Why Your Email Goes to Spam (SPF, DKIM, and DMARC)
You send your customer an invoice. They never see it. It's not in their inbox, it's not in junk, it's just — gone. Email deliverability isn't random, and three small DNS records will fix most of it.
The problem in 30 seconds
Spam filters at Gmail, Outlook, Yahoo, and every serious mail provider don't just look at what's in the message anymore. They check whether the domain in the From: address has authorized the sending server to send mail on its behalf. If your domain hasn't, your message looks indistinguishable from spoofed spam — and the filter treats it that way.
SPF, DKIM, and DMARC are the three DNS records that do that authorizing. Without them, you're shouting from an unmarked truck. With them, your delivery rate and inbox placement get dramatically better — and you stop other people being able to spoof your domain.
What each one actually does
- SPF (Sender Policy Framework) — a TXT record listing which servers are allowed to send mail "from" your domain. Your hosted mail server, Microsoft 365, Google Workspace, Mailchimp, QuickBooks — each one that sends on your behalf gets an entry. A receiving server checks the sender's IP against your SPF record; if it doesn't match, the message is suspect.
- DKIM (DomainKeys Identified Mail) — a cryptographic signature your mail server adds to every outgoing message, verifiable against a public key you publish in DNS. If anyone tampers with the message in transit — or forges one claiming to be from you — the signature breaks and the recipient knows.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) — tells receiving servers what to do when SPF or DKIM checks fail: reject the message, quarantine it as spam, or just report it back to you. DMARC also requires the authenticated domain to align with the visible From: address, which closes a common spoofing loophole.
How to check what you have today
The easiest way: paste your domain into a free checker like MXToolbox SuperTool — pick the SPF, DKIM, and DMARC lookup options in turn. It'll tell you what's present and whether it's well-formed.
Or, for any email you've already received: open it in Gmail, three-dot menu, Show original, and look at the SPF, DKIM, and DMARC lines near the top. PASS is what you want; FAIL or SOFTFAIL means something's wrong on the sender's end.
The most common problems we see
- No SPF at all. Customer sends from one mail server, never had a DNS record set up. Receiving filters treat every message as suspicious by default.
- SPF doesn't include a third-party sender. Customer uses Mailchimp or Constant Contact for newsletters, or QuickBooks for invoicing — but the SPF record only authorizes their primary mail host. Those third-party messages fail authentication and go straight to spam.
- DKIM never set up. Most modern mail systems generate a DKIM key automatically — but only if someone adds the public-key TXT record to DNS. Skip that step and DKIM never works, even though the server is signing.
- DMARC set to
p=rejecton day one. Aggressive DMARC blocks legitimate mail too. Best practice: start atp=nonewith reporting on, watch the reports for two to four weeks, then tighten toquarantine— and only move torejectonce you're confident nothing legitimate is being caught. - Multiple SPF records. Only one SPF TXT record is allowed per domain. If you have two, mail servers treat the SPF check as broken. Merge them into one with multiple
include:entries.
How we set this up for customers
For Spritz hosting and managed-care customers, SPF, DKIM, and DMARC come with the email setup — no extra cost. We start DMARC at p=none with reporting enabled, watch what comes through for a few weeks, then move to p=quarantine once we're sure nothing legitimate is being missed.
If you're not a customer but want this set up on a domain you already own, get in touch and we'll quote a one-time setup. Most domains take 30–45 minutes once we have DNS access — and the difference in delivery is usually obvious within a day or two.