Your Emails Are Bouncing: Here’s How to Fix Them

You send an important invoice to a client. It bounces. You send a password reset to a user. It lands in spam. You send a newsletter to your mailing list. Delivery rates plummet.

This is the reality we see at Canadian Web Hosting: businesses that rely on their servers for email but struggle with delivery problems. The issue isn’t your email content — it’s the technical configuration that tells other mail servers “this email is legitimate.”

This guide walks through diagnosing and fixing email delivery problems, from simple SPF misconfigurations to complex DMARC policies. Whether you run a small business email server or send transactional emails from your applications, these steps will ensure your messages reach their destination.

Why Email Delivery Fails: The Three Pillars of Email Authentication

Modern email delivery relies on three authentication standards that work together:

  • SPF (Sender Policy Framework): Lists which servers are allowed to send email for your domain
  • DKIM (DomainKeys Identified Mail): Cryptographically signs your emails to prove they weren’t tampered with
  • DMARC (Domain-based Message Authentication, Reporting & Conformance): Tells receiving servers what to do with emails that fail SPF or DKIM checks

When any of these are missing or misconfigured, email servers treat your messages as suspicious — resulting in bounces or spam folder placement.

Step 1: Diagnose Your Current Email Delivery Status

Before making changes, understand your current situation:

# Test basic email delivery
$ telnet gmail-smtp-in.l.google.com 25
220 mx.google.com ESMTP

# Check your SPF record
$ dig TXT example.com | grep "v=spf1"

# Test email authentication with mail-tester.com
# Send an email to the provided address for a free analysis

Key metrics to check:

  • Bounce rate: Percentage of emails rejected by receiving servers
  • Spam placement rate: Percentage landing in spam folders
  • Authentication pass rate: Percentage passing SPF, DKIM, and DMARC

Step 2: Fix SPF (Sender Policy Framework) Records

SPF tells the world which servers can send email for your domain. A missing or incorrect SPF record is the most common cause of email bounces. All three authentication standards rely on DNS records — see our Beginner’s Guide to DNS Records if you need a refresher on TXT records and how DNS propagation works.

# Example SPF record for a server sending email directly
v=spf1 ip4:192.0.2.1 ip6:2001:db8::1 -all

# Example SPF record using a third-party email service
v=spf1 include:_spf.google.com include:servers.mcsv.net -all

# Example SPF record for multiple scenarios
v=spf1 ip4:192.0.2.1 include:_spf.mailgun.org ~all

Common SPF mistakes:

  • Missing SPF record: No TXT record at all — certain bounce
  • Too many DNS lookups: SPF has a 10-DNS-lookup limit
  • Hard fail (-all) when testing: Use ~all (soft fail) during setup
  • Outdated IP addresses: Server changed but SPF not updated

CWH recommendation: Use our Cloud VPS with static IP addresses for consistent email delivery. Dynamic IPs (common with residential ISPs) trigger spam filters immediately.

Step 3: Implement DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to your emails, proving they came from your domain and weren’t modified in transit.

# Generate DKIM keys (example with OpenDKIM)
# -b 2048 sets the key size explicitly; some opendkim-genkey builds default to 1024 bits
$ opendkim-genkey -b 2048 -s default -d example.com
# Creates default.private and default.txt

# DNS record from default.txt
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

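# Postfix configuration for OpenDKIM (main.cf)
# Pass mail received over SMTP, and mail submitted locally, to the OpenDKIM milter
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
# If the milter is unreachable, accept the message anyway; it is then sent unsigned
milter_default_action = accept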

DKIM best practices:

  • Key rotation: Rotate DKIM keys annually (but keep old keys valid for 7 days during transition)
  • Key size: Use 2048-bit RSA keys (1024-bit is deprecated)
  • Selector naming: Use date-based selectors (dkim202603) for easy rotation
  • Testing: Send test emails and verify DKIM signatures with tools like dmarcian.com

Step 4: Configure DMARC (Domain-based Message Authentication)

DMARC tells receiving servers what to do with emails that fail SPF or DKIM checks, and sends you reports about authentication results.

# Basic DMARC policy (monitoring only)
_dmarc.example.com IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

# Enforcing DMARC policy
_dmarc.example.com IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.com"

# Strict DMARC policy (reject failures)
_dmarc.example.com IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"

DMARC deployment phases:

  1. Monitor (p=none): 30 days — collect data without affecting delivery
  2. Quarantine (p=quarantine): 30 days — failing emails go to spam
  3. Reject (p=reject): Permanent — failing emails are rejected

DMARC reports: The rua address receives XML reports showing which emails pass/fail authentication. Use tools like dmarcian.com or Postmark’s DMARC digester to parse these.
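What the aggregate reports contain, shown as an added example that is not part of the original article: it totals DMARC pass and fail counts per sending IP from one report. The sample report, its IP addresses and the function names are constructed for illustration.

```python
# Added example: per-source summary of one DMARC aggregate (rua) report.
# SAMPLE_REPORT is constructed; element names follow the RFC 7489 aggregate
# schema, and the parser assumes a report without an XML namespace.
import xml.etree.ElementTree as ET
from collections import defaultdict

def _rec(ip, count, dkim, spf):
    """Build one constructed <record> element for the sample report."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers></record>")

SAMPLE_REPORT = (
    "<feedback><report_metadata><org_name>receiver.example</org_name></report_metadata>"
    "<policy_published><domain>example.com</domain><p>none</p></policy_published>"
    + _rec("192.0.2.1", 120, "pass", "pass")      # own server, fully authenticated
    + _rec("198.51.100.25", 30, "pass", "fail")   # signs with DKIM but is missing from SPF
    + _rec("198.51.100.25", 5, "fail", "fail")
    + _rec("203.0.113.77", 7, "fail", "fail")     # source that authenticates with nothing
    + "</feedback>"
)

def summarize(xml_text):
    """Return {source_ip: {"total", "passed", "failed"}} in message counts."""
    # Reports are sent by third parties: in production treat them as untrusted
    # XML (for example, parse with defusedxml instead of the standard library).
    stats = defaultdict(lambda: {"total": 0, "passed": 0, "failed": 0})
    for row in ET.fromstring(xml_text).iter("row"):
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim", "fail")
        spf = row.findtext("policy_evaluated/spf", "fail")
        # policy_evaluated holds the aligned results; DMARC passes if either one does.
        outcome = "passed" if "pass" in (dkim, spf) else "failed"
        entry = stats[row.findtext("source_ip")]
        entry["total"] += count
        entry[outcome] += count
    return dict(stats)

def failing_sources(stats):
    """Source IPs with DMARC failures, highest failure volume first."""
    failed = [ip for ip, s in stats.items() if s["failed"]]
    return sorted(failed, key=lambda ip: stats[ip]["failed"], reverse=True)

if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    for ip in failing_sources(report):
        print(ip, report[ip])
```

Sources that fail only occasionally are usually legitimate senders with a configuration gap; sources that never pass are the ones a quarantine or reject policy will affect.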

Step 5: Secure Email Connections with SSL/TLS

While SPF, DKIM, and DMARC authenticate your emails, SSL/TLS encrypts the connections between mail servers. This prevents eavesdropping and ensures privacy.

Key SSL/TLS configurations for email:

  • SMTP over TLS (port 587): Encrypted submission for sending email
  • IMAP over SSL/TLS (port 993): Encrypted access to email folders
  • POP3 over SSL/TLS (port 995): Encrypted email retrieval
  • SMTP over SSL (port 465): Legacy but still used

Getting SSL certificates: Use Let’s Encrypt for free SSL certificates. Our Let’s Encrypt setup guide shows how to get and automatically renew certificates for your email server.

Testing SSL/TLS configuration: Use SSL Labs to test your email server’s SSL/TLS configuration for vulnerabilities and proper certificate setup.

Step 6: Address Other Common Email Delivery Issues

Reverse DNS (PTR) Records

Many email servers check reverse DNS to verify your server’s identity:

# Check your reverse DNS
$ dig -x 192.0.2.1

# Should return something like:
# 1.2.0.192.in-addr.arpa. IN PTR mail.example.com.

CWH service: Our Managed Support includes reverse DNS configuration for all Cloud VPS and Dedicated Server customers.

Blacklist Monitoring

Check if your IP address is on email blacklists:

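# Check multiple blacklists: reverse the IP's octets and append the list's zone
# (192.0.2.1 becomes 1.2.0.192). A 127.0.0.x answer means the IP is listed;
# NXDOMAIN means it is not.
$ dig 1.2.0.192.zen.spamhaus.org
$ dig 1.2.0.192.bl.spamcop.net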

Use tools like mxtoolbox.com for comprehensive blacklist monitoring.

Email Server Reputation

Factors affecting reputation:

  • Volume consistency: Sudden spikes in email volume trigger filters
  • Complaint rates: High “mark as spam” rates damage reputation
  • Engagement: Low open/click rates signal unwanted email
  • List hygiene: Sending to invalid addresses hurts reputation

Step 7: Test and Monitor Ongoing Delivery

Testing Tools

  • mail-tester.com: Free email analysis with detailed scoring
  • glockapps.com: Inbox placement testing across multiple providers
  • mxtoolbox.com: Comprehensive DNS and blacklist checks
  • Google Postmaster Tools: Reputation monitoring for Gmail delivery
  • SSL Labs: For SSL/TLS configuration testing (important for secure email connections), see our guide on SSL Labs testing.

Monitoring Setup

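#!/bin/bash
# Simple bounce monitoring script
BOUNCE_LOG="/var/log/mail.log"
ALERT_EMAIL="admin@example.com"

# Count bounces logged during the previous clock hour.
# Assumes traditional syslog timestamps ("Mar  5 14:02:11"): %e pads the day
# with a space, where %d would produce "Mar 05" and miss days 1-9.
HOUR_PREFIX=$(date -d "1 hour ago" +"%b %e %H:")
BOUNCE_COUNT=$(grep "^$HOUR_PREFIX" "$BOUNCE_LOG" | grep -c "bounced")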

if [ "$BOUNCE_COUNT" -gt 10 ]; then
  echo "High bounce rate detected: $BOUNCE_COUNT bounces in last hour" | \
    mail -s "Email Alert: High Bounce Rate" "$ALERT_EMAIL"
fi

CWH Product Recommendations for Email Delivery

For Small Businesses

Cloud VPS — Medium Plan:

  • Dedicated IP address (essential for email reputation)
  • Static IP (no changes that break SPF records)
  • Root access for Postfix/Dovecot configuration
  • Reverse DNS (PTR) record configuration included

For Growing Businesses

Managed Support Add-on:

  • Email server setup and configuration
  • SPF/DKIM/DMARC implementation
  • Ongoing monitoring and maintenance
  • Blacklist removal assistance

For High-Volume Email

Dedicated Server:

  • Isolated IP space (no neighbor’s poor reputation affecting you)
  • Higher sending limits
  • Custom firewall rules for email traffic
  • Dedicated resources for queue processing

When to Consider Third-Party Email Services

While self-hosted email gives you control, consider third-party services when:

  • You send marketing emails: Services like Mailchimp have established reputations
  • Transactional volume is high: AWS SES, SendGrid, Mailgun handle scaling
  • You lack technical resources: Google Workspace or Microsoft 365 handle everything
  • Deliverability is critical: Professional services invest in reputation management

For most business email needs, a properly configured self-hosted server on a CWH Cloud VPS provides the best balance of control, cost, and deliverability.

Next Steps: From Fixing to Preventing Problems

  1. Implement monitoring: Set up alerts for bounce rate increases
  2. Regular audits: Quarterly checks of SPF/DKIM/DMARC configurations
  3. Stay updated: Email authentication standards evolve
  4. Consider professional help: Our Managed Support team can handle email configuration and monitoring
  5. Secure your connections: Ensure your email server uses proper SSL/TLS encryption. Our Let’s Encrypt setup guide shows how to get free SSL certificates for email encryption.

Email delivery problems are solvable with the right technical configuration. Start with SPF, add DKIM, implement DMARC with monitoring, secure with SSL/TLS, and maintain your server’s reputation. The result: emails that reach the inbox, not the bounce queue.