SenderGuard

Incident cost: SPF >10 lookups & missing List‑Unsubscribe

Breakage rarely screams. An extra vendor include: or a missing List‑Unsubscribe header quietly erodes deliverability, then explodes on launch day. Here’s what typically happens, what it costs, and a playbook to prevent it.

Audit now

3‑second check for SPF/DKIM/DMARC/Alignment/One‑Click with a verifiable PDF.

Common failure modes

  • SPF include chains push DNS lookups past 10; evaluation stops mid‑path → permerror or soft‑fail
  • DKIM selector expired or rotated without DNS updated → dkim=fail
  • DMARC stuck at p=none; alignment not enforced
  • Missing One‑Click; complaints climb, throttling kicks in

Incident timeline (typical)

  1. Week ‑2: vendor adds nested include → lookups creep to 11–12
  2. Week ‑1: template switch removes List‑Unsubscribe
  3. Launch day: complaints spike; deliveries slow; revenue loss
  4. Aftermath: frantic rollbacks and manual DNS edits

Impact breakdown

  • Delivery loss: soft‑fails push to promotions/spam; hard fails trigger bounces
  • Reputation: missing unsubscribe inflates complaint rate → throttling
  • Ops cost: hotfix windows, ad‑hoc DNS changes, client trust erosion
  • Opportunity: missed launch windows, make‑good discounts, re‑sends

Prevention playbook

  • Keep SPF headroom: target ≤ 8 lookups; cap recursion depth ≤ 3
  • Flatten only stable vendor ranges; avoid ptr/exists where possible
  • Embed header checks in staging and 24h post‑launch (One‑Click + alignment)
  • Enable daily monitoring and alert on FAIL↔PASS flips or Δscore ≥ 20
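Added worked example, not SenderGuard’s code: a lookup counter that walks an SPF include chain over a constructed, offline zone map, counting the DNS‑querying terms (include, a, mx, ptr, exists, redirect) the way RFC 7208 §4.6.4 does. It applies the ≤ 8 headroom target and ≤ 3 depth cap from the playbook, flags ptr/exists, reports includes that resolve to no record, and marks includes whose subtree is pure ip4/ip6 as safe flatten candidates. Every domain and record below is made up.

```python
# Added example, not SenderGuard's code. Counts DNS-querying SPF terms
# (include, a, mx, ptr, exists, redirect) per RFC 7208 section 4.6.4,
# over a constructed, offline zone map. All domains and records are made up.

ZONE = {
    "example.com": "v=spf1 include:_spf.vendor-a.example include:_spf.vendor-b.example "
                   "include:_spf.vendor-d.example mx -all",
    "_spf.vendor-a.example": "v=spf1 ip4:192.0.2.0/24 include:_spf2.vendor-a.example ~all",
    "_spf2.vendor-a.example": "v=spf1 a mx include:_spf3.vendor-a.example ~all",
    "_spf3.vendor-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.vendor-b.example": "v=spf1 exists:%{i}.spf.vendor-b.example ptr "
                             "include:_spf.vendor-c.example ~all",
    "_spf.vendor-c.example": "v=spf1 ip6:2001:db8::/32 -all",
    # _spf.vendor-d.example deliberately has no record: including it is a permerror
}

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10      # hard ceiling from RFC 7208
HEADROOM_TARGET = 8   # playbook target
MAX_DEPTH = 3         # playbook recursion cap


def fetch_spf(domain, zone):
    """Stand-in for a DNS TXT query; returns the SPF record or None."""
    rec = zone.get(domain)
    return rec if rec and rec.lower().startswith("v=spf1") else None


def count_lookups(domain, zone, depth=0, report=None):
    """Walk the SPF tree rooted at `domain`, accumulating lookups and findings."""
    if report is None:
        report = {"lookups": 0, "depth": 0, "problems": [], "flatten_candidates": []}
    report["depth"] = max(report["depth"], depth)
    if depth > MAX_DEPTH:
        report["problems"].append(f"{domain}: include depth {depth} exceeds cap {MAX_DEPTH}")
        return report
    rec = fetch_spf(domain, zone)
    if rec is None:
        report["problems"].append(f"{domain}: no SPF record (including it is a permerror)")
        return report
    for term in rec.split()[1:]:            # skip the v=spf1 version tag
        term = term.lstrip("+-~?")          # drop the qualifier
        if term.startswith("redirect="):
            name, arg = "redirect", term.split("=", 1)[1]
        else:
            name, _, arg = term.partition(":")
            name = name.split("/")[0]       # bare "a/24" -> "a"
        if name in LOOKUP_MECHS or name == "redirect":
            report["lookups"] += 1
        if name in ("ptr", "exists"):
            report["problems"].append(f"{domain}: uses {name} (avoid where possible)")
        if name in ("include", "redirect"):
            before_l, before_p = report["lookups"], len(report["problems"])
            count_lookups(arg, zone, depth + 1, report)
            # A subtree that added no lookups and no problems is pure ip4/ip6,
            # so its ranges are stable enough to flatten into literals.
            if report["lookups"] == before_l and len(report["problems"]) == before_p:
                report["flatten_candidates"].append(arg)
    return report


def audit(domain, zone=ZONE):
    """PASS within headroom, WARN between 9 and 10, PERMERROR above 10."""
    r = count_lookups(domain, zone)
    if r["lookups"] > MAX_LOOKUPS:
        r["status"] = "PERMERROR"
    elif r["lookups"] > HEADROOM_TARGET:
        r["status"] = "WARN"
    else:
        r["status"] = "PASS"
    return r


if __name__ == "__main__":
    result = audit("example.com")
    print(result["status"], result["lookups"], "lookups, depth", result["depth"])
    for p in result["problems"]:
        print("  problem:", p)
    for c in result["flatten_candidates"]:
        print("  flatten candidate:", c)
```

Run against the constructed zone, example.com lands on 11 lookups (PERMERROR) with two flatten candidates; flattening those two includes and dropping the dead vendor‑d include brings it back under the headroom target. Swap `fetch_spf` for a real TXT resolver to run it against live zones.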

Evidence & rollback

End every fix with a PDF that prints scanId/sha256 and a public Verify link. Attach it to the change ticket. If metrics regress, roll back to the last green proof and re‑open the change.

FAQ

Why not just raise the 10‑lookup ceiling?

You can’t: the limit is enforced by the receiver, not the sender. RFC 7208 allows receivers to stop evaluating after 10 DNS‑querying terms to avoid DNS abuse. Keep headroom and flatten where safe.

Can we validate unsubscribe links automatically?

Do not dereference unsubscribe URLs in automated checks to avoid accidental unsubscribes. Validate presence and syntax only.
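Added example, not SenderGuard’s code, of the staging header check the playbook describes (One‑Click + alignment) and the FAQ answer above: it parses constructed message headers, validates List‑Unsubscribe and List‑Unsubscribe‑Post syntax per RFC 8058 without opening any URL, and approximates relaxed DKIM/From alignment by domain suffix (a real DMARC check compares organizational domains via the Public Suffix List). Messages, domains and DKIM values are made up placeholders.

```python
# Added example, not SenderGuard's code. Parses constructed headers only;
# nothing here opens a network connection, so no unsubscribe link is ever hit.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (headers only, placeholder DKIM values).
GOOD_MSG = """From: News <news@example.com>
To: user@example.net
Subject: Launch
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel2024; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
List-Unsubscribe: <https://mail.example.com/u/abc123>, <mailto:unsub@example.com?subject=abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

"""

# A template switch dropped the Post header, downgraded the URI to http,
# and the ESP signs with its own domain: three findings.
BAD_MSG = """From: News <news@example.com>
To: user@example.net
Subject: Launch
DKIM-Signature: v=1; a=rsa-sha256; d=esp-vendor.example; s=k1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
List-Unsubscribe: <http://mail.example.com/u/abc123>

"""

ONE_CLICK_POST = "List-Unsubscribe=One-Click"


def dkim_tags(sig):
    """Split a DKIM-Signature value into its tag=value pairs."""
    return dict(kv.strip().split("=", 1) for kv in sig.split(";") if "=" in kv)


def aligned(from_dom, d):
    """Relaxed-alignment approximation: same domain, or one is a parent of the
    other at a label boundary. Real DMARC compares organizational domains (PSL)."""
    return bool(d) and (from_dom == d or from_dom.endswith("." + d) or d.endswith("." + from_dom))


def check_headers(raw):
    """Presence-and-syntax check only: no URI is fetched or resolved."""
    msg = message_from_string(raw)
    findings = []

    # One-Click (RFC 8058): an https URI in List-Unsubscribe plus the Post header.
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    has_https = any(urlparse(u).scheme == "https" for u in uris)
    if not uris:
        findings.append("List-Unsubscribe header missing")
    elif not has_https:
        findings.append("List-Unsubscribe has no https URI (RFC 8058 requires https)")
    post = msg.get("List-Unsubscribe-Post", "").strip()
    if post != ONE_CLICK_POST:
        findings.append(f"List-Unsubscribe-Post missing or not '{ONE_CLICK_POST}'")

    # Alignment: the DKIM d= domain must align with the RFC5322.From domain.
    from_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    sig = msg.get("DKIM-Signature")
    d = dkim_tags(sig).get("d", "").lower() if sig else ""
    if not sig:
        findings.append("DKIM-Signature missing")
    elif not aligned(from_dom, d):
        findings.append(f"DKIM d={d} not aligned with From domain {from_dom}")

    return {
        "one_click": has_https and post == ONE_CLICK_POST,
        "aligned": bool(sig) and aligned(from_dom, d),
        "findings": findings,
        "pass": not findings,
    }


if __name__ == "__main__":
    for label, raw in (("good", GOOD_MSG), ("bad", BAD_MSG)):
        result = check_headers(raw)
        print(label, "PASS" if result["pass"] else "FAIL")
        for f in result["findings"]:
            print("  ", f)
```

Feed it the raw headers of a staging send and again 24h after launch; a FAIL on the second run is exactly the template‑switch regression in the incident timeline, caught before complaints climb.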
