PowerMTA service
A PowerMTA audit that reads the configuration, not just the dashboard.
A PowerMTA audit is a configuration-level review of a running PowerMTA estate — the VirtualMTAs, domain policies, backoff rules, DKIM signing and bounce handling that decide where your mail lands. We measure that setup against how Gmail, Yahoo and Microsoft actually filter in 2026, then report what to fix, in priority order.
A PowerMTA audit is a configuration-level review of a running PowerMTA estate — the VirtualMTA-to-IP mapping, domain policies, backoff patterns, DKIM signing, bounce and feedback-loop handling — measured against how Gmail, Yahoo and Microsoft actually filter in 2026, then delivered as a prioritized written assessment. It opens the engine files a platform-agnostic check never touches, needs only read access to the configuration, recent logs and accounting files to begin, and reports plainly whether each finding is a ten-minute fix, a tuning project or a structural reason to consider migration.
In short
- → It reads the configuration, not the dashboard: VirtualMTA mapping, domain policies, backoff rules, DKIM and bounce handling — the settings that decide inbox placement and that a dashboard never shows.
- → Read access to the config, a window of recent logs and the accounting files is enough to begin; nothing on the server is changed without explicit sign-off.
- → The deliverable is a written assessment ranked by how much each finding costs your delivery, not a score and a sales call — yours to act on with us or without us.
- → Because the consultancy resells no MTA, the optimize-hold-or-migrate recommendation follows the evidence, not a sales incentive.
- → Multi-tenant estates get specific scrutiny of tenant isolation — shared VMTAs, DKIM applied unevenly, one customer’s complaints bleeding into another’s reputation.
Most delivery problems do not announce themselves in the dashboard. The dashboard shows you that mail to a provider slowed down; it does not show you that a wildcard domain policy has been quietly overriding the specific one you wrote for Gmail, or that half your transactional stream has been leaving unsigned since a DNS change last spring. Those answers live in the configuration. A PowerMTA audit is the work of reading that configuration the way the people who built your estate meant it to be read, and then checking it against a set of provider rules that have moved underneath it.
And they have moved a great deal. The estate that delivered cleanly in 2022 was tuned for a world where authentication was a best practice and inbox placement was mostly about reputation scores. Neither assumption holds now. So an audit is less about finding a single broken setting and more about measuring drift — the slow distance between how PowerMTA was configured and how the major providers behave today.
Why do PowerMTA estates drift out of tune?
PowerMTA did not get worse. The ground shifted in three directions at once, and a configuration that nobody touched simply stayed where it was while everything around it changed.
The first shift is the product itself. PowerMTA is commercial software licensed by Bird, with volume pricing that the vendor lists from around 8,000 US dollars a year and otherwise quotes privately against your volume, instance count and environments. A reviewer on Capterra — a long-time user, not a competitor — put the change bluntly: the price rose sharply after the software was acquired, and the core product has received few real upgrades since, with the company no longer making big investments in what is now mature software. Read alongside the wider reporting that Bird folded PowerMTA into its omnichannel platform and let go of the dedicated teams behind it, the practical message for an operator is simple. The engine on your servers is stable, but the help and the forward motion around it have thinned. Configurations that used to be revisited by a vendor relationship now sit untouched.
The second shift is enforcement. Through 2024 and into 2026 the largest mailbox providers stopped nudging non-compliant senders and started refusing them. Google and Yahoo set their bar on 1 February 2024: any domain sending 5,000 or more messages a day to their users needs SPF, DKIM and DMARC, has to keep spam complaints low, and must offer one-click unsubscribe on promotional mail, a requirement that followed on 1 June 2024. Microsoft joined on 5 May 2025 with the same authentication floor and the hard rejection code 550 5.7.515 for mail that misses it. Then in November 2025 Google escalated Gmail from temporary delays to permanent rejections. The threshold is counted per provider, not across your whole program, and once a domain crosses it the bulk-sender classification does not expire even if volume later drops. A PowerMTA config written before any of this took effect can be technically valid and still sending into a wall.
The third shift is the filter itself. Authentication and a clean reputation are now the price of admission rather than the thing that wins the inbox. Mailbox providers lean heavily on engagement signals — opens, replies, folder moves, deletions — because those are far harder to fake than a DNS record. Google has said its systems block on the order of 15 billion unwanted messages a day, and reported that authentication enforcement removed hundreds of billions of unauthenticated messages from Gmail in its first year. The takeaway for a high-volume sender is that the engine can no longer be tuned purely for throughput. It has to be tuned so it stops working against the engagement that now decides placement.
What are the signs a PowerMTA estate is overdue for an audit?
A handful of patterns reliably mean the configuration has fallen behind the providers rather than failed outright. None is proof on its own. Several together usually mean the distance between your setup and the current rules has grown wide enough to cost you mail.
- Placement that erodes slowly over months instead of dropping in a single event — the signature of drift rather than a break.
- Deferrals from one provider that never quite clear, a sign that backoff is fighting the queue instead of easing it.
- A migration, a DNS change or a new IP that went in some time ago and was never validated downstream against seed placement.
- Mail that used to reach the inbox now landing in spam for the same recipients who used to open it.
- A version and a configuration that nobody has opened since the people who wrote them moved on.
If two or three of those describe your situation, the estate is not necessarily broken. It is almost certainly out of tune, and an audit is the cheapest way to learn by how much — before it turns into a delivery incident rather than a quiet tax on every send.
What does a PowerMTA audit examine in the configuration?
PowerMTA uses a declarative, policy-driven configuration — usually rooted at /etc/pmta/config and split across includes — that prioritizes control and predictability over convenience. That control is exactly why it is powerful and exactly why it drifts: there are many places to get it subtly wrong, and the engine will do precisely what you told it to, even when what you told it stopped being a good idea two years ago. These are the places we read first, and what tends to be hiding in each.
| What we read | Where it lives | What tends to be wrong |
|---|---|---|
| VirtualMTA → IP mapping | <virtual-mta>, smtp-source-host | Every stream pinned to one VMTA, so a single bad send drags transactional and marketing reputation down together. |
| Domain policies | max-smtp-out, max-msg-rate, max-conn-rate | Global limits where per-domain limits belong, or numbers tuned years ago against ISP tolerances that no longer exist. |
| Backoff patterns | <smtp-pattern-list> | Deferral codes that never trigger backoff, so PowerMTA keeps hammering a provider that already asked it to slow down. |
| Backoff recovery | backoff-retry-after, backoff-to-normal-after | Retry windows that loop instead of recover, growing the spool until the queue explodes. |
| DKIM signing | domain-key, dkim-sign | Streams leaving unsigned, a 512- or 1024-bit key where 2048 is now expected, or a selector that points at nothing. |
| Bounce & FBL handling | bounce categories, feedback loops | Hard bounces and complaints that are logged but never fed back into suppression, so the same dead addresses ship again. |
| Precedence | <domain *> vs specific | A wildcard policy quietly overriding the specific one you thought was in force. |
| Spool & logging | spool, acct-file, log-file | Disk I/O as the real bottleneck at volume, and accounting files growing faster than they are rotated. |
Directive names follow PowerMTA configuration conventions; specifics are confirmed against your installed version during the audit.
None of these settings is exotic. The skill is in reading them together. A max-smtp-out value looks fine on its own; it looks very different when you notice it sits inside a wildcard <domain *> block that takes precedence over the carefully written Gmail policy two screens down. A backoff list looks thorough until you check it against the deferral strings the providers actually return today and find half of them unmatched. The audit is the act of holding the whole configuration in view at once, which is hard to do from inside a team that lives in it every day.
# A wildcard policy taking precedence over the specific Gmail one
$ grep -nE "<domain (\*|gmail)" /etc/pmta/config
412:<domain *> max-msg-rate 5000/h # wildcard wins by position
601:<domain gmail.com> max-msg-rate 90/min # never reached
# Does the backoff list match the strings providers return today?
$ pmta show queues | grep -c "421"
1843
$ grep -c "reply-pattern" /etc/pmta/config
2 # only 2 patterns for a provider set that returns dozens
# Which streams are leaving unsigned right now?
$ pmta show domains | awk '$4=="no" {print $1, "UNSIGNED"}'
receipts.example.com UNSIGNEDThe backoff trap, specifically
Backoff deserves its own paragraph because it is where the most expensive mistakes hide. Backoff protects deliverability and controls performance at the same time. When a provider returns a soft 4xx — a 421 deferral, a temporary rate limit — PowerMTA is supposed to slow that queue down and recover gently. Misconfigure it and the failure mode is not subtle: queues explode, or the engine drops into an effectively infinite retry loop that turns a brief rate limit into a sustained block. Practitioners who tune PowerMTA at volume are blunt about the cause. Providers throttle connections more aggressively than they throttle message rate, so exceeding connection limits is the fastest way to earn a 421 in the first place; and the correct way to scale is horizontal separation across VirtualMTAs, not vertical pressure on a single one. As one performance guide puts it, tuning PowerMTA well means respecting provider limits intelligently rather than pushing against them.
There is a quieter cost too. At high volume, PowerMTA is frequently limited by disk speed rather than CPU, because the spool and the famously detailed logging are both I/O-heavy. An audit that only looks at send rates misses this entirely. We check whether the spool, the accounting files and the log rotation are sized for the volume actually moving through the machine, because a queue that grows is a symptom, and the cause is usually upstream of where people look.
How is reputation and authentication checked against 2026 rules?
Configuration is half the picture. The other half is how the outside world sees the IPs and domains that configuration sends from, measured against the requirements that are now enforced rather than encouraged.
On authentication we check the things providers reject for. SPF has to resolve within its ten-DNS-lookup limit, a budget that large senders blow through more often than they realize once every sending service is included. DKIM has to be present on every stream, with a key of at least 1024 bits and 2048 recommended — Yahoo rejects 512-bit keys outright. DMARC has to exist and align against SPF or DKIM; even a policy of p=none satisfies all three providers as a floor, though the real protection arrives at p=reject. We confirm reverse DNS and HELO alignment, and we check whether MTA-STS and TLS-RPT are published, since encrypted transport is now an expectation rather than a nicety.
On reputation we read the signals the providers themselves expose, because they are the only honest source. That means Google Postmaster Tools, Microsoft SNDS and Yahoo’s Sender Hub — all free, and all showing your complaint rates from each provider’s own vantage point. The complaint thresholds are not advisory. The working rule is to stay below 0.1 percent and never reach 0.3 percent; cross it and you are in enforcement territory, where, as one 2026 guide framed it, a high complaint rate is treated as a trust failure rather than a content problem. We check blacklist status across Spamhaus and the major lists, but with perspective: the inbox providers increasingly weigh their own internal reputation over public blacklists, so a clean Spamhaus record is necessary without being sufficient.
Deliverability, engagement and the streams themselves
The last layer is what actually happens to your mail once it leaves. We run seed-list placement to see where messages land by provider, separate from what your own logs claim, and we look at the spam-folder and missing-mail rates that a delivery report alone will hide. Because engagement now drives placement, we examine the behavioral picture as much as the technical one: are your most engaged recipients getting the mail that keeps them engaged, and are dead segments dragging the whole sender down with non-opens and complaints.
This is also where stream separation matters most. The single most damaging pattern we find is transactional mail — password resets, receipts, shipping notices — sharing IPs and domains with marketing. One-click unsubscribe and the complaint thresholds exempt transactional mail, and that mail enjoys engagement rates that marketing cannot match. Mixing the two means a marketing complaint spike can push a password reset into spam, which is the kind of failure that quietly breaks a product. We check whether the streams are isolated at the VMTA, IP and domain level, and whether the configuration actually enforces that separation or merely intends it.
How does the PowerMTA audit run, and do you need server access?
The work moves in four passes, and you see all of it. First, discovery: we inventory the estate — every VirtualMTA, IP pool, sending domain, DKIM selector and domain policy — so what follows is read against the whole thing rather than a convenient sample. Second, the configuration read: we work through the directives and their precedence against your installed version, looking for the failure modes above and for the ones particular to how you send. Third, the outside view: seed-list placement by provider, the reputation signals from Postmaster Tools, SNDS and Sender Hub, blacklist status, and the authentication checks that decide outright rejection. Fourth, the write-up, where findings are ordered by impact and each one carries a verdict and a fix.
Across a typical estate that runs three to five business days, most of it spent reading rather than waiting. We work read-only throughout. Nothing changes on your servers during an audit unless you ask us to act on a finding, and even then only with your sign-off — the audit observes the estate, it does not rearrange it. If you would rather we did not hold credentials at all, we work from exports and a screen-share, and the depth of the assessment does not suffer for it.
What do you receive at the end of the audit?
The deliverable is a written assessment, ordered by impact. Each finding names the problem, says what it is costing in delivery terms, and classifies it honestly: a quick fix, a tuning project, or a structural issue that is worth weighing against migration. We do not hand over a numeric score and a calendar invite. The document is written to be read by an engineer and understood by the person who signs off the budget, and it is yours whether or not you ever work with us again.
Where the right answer is to keep PowerMTA and tune it, the assessment becomes the brief for that work. Where the configuration is sound but the roadmap is the real risk, it becomes the honest starting point for a conversation about KumoMTA — built by the architect behind the original PowerMTA engine, open source, and the path a growing number of senders are taking. Either way, the audit comes first, because no one should migrate, re-tune or re-platform an estate they have not actually read. One thing the ranking makes concrete is the cost of doing nothing. A backoff list that fails to match a provider’s current deferral strings is not an abstract misconfiguration; it is a measurable share of a send arriving late or not at all, every campaign, until it is fixed. Putting a delivery cost next to each finding is what turns the assessment from a list of technical observations into a decision document, because it lets the person holding the budget see which fixes pay for themselves in the first month and which can wait a quarter. That ordering is the part teams most often tell us they could not have produced from the inside, because triage is hardest on the system you operate every day.
FAQ
Audit questions
How is a PowerMTA audit different from your free 25-point audit?
The free audit is a cross-platform snapshot — it works for any sender on any stack and tells you where your authentication, reputation and inbox placement stand right now. A PowerMTA audit opens the engine itself: the configuration files, the VirtualMTA-to-IP mapping, the domain policies and the backoff rules that a platform-agnostic check never touches. Most clients begin with the free audit and move here when the findings point back at how PowerMTA is set up.
Do you need root access to our PowerMTA server?
Not to begin. Read access to the configuration, a window of recent logs and the accounting files is enough to find most problems. We can work from exports you send us, or over a screen-share if you would rather not hand over credentials at all. Nothing on the server is changed during an audit without your explicit sign-off — the audit observes, it does not touch.
We are on an old PowerMTA version. Does that change anything?
It often explains a lot. A reviewer on Capterra noted that the core product has seen few upgrades in recent years and that the company is no longer making large investments in it. An estate frozen on a release from several versions back can still send well, but it tends to carry config patterns written against provider rules that have since changed. We flag where your version matters and where it does not.
Will the audit just tell us to migrate to KumoMTA?
Only if the evidence points there. Plenty of PowerMTA estates are worth tuning and keeping for years. Because we do not resell either engine, we have nothing to gain from the recommendation — we report what the configuration and the data show, and the decision to optimize, hold or migrate stays with you.
How long does it take, and what does it cost?
A focused PowerMTA audit usually runs three to five business days, depending on how large the estate is and how quickly we receive the configuration and logs. The free 25-point audit is the entry point and carries no charge; a deep config-level engagement is scoped once we have seen what we are working with, so the number reflects your estate rather than a list price.
Can you audit a multi-tenant or white-label PowerMTA setup?
Yes. Multi-tenant estates are where segmentation tends to break down — shared VMTAs across tenants, one tenant’s complaints bleeding into another’s reputation, DKIM applied unevenly. We look specifically at isolation between tenants and at whether the reputation of one customer can damage the rest.
What do we actually receive at the end?
A written assessment, not a score and a sales call. It lists each finding, ranks it by how much it is costing your delivery, and says plainly whether it is a ten-minute fix, a tuning project or a structural reason to consider migration. It is yours to keep and act on, with us or without us.
We send through PowerMTA and an ESP. Can you audit that?
Yes, and the seam between them is often where the problem sits. Many senders run transactional or marketing mail through an ESP while pushing the rest through PowerMTA, which means two reputations, two sets of authentication records and two places for alignment to break. We audit the PowerMTA estate in depth and check how it coexists with the ESP — whether SPF includes and DKIM selectors line up, whether the streams are genuinely separated, and whether the two are quietly competing for the same domain reputation.
Start with the audit.
Twenty-five points across authentication, reputation, infrastructure and compliance — a written assessment, no charge and no obligation. It tells both of us exactly what we are working with.