You send a quote, an invoice, or a simple reply — and it never lands. No bounce, no error, just silence. Days later the customer mentions it went to their junk folder, or never showed up at all. For a small business, that isn't a nuisance; it's lost work and a quiet dent in how reliable you look.
Here's the reassuring part: when your genuine email keeps getting flagged as spam, it's almost never because of what you wrote. It's usually three small, invisible settings that were never switched on — and once they are, your email quietly starts arriving where it should.
Why spam filters distrust real email
Email was built in a more trusting time. By default, anyone can send a message that claims to be from your address — which is exactly what scammers do. So mail providers like Gmail and Outlook now ask a simple question of every message that arrives: can you prove you really are who you say you are? If your email can't answer, it gets treated with suspicion — filed as junk, or blocked outright.
The good news is there's a standard way to prove it. It comes down to three checks, and they're easiest to picture as the security features on a piece of physical mail.
The three checks, in plain English
SPF — the approved-senders list
SPF is a public list of which servers are allowed to send email for your business — like telling the post office, 'legitimate mail from us only comes from these locations.' When your message arrives, the receiver checks the list. If the sending server isn't on it, that's a red flag.
DKIM — the tamper-proof seal
DKIM adds an invisible signature to every message — a wax seal that proves the email genuinely came from your domain and wasn't altered along the way. If the seal is missing or broken, the receiver knows something's off.
DMARC — the instructions when a check fails
DMARC ties the first two together and tells receivers what to do when a message doesn't pass: let it through, send it to junk, or reject it — and it can quietly report anyone trying to impersonate you. It's both a delivery boost and a shield against scammers using your name.
| Check | In plain English | If it's missing or wrong |
|---|---|---|
| SPF | The list of servers allowed to send as you | Mail from a real sender may be treated as suspicious |
| DKIM | A tamper-proof signature on each message | Receivers can't confirm the message wasn't altered |
| DMARC | The rule for what to do when a check fails | No protection against people impersonating your domain |
If you've ever wondered what these actually look like, they're just short lines of text stored in your domain's settings. An SPF record reads a bit like 'v=spf1 include:spf.protection.outlook.com -all' — the middle part lists who may send, and the end says how strict to be. A DMARC record starts with 'v=DMARC1; p=none' and a report address. You never need to memorise any of this; the point is only that they exist as small, checkable records — and when they're absent, there's simply nothing there to vouch for you.
How to tell if yours are missing
You don't need to read technical records to get a strong hint. A few tells: your emails reach some people but land in spam for others; a provider bounces a message with a note about 'authentication' or 'SPF/DKIM'; or nobody ever asked you to add anything to your domain's settings when your email was first set up. Any of those, and it's worth a proper check.
There are free tools that read your domain and show which checks pass — but the results are written for technicians. If it looks like alphabet soup, that's normal; it's the sort of thing worth handing to someone who does it every week.
Check your domain's email health
Enter your domain and we'll read its public DNS records for SPF, DKIM, and DMARC — right here in your browser. Nothing is stored.
A quick DNS read, not a full deliverability audit. DKIM can use many possible record names, so a “no key” result may just mean a custom selector.
The situations we see most
Most deliverability trouble is one of a handful of familiar stories. If any of these sounds like yours, you're in good company — they come up constantly.
Your newsletter or booking tool sends 'as you' — and lands in spam
This is the most common one by far. You sign up for an email newsletter service, a CRM, a booking system, or an invoicing tool, and set it to send from your address. But because that outside service isn't on your SPF list, receivers see mail claiming to be you from a server you never approved — and quietly bin it. The fix isn't to stop using the tool; it's to add that service to your SPF record (and usually switch on its DKIM signing too), so its mail is properly blessed as coming from you.
One important message is stuck in quarantine
Sometimes a genuine email isn't rejected outright, just held in a 'quarantine' waiting room that nobody thinks to check. A one-off can be released and the sender added to a safe-senders list. But if legitimate mail keeps landing there, that's a sign the underlying checks need sorting properly, rather than playing a daily game of whack-a-mole.
You've tweaked the spam filter and still get too much
Filters help, but they treat the symptom. If junk keeps pouring in after you've nudged the settings, the more durable fixes are tightening your own authentication (so scammers can't spoof your domain to your own staff, which is a favourite trick), and turning on the stronger filtering that usually already comes with your plan — not endlessly adjusting sliders.
A sudden flood of spam after a password scare
A spike in spam right after a breach often means an address was exposed. Beyond the clean-up — new password, two-factor, checking for rogue mailbox rules — a properly enforcing DMARC policy makes it far harder for anyone to send convincing mail in your name afterwards.
| What you're seeing | Usual cause | What fixes it |
|---|---|---|
| Mail to some people is fine, others get junk | Inconsistent or missing authentication | Set up SPF, DKIM and DMARC correctly |
| Your newsletter/CRM mail goes to spam | That sender isn't on your SPF list | Add the service to SPF and enable its DKIM |
| A bounce mentions 'SPF' or 'authentication' | A missing or broken record | Correct the DNS record |
| Real mail keeps sitting in quarantine | Filtering distrusts unauthenticated mail | Fix authentication; safe-list the sender |
| Spam spike after a breach | Address exposed; domain spoofable | Secure the account; enforce DMARC |
How it gets fixed
The fix lives in your domain's DNS settings — a few small records added or corrected. It's quick for someone who knows the ropes and fiddly if you don't, since a single stray character in an SPF record can make delivery worse rather than better. DMARC especially is best introduced gently, so you don't accidentally block your own mail while it settles in.
Once all three are in place and verified, most businesses watch the junk-foldering fade over a day or two as providers start trusting their mail again. It's one of those fixes you do once and stop thinking about.
There's one part worth doing slowly on purpose: DMARC's enforcement level. It's usually switched on in 'monitoring' mode first (written as p=none), which watches without blocking anything. After a couple of weeks of confirming your own legitimate mail all passes, it's tightened to send failures to junk (quarantine), and finally to reject them outright. That gentle ramp is how you get the impersonation protection without ever risking your own messages — and it's exactly the step people skip when they set DMARC up in a hurry.