Features

Every check, in detail.

WillItInbox is more than a score page: deliverability testing, email validation, bulk list hygiene, account quotas, API workflows, and exportable results are already wired together.

What is already built

Validation and deliverability diagnostics in one place.

The frontend now showcases both sides of the platform: the message-level deliverability tester and the recipient-level validator.

Deliverability tester

Generate a unique inbox, send a real email to it, and open a live report.

  • Tokenized test addresses
  • Live pending/analyzing/complete report flow
  • 0-100 weighted scoring
  • Prioritized recommendations

12-layer email validator

Verify recipient quality before sending, with conservative handling for blocked SMTP probes.

  • Syntax and MX validation
  • SMTP mailbox probe
  • Catch-all detection
  • Provider, disposable, role, typo, and spam-trap signals

Bulk list validation

Upload CSV files, track progress, and download enriched validation results.

  • CSV upload with email-column detection
  • Queued background jobs
  • Valid, invalid, risky, catch-all, and unknown buckets
  • Pro and Agency webhook callback support

Accounts and quotas

Secure account access protects reports, test tokens, validation quota, and account usage.

  • Email/password and Google login
  • Forgot-password flow
  • Free, Starter, Pro, and Agency tiers
  • Per-user usage counters

Developer API

Use WillItInbox programmatically for repeatable checks, QA workflows, and internal tooling.

  • Generate test inboxes
  • Poll deliverability reports
  • Single and batch validation
  • Bulk upload/status/download endpoints

Reliability and privacy

WillItInbox is designed for repeatable tests, private account-scoped results, and controlled data retention.

  • Private reports and validation jobs
  • Usage limits enforced by plan
  • Short raw-email retention
  • Status checks for backend dependencies

Authentication

35 of 100 points · 13 checks

The single largest weight in the score. SPF, DKIM and DMARC together prove the message is legitimately from your domain. Without them, mailbox providers default to skepticism — modern Gmail and Yahoo flat-out require all three for bulk senders.

Authentication is what gates inbox placement before reputation or content even matter. A failed DMARC alignment can route a perfectly legitimate transactional email straight to spam, regardless of how clean its body is.

Every check in this category

  • SPF record exists: A TXT record at the apex starting with v=spf1.
  • SPF syntax valid: All mechanisms parse cleanly with no stray tokens.
  • SPF lookup count: Total DNS lookups stay within the RFC 7208 limit of 10.
  • SPF policy strength: Ends in -all (hardfail) or ~all (softfail), not ?all or +all.
  • SPF authorizes sender: The connecting IP is covered by the published mechanisms.
  • DKIM signature present: A DKIM-Signature header is on the message.
  • DKIM signature valid: The signature verifies against the published public key.
  • DKIM key size: Public key is at least 1024 bits; 2048 recommended.
  • DKIM selector resolvable: <selector>._domainkey.<domain> returns a public key.
  • DMARC record exists: A _dmarc.<domain> TXT record is published.
  • DMARC policy: p=none, p=quarantine, or p=reject — stronger is better.
  • DMARC alignment: From-header domain aligns with SPF and/or DKIM identifier.
  • BIMI record (bonus): Brand indicator with a verified mark certificate.

Common failure

v=spf1 include:_spf.google.com include:mailgun.org include:sendgrid.net include:zoho.com include:_spf.mandrillapp.com -all

Fix

v=spf1 include:_spf.google.com include:mailgun.org -all

Five `include:` lookups plus their nested lookups blow past the 10-query limit and trigger an SPF permerror. Drop the providers you no longer use.
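
An added example (not WillItInbox's code) of the lookup-count check: it walks include and redirect targets and counts every DNS-querying term against the RFC 7208 limit. The ZONE table and the `.example` names are constructed stand-ins for live TXT answers, so the totals show the method, not the providers' real records.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
# Terms that cost one DNS query each; ip4, ip6 and all cost none.
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed stand-ins for DNS TXT answers; not the providers' real records.
ZONE = {
    "_spf.google.com": "v=spf1 include:_n1.google.example "
                       "include:_n2.google.example include:_n3.google.example ~all",
    "mailgun.org": "v=spf1 include:_s1.mailgun.example include:_s2.mailgun.example ~all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "zoho.com": "v=spf1 include:_z1.zoho.example ~all",
    "_spf.mandrillapp.com": "v=spf1 include:_m1.mandrill.example ~all",
}
LEAF = "v=spf1 ip4:192.0.2.0/24 ~all"  # assumed answer for any name not in ZONE


def count_lookups(record, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from an SPF record."""
    total = 0
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
        if not m or m.group(1) not in QUERYING:
            continue
        total += 1
        name, target = m.groups()
        # include and redirect pull in another record; path guards against loops.
        if name in ("include", "redirect") and target and target not in path:
            total += count_lookups(zone.get(target, LEAF), zone, path + (target,))
    return total


def spf_lookup_check(record, zone=ZONE):
    """Return (lookup count, 'ok' or 'permerror') for a published SPF record."""
    n = count_lookups(record, zone)
    return n, ("permerror" if n > LOOKUP_LIMIT else "ok")


# The failing and fixed records quoted above.
FAILING = ("v=spf1 include:_spf.google.com include:mailgun.org include:sendgrid.net "
           "include:zoho.com include:_spf.mandrillapp.com -all")
FIXED = "v=spf1 include:_spf.google.com include:mailgun.org -all"

if __name__ == "__main__":
    print(spf_lookup_check(FAILING))
    print(spf_lookup_check(FIXED))
```

The count is a worst case: a real evaluation stops at the first matching mechanism, but a record that can exceed the limit for some sender is the one to fix.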

DNS & infrastructure

20 of 100 points · 12 checks

What the connecting server looks like to the receiver. Reverse DNS, blacklist status, and TLS posture quietly decide whether your mail even reaches the spam folder — most rejections at this layer are silent.

Mailbox providers do a sanity check on the IP that hands them your message. Missing PTR records, residential IP ranges, and DNSBL listings put you in the same bucket as botnets — many large receivers will reject the SMTP connection outright.

Every check in this category

  • Reverse DNS (PTR): The sender IP resolves to a hostname.
  • Forward-confirmed rDNS: That hostname resolves back to the same IP.
  • HELO hostname valid: The HELO/EHLO greeting is a real, resolvable FQDN.
  • Sender domain MX: The From-domain has at least one MX record.
  • Sender domain A/AAAA: The domain resolves so it can receive replies.
  • Spamhaus ZEN: Combined SBL+CSS+XBL+PBL — the most authoritative DNSBL.
  • Barracuda Reputation: Widely used by mid-market receivers.
  • SpamCop: Reactive list driven by user complaints.
  • SORBS aggregate: Multiple SORBS sub-lists checked together.
  • PSBL, UCEPROTECT, NiX, JIPPG, ivmSIP, S5H: Six secondary lists covering long-tail receivers.
  • TLS used: STARTTLS was negotiated for the SMTP transaction.
  • Dynamic IP detection: The IP is not in a known residential or DSL range.

Common failure

Connecting IP: 203.0.113.42 — no PTR record

Fix

42.113.0.203.in-addr.arpa.  IN  PTR  mail.example.com.
mail.example.com.           IN  A    203.0.113.42

Without forward-confirmed rDNS, Outlook.com and many corporate filters reject before DATA. Ask your hosting provider to set the PTR; it usually takes one ticket.
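
An added example (not WillItInbox's code) of the forward-confirmed rDNS check: look up the PTR for the connecting IP, resolve that hostname forward, and require the original address in the answer. The PTRS and FWD tables are constructed so the check also runs offline; only 203.0.113.42 and mail.example.com come from the page.

```python
import ipaddress
import socket


def _ptr(ip):
    """Live PTR lookup; returns the hostname, or None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None


def _forward(host):
    """Live A/AAAA lookup; returns the set of addresses the name resolves to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()


def fcrdns(ip, ptr=_ptr, forward=_forward):
    """Return a pass/fail string for forward-confirmed reverse DNS of ip."""
    host = ptr(ip)
    if not host:
        return "fail: no PTR record"
    # Compare parsed addresses so IPv6 spelling differences do not matter.
    wanted = ipaddress.ip_address(ip)
    if wanted not in {ipaddress.ip_address(a) for a in forward(host)}:
        return f"fail: {host} does not resolve back to {ip}"
    return f"pass: {ip} <-> {host}"


# Constructed resolver data (documentation address ranges), for offline runs.
PTRS = {"203.0.113.42": "mail.example.com", "203.0.113.43": "host.example.net"}
FWD = {"mail.example.com": {"203.0.113.42"}, "host.example.net": {"198.51.100.7"}}


def check_offline(ip):
    """Run fcrdns against the constructed tables instead of live DNS."""
    return fcrdns(ip, PTRS.get, lambda host: FWD.get(host, set()))


if __name__ == "__main__":
    for addr in ("203.0.113.42", "203.0.113.43", "203.0.113.99"):
        print(addr, "->", check_offline(addr))
```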

Headers

15 of 100 points · 18 checks

Boring on the surface, decisive in practice. Mailbox providers parse 50+ headers per message; missing or malformed ones are a strong negative signal because legitimate ESPs always get them right.

A bad Date, an absent Message-ID, or a malformed Received chain looks like the work of a script — exactly what filters are trained to catch. Headers are also where bulk-sender requirements like List-Unsubscribe and Feedback-ID live.

Every check in this category

  • Date present and valid: RFC 5322 format, not in the future, not weeks old.
  • Message-ID format: Globally unique, contains an @ and a domain.
  • From header exists: A single From with a valid mailbox.
  • From not all caps: Display name uses sentence case, not SHOUTING.
  • To/Cc/Bcc sane: At least one recipient header, no header-injection patterns.
  • Reply-To alignment: If present, its domain matches the From domain.
  • Subject not all caps: Subject in mixed case.
  • Subject trigger words: No stacked spam triggers (FREE, ACT NOW, $$$).
  • Received chain: Hop-to-hop timestamps move forward and hostnames resolve.
  • X-Mailer reputation: If set, references a known mailer rather than a homemade tag.
  • List-Unsubscribe header: RFC 8058 one-click unsubscribe present for bulk mail.
  • List-Unsubscribe-Post: Companion header for one-click POST.
  • Content-Type: Explicit, parseable, with a charset for text parts.
  • MIME-Version: Set to 1.0 on multipart messages.
  • Precedence: Set to bulk or list when sending campaigns.
  • Feedback-ID: Optional Gmail/Yahoo feedback loop identifier.
  • Auto-Submitted: Marked auto-generated for transactional auto-replies.
  • Return-Path matches envelope: Bounce path is set and aligned.

Common failure

List-Unsubscribe: <mailto:[email protected]>

Fix

List-Unsubscribe: <mailto:[email protected]?subject=unsub>, <https://example.com/u/{token}>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Gmail and Yahoo's 2024 bulk-sender rules require BOTH headers AND a working POST endpoint. Mailto-only earns you a hard fail.
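
An added example (not WillItInbox's code) of a header-level one-click check: it requires an https URI in List-Unsubscribe and the exact List-Unsubscribe-Post value, then warns when no DKIM signature lists both headers in its h= tag, which RFC 8058 expects and which goes beyond the rule stated above. The two messages, their addresses and the signature fields are constructed samples.

```python
import re
from email import message_from_string


def one_click_status(raw):
    """Return (status, reason) for the List-Unsubscribe pair in a raw message."""
    msg = message_from_string(raw)
    uris = re.findall(r"<\s*([^<>\s]+)\s*>", msg.get("List-Unsubscribe", ""))
    post = "".join(msg.get("List-Unsubscribe-Post", "").split()).lower()
    if not uris:
        return "fail", "no List-Unsubscribe header"
    if not any(u.lower().startswith("https://") for u in uris):
        return "fail", "no https URI, mailto only"
    if post != "list-unsubscribe=one-click":
        return "fail", "List-Unsubscribe-Post missing or wrong value"
    # RFC 8058 expects a DKIM signature whose h= tag covers both headers.
    signed = set()
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig)
        if m:
            signed |= {h.strip().lower() for h in m.group(1).split(":")}
    if not {"list-unsubscribe", "list-unsubscribe-post"} <= signed:
        return "warn", "headers not covered by a DKIM signature"
    return "pass", "one-click unsubscribe present and signed"


# Constructed sample messages; the DKIM bh= and b= values are not real signatures.
MAILTO_ONLY = (
    "From: News <news@example.com>\n"
    "List-Unsubscribe: <mailto:unsub@example.com>\n"
    "\nhello\n"
)
COMPLIANT = (
    "From: News <news@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=s1;\n"
    " h=from:subject:list-unsubscribe:list-unsubscribe-post; bh=x; b=y\n"
    "List-Unsubscribe: <mailto:unsub@example.com?subject=unsub>,\n"
    " <https://example.com/u/TOKEN>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "\nhello\n"
)

if __name__ == "__main__":
    print(one_click_status(MAILTO_ONLY))
    print(one_click_status(COMPLIANT))
```

This inspects headers only; whether the https endpoint actually accepts the POST has to be tested separately.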

Content

20 of 100 points · 15 checks

What's actually in the message. SpamAssassin runs a corpus of hundreds of weighted rules, and we layer modern heuristics on top — image-to-text ratios, hidden text, dangerous attachments, CAN-SPAM compliance.

Even with perfect auth and a clean IP, content can sink a campaign. The cost is partial and easy to miss: content rarely causes outright rejection, but it pushes you into the Promotions tab or the spam folder, where engagement collapses.

Every check in this category

  • SpamAssassin score: Aggregate score across the entire rule corpus.
  • SpamAssassin top rules: Individual rules that fired, with their per-rule score.
  • HTML part present: A text/html alternative exists for richer rendering.
  • Plain-text part present: A text/plain fallback for accessibility and old clients.
  • Image-to-text ratio: Real text outweighs image area; image-only mails are a red flag.
  • Hidden text: No display:none, white-on-white, or zero-width characters.
  • Trigger words — pharma: Viagra, Cialis and friends — instant filter bait.
  • Trigger words — finance: Loan, credit-repair, debt-relief stacks.
  • Trigger words — urgency: ACT NOW, LIMITED TIME, EXPIRES TODAY.
  • Trigger words — adult/weight loss: Two more high-risk word categories.
  • Excessive exclamations: More than ~3 ! per 100 chars in the body.
  • Body size: Empty or absurdly large bodies both look automated.
  • Unsubscribe link: A user-visible opt-out link in HTML campaigns.
  • Physical mailing address: CAN-SPAM requires a postal address in commercial mail.
  • Dangerous attachments: No .exe, .scr, .bat, .vbs, .iso payloads.

Common failure

<body><img src='cid:hero' /></body>  (image-only marketing email)

Fix

Add a real text body alongside the image. Aim for at least 100 words of meaningful copy and a text/plain alternative part.

Image-only mails get filtered hard because spammers use them to evade text scanners. Even short copy moves the needle dramatically.

Scoring

How we get to 0–100

Each check has a maximum point value. Within a category we sum the points earned and divide by the points possible to get a percentage; the category's contribution to the overall score is that percentage multiplied by the category weight.

Status → score

  • Pass — full credit for the check's max value.
  • Warn — partial credit (typically 50%). The check passed minimally but isn't ideal.
  • Fail — zero credit and a recommendation surfaces in the report.
  • Info — no score impact. Used when a check can't run (e.g. localhost has no public IP).

Score bands

  • 90–100 Excellent — no action needed.
  • 75–89 Good — small fixes will tighten things up.
  • 60–74 Fair — at least one important check is failing.
  • 40–59 Poor — likely deliverability problems.
  • Under 40 — messages will frequently land in spam or be rejected.

Run it on your own email

One test address. 56+ checks. A 0–100 score and a prioritised fix list.
