Why Your Emails Land in Spam β€” Fix It With SPF, DKIM & DMARC

Bymichael.kamel.it@gmail.com
📋 Table of Contents
  1. Why Email Authentication Matters More Than Ever
  2. Step 1: Set Up SPF
  3. SPF Syntax Explained
  4. Step 2: Configure DKIM
  5. DKIM DNS Record Format
  6. Step 3: Enforce DMARC
  7. Start with a Monitoring Policy
  8. Escalate to Enforcement After 30 Days
  9. Step 4: Fix Your Sending Reputation
  10. βœ… Email Deliverability Checklist
  11. Emails Still Landing in Spam?
πŸ“§ Email Deliverability

Why Your Emails Land in Spam β€” And How to Fix It With SPF, DKIM & DMARC

If your business emails are landing in spam, you’re losing revenue. This guide explains exactly why it happens and how to configure SPF, DKIM, and DMARC to fix it permanently.

πŸ“… 2025⏱ 8 min read✍️ Michael Kamel β€” CloudShift360

Key Stat: 45% of all email is spam. Gmail and Outlook now reject or filter emails without proper SPF, DKIM, and DMARC authentication β€” even from legitimate businesses.

Why Email Authentication Matters More Than Ever

In 2024, Google and Yahoo made SPF, DKIM, and DMARC mandatory for bulk senders. But even for regular business email, missing these records means your emails get filtered or rejected. The result: lost leads, missed invoices, and damaged sender reputation.

Three records protect your email domain:

  • SPF (Sender Policy Framework) β€” Tells receiving servers which IP addresses are allowed to send email for your domain
  • DKIM (DomainKeys Identified Mail) β€” Adds a cryptographic signature to every outgoing email, proving it wasn’t tampered with
  • DMARC (Domain-based Message Authentication) β€” Tells receivers what to do if SPF or DKIM fails, and sends you reports about who’s sending as your domain

Step 1: Set Up SPF

An SPF record is a DNS TXT record that lists all servers authorized to send email for your domain.

SPF Syntax Explained

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ip4:203.0.113.10 ~all
  • v=spf1 β€” SPF version
  • include: β€” Allow servers from another domain’s SPF
  • ip4: β€” Authorize specific IP addresses
  • ~all β€” SoftFail (filter but don’t reject). Use -all for HardFail once tested.

⚠️ SPF Lookup Limit: SPF has a maximum of 10 DNS lookups. Exceeding this causes a “permerror” and SPF fails. Use a flattening service if you have many include: statements.

Step 2: Configure DKIM

DKIM adds a digital signature to every email you send. It requires generating a key pair and publishing the public key in DNS.

DKIM DNS Record Format

selector1._domainkey.yourdomain.com IN TXT “v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA…”
  • For Microsoft 365: Enable DKIM in Exchange Admin Center β†’ Email Authentication
  • For Google Workspace: Admin Console β†’ Apps β†’ Google Workspace β†’ Gmail β†’ Authenticate email
  • For custom SMTP servers: Generate a 2048-bit RSA key pair and publish the public key as a TXT record

Step 3: Enforce DMARC

DMARC ties SPF and DKIM together and tells receivers what to do with emails that fail authentication.

Start with a Monitoring Policy

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensic@yourdomain.com; fo=1

Escalate to Enforcement After 30 Days

Policy Action When to Use
p=noneMonitor onlyStarting out β€” collect reports
p=quarantineSend to spamAfter 2–4 weeks of clean reports
p=rejectBlock completelyFull enforcement β€” highest protection

Step 4: Fix Your Sending Reputation

Even with perfect authentication, a bad sending reputation will land you in spam. Check these:

  • Check blacklists β€” Use MXToolbox to see if your IP or domain is listed on any RBL (Real-time Blackhole Lists)
  • Reverse DNS (PTR record) β€” Your sending IP must have a PTR record matching your mail server hostname
  • Bounce rate β€” Keep hard bounces under 2% or ISPs will throttle your email
  • Spam complaint rate β€” Google Postmaster Tools shows your complaint rate; keep it under 0.1%
  • Warm up new IPs β€” Never start sending bulk email from a new IP. Gradually ramp up volume over 4–6 weeks.

βœ… Email Deliverability Checklist

  • SPF record published with all sending sources
  • DKIM enabled and keys published in DNS
  • DMARC policy set (start with p=none, escalate to p=reject)
  • PTR/rDNS record configured for sending IP
  • Domain not on any blacklists (MXToolbox check)
  • Bounce rate below 2%
  • DMARC reports reviewed weekly

Emails Still Landing in Spam?

CloudShift360 audits and fixes email deliverability issues within 2 weeks. We configure SPF, DKIM, DMARC, and monitor your sender reputation β€” guaranteed inbox placement.

Get a Free Email Audit β†’
FREE CONSULTATION

🚀 Need Help With Your Cloud Infrastructure?

We have optimized AWS, Azure, and GCP environments for 88+ enterprise clients reducing costs by an average of 35% and achieving 99.9% uptime SLA. Let us audit your setup for free.

  • ✓ Free 30-minute cloud audit
  • ✓ Written action plan, no obligation
  • ✓ Available this week
📅 Book Free Audit ✉ Email Directly

Response within 24 hours

📚 Continue Reading

IT Security

Zero Trust Security in 2025: Why Your Cloud Infrastructure Can’t Afford to Wait

Mar 18, 2026 · 4 min read

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *