
Why your business email lands in spam

April 2026

When a business sends an email, the receiving server checks three DNS records before deciding whether to deliver it to the inbox or send it to spam. Since Google and Yahoo began enforcing authentication requirements in February 2024, and Microsoft followed in May 2025, more businesses have basic records in place. But having a record and having it configured correctly are different things. Most businesses we audit have at least one of the three missing, misconfigured, or set to a monitoring-only policy that does nothing to prevent spoofing.

SPF (Sender Policy Framework)

SPF tells receiving servers which mail servers are allowed to send email on behalf of your domain. Without it, anyone can send email that looks like it came from your business. Receiving servers see the missing record and flag the message as suspicious.

SPF is a single TXT record in your domain's DNS. It lists the IP addresses and services authorized to send for you. If you send through Gmail, your SPF record needs to include Google's servers. If you also use Mailchimp, it needs Mailchimp's servers too.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every outgoing email. The receiving server checks this signature against a public key published in your DNS. If the signature matches, the email hasn't been tampered with and it actually came from your domain.

Without DKIM, there is no way for a receiving server to verify that an email from your domain is legitimate. This is one of the most common reasons business email lands in spam on services like iCloud, Outlook, and Yahoo.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC ties SPF and DKIM together and tells receiving servers what to do when an email fails both checks. Without a DMARC policy, each receiving server makes its own decision. With one, you control the outcome: reject the email, quarantine it, or let it through.

DMARC also enables reporting. You get data on who is sending email using your domain, which lets you catch spoofing attempts and misconfigured services.

What the major providers require now

Google and Yahoo began enforcing email authentication in February 2024. Bulk senders (5,000+ emails per day) must have SPF, DKIM, and DMARC configured. Non-bulk senders need at minimum SPF or DKIM. Microsoft followed in May 2025 and now rejects non-compliant mail outright rather than sending it to junk.

Having a DMARC record set to p=none satisfies the minimum requirement, but it does not actually protect your domain. It tells receiving servers to take no action when authentication fails. Moving to p=quarantine or p=reject is what stops spoofing.

How to check

You can check all three records in under a minute. Open a terminal or use an online DNS lookup tool and query your domain for TXT records. Look for entries starting with v=spf1, a record at _dmarc.yourdomain.com, and DKIM selector records (these vary by provider).

If any of those come back empty, that is the problem. If your DMARC policy is set to p=none, you have a record but no protection. The fix is DNS configuration, and it usually takes under an hour.
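The check described above can be scripted. The following is an added example, not code from the original article: it takes TXT records you have already looked up (for instance with dig +short TXT, quotes removed) and reports the gaps this page describes. The function names, the selector1 selector, and every record value in SAMPLE are constructed assumptions.

```python
# Added example: audit SPF, DKIM and DMARC TXT records for one domain.
# Input maps a DNS name to the TXT strings found there. Sample data is constructed.

def parse_tags(record):
    """Split a 'k=v; k=v' record (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")  # first '=' only: base64 keys may end in '='
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(domain, txt, dkim_selector):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # SPF lives among the domain's own TXT records, next to unrelated entries.
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (evaluation error)")
    # DKIM keys sit at <selector>._domainkey.<domain>; the selector varies by provider.
    dkim_name = f"{dkim_selector}._domainkey.{domain}"
    if not any(parse_tags(r).get("p") for r in txt.get(dkim_name, [])):
        findings.append(f"DKIM: no public key at {dkim_name}")
    # DMARC sits at _dmarc.<domain>; the p= tag decides what happens on failure.
    dmarc = [parse_tags(r) for r in txt.get(f"_dmarc.{domain}", [])
             if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(f"DMARC: no record at _dmarc.{domain}")
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none is monitoring only")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: missing or invalid p= tag")
    return findings

# Constructed sample: SPF and DKIM present, DMARC published but not enforcing.
SAMPLE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all",
                    "site-verification=constructed-value"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    for line in audit("example.com", SAMPLE, "selector1") or ["nothing flagged"]:
        print(line)
```

A clean result only means the records exist and the DMARC policy is enforcing; it does not confirm that every service sending for the domain is covered by them.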
