
The Technical Anatomy of a Perfect Ecommerce Email Header

InboxEagle analyzed 256,606 emails across 16,381 brands. Only 16.7% had a perfect header. Here's what separates them from the rest — and how to fix yours.

Udhayakumar M

Most ecommerce email teams believe they’ve got authentication handled. SPF is set up. DKIM is configured. DMARC is in place. Job done.

Here’s the problem: authentication is just one component of a perfect email header — and it’s the component most brands have already solved.

InboxEagle analyzed 256,606 emails across 16,381 ecommerce brands to understand what a truly perfect email header looks like, how often it actually happens, and where the gaps are hiding.

The answer might surprise you: only 16.72% of emails in our dataset had a perfect header under the strict definition. And for 99.34% of the emails that fell short, the culprit wasn’t SPF, DKIM, or DMARC. It was something most brands have never even thought to check.

InboxEagle Email Header Analysis

  • 256,606 emails analyzed across 16,381 brands
  • 16.7% emails with a perfect header (exact definition)
  • 83.6% emails with a perfect header (org alignment definition)
  • 99.3% of imperfect headers fail due to exact alignment — not auth

What Is a Perfect Email Header, Exactly?

Before we get into the data, let’s define what we’re measuring. A perfect email header requires all five of the following to be true:

  1. SPF passes — your sending IP is authorized by your domain’s SPF record
  2. DKIM passes — your email carries a valid cryptographic signature from your domain
  3. DMARC passes — at least one of SPF or DKIM aligns with your from domain
  4. Return-path domain alignment — the domain of the bounce/return-path address matches your from domain
  5. List-Unsubscribe and List-Unsubscribe-Post headers are present — enabling one-click unsubscribe per RFC 8058

We measured this two ways: exact match (return-path domain == from domain, character for character) and organizational alignment (same root domain, different subdomain allowed).

Under the organizational definition, 83.60% of emails pass. Under the exact definition, only 16.72% do. That gap tells the whole story.

The Authentication Problem Is Largely Solved

Let’s give credit where it’s due. The three core authentication protocols are near-universal in our dataset:

  • SPF pass rate: 99.58% across all 256,606 emails
  • DKIM pass rate: 99.93%
  • DMARC pass rate: 97.31%

At the brand level, 98.95% of brands had all their emails pass SPF, and 99.58% had all pass DKIM. DMARC, the trickiest of the three, was still clean across all emails for 92.36% of brands.

That’s genuinely good news. If you’ve been focused on getting your authentication stack in order, it’s working across the industry.

But passing authentication doesn’t mean your header is perfect. It just means you’ve crossed the baseline.

The Real Gap: Exact Domain Alignment

Here’s the number that matters most: only 17.26% of emails in our dataset achieve exact alignment between the return-path domain and the from domain.

That means 82.74% of emails are sent with a return-path that doesn’t exactly match the from address your subscriber sees.

Why does this happen so often? Because most ESPs — Klaviyo, Mailchimp, and others — use their own infrastructure domain as the return-path (bounce address) by default. So your email says it’s from hello@yourbrand.com, but the technical return-path sits on a domain like bounces.youresp.com.

That gap causes exact alignment failure. It doesn’t break DMARC — DKIM alignment alone can carry DMARC — but it means your email is relying on a single point of alignment. It also prevents your header from reaching the highest trust tier that advanced inbox providers evaluate.

At the brand level, only 10.94% of brands had all their emails with exact return-path alignment. The number who had at least one exact-aligned email: just 10.32%.

Most brands have never even seen this problem because their emails still deliver fine. But it’s the difference between a good header and a perfect one.

The Most Common Header Pattern in Ecommerce

Of all the combinations we analyzed, one pattern dominates: 79.18% of emails fell into the same configuration.

Pattern 111011: SPF pass, DKIM pass, DMARC pass, exact alignment no, List-Unsubscribe yes, List-Unsubscribe-Post yes.

This is the “authenticated but not perfectly aligned” pattern. Authentication is solid. Unsubscribe headers are in place. But the return-path domain doesn’t match the from domain exactly.

The second most common pattern — the fully perfect header — was 111111 at 16.62%: all five checks green.

Everything else was noise. DMARC failures (2.43%), missing unsubscribe headers (0.75%), and other combinations each accounted for less than 1% of the dataset.

The practical implication: for most ecommerce brands, fixing exact alignment is the single change that moves them from the 79% bucket into the 16% bucket.
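To check a message against the five-part definition and the six-bit pattern above, the following added example (not InboxEagle's code) scores a raw message in Python. The function names, the `authserv_id` parameter, the receiver name `mx.example.net` and the two-label `org_domain` shortcut are assumptions made for illustration; only Authentication-Results headers stamped by your own receiving server are counted, since any other copy can be supplied by the sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(value):
    """Lower-cased domain of an address header such as From or Return-Path."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def org_domain(domain):
    # Assumption: last two labels; production code needs the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def auth_pass(msg, method, authserv_id):
    """True if the receiver's own Authentication-Results records method=pass."""
    for header in msg.get_all("Authentication-Results", []):
        ident, _, results = header.partition(";")
        # Copies stamped by any other host may be sender-supplied: skip them.
        if ident.strip().lower() == authserv_id and re.search(
                rf"\b{method}=pass\b", results, re.I):
            return True
    return False

def header_report(raw, authserv_id):
    """Six-bit pattern in the article's order, plus organizational alignment."""
    msg = message_from_string(raw)
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    checks = [
        auth_pass(msg, "spf", authserv_id),
        auth_pass(msg, "dkim", authserv_id),
        auth_pass(msg, "dmarc", authserv_id),
        from_dom != "" and from_dom == rp_dom,  # exact: character for character
        msg.get("List-Unsubscribe") is not None,
        msg.get("List-Unsubscribe-Post") is not None,
    ]
    org = from_dom != "" and org_domain(from_dom) == org_domain(rp_dom)
    return {"pattern": "".join("1" if c else "0" for c in checks), "org_aligned": org}

def constructed_sample(bounce_domain):
    # Constructed message, not real traffic; mx.example.net is a made-up receiver.
    return (f"Return-Path: <b-123@{bounce_domain}>\n"
            f"Authentication-Results: mx.example.net; spf=pass smtp.mailfrom={bounce_domain};\n"
            " dkim=pass header.d=yourbrand.com; dmarc=pass header.from=yourbrand.com\n"
            "From: Brand <hello@yourbrand.com>\n"
            "List-Unsubscribe: <https://yourbrand.com/u/123>\n"
            "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n\nbody\n")

if __name__ == "__main__":
    for dom in ("bounces.youresp.com", "bounce.yourbrand.com", "yourbrand.com"):
        print(dom, header_report(constructed_sample(dom), "mx.example.net"))
```

With a from address at yourbrand.com, a return-path on bounce.yourbrand.com scores as organizationally aligned, while the exact bit is set only when the two domains are identical.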

DMARC Failures: Still a Real Problem for Some Brands

While the overall DMARC pass rate is high, 2.69% of emails (6,898 out of 256,606) still fail DMARC. And 7.64% of brands (1,252 of 16,381) have at least one DMARC failure in their sending history.

As Valimail explains, if your return-path domain differs from your from domain and you’re relying solely on SPF for DMARC alignment, that combination will fail DMARC. DKIM alignment is then your only lifeline — and if DKIM is also misconfigured, you fail entirely.

For brands running multiple ESPs or transactional platforms alongside their marketing sends, the risk of DMARC failure compounds. Each sending source needs to either have its own DKIM key aligned to your domain, or use a custom return-path that aligns with your from domain.
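A per-source audit of which identifier is carrying DMARC can be scripted from the same headers. This added example (not from the original article or from any ESP) reads the receiver's Authentication-Results and reports whether each sending source aligns through SPF, DKIM, both, or neither under relaxed alignment; the source names, domains, the receiver name `mx.example.net` and the two-label `org_domain` shortcut are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Identity each mechanism authenticates, as reported in Authentication-Results.
IDENTITY = {"spf": r"smtp\.mailfrom", "dkim": r"header\.d"}

def org_domain(domain):
    # Assumption: last two labels; real evaluators use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned_mechanisms(raw, authserv_id):
    """Mechanisms that pass and align (relaxed mode) with the From domain."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    aligned = set()
    for header in msg.get_all("Authentication-Results", []):
        ident, _, results = header.partition(";")
        if ident.strip().lower() != authserv_id:  # trust only our own receiver
            continue
        for clause in results.split(";"):
            for mech, prop in IDENTITY.items():
                dom = re.search(rf"\b{prop}=(?:[^\s;@]*@)?([\w.-]+)", clause, re.I)
                if (re.search(rf"\b{mech}=pass\b", clause, re.I) and dom
                        and org_domain(dom.group(1)) == org_domain(from_dom)):
                    aligned.add(mech)
    return aligned

def dmarc_dependency(raw, authserv_id):
    """Classify a message by which aligned identifiers can carry DMARC."""
    aligned = aligned_mechanisms(raw, authserv_id)
    if not aligned:
        return "dmarc-fail"
    return "spf+dkim" if len(aligned) == 2 else next(iter(aligned)) + "-only"

def constructed_source(mailfrom, dkim_d):
    # Constructed header set for one sending source; every domain is made up.
    return ("Authentication-Results: mx.example.net;\n"
            f" spf=pass smtp.mailfrom={mailfrom};\n"
            f" dkim=pass header.d={dkim_d} header.s=k1\n"
            "From: Brand <hello@yourbrand.com>\n\nbody\n")

SOURCES = {  # constructed audit input: one sample per sending platform
    "marketing-esp": constructed_source("bounces.youresp.com", "yourbrand.com"),
    "transactional": constructed_source("mail.txplatform.example", "txplatform.example"),
    "custom-bounce": constructed_source("b-1@bounce.yourbrand.com", "yourbrand.com"),
}

def audit(authserv_id="mx.example.net"):
    return {name: dmarc_dependency(raw, authserv_id) for name, raw in SOURCES.items()}
```

A source reported as `dkim-only` is the single-point-of-alignment case described earlier, and `dmarc-fail` marks a platform that passes SPF and DKIM for its own domain without aligning to yours.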

List-Unsubscribe: Nearly Universal, But Not Quite

The good news is that unsubscribe header adoption is high. 98.95% of emails include List-Unsubscribe, and 98.71% include List-Unsubscribe-Post (the RFC 8058 one-click header required by Google, Yahoo, and Microsoft for bulk senders).

That means roughly 2,682 emails in our dataset were missing List-Unsubscribe entirely — a compliance risk that can directly impact inbox placement and trigger enforcement actions at Gmail, Yahoo, and Outlook.

If you’re using a major ESP like Klaviyo, these headers are typically injected automatically. But custom transactional setups, third-party integrations, and legacy sending infrastructure can introduce gaps. Always verify.

The ARC Layer: 94.2% of Emails Are Covered

One more header worth noting: 94.17% of emails in our dataset included ARC-Authentication-Results headers.

ARC (Authenticated Received Chain) is the protocol that preserves authentication results when an email is forwarded or routed through intermediary servers. Without ARC, a forwarded email that originally passed DKIM can arrive at the final inbox with a failed signature — because forwarding broke the hash. ARC fixes that by recording the authentication chain at each hop.

Google has included ARC as part of its sender guidelines since 2024. The 5.83% of emails missing these headers are operating without a forwarding safety net — a minor issue for direct sends, but a real risk for any program using list management, forwarding, or third-party relay infrastructure.

How to Move Your Header from Good to Perfect

If your sending program looks like the 79% — authenticated but not exactly aligned — here’s the fix:

Set up a custom bounce domain in your ESP. This routes your return-path through a subdomain of your own domain (e.g., bounce.yourbrand.com) instead of your ESP’s infrastructure. In Klaviyo, this is done through the dedicated sending domain setup. In Mailchimp and Constant Contact, availability depends on your plan tier.

Once your custom bounce domain is live:

  • Your return-path domain will match or align with your from domain
  • SPF alignment strengthens (both SPF and DKIM now align, not just DKIM)
  • Your header meets the exact alignment definition
  • You’ve eliminated your single-point-of-alignment dependency on DKIM

Verify your List-Unsubscribe-Post header. Send a test email and inspect the raw headers. Both List-Unsubscribe and List-Unsubscribe-Post should be present. If you’re on a standard plan with certain ESPs that don’t inject these automatically, you’ll need to configure them explicitly or upgrade.

For transactional sends, audit each sending source separately. DMARC failures in our data are disproportionately concentrated in brands with multiple sending platforms. Each source needs independent authentication review — not just your Klaviyo flows.

The Bottom Line

Authentication is table stakes in 2026. SPF, DKIM, and DMARC pass rates are near-universal across our dataset of 256,606 emails. That part of the job is largely done.

The real differentiator is exact domain alignment — and only 16.72% of emails get it right. It’s not a hard fix. It’s a custom bounce domain configuration that most ESPs support. But the majority of ecommerce brands have never done it.

If you want your header to be in the top tier — not just compliant, but technically optimized — that’s where to start. For a full look at how authentication failures correlate with spam folder placement, see our DMARC failure and spam folder study.




Note: Content created with the help of AI and human edited and fact-checked to avoid AI hallucinations.


Frequently Asked Questions

What makes an email header 'perfect' for deliverability?

A perfect email header passes all five checks: SPF, DKIM, and DMARC authentication, exact domain alignment between the return-path and from address, and both List-Unsubscribe and List-Unsubscribe-Post headers present. In InboxEagle's analysis of 256,606 emails, only 16.72% met this strict definition.

What is the difference between exact alignment and organizational alignment in email headers?

Exact alignment means the return-path domain matches the from domain character-for-character (e.g., both are brand.com). Organizational alignment means they share the same root domain but may differ at the subdomain level (e.g., mail.brand.com and brand.com). In InboxEagle's dataset, 86.04% of emails achieved organizational alignment, but only 17.26% achieved exact alignment.

Why do so many emails fail exact domain alignment?

Most ESPs — including Klaviyo, Mailchimp, and others — use their own subdomain or infrastructure domain as the return-path (bounce address) by default. This means your from domain is brand.com, but the return-path is something like bounces.klaviyo.com or mail123.klaviyo-email.com. That gap causes exact alignment failure. Fixing it requires setting up a custom bounce domain or return-path subdomain through your ESP.

Does missing exact alignment break DMARC?

Not necessarily. DMARC can pass on DKIM alignment alone, even when SPF alignment fails due to a mismatched return-path. In InboxEagle's data, 97.31% of emails passed DMARC despite only 17.26% having exact alignment. However, exact alignment adds a stronger trust signal and eliminates dependency on DKIM as the sole alignment mechanism.

What are List-Unsubscribe and List-Unsubscribe-Post headers and why are they required?

List-Unsubscribe is the header that exposes the unsubscribe option in inbox UIs like Gmail. List-Unsubscribe-Post (RFC 8058) enables one-click unsubscribe — where Gmail or Yahoo processes the opt-out via HTTP POST without the subscriber having to visit a landing page. Both are required for bulk senders by Google, Yahoo (since June 2024), and Microsoft (since May 2025). In InboxEagle's dataset, 98.95% of emails included List-Unsubscribe, and 98.71% included List-Unsubscribe-Post.

Udhayakumar M · Content Marketer

With 8+ years writing for 80+ SaaS products, Udhay knows how to make complex ideas land. At InboxEagle, he turns email deliverability data into plain-English strategy — helping eCommerce brands understand why emails end up where they do, and what to do about it.
