SPF, DKIM and DMARC — Why Your Emails Go to Spam and How to Fix It

You send an important email to a client and it lands in spam. Or worse — it never arrives. Sound familiar? In 2024, Google and Microsoft introduced strict email authentication requirements. If your domain doesn't have properly configured SPF, DKIM and DMARC records, your emails will be blocked.

Why Google and Microsoft Started Blocking Emails

In February 2024, Google announced that anyone sending more than 5,000 emails per day to Gmail users MUST have SPF, DKIM and DMARC. Microsoft followed with similar requirements. Since April 2025, these rules apply to ALL senders.

3.4B phishing emails daily
91% of cyber attacks start with email
85% of world emails are spam
99% filtering with proper config

What is SPF?

SPF (Sender Policy Framework) is a DNS record that tells the world which servers are authorized to send emails from your domain.

Example: Your company uses Microsoft 365 for email and Mailchimp for newsletters. The SPF record says: "Only Microsoft and Mailchimp servers can send from our domain. Reject everything else."

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all

👉 Check your SPF record or generate a new one

What is DKIM?

DKIM (DomainKeys Identified Mail) adds a digital signature to every email you send, proving it hasn't been tampered with in transit.

Analogy: If SPF is the list of approved couriers, DKIM is the wax seal on the letter. Even if the courier is approved (SPF pass), the seal proves the letter hasn't been opened.

👉 Check your DKIM configuration

What is DMARC?

DMARC tells receiving servers what to do when an email fails SPF or DKIM checks. It has three policies:

p=none (Monitor)

Don't take action, but send me reports. Perfect for starting out.

p=quarantine

Put suspicious emails in spam folder.

p=reject

Fully block unauthenticated emails. Maximum protection.

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r

👉 Check your DMARC record or generate a new one

How They Work Together

1. SPF: Checks if server is authorized
2. DKIM: Verifies digital signature
3. DMARC: Decides what to do on fail
✅ Inbox: Email reaches recipient

Step-by-Step Setup

  1. Use our Full Security Scan to check current state
  2. Use SPF Generator to create your SPF record
  3. Enable DKIM in Microsoft Defender or Google Admin
  4. Use DMARC Generator — start with p=none
  5. Monitor for 2-4 weeks, then move to quarantine, finally reject

Common Mistakes

More than 10 DNS lookups in SPF

SPF has a limit of 10 DNS lookups. Exceeding this makes SPF completely non-functional.

Two SPF records for one domain

You can have ONLY ONE SPF TXT record. Two records = invalid configuration.

DMARC reject without testing

Jumping straight to p=reject can block legitimate third-party emails.

Don't have time to do it yourself?

Our Email Defence service includes full SPF, DKIM and DMARC configuration and monitoring. Or request a free consultation.
