Domain Compliance Philosophy

mailbot will not let you send from a custom domain until that domain passes a compliance check. This page explains why the check exists, what it measures, and how to read the readiness score.

Why compliance is gated

Email is a reputation system. Every message you send affects the sending domain's reputation with downstream mailbox providers (Gmail, Outlook, Yahoo, corporate spam filters). One misconfigured domain can sink a customer's deliverability for weeks.

mailbot enforces a compliance check before activating a custom domain so that:

  • you cannot accidentally send from a domain that lacks SPF, DKIM, or DMARC
  • you do not silently land in spam folders without knowing why
  • the upstream MTA (Mailtarget Layang, Sender Score 99) is not exposed to bounce-rate damage from misconfigured tenants
  • support burden stays low; most "my emails go to spam" tickets are pre-resolved by the gate

This is intentional friction. The cost of a domain that should not be sending is paid once, at setup. The cost of a domain that is sending and damaging reputation is paid every day, by every customer, for as long as the misconfiguration persists.

What the check measures

The compliance check looks at four DNS records:

| Record | What it does | Required? |
|--------|--------------|-----------|
| SPF | Authorizes mailbot's sending IPs to send mail for your domain | Yes |
| DKIM | Cryptographic signature on every outbound message | Yes |
| DMARC | Tells receivers what to do when SPF/DKIM fail | Recommended |
| MX | Routes inbound mail to mailbot for receive flows | Required only if you want inbound on the domain |

GET /v1/compliance/check runs a live DNS lookup and returns the current state of each record.

Readiness score

The readiness endpoint (GET /v1/compliance/readiness) returns a numeric score from 0 to 100. The score is a roll-up of compliance state plus operational signals:

  • DNS authentication — SPF, DKIM, DMARC presence and correctness
  • Bounce posture — recent bounce rate on the domain
  • Volume profile — whether send volume is in a healthy band
  • Tracking health — whether engagement events are flowing back

Bands:

  • 0–39 — not ready. Sending will be blocked or heavily throttled.
  • 40–69 — partial. Sending allowed but at reduced limits until score rises.
  • 70–89 — production-ready for normal volume.
  • 90–100 — strong reputation. Higher daily send caps available on request.

The score updates on every compliance check and on every send batch. It is not static.

How to interpret a partial score

A partial score (40–69) usually means one of:

  • DKIM is published but the public key does not match what mailbot signs with
  • DMARC is set to p=none (monitor-only), where a higher score needs p=quarantine or stricter
  • bounce rate has spiked recently (often from importing a stale list)
  • the domain has been sending so little that there is not enough signal to score it higher

The endpoint response includes a recommendations array with the specific fixes for the current state. Apply them in order.
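
To pre-check the DNS-side causes listed above before calling the endpoint, the following added example (not mailbot's own code, and not how the readiness score is computed) audits TXT record strings offline. The function names, the sample records, and the key value are constructed; fetch the real TXT values with any resolver and pass them in.

```python
def parse_tags(txt):
    """Parse DKIM/DMARC 'tag=value; tag=value' syntax into a dict."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")  # first '=' only: base64 may end in '='
        if sep:
            tags[name.strip().lower()] = "".join(value.split())  # drop folding whitespace
    return tags

def audit(root_txts, dkim_txt, dmarc_txt, expected_key):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # SPF lives in the domain's own TXT set, alongside unrelated TXT records.
    spf = [r for r in root_txts if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        findings.append("spf: missing")
    elif len(spf) > 1:
        findings.append("spf: multiple records (permerror under RFC 7208)")

    # DKIM key record: TXT at <selector>._domainkey.<domain>.
    dkim = parse_tags(dkim_txt or "")
    if "p" not in dkim:
        findings.append("dkim: missing")
    elif dkim["p"] == "":
        findings.append("dkim: key revoked (empty p=)")
    elif dkim["p"] != expected_key:
        findings.append("dkim: published key does not match signing key")

    # DMARC policy record: TXT at _dmarc.<domain>.
    dmarc = parse_tags(dmarc_txt or "")
    policy = dmarc.get("p", "").lower()
    if dmarc.get("v") != "DMARC1":
        findings.append("dmarc: missing")
    elif policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: invalid policy")
    elif policy == "none":
        findings.append("dmarc: p=none is monitor-only")
    return findings

# Constructed sample records for a hypothetical domain (not real keys).
KEY = "MIIBIjANBgkqhkiGconstructedEXAMPLEkey"
SAMPLE = audit(
    ["v=spf1 include:spf.example.net ~all", "site-verification=constructed"],
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG constructedOTHERkey",
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    KEY,
)
print(SAMPLE)
```
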

What changes when score crosses a band

Crossing into the 70+ band unlocks:

  • the normal account daily send limit (e.g. 25,000/day on enterprise)
  • access to bulk send endpoints that are throttled at lower bands
  • visibility on the founder dashboard as a "production-ready" domain

Crossing back below 70 does not auto-revoke. mailbot warns first, then throttles, then blocks if the underlying issue persists.