SaaS email program audit
Score your email program across consent, sending identity, product data, lifecycle coverage, workflow safety, deliverability, and measurement. The result is a short repair list, not a vanity maturity badge.
Resources
Score your program out of 14
Give each area 0, 1, or 2 points. A 0 means missing or unknown. A 1 means partly implemented, manual, or unmonitored. A 2 means documented, live, owned, and checked with evidence.
Area
A 2 means
Consent
Marketing permission and preferences are recorded, unsubscribe is easy, and transactional messages stay operational.
Identity & domains
SPF, DKIM, and DMARC pass; the From domain is recognizable; replies reach a monitored inbox.
Data & events
Critical product events have definitions, owners, test cases, and enough context to drive the right message.
Lifecycle coverage
Signup, activation, adoption, expansion, risk, win-back, and account-critical moments each have an intentional email path.
Workflow safety
Entry, exit, re-entry, suppression, delay, and frequency rules prevent duplicate or contradictory messages.
Deliverability
Bounces, complaints, and unsubscribes are monitored; inactive contacts have a policy; sudden changes have an owner.
Measurement
Every email has one job, one decision metric, and a named person who reviews it on a regular cadence.
Loops uses these ranges as a triage heuristic: 0–4 is fragile, 5–9 is partial, 10–12 is healthy, and 13–14 is strong. This is not an industry standard. Review the evidence behind each score before acting on the total.
Rule: score what is true today. A planned workflow, undocumented event, or dashboard nobody reads does not earn full credit.
Audit each layer
Consent and identity
Pull your signup forms, preference center, unsubscribe path, sending-domain records, and From addresses. Confirm what people agreed to, which messages bypass marketing preferences, and who receives replies. Fix ambiguity before adding automation.
Data and lifecycle coverage
List the product events that should change what a user receives. For each event, record its source, required properties, owner, and a real example payload. Then map the lifecycle moments you cover today and mark where users get silence, generic blasts, or two messages for the same action.
Workflow safety
Inspect every live workflow for entry, re-entry, exit, suppression, delay, and frequency rules. Test the awkward cases: a user upgrades mid-sequence, cancels and returns, belongs to two segments, or triggers the same event twice. The audit passes when the resulting inbox still makes sense.
Measurement and ownership
Assign one job to each email: activate, educate, recover, confirm, or convert. Pair it with the nearest behavior metric, not just opens. Name the person who reviews the result, the review cadence, and the action they will take when the metric moves.
Run the audit in 60 minutes
Run this with one person each from growth, product, and engineering. Their disagreements expose undocumented assumptions.
Score each area independently, then compare. A disputed score is a prompt to find the missing evidence, not average the opinions.
Write one proof line beside every 2. If nobody can point to the setting, query, owner, or test, score it a 1.
Choose the highest-risk 0 first. Consent, authentication, suppressions, and account-critical email outrank new nurture ideas.
30-day repair order
Week 1: stop risk. Fix permission, authentication, unsubscribe, bounce, complaint, and transactional-email problems.
Week 2: fix the data contract. Define the events and properties your highest-value lifecycle messages depend on, then add test cases.
Week 3: repair coverage and safety. Fill the most costly lifecycle gap and test entry, exit, re-entry, and duplicate-event behavior.
Week 4: install the review loop. Set one goal per message, assign an owner, and schedule the next audit.
What maturity is not
More workflows can create collisions without fixing coverage.
Channel count does not prove email maturity. Push, SMS, in-app, and an enterprise orchestration layer are separate requirements.
Personalization tokens come after correct timing and product context.
Open rates are noisy and do not prove that a message changed behavior.
A platform migration only helps when a documented requirement, operating cost, or reliability problem justifies it.
Common questions
What is a healthy SaaS email program audit score?
Who should participate in the audit?
How often should we run the audit?
Can this replace inbox placement testing?
What should we fix first?
How is this different from a deliverability audit?
Go deeper with the email deliverability guide, then map your lifecycle email coverage.