint?)
  • What allowed it to get this far before detection?

Be honest in this section. "We don't know yet" is a valid answer if it's true. It's better than a confident-sounding guess that sends you in the wrong direction next time.

Lessons learned

One or two concrete changes you're making as a result. Not a wish list. Specific things with owners and dates:

  • "Setting up weekly Gmail Postmaster checks by [name] starting [date]"
  • "Running a list validation before any send over 50k starting [date]"
  • "Added suppression list check to deployment checklist"

Keep this document somewhere your team can actually find it. A shared Google Doc works fine. The goal is that if this happens again in 18 months, whoever is handling it can read exactly what happened last time and not start from zero.

If you want a second set of eyes on your recovery or you're not sure what your Postmaster data is telling you, our SOS hotline is free and we actually pick up.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your incident details below and I'll help you structure a complete record

Our sender reputation took a hit recently and we're still recovering. I want to document exactly what happened so we can prevent a repeat. Based on what I share below, help me identify: (1) the key data points I should capture right now before they expire, (2) how to structure my incident timeline, and (3) what the root cause section should include given our specific situation.

Edit the yellow boxes, then send to the AI of your choice.