Why Emails Go to Spam (and How to Fix It)
Spam filters are aggressive. They judge your domain reputation, IP reputation, content, past engagement, and—crucially—your authentication. If you don’t publish SPF/DKIM/DMARC, recipients can’t verify your mail really comes from you. That’s when legitimate messages start disappearing into junk folders.
SPF: Who’s Allowed to Send for Your Domain
SPF is a DNS TXT record that lists the servers/providers permitted to send mail on your domain’s behalf.
Example SPF (replace providers):
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org -all
- Put it at the root (@).
- Use -all (hard fail) after you’ve validated the includes; start with ~all (soft fail) if unsure.
- Avoid include chains that push the record past the limit of 10 DNS lookups.
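The 10-lookup limit is easier to audit with a counter. The following is an added example, not part of the original article: it computes the worst-case number of DNS-querying SPF terms (include, a, mx, ptr, exists, redirect) across nested includes. ZONE is constructed sample data and lookup_txt is a hypothetical stand-in for a real TXT resolver.

```python
# Worst-case count of DNS-querying SPF terms (RFC 7208 allows at most 10).
# ZONE is constructed sample data standing in for DNS; it is not real.
ZONE = {
    "example.com": "v=spf1 include:_spf.mail-a.example include:_spf.mail-b.example mx -all",
    "_spf.mail-a.example": "v=spf1 include:_n1.mail-a.example include:_n2.mail-a.example ~all",
    "_n1.mail-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_n2.mail-a.example": "v=spf1 ip4:198.51.100.0/24 a:out.mail-a.example ~all",
    "_spf.mail-b.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "bloated.example": "v=spf1 a mx include:example.com include:_spf.mail-a.example "
                       "exists:%{i}.bl.example -all",
}
LOOKUP_LIMIT = 10
# Terms that trigger a DNS query when evaluated; ip4, ip6 and all do not.
COSTLY = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(domain):
    """Hypothetical resolver stub: return the domain's SPF TXT record or None."""
    return ZONE.get(domain.lower())


def count_lookups(domain, path=()):
    """Count DNS-querying terms for domain, following include/redirect."""
    if domain in path:
        raise ValueError(f"SPF include loop at {domain}")
    record = lookup_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # strip the qualifier
        # "redirect=dom" and "include:dom" both split into (name, target)
        name, _, target = term.replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()  # "mx/24" -> "mx"
        if name in COSTLY:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(target, path + (domain,))
    return total


def check(domain):
    """Return (lookup_count, within_limit) for a domain's SPF record."""
    n = count_lookups(domain)
    return n, n <= LOOKUP_LIMIT


if __name__ == "__main__":
    for d in ("example.com", "bloated.example"):
        print(d, check(d))
```

The count is a static upper bound: a receiver stops evaluating at the first matching mechanism, so a given message may use fewer lookups than the record allows for.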
DKIM: Cryptographic Proof the Message Wasn’t Altered
DKIM adds a signature to each email. The public key lives in DNS, typically as a selector-specific TXT record like selector1._domainkey.
Steps:
1) In your email provider, generate a DKIM key (selector + public key).
2) Add DNS TXT: selector1._domainkey.example.com → v=DKIM1; k=rsa; p=PUBLICKEY...
3) Enable DKIM signing in the provider dashboard.
Use one DKIM record per sending service (each with its own selector). Rotating keys annually is good hygiene.
DMARC: Policy & Reporting
DMARC ties SPF and DKIM to your visible From: domain and tells receivers what to do when mail fails (none/quarantine/reject). It also enables reports so you can see who’s sending as you.
Start safe (monitor mode):
_dmarc.example.com → v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com; adkim=s; aspf=s; pct=100
- Alignment: Set adkim=s and aspf=s for strict alignment once configured—this improves trust.
- Enforcement: After 1–2 weeks of clean reports, move to p=quarantine, then p=reject.
- Subdomain policy: Add sp= if subdomains also send mail.
Optional: BIMI for Brand Logos
When DKIM/SPF/DMARC are solid and at enforcement, many providers support BIMI to display your logo beside messages.
BIMI TXT:
default._bimi.example.com → v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem
Common Gotchas
- Multiple senders, one domain: Add each sender to SPF and DKIM (its own selector). Keep DKIM signing enabled everywhere you send.
- Forwarding breaks SPF: That’s normal; DKIM survives forwarding. DMARC relies on at least one passing (SPF aligned or DKIM aligned).
- Exceeded SPF lookups: Flatten with your provider’s tools or consolidate services.
- Wrong DNS host: Make sure you’re editing DNS at the active nameserver set at your registrar.
Step-by-Step Setup (15 Minutes)
- Create/verify your sending domain in your email platform (e.g., Google Workspace, Microsoft 365, SendGrid, Mailgun).
- Add their required DNS: SPF include, DKIM TXT, sometimes a bounce/return-path CNAME.
- Publish DMARC with p=none + rua to start reports.
- Send test emails to multiple inboxes (Gmail, Outlook, Yahoo). Check message headers: look for spf=pass, dkim=pass, dmarc=pass.
- After clean reports, raise to p=quarantine → p=reject.
Troubleshooting Checklist
- Use message headers to see why a message failed (search for “Authentication-Results”).
- Confirm your SPF includes are correct and under 10 DNS lookups.
- Ensure DKIM selectors exist in DNS and match the provider’s selector name.
- Check DMARC alignment: the From: domain must match the domain that SPF or DKIM authenticated.
- Warm up new sending domains and IPs gradually; avoid sudden large campaigns.