The Open Source MSP

Why Your Email Goes to Spam (SPF, DKIM, and DMARC)

You send your customer an invoice. They never see it. It's not in their inbox, it's not in junk, it's just — gone. Email deliverability isn't random, and three small DNS records will fix most of it.

The problem in 30 seconds

Spam filters at Gmail, Outlook, Yahoo, and every serious mail provider don't just look at what's in the message anymore. They check whether the domain in the From: address has authorized the sending server to send mail on its behalf. If your domain hasn't, your message looks indistinguishable from spoofed spam — and the filter treats it that way.

SPF, DKIM, and DMARC are the three DNS records that do that authorizing. Without them, you're shouting from an unmarked truck. With them, your delivery rate and inbox placement get dramatically better — and you stop other people being able to spoof your domain.

What each one actually does

How to check what you have today

The easiest way: paste your domain into a free checker like MXToolbox SuperTool — pick the SPF, DKIM, and DMARC lookup options in turn. It'll tell you what's present and whether it's well-formed.

Or, for any email you've already received: open it in Gmail, three-dot menu, Show original, and look at the SPF, DKIM, and DMARC lines near the top. PASS is what you want; FAIL or SOFTFAIL means something's wrong on the sender's end.

The most common problems we see

How we set this up for customers

For Spritz hosting and managed-care customers, SPF, DKIM, and DMARC come with the email setup — no extra cost. We start DMARC at p=none with reporting enabled, watch what comes through for a few weeks, then move to p=quarantine once we're sure nothing legitimate is being missed.

If you're not a customer but want this set up on a domain you already own, get in touch and we'll quote a one-time setup. Most domains take 30–45 minutes once we have DNS access — and the difference in delivery is usually obvious within a day or two.