When your business emails land in spam, clients miss your invoices, proposals go unread, and follow-ups get ignored. The problem is almost always one of three missing or misconfigured DNS records: SPF, DKIM, and DMARC. These aren't advanced concepts — they're three text records in your domain's DNS settings, and getting them right fixes most deliverability problems.
Here's what each one does, how to check whether yours are set up correctly, and what to do if they aren't.
Why legitimate emails end up in spam
Spam filters used by Gmail, Microsoft 365, and other providers don't just look at the content of your email. They also look at signals that tell them whether your email server is authorized to send on behalf of your domain, and whether you have a stated policy for what to do when someone fakes your domain.
If those signals are missing or misconfigured, your email looks the same to a spam filter as a spoofed email from a scammer — even if your content is perfectly legitimate.
The three records that provide those signals are SPF, DKIM, and DMARC.
SPF: Which servers are allowed to send your email
What it does: SPF (Sender Policy Framework) is a DNS record that tells receiving mail servers which mail servers are authorized to send email for your domain. If email comes from a server not listed in your SPF record, it looks suspicious.
How to check yours: Go to mxtoolbox.com/spf.aspx, enter your domain name, and run the check. You should see a valid SPF record. A missing record or one that doesn't include your actual mail server is a problem.
What a basic SPF record looks like:
For Microsoft 365:
v=spf1 include:spf.protection.outlook.com -all
For Google Workspace:
v=spf1 include:_spf.google.com ~all
If you send email from more than one system — your main email plus a marketing tool like Mailchimp or a billing system — all of those senders need to be included in your SPF record. Each provider will tell you the specific value to add.
How to add or fix it: Log into the DNS management for your domain (this is usually wherever you registered your domain — GoDaddy, Namecheap, Cloudflare, etc.) and add or update a TXT record for your root domain. Your email provider's documentation will have the specific value.
DKIM: Prove the email actually came from you
What it does: DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails that lets the receiving server verify the email wasn't tampered with in transit and actually came from your mail system. Without DKIM, there's no way for a receiving server to confirm the email wasn't spoofed or modified.
How to check yours: Use mxtoolbox.com/dkim.aspx. You'll need to know your DKIM selector (a label your email provider uses — for Microsoft 365 it's typically "selector1" or "selector2"; for Google Workspace it's "google"). Enter your domain and selector and run the check.
How to enable it:
For Microsoft 365: Go to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM → select your domain → Enable. Microsoft will give you two CNAME records to add to your DNS. Add them, then enable DKIM.
For Google Workspace: Go to admin.google.com → Apps → Google Workspace → Gmail → Authenticate email. Generate the DKIM key, add the provided TXT record to your DNS, then click "Start authentication."
DMARC: Tell receivers what to do with emails that fail
What it does: DMARC (Domain-based Message Authentication, Reporting & Conformance) is a policy record that tells receiving mail servers what to do when an email fails SPF or DKIM checks. It also tells them where to send reports so you can see whether anyone is trying to spoof your domain.
Without DMARC, a receiving server that finds an SPF or DKIM failure has to make its own judgment call. With DMARC, you tell it explicitly: quarantine suspicious emails, reject them, or just report them without taking action.
How to check yours: Use mxtoolbox.com/dmarc.aspx. If you have no DMARC record, that's a deliverability gap and also means anyone can send email that appears to be from your domain without you knowing.
A basic DMARC record to start with:
v=DMARC1; p=none; rua=mailto:[email protected]
p=none means "monitor only — don't reject or quarantine." This is the right starting policy because it lets you collect reports without risking legitimate emails being blocked while you're getting set up. Add this TXT record to your DNS as _dmarc.yourdomain.com.
Once you've confirmed SPF and DKIM are working correctly and you've reviewed a few weeks of DMARC reports, you can move to p=quarantine (failed emails go to spam) and eventually p=reject (failed emails are blocked outright).
Check your current setup in one place
Rather than checking each record separately, run a full test at mail-tester.com. Send an email from your business address to the test address they give you, then check the score. It grades your configuration and tells you specifically what's missing or misconfigured.
Another comprehensive tool: dmarcian.com has a free domain checker that shows SPF, DKIM, and DMARC status together with specific guidance on what to fix.
Other things that affect deliverability
SPF, DKIM, and DMARC cover the most common root causes, but they're not the only factors:
- Sending reputation. If your IP address or domain has previously been used to send spam — including through a compromised account — your sending reputation may be damaged. Check mxtoolbox.com/blacklists.aspx to see if your domain or IP is on a blocklist.
- Email content. Spam filters also score email content. Emails with all-caps subject lines, excessive exclamation points, certain phrases ("FREE," "ACT NOW," "click here"), or heavy image-to-text ratios score worse. Plain, professional emails score better.
- Sending volume patterns. Suddenly sending a large volume of email from a domain that rarely sends — say, an email blast from a billing system you just configured — can trigger spam filters even with good authentication in place. Warming up a new sending domain or IP gradually is standard practice.
- Your recipient's spam filter settings. Occasionally the problem is on the recipient's end — their company spam filter is misconfigured or unusually aggressive. If one specific person or company consistently misses your emails, ask them to check quarantine and add you to their safe senders list.
What to tackle first
If you have none of these records set up: add SPF first (it's the simplest and has the most immediate impact), then DKIM, then a DMARC monitoring record. Each step is independent, and each one improves deliverability on its own. You don't need all three before any of them help.
If you already have SPF and DKIM and you're still having problems, DMARC reporting is your best diagnostic tool — the reports tell you exactly what's happening to emails that fail authenticat
Frequently Asked Questions
How quickly will fixing SPF/DKIM/DMARC improve deliverability?
DNS changes propagate within hours, up to 48 hours in the worst case. You’ll typically see deliverability improvement within a day of correct configuration — use mail-tester.com to confirm before and after.
Our emails only land in spam at one specific company. Is that still a DNS problem?
Probably not. If SPF and DKIM check out, the issue is likely that recipient’s spam filter settings or an IP reputation issue. Ask them to check their quarantine folder and whitelist your sending domain.
Can we break something by adding these records?
Yes, if done incorrectly. Never create a second SPF record — only one TXT SPF record is allowed per domain, and two will cause failures. Add new sending sources to the existing SPF record. Test with MXToolbox before and after any change.
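The single-record rule above and the earlier advice to list every sending system in one SPF record can both be checked before you publish a change. This added example (not from the original article) lints the TXT records of one domain for duplicate SPF records, too many DNS-lookup terms, and a missing or permissive `all` term; the sample records are constructed and `spf.billing.example` is a hypothetical second sender.

```python
import re

# Terms that each trigger a DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def lint_spf(txt_records):
    """Return a list of problems in the TXT records published at a domain's root."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # More than one v=spf1 record is a permanent error for receivers.
        return [f"{len(spf)} SPF records published; merge them into one"]
    problems, lookups, all_qualifier = [], 0, None
    for term in spf[0].lower().split()[1:]:
        match = re.match(r"([+\-~?]?)([a-z0-9]+)", term)
        if not match:
            problems.append(f"unparseable term: {term}")
            continue
        qualifier, name = match.group(1) or "+", match.group(2)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    # Only this record's own terms are counted; lookups made inside included
    # records also count toward the limit when a receiver evaluates SPF.
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}")
    if all_qualifier is None and "redirect=" not in spf[0].lower():
        problems.append("no 'all' term at the end of the record")
    elif all_qualifier == "+":
        problems.append("'+all' authorizes every server on the internet")
    return problems

# Constructed sample data; spf.billing.example is a hypothetical second sender.
TWO_RECORDS = ["v=spf1 include:spf.protection.outlook.com -all",
               "v=spf1 include:spf.billing.example -all"]
MERGED = ["v=spf1 include:spf.protection.outlook.com include:spf.billing.example -all"]

if __name__ == "__main__":
    print(lint_spf(TWO_RECORDS))  # flags the duplicate record
    print(lint_spf(MERGED))       # no problems
```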
