monkeyman.agency
scaling

Your Klaviyo Bounce Rate Spiked Overnight: Emergency Deliverability Triage for Shopify Stores

A newsletter bouncing at 21% instead of 0.4% is a five-alarm fire for a Shopify store. Here's the triage we run to find the leak and rebuild sender reputation.

July 4, 2026 8 min read

Dev runs Cedar and Salt, a coastal skincare brand on Shopify doing about $1.8M a year, with email responsible for roughly a third of that revenue. For two years his Klaviyo dashboard was the boring kind of healthy. Bounces around 0.39%, opens in the low forties, nothing worth staring at.

Then a Thursday newsletter went out and bounced at 21%.

On the discovery call the next morning he said the exact sentence we’ve heard from a dozen merchants since: “We didn’t change any settings.” And that’s the unsettling part. Almost nobody who hits this wall changed a setting. Something changed around them, and the newsletter just happened to be the send that exposed it.

What a spike that size is actually telling you

A bounce number that jumps fifty-fold in a single send is not noise. Mailbox providers didn’t collectively misplace a fifth of your subscribers between Tuesday and Thursday. Either the addresses you mailed got worse, or the way inbox providers judge your sending got worse. Those are the only two families of causes, and every useful triage step exists to tell you which family you’re in.

The first family is list quality. Somewhere, a batch of addresses that don’t exist, or shouldn’t exist, entered your account. The send itself was fine; the audience was contaminated.

The second family is reputation and infrastructure. The addresses are real, but Gmail, Yahoo, or Microsoft decided your mail no longer deserves the inbox, or your authentication records quietly broke and providers stopped trusting that the mail is really yours.

The fix for one family makes the other worse. Trimming your list won’t repair a broken DKIM record, and re-authenticating your domain won’t remove four thousand bot signups. So you diagnose before you touch anything.

Hard bounces, soft bounces, and the story they tell

Klaviyo splits bounces into two types, and the split is the fastest diagnostic you have. A hard bounce is permanent: the address doesn’t exist, the domain is dead, someone typed gmial instead of gmail. Klaviyo suppresses those automatically after one occurrence. A soft bounce is nominally temporary, a full mailbox or a server hiccup, but here’s the part that matters: reputation blocks from big providers usually surface as soft bounces too. Klaviyo’s own guide to bounced emails walks through the full taxonomy.

Read the split like this. A spike that’s mostly hard bounces, scattered across hundreds of odd domains, points at list contamination. A spike that’s mostly soft bounces, concentrated at one or two major providers, points at reputation or authentication. One pattern says “your audience is fake”, the other says “the inbox stopped trusting you.”

Dev’s export was 84% hard bounces spread across throwaway domains nobody has ever sent a real email from. A list problem, diagnosed inside twenty minutes.

The first hour: stop the bleeding before you diagnose

Before any detective work, pause everything scheduled. Every campaign in the queue, every promotional send for the next few days. A second bad send into the same contaminated audience does more reputation damage than the first, because now the pattern looks deliberate to the providers watching it.

Your flows are a different call. Order confirmations and shipping updates go to people who just bought something, which makes them the healthiest traffic you have. Leave those running. It’s the batch-and-blast campaigns that need to stop.

Then pull the bounce export for the bad send and look at two breakdowns: bounce type and recipient domain. That’s it. Don’t resend with a new subject line, don’t test a different template, don’t “try a smaller segment” chosen by gut feel. Dev called, we pulled the export, the pattern was obvious inside the first coffee.

One more thing while you’re in there. Note your spam complaint rate on the same send. If complaints spiked alongside bounces, the problem is bigger than bad addresses and you should assume reputation damage is already underway.

Finding where the bad addresses came from

Bad addresses arrive in bulk, not one at a time, so you’re looking for an event. The usual suspects, roughly in the order we find them: a recent list import (the trade-show CSV, the “cleaned” export from an old email platform), an unprotected signup form getting hit by bots, a giveaway or contest that attracted freebie accounts, and a win-back campaign aimed at a segment that hasn’t opened anything in three years.

The form one deserves special attention because it’s invisible while it happens. Bots crawl the web submitting junk addresses into any form without a CAPTCHA or confirmation step, sometimes as random vandalism, sometimes as deliberate list bombing. Your subscriber count climbs, which feels great, and nothing looks wrong until the next big send mails all of them at once.

That was Cedar and Salt. The footer signup form had no bot protection. Over nineteen days, 4,100 addresses from garbage domains flowed in. Dev’s “growth spike” was a poisoning.

The cleanup is suppression, not deletion. Build a segment around the contamination window and its telltale patterns (no opens ever, suspicious domains, no site activity), then suppress it. Suppressed profiles keep their history and can’t be accidentally mailed again; deleted ones can walk right back in through the same door.

When the list is clean and the domain is the problem

The other half of these calls turn up nothing wrong with the list, and that’s when we go looking at authentication. Email providers verify sender identity through SPF, DKIM, and DMARC records in your DNS, and since Gmail and Yahoo tightened bulk-sender rules, failing them isn’t a style point. Mail gets rejected outright, and rejected mail shows up in your dashboard as bounces.

Here’s how this breaks with nobody touching Klaviyo: the store replatforms, or switches DNS hosts, or a developer tidies up “unused” DNS records during a migration, and a DKIM record silently vanishes. Nobody changed any email settings; the change happened at the registrar, weeks before the send that revealed it.

So the check is external. Verify your SPF, DKIM, and DMARC records are intact and passing, confirm your sends include one-click unsubscribe, and confirm your spam complaint rate sits under the 0.3% threshold providers now enforce. If you’re still sending from Klaviyo’s shared infrastructure, this is also the moment to set up a branded sending domain, which puts your reputation under your own control instead of pooling it with strangers.

A store doing real revenue through email should treat those DNS records like it treats its checkout. Monitored, owned, and never edited casually.

Climbing out of the reputation hole

Whichever family caused the spike, if a bad send already went out at volume, some reputation damage is done and the recovery playbook is the same. Send less, to better people, consistently.

Build a segment of subscribers who opened or clicked in the last 30 to 60 days and send only to them for the next two to three weeks. Volume matters less than the signal quality: high opens, low bounces, near-zero complaints, repeated on a steady cadence. That’s the pattern providers read as “legitimate sender having a normal week”, and it’s the only thing that moves reputation back up.

Expand gradually: add the 90-day engaged group, watch the bounce and complaint numbers hold, then widen again. If any expansion tips the numbers, fall back a step and hold longer.

And resist the instinct to escape by switching platforms. Reputation attaches to your sending domain, not to Klaviyo, so a mid-crisis migration carries the problem with you while adding the exact volume disruption providers treat as suspicious. We’ve watched merchants turn a three-week recovery into a three-month one this way.

Guardrails that make the next spike boring

Everything above is fire-fighting. The stores that never call us twice all run some version of the same five guardrails.

Bot protection on every signup form, either a CAPTCHA or double opt-in, ideally both on the forms that feed your main list. Default campaign audiences built on engaged segments rather than “all subscribers”, so a contaminated cohort can’t be mailed by habit. A sunset flow that suppresses profiles after six months of zero engagement. A weekly two-minute glance at bounce and complaint rates per send, because a spike caught at 2% never becomes a story like this one. And a quarterly check that your authentication records still exist and still pass, especially after any dev work that touched DNS.

None of this grows revenue directly, which is why it never gets prioritized. It’s insurance. The premium is about an hour a quarter.

What we keep telling clients

Deliverability is the part of email marketing that’s invisible right up until it’s the only thing that matters. Merchants watch opens, clicks, and revenue per recipient. Pretty much nobody watches bounces, because for years the number just sits there being tiny. That’s exactly why a spike catches teams flat-footed.

The mental shift we push is treating your list as inventory quality, not inventory size. A subscriber count that grows while engagement decays isn’t an asset, it’s a liability with a fuse on it. The merchants who brag about list size on kick-off calls are usually the ones whose lists we end up cutting by a third.

We also tell them the boring truth about recovery: there’s no support ticket, no setting, no platform switch that shortcuts it. Reputation rebuilds the same way it was built, one clean send at a time. The triage gets you a diagnosis in an hour. The cure is measured in weeks, which is the strongest argument there is for the guardrails that make the cure unnecessary.

Dev suppressed the 4,100 bot signups the same afternoon, put double opt-in on every form, and spent three weeks mailing only his 60-day engaged segment. By the fourth week his bounce rate was back at 0.41%, and his summer sale campaign went out on a domain that had already healed. The subscriber count is smaller than it was in June. The revenue per send is higher.

Questions we get every week

Should I delete bounced profiles or suppress them? Suppress. Klaviyo already auto-suppresses hard bounces, and suppression keeps the profile’s history while guaranteeing it can’t be mailed. Deleting a profile erases the evidence and leaves the door open for the same address to re-enter through a form or import.

How long does it take sender reputation to recover? For a single bad send with a fast cleanup, two to four weeks of disciplined engaged-only sending usually does it. If bad sends went out repeatedly before anyone noticed, plan for six to eight weeks. The consistency of the recovery sends matters more than any single action you take.

Can I just switch email platforms to escape the bad reputation? No, and it usually backfires. Reputation follows your sending domain, and providers view a sudden platform change with new volume patterns as a spam signal, not a fresh start. Fix the underlying cause where you are, then migrate later if you have real reasons to.

What bounce rate should I actually aim for? Under 0.5% hard bounces per campaign is the healthy zone for an established Shopify store, and well-run lists sit closer to 0.2%. Anything above 1% on a routine send deserves a look the same day, because trends in that number are early warnings, not trivia.

If your last campaign came back with a bounce number you’ve never seen before, book a deliverability triage with Monkey Man and we’ll find the leak before your next send.

Need help with this?

Send us your store. We'll send back an audit.

Send us your store URL. We'll send back a free audit within 48 hours.

Phone (optional)