Skip to main content

IT Support

Why your business email keeps landing in spam

If your quotes, invoices, or replies quietly land in customers' junk folders, it's usually three invisible settings — not you. Here's what they are, in plain English.

· 9 min read

You send a quote, an invoice, or a simple reply — and it never lands. No bounce, no error, just silence. Days later the customer mentions it went to their junk folder, or never showed up at all. For a small business, that isn't a nuisance; it's lost work and a quiet dent in how reliable you look.

Here's the reassuring part: when your genuine email keeps getting flagged as spam, it's almost never because of what you wrote. It's usually three small, invisible settings that were never switched on — and once they are, your email quietly starts arriving where it should.

Why spam filters distrust real email

Email was built in a more trusting time. By default, anyone can send a message that claims to be from your address — which is exactly what scammers do. So mail providers like Gmail and Outlook now ask a simple question of every message that arrives: can you prove you really are who you say you are? If your email can't answer, it gets treated with suspicion — filed as junk, or blocked outright.

The good news is there's a standard way to prove it. It comes down to three checks, and they're easiest to picture as the security features on a piece of physical mail.

The three checks, in plain English

SPF — the approved-senders list

SPF is a public list of which servers are allowed to send email for your business — like telling the post office, 'legitimate mail from us only comes from these locations.' When your message arrives, the receiver checks the list. If the sending server isn't on it, that's a red flag.

DKIM — the tamper-proof seal

DKIM adds an invisible signature to every message — a wax seal that proves the email genuinely came from your domain and wasn't altered along the way. If the seal is missing or broken, the receiver knows something's off.

DMARC — the instructions when a check fails

DMARC ties the first two together and tells receivers what to do when a message doesn't pass: let it through, send it to junk, or reject it — and it can quietly report anyone trying to impersonate you. It's both a delivery boost and a shield against scammers using your name.

CheckIn plain EnglishIf it's missing or wrong
SPFThe list of servers allowed to send as youMail from a real sender may be treated as suspicious
DKIMA tamper-proof signature on each messageReceivers can't confirm the message wasn't altered
DMARCThe rule for what to do when a check failsNo protection against people impersonating your domain

If you've ever wondered what these actually look like, they're just short lines of text stored in your domain's settings. An SPF record reads a bit like 'v=spf1 include:spf.protection.outlook.com -all' — the middle part lists who may send, and the end says how strict to be. A DMARC record starts with 'v=DMARC1; p=none' and a report address. You never need to memorise any of this; the point is only that they exist as small, checkable records — and when they're absent, there's simply nothing there to vouch for you.

How to tell if yours are missing

You don't need to read technical records to get a strong hint. A few tells: your emails reach some people but land in spam for others; a provider bounces a message with a note about 'authentication' or 'SPF/DKIM'; or nobody ever asked you to add anything to your domain's settings when your email was first set up. Any of those, and it's worth a proper check.

There are free tools that read your domain and show which checks pass — but the results are written for technicians. If it looks like alphabet soup, that's normal; it's the sort of thing worth handing to someone who does it every week.

Check your domain's email health

Enter your domain and we'll read its public DNS records for SPF, DKIM, and DMARC — right here in your browser. Nothing is stored.

A quick DNS read, not a full deliverability audit. DKIM can use many possible record names, so a “no key” result may just mean a custom selector.

The situations we see most

Most deliverability trouble is one of a handful of familiar stories. If any of these sounds like yours, you're in good company — they come up constantly.

Your newsletter or booking tool sends 'as you' — and lands in spam

This is the most common one by far. You sign up for an email newsletter service, a CRM, a booking system, or an invoicing tool, and set it to send from your address. But because that outside service isn't on your SPF list, receivers see mail claiming to be you from a server you never approved — and quietly bin it. The fix isn't to stop using the tool; it's to add that service to your SPF record (and usually switch on its DKIM signing too), so its mail is properly blessed as coming from you.

One important message is stuck in quarantine

Sometimes a genuine email isn't rejected outright, just held in a 'quarantine' waiting room that nobody thinks to check. A one-off can be released and the sender added to a safe-senders list. But if legitimate mail keeps landing there, that's a sign the underlying checks need sorting properly, rather than playing a daily game of whack-a-mole.

You've tweaked the spam filter and still get too much

Filters help, but they treat the symptom. If junk keeps pouring in after you've nudged the settings, the more durable fixes are tightening your own authentication (so scammers can't spoof your domain to your own staff, which is a favourite trick), and turning on the stronger filtering that usually already comes with your plan — not endlessly adjusting sliders.

A sudden flood of spam after a password scare

A spike in spam right after a breach often means an address was exposed. Beyond the clean-up — new password, two-factor, checking for rogue mailbox rules — a properly enforcing DMARC policy makes it far harder for anyone to send convincing mail in your name afterwards.

What you're seeingUsual causeWhat fixes it
Mail to some people is fine, others get junkInconsistent or missing authenticationSet up SPF, DKIM and DMARC correctly
Your newsletter/CRM mail goes to spamThat sender isn't on your SPF listAdd the service to SPF and enable its DKIM
A bounce mentions 'SPF' or 'authentication'A missing or broken recordCorrect the DNS record
Real mail keeps sitting in quarantineFiltering distrusts unauthenticated mailFix authentication; safe-list the sender
Spam spike after a breachAddress exposed; domain spoofableSecure the account; enforce DMARC

How it gets fixed

The fix lives in your domain's DNS settings — a few small records added or corrected. It's quick for someone who knows the ropes and fiddly if you don't, since a single stray character in an SPF record can make delivery worse rather than better. DMARC especially is best introduced gently, so you don't accidentally block your own mail while it settles in.

Once all three are in place and verified, most businesses watch the junk-foldering fade over a day or two as providers start trusting their mail again. It's one of those fixes you do once and stop thinking about.

There's one part worth doing slowly on purpose: DMARC's enforcement level. It's usually switched on in 'monitoring' mode first (written as p=none), which watches without blocking anything. After a couple of weeks of confirming your own legitimate mail all passes, it's tightened to send failures to junk (quarantine), and finally to reject them outright. That gentle ramp is how you get the impersonation protection without ever risking your own messages — and it's exactly the step people skip when they set DMARC up in a hurry.

Frequently asked questions

What are SPF, DKIM, and DMARC?
Three behind-the-scenes settings on your domain that prove your email is genuinely from you. SPF lists which servers may send for you, DKIM adds a tamper-proof signature, and DMARC tells receivers what to do if a message fails those checks. Together they're why modern email providers trust — or distrust — your mail.
Why do my legitimate emails go to spam?
Usually because those three checks aren't set up, so providers like Gmail and Outlook can't confirm the mail is really from you and play it safe by filing it as junk. It's rarely about what you wrote.
Can I fix this myself?
You can, if you're comfortable editing your domain's DNS records — but small mistakes (a typo in SPF, or too strict a DMARC policy) can make delivery worse. Many owners would rather have it checked and set once, correctly, and never think about it again.
We use Mailchimp / a CRM / a booking tool — why does its mail go to spam?
Because that service sends 'as you' from its own servers, which aren't on your SPF list, so receivers can't confirm it's really you. The fix is to add the service to your SPF record and switch on its DKIM signing — then its mail is recognised as legitimately yours.
How long does a fix take to work?
DNS changes usually take effect within a few minutes to a few hours, and most businesses see spam-foldering improve within a day or two. DMARC enforcement is deliberately ramped up over a couple of weeks so it never blocks your own mail.
What does 'p=none' mean on my DMARC?
It means DMARC is in monitoring mode — watching, but not yet blocking anyone impersonating you. It's the safe first step, but the protection only kicks in once it's moved to 'quarantine' and then 'reject' after confirming your legitimate mail passes.

Keep reading

Book a consult

Let's talk about what's not working

The first conversation is free and pressure-free. You talk, we listen, and by the end you'll have at least one concrete thing you can act on — whether you work with us or not.

30 minutes, via phone or video

We come prepared if you share your brief first

Flexible scheduling, including evenings and weekends

What to expect

0–5 min

Context

We learn about your business and what's not working

5–20 min

Diagnosis

We ask specific questions and share our initial read

20–30 min

Next steps

You leave with at least one concrete recommendation

“James created something that I have no doubt is the reason my practice has been at capacity for years.”

— Donovan Bigelow, LMHC