Five dimensions · Forward-looking · 25-40 page deliverable · 2026 baseline

The forward-looking audit your program has not had.

A deliverability audit checks whether the email program meets a fixed standard at a point in time and produces a binary pass-fail finding. The infrastructure assessment looks forward instead and asks where the program will degrade in the next 6 to 18 months if the current trajectory continues. Most organizations operating email programs above 100,000 monthly messages have never had this assessment run because the existing audit market focuses on compliance verification rather than risk identification. The deliverable is a 25-to-40-page document that scores the program across five dimensions against the 2026 industry baseline, identifies the gaps with the highest impact-to-effort remediation ratio, and presents a prioritized roadmap the customer engineering team can execute internally or hand to any vendor, including EMP. Programs that implement the recommendations typically improve inbox placement by 15 to 25 percent within the first two audit cycles, which translates directly into deliverable revenue for the affected campaigns. The assessment is vendor-neutral; EMP delivers it with no obligation to engage for the remediation work. The methodology is published in the document itself so the customer team can re-execute the assessment in 6 or 12 months using the same framework as a reference, and the evidence captured during the engagement is delivered as an appendix folder that the operations team can use as a historical baseline against which to measure progress.

  • 5 scored dimensions (EMP assessment framework v3)
  • 17.7% of email never reaches the inbox (Validity 2026 Benchmark)
  • 15-25% placement gain post-fix (EMP 2024-2026 client data)
  • $1,850 starting fee, Snapshot tier (EMP 2026 catalog)

The five scored dimensions · what each measures · what each looks for

Five dimensions. Each scored 0-100 against the 2026 industry baseline.

The framework partitions the email program into five dimensions because that is the smallest set that maintains separation between technically distinct concerns. Authentication is independent from sender reputation; reputation is independent from monitoring; monitoring is independent from architecture; architecture is independent from compliance. A program can score 85 on authentication and 35 on monitoring, which is a common pattern in organizations that did the one-time SPF/DKIM/DMARC setup years ago and never built the ongoing telemetry. The scoring framework surfaces these imbalances explicitly rather than averaging them into a single number that hides the underlying risk.

Dimension 01

Authentication posture

SPF, DKIM, DMARC, MTA-STS, DANE, BIMI eligibility. The technical foundation that mailbox providers use to verify the sender's identity before applying engagement signals.

  • SPF record validation and lookup count
  • DKIM key strength and selector rotation
  • DMARC policy strictness and alignment
  • MTA-STS and DANE adoption
  • BIMI VMC or CMC eligibility check
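
The first and third checks in this list can be run offline against captured DNS records. The following is an added example, not EMP's tooling or part of the original page: it counts the DNS-querying SPF terms against the 10-lookup limit of RFC 7208 and flags a DMARC policy below the p=quarantine / p=reject enforcement this page names as the 2026 baseline. The `ZONE` records and all function names are constructed for illustration.

```python
"""Offline check of two Dimension 01 items: SPF lookup count and DMARC enforcement."""

# Constructed TXT records standing in for live DNS answers (illustrative only).
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:_spf.crm.example a mx ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ip4:192.0.2.0/24 -all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_b.mail.example": "v=spf1 a:out.mail.example exists:%{i}.bl.mail.example -all",
    "_spf.crm.example": "v=spf1 include:_c.crm.example mx ptr -all",
    "_c.crm.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:agg@example.com",
}

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS query
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4; exceeding it yields permerror


def spf_lookup_count(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain via include/redirect."""
    if domain in path:  # include loop: stop descending instead of recursing forever
        return 0
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            count += 1 + spf_lookup_count(target, zone, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()  # "mx/24" -> "mx"
        if name in LOOKUP_MECHS:
            count += 1
            if name == "include":
                count += spf_lookup_count(arg, zone, path + (domain,))
    return count


def parse_dmarc(record):
    """Split a DMARC TXT record into a lower-cased tag -> value mapping."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def auth_findings(domain, zone):
    """Return a list of authentication gaps for one sending domain."""
    findings = []
    lookups = spf_lookup_count(domain, zone)
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF needs {lookups} DNS lookups (limit {SPF_LOOKUP_LIMIT}): permerror")
    dmarc = parse_dmarc(zone.get("_dmarc." + domain, ""))
    if dmarc.get("v") != "DMARC1":
        findings.append("no DMARC record published")
        return findings
    policy = dmarc.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy or 'missing'}: policy is not enforcing")
    if "rua" not in dmarc:
        findings.append("no rua address: aggregate reports are not being collected")
    return findings


if __name__ == "__main__":
    for finding in auth_findings("example.com", ZONE):
        print(finding)
```

Each record in the constructed zone looks reasonable on its own; the limit is only exceeded once the nested includes are followed, which is why the count has to be recursive.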
Dimension 02

Sender reputation health

Google Postmaster Tools status, Microsoft SNDS color, blocklist exposure, Sender Score, complaint rate trends. The current reputation across consumer and B2B providers.

  • Postmaster domain reputation tier
  • SNDS color status across IPs
  • Spamhaus, Barracuda, SORBS, UCEPROTECT
  • Sender Score and Talos rating
  • Spam rate trend 30-90 days
Dimension 03

Monitoring maturity

Coverage and cadence of the operational monitoring stack. Reactive monitoring catches problems after the damage; proactive monitoring catches them before send volumes are affected.

  • Postmaster Tools coverage per domain
  • SNDS registration completeness
  • Seed testing cadence and provider mix
  • DMARC aggregate report processing
  • Alert thresholds and on-call rotation
Dimension 04

MTA architecture

The sending infrastructure design relative to volume profile. IP pool segregation, subdomain strategy, MTA software currency, OS hardening, and patching discipline.

  • Sending architecture fit for volume tier
  • IP pool segregation by traffic type
  • Subdomain strategy and isolation
  • MTA version currency and patching
  • OS hardening and security posture
Dimension 05

Compliance posture

Regulatory and bulk-sender requirement alignment. Gmail and Yahoo bulk sender rules, GDPR, CAN-SPAM, Panama Law 81, ISO 27001 mapping where applicable.

  • RFC 8058 one-click unsubscribe
  • Bulk sender requirement compliance
  • GDPR consent and erasure handling
  • Panama Law 81 personal data flow
  • Retention policy documentation
Anonymized sample · client scoring v2026.Q1

What the scoring output looks like for a representative B2B SaaS at 800K monthly

Overall score 64 · median across EMP assessment population

  • Authentication posture: 82 / 100
  • Sender reputation health: 68 / 100
  • Monitoring maturity: 38 / 100
  • MTA architecture: 71 / 100
  • Compliance posture: 62 / 100

The visible imbalance in the sample above is the 38 in monitoring maturity against the 82 in authentication. That pattern is the most common finding in EMP's 2024-2026 assessment population: the organization invested in the one-time authentication work years ago and never built the operational monitoring layer, which means problems are caught reactively from bounce-rate spikes or sales-team complaints rather than proactively from Postmaster Tools degradation signals. The remediation roadmap addresses this gap in the first 30 days through Postmaster registration, SNDS enrollment, DMARC aggregate processor selection, and alert threshold configuration; the operational discipline that follows is harder than the initial setup but the document specifies the recurring checks the operations team should adopt.

The 68 in sender reputation health is the second most common gap pattern: the reputation is in the warning band rather than the danger zone but the trend is degrading rather than stable. The remediation list for this dimension typically includes IP pool re-segmentation between transactional and marketing traffic, suppression list maintenance discipline, list hygiene cadence increase, and engagement-based segmentation to remove unengaged subscribers before they trigger algorithmic flagging. The 62 in compliance posture reflects the gap between the 2024 baseline (when most programs achieved p=none DMARC) and the 2026 baseline (where p=quarantine or p=reject is expected by Gmail and Microsoft for bulk senders) plus typical gaps in RFC 8058 one-click unsubscribe implementation that the operations team has not yet rolled out across all sending domains.

Assessment vs adjacent engagement types · when each fits

| Capability | EMP Assessment | SOC 2 / ISO Audit | Deliverability Audit | DIY Self-check |
|---|---|---|---|---|
| Forward-looking risk identification | Yes | No | Partial | No |
| Compliance certification evidence | No | Yes | No | No |
| 5-dimension scoring framework | Yes | No | Partial | No |
| Vendor-neutral remediation | Yes | Yes | Mixed | Yes |
| Document deliverable | 25-40 pages | Audit report | PDF | No |
| Typical cost | $1,850-$8,500 | $15K-$80K+ | $2K-$5K | Free |
| Typical timeline | 3 days - 4 weeks | 3-6 months | 2-3 weeks | 1 hour |
| Best for | Forward planning | Certification | Acute problem | Quick triage |

The comparison surfaces a point that catches engineering teams off guard: the EMP assessment is not a replacement for a SOC 2 audit and not a replacement for a deliverability audit when an acute deliverability incident is in progress. The three engagements solve different problems. SOC 2 audits verify controls at a point in time and produce certification evidence; deliverability audits diagnose acute degradation and recommend specific remediations; the EMP assessment runs the forward-looking risk identification across all five dimensions to catch the degradation patterns before they trigger acute incidents or audit findings. Customers who recently emerged from a deliverability crisis and want to prevent the next one are the ideal assessment audience; customers actively in crisis should engage the sender reputation recovery service first and run the assessment 60-90 days after the recovery completes.

One nuance worth naming: the EMP assessment also differs from the free 48-hour audit EMP offers. The free audit is a directional read on authentication and reputation taking 2-3 engineering hours; it surfaces obvious gaps without structured five-dimension scoring. Most customers accept the directional read and act on it internally, or upgrade to a paid tier for the deeper analysis.

The deliverable · what arrives in your inbox

A PDF document, an appendix folder with raw evidence, and a 90-minute readout call.

The PDF runs 15 pages for Snapshot tier, 25 pages for Standard, 40 pages for Enterprise. The structure is consistent across tiers; what changes is the depth of evidence and the breadth of dimensions covered. The appendix folder includes the raw data captured during the assessment: Postmaster Tools screenshots, SNDS color history, DMARC aggregate reports parsed into spreadsheet form, configuration excerpts from the MTA, DNS record snapshots. The customer team can re-execute the analysis in 6 or 12 months using the same evidence as baseline.

Document sections · in order
  • Executive summary with five-dimension scorecard
  • Methodology and weighting rationale
  • Dimension 01 · Authentication posture findings
  • Dimension 02 · Sender reputation health findings
  • Dimension 03 · Monitoring maturity findings
  • Dimension 04 · MTA architecture findings
  • Dimension 05 · Compliance posture findings
  • Consolidated remediation roadmap with budget
  • Appendix with raw evidence and configurations
The assessment process · four phases · 3 days to 4 weeks depending on tier

How the assessment runs end-to-end.

The Snapshot tier compresses all four phases into 3 business days because the dimension coverage is shallower. Standard and Enterprise tiers extend the data gathering phase to allow 30-60 days of DMARC aggregate reports, Postmaster Tools history, and SNDS color tracking to inform the scoring. Most of the elapsed time is data gathering, not analysis; the analysis itself runs in 4-8 EMP engineering hours regardless of tier.

Phase 01
Day 1-2

Discovery and access setup

Bilateral NDA, 60-90 minute discovery call with the customer engineering and operations team, read-only access provisioning to Postmaster Tools, SNDS, DNS zones, MTA configuration, ESP dashboard, DMARC processor.

Phase 02
Day 2-14

Evidence gathering

Postmaster Tools history capture across 30-60 days, SNDS color tracking, DMARC aggregate report parsing, blocklist sweep across 80+ DNSBLs, seed testing across 6-10 providers, MTA configuration capture, DNS authentication record validation.

Phase 03
Day 14-21

Analysis and scoring

Five-dimension scoring against 2026 baseline, gap identification with impact-effort matrix, remediation prioritization, budget estimation for each recommended item, document drafting and internal EMP peer review.

Phase 04
Day 21-28

Delivery and readout

PDF and appendix delivery via encrypted channel, 90-minute readout call with the customer team, two follow-up Q&A windows of 30-45 minutes within 30 days, optional reassessment scheduling.

Transparent pricing · four assessment tiers

From snapshot to continuous · fixed-fee delivery.

All four tiers are fixed-fee with no hourly billing surprises. The Snapshot tier exists for organizations that need a quick directional read before committing to a deeper engagement; the Standard tier covers most production assessments; Enterprise applies to multi-domain platforms and regulated industries; Continuous formalizes the quarterly hygiene cadence for mature programs.

Snapshot

Under 500K/month · 3 business days.

$1,850 USD fixed
  • Authentication posture review
  • Postmaster + SNDS snapshot
  • Top blocklist exposure check
  • Baseline scoring across 5 dims
  • 15-page document deliverable
  • 30-minute readout call

Enterprise

Above 5M/month · multi-domain.

$8,500 USD fixed
  • All standard dimensions
  • Multi-tenant platform analysis
  • Multi-region architecture
  • ISO 27001 / SOC 2 / Law 81 mapping
  • ESP migration comparative analysis
  • 40-page document + 12-month roadmap

Continuous

Quarterly cadence · ongoing.

$2,400 USD/month
  • Refreshed scoring each quarter
  • Drift analysis vs prior quarter
  • New gap items and priorities
  • Quarterly readout call
  • 12-month minimum commitment
  • Best for mature programs
What the CTO, head of marketing ops, and email engineer ask

The real questions before signing the assessment SOW.

"We just passed our SOC 2 audit. What does this assessment add?"

The SOC 2 audit verifies that documented controls existed and operated correctly across the audit window. It does not score the email program against industry baselines and it does not identify forward-looking risk. Many organizations carrying clean SOC 2 reports also carry significant email infrastructure debt: DMARC at p=none years after the standard moved toward p=reject, no Postmaster Tools registration, IP pools designed for the volume profile from three years ago. The assessment complements the SOC 2 audit because the two engagements answer different questions; SOC 2 answers "did we meet the controls?" and the assessment answers "where is the program drifting from current best practice?" Organizations using both engagements typically schedule them with a 6-month offset so the assessment findings can be remediated before the next SOC 2 evidence collection window.

"We have an in-house deliverability specialist. Do we need an external assessment?"

In-house specialists are the right answer for ongoing operational discipline, and the assessment does not replace that role. What in-house specialists do not have is the comparative view across the 60-80 client assessments per year that EMP runs; this is the perspective that surfaces what the specialist's own program looks like relative to the cohort. EMP assessment runs typically identify 3-6 items the in-house team had not prioritized because they had no benchmark to compare against. The assessment also produces a document the CFO, CTO, or board can read, which is rare for in-house specialist deliverables that tend to remain operational artifacts. Organizations with strong in-house deliverability often engage the Snapshot tier annually as a sanity check rather than the deeper tiers; the cost is comparable to one week of specialist time and the external perspective has value.

"How is this different from running MXToolbox or Mail-Tester ourselves?"

MXToolbox, Mail-Tester, EasyDMARC, and similar free tools answer narrow questions well: does the SPF record exist, does DKIM verify, what does Spamhaus say about this IP. The assessment integrates 10-15 such tool outputs into a coherent gap analysis with prioritization that the individual tools cannot produce. Mail-Tester gives a 0-10 score; it does not tell you that fixing the score from 7 to 9 has lower impact than registering for Postmaster Tools and starting weekly Microsoft SNDS monitoring. The assessment also captures historical context (30-60 day DMARC trends, 90-day reputation drift) that the point-in-time tools do not show. For organizations that want to run their own assessment using the same framework, EMP publishes the methodology in the document itself; the in-house team can replicate the assessment in 6 or 12 months using the methodology as reference.

"What if we don't want EMP to do the remediation work afterward?"

The assessment is sold standalone and EMP does not require commitment to remediation work. Roughly 30-40 percent of assessments lead to follow-up engagement with EMP for specific remediation items; the remaining 60-70 percent route to either the customer's internal team, the existing ESP, or to other vendors better suited for specific items (legal counsel for compliance, certificate authorities for VMC, separate consulting firms for the items where EMP does not have specialty depth). The engagement letter explicitly states the vendor-neutrality and the remediation roadmap routes each item to the most appropriate executor including non-EMP vendors. Customers who engage EMP for remediation receive a 15 percent credit on the engagement fee against the original assessment cost as a goodwill discount but the credit is not contingent on signing. Three additional protections exist for customers who want to keep the assessment honest. First, the document explicitly names the vendor recommended for each remediation item rather than leaving the routing ambiguous, which makes the recommendations auditable. Second, the methodology section names the public source for every baseline value used in scoring (Validity 2026 Benchmark, Gmail Postmaster documentation, Microsoft SNDS documentation, EmailGeeks community thresholds, RFC 8058 specification, NIST SP 800-177 authentication guidance) so the customer team can verify the thresholds independently. Third, the engagement letter includes a no-retroactive-recommendation clause meaning EMP cannot revise the recommendations after delivery to favor EMP services in response to subsequent customer requests.

"Why is the methodology vendor-neutral? You sell MTA installation."

EMP delivers approximately 60-80 assessments annually across customer segments that include direct competitors to EMP services. The methodology has to be defensible across that range; if the scoring framework produced systematically favorable results for EMP services it would be detected within the first dozen assessments and the engagement model would collapse. The five-dimension framework was peer-reviewed across three external deliverability consultants in 2023 and adjusted in 2024 based on the feedback. The 2026 baseline values used for scoring (DMARC p=reject target, SPF lookup limits, Postmaster spam rate target under 0.1 percent, SNDS green status target, bounce rate target under 2 percent) come from published industry sources (Validity, Litmus, Return Path, EmailGeeks community, Gmail Postmaster documentation, Microsoft SNDS documentation) rather than EMP proprietary thresholds. Customers can audit the baseline sources cited in the methodology section of the document.

"Our program is too small to need this. What is the lower threshold?"

For senders under 100,000 monthly messages, the assessment is usually disproportionate to the program scale and the recommendation is to invest in disciplined manual monitoring instead. Below 100K monthly the operationally adequate approach is weekly Postmaster Tools review, monthly Mail-Tester check, daily ESP dashboard bounce review, and quarterly authentication audit using MXToolbox; this discipline costs 2-4 hours per week of marketing operations time and catches most issues. Between 100K and 500K monthly the Snapshot tier becomes appropriate; the cost-benefit math favors a one-time external view to confirm the program is not drifting. Above 500K monthly the Standard tier becomes the default. Above 5M monthly the Enterprise tier applies and the cost-benefit is structurally favorable because the impact of even a small placement improvement at that volume exceeds the assessment cost.

Infrastructure assessment FAQ

What engineering and operations teams ask before signing.

What is the difference between assessment and audit?

Forward-looking vs backward-looking:

  • Assessment: identifies risks before they degrade outcomes
  • Audit (SOC 2, ISO): verifies controls met standards at a point in time
  • Deliverability audit: diagnoses acute degradation, recommends fixes

EMP delivers the assessment as its primary engagement because forward-looking risk identification has higher ROI than point-in-time verification for most programs above 100K monthly.

How are the five dimensions weighted?

Default B2B program weighting:

  • Authentication posture: 20%
  • Sender reputation health: 25%
  • Monitoring maturity: 15%
  • MTA architecture: 20%
  • Compliance posture: 20%

Weighting adjusts by profile: regulated industries push compliance to 30%, consumer-heavy programs push reputation to 35%, multi-tenant platforms push architecture to 30%.

What does the document deliverable look like?

Structure across tiers:

  • Snapshot: 15 pages, top 5 remediation items
  • Standard: 25 pages, full roadmap with budget
  • Enterprise: 40 pages, 12-month execution timeline

Format: PDF + appendix folder with raw evidence (Postmaster screenshots, configs, DMARC reports, DNS snapshots) so the customer can re-run the analysis 6-12 months later against the same baseline.

What access does EMP need?

Read-only access set:

  • Google Postmaster Tools per domain
  • Microsoft SNDS per IP
  • DNS zone for sending domains
  • MTA configuration files (read)
  • ESP dashboard (read)
  • 30 days of DMARC aggregate reports

Bilateral NDA signed before access. Data purged 60 days post-delivery unless extended.

How does EMP stay vendor-neutral?

Vendor-neutrality is structural:

  • Baseline values from public sources (Validity, Litmus, Gmail Postmaster docs, Microsoft SNDS docs)
  • Methodology peer-reviewed 2023, adjusted 2024
  • Recommendations route to non-EMP vendors in 60-70% of cases
  • Customer audits source citations in methodology section

30-40% of assessments lead to EMP follow-up; the rest go to internal teams, existing ESPs, certificate authorities, legal counsel, or other vendors.

What is the typical score range and what should we expect?

EMP 2025-2026 assessment population distribution:

  • Median: 64
  • Standard deviation: 12
  • Above 80: rare, dedicated email engineering teams
  • 55-75 band: most organizations, operational with debt
  • Below 50: active risk, likely degrading placement

Largest gaps consistently in monitoring maturity and DMARC enforcement.

What is the timeline and can it be expedited?

Standard timelines:

  • Snapshot: 3 business days
  • Standard: 2 calendar weeks
  • Enterprise: 4 calendar weeks

Expedited available at 25% premium for Snapshot (1 day) and Standard (1 week); Enterprise cannot be meaningfully rushed because data gathering itself takes time. Lead time from contract to start: 5-10 business days.

What happens after delivery?

Post-delivery flow:

  • 90-minute readout call with customer team
  • Two follow-up Q&A windows of 30-45 min within 30 days
  • Optional reassessment 6-12 months later
  • 15% credit on EMP remediation engagement if engaged

Continuous tier formalizes quarterly cadence for organizations wanting ongoing hygiene discipline.

Schedule the assessment. Snapshot delivered in 3 business days.

The scheduling call gathers the four data points required to size the engagement: current monthly sending volume, number of sending domains and IPs, regulatory scope (banking, legal, healthcare, none of the above), and the operational reason driving the assessment (pending audit, recent reputation degradation, ESP migration consideration, inherited stack documentation). With those four points EMP issues a fixed-fee quote within 48 hours and the assessment can start 5-10 business days after contract signature. Bilateral NDA signed before any data is shared. Delivered as PDF + appendix folder via encrypted channel.

Bilateral NDA in 48h · Mon-Fri 9-18 GMT-5 · Atrium Tower Floor 15