🤖Automation

Email Deliverability: Why Your Emails Land in Spam (and How SPF, DKIM, and DMARC Fix It)

Published 26 March 2026
9 min read
15 views

The Deliverability Problem Nobody Talks About

Marketing teams spend hours crafting email campaigns — subject lines, copy, design, segmentation — then wonder why results are disappointing. The assumption is usually "the content wasn't good enough" or "email marketing is dying."

More often, the real problem is simpler and more fixable: the emails aren't reaching the inbox.

Globally, about 15-20% of legitimate marketing emails never reach the inbox. They land in spam, get rejected at the server level, or quietly disappear into the void. For businesses without proper email authentication, that number can be significantly higher.

In 2024, Google and Yahoo implemented strict new requirements for bulk email senders. By 2026, these requirements have become table stakes. If you're not meeting them, your emails are increasingly likely to be rejected outright.

How Email Delivery Actually Works

When you hit send, your email doesn't fly directly to someone's inbox. It goes through a gauntlet of checks:

  1. Your email service (Mailchimp, HubSpot, etc.) sends the email from their servers
  2. The receiving server (Gmail, Outlook, etc.) receives it
  3. Authentication checks — Is this email really from who it claims to be?
  4. Reputation checks — Does this sender have a good track record?
  5. Content checks — Does the email look like spam?
  6. Placement decision — Inbox, spam folder, or rejected entirely

Authentication is step 3 — and it's where most deliverability problems start.

The Three Authentication Protocols

SPF (Sender Policy Framework)

What it does: Tells receiving servers which mail servers are authorised to send email on behalf of your domain.

Analogy: It's like a guest list at a venue. "Only these servers are allowed to send mail as @yourdomain.com."

How it works:

  1. You add a DNS TXT record to your domain
  2. The record lists all authorised sending sources
  3. When a server receives an email from your domain, it checks the SPF record
  4. If the sending server is on the list → passes SPF
  5. If not → fails SPF (likely goes to spam or gets rejected)

What your SPF record looks like:

v=spf1 include:_spf.google.com include:mailchimp.com include:sendgrid.net ~all

This says: "Google, Mailchimp, and SendGrid are allowed to send email for this domain. Soft-fail anything else."

Common issues:

  • Forgetting to add a sending service (new tool not included in SPF)
  • SPF record exceeding the 10 DNS lookup limit
  • Using +all instead of ~all or -all (effectively allowing anyone to send as you)

DKIM (DomainKeys Identified Mail)

What it does: Adds a digital signature to your emails that proves the content hasn't been tampered with in transit.

Analogy: It's like a wax seal on a letter. If the seal is intact when it arrives, the recipient knows it hasn't been opened or modified.

How it works:

  1. Your email service generates a public/private key pair
  2. The private key signs each outgoing email
  3. The public key is published as a DNS record on your domain
  4. The receiving server uses the public key to verify the signature
  5. If it matches → passes DKIM (email is authentic and unmodified)
  6. If not → fails DKIM

Setup:

  • Your email service (Mailchimp, HubSpot, etc.) provides the DKIM record
  • You add it as a DNS TXT or CNAME record
  • Each sending service needs its own DKIM record

DMARC (Domain-based Message Authentication, Reporting & Conformance)

What it does: Ties SPF and DKIM together and tells receiving servers what to do when an email fails authentication.

Analogy: SPF and DKIM are the security checks. DMARC is the policy that says "if someone fails the security check, here's what to do with them."

How it works:

  1. You publish a DMARC policy as a DNS TXT record
  2. When an email arrives claiming to be from your domain:
    • Does it pass SPF? Does it pass DKIM?
    • Does the "From" address align with the authenticated domain?
  3. If it fails, DMARC tells the server what to do:
    • p=none — do nothing (monitoring only)
    • p=quarantine — send to spam
    • p=reject — reject the email entirely

What your DMARC record looks like:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

The rollout path:

  1. Start with p=none (monitor who's sending as your domain)
  2. Review DMARC reports for 2-4 weeks
  3. Fix any legitimate senders that are failing
  4. Move to p=quarantine (spam folder for failures)
  5. Eventually move to p=reject (block failures entirely)

Never jump straight to p=reject. You might block legitimate emails from services you forgot to authenticate.

Why This Matters Now More Than Ever

Google and Yahoo Requirements (2024+)

For anyone sending over 5,000 emails per day:

  • SPF and DKIM authentication required
  • DMARC policy required (at minimum p=none)
  • One-click unsubscribe header required
  • Spam complaint rate must stay below 0.3%
  • Valid forward and reverse DNS records

Fail to meet these? Your emails get throttled, spam-foldered, or rejected.

Microsoft/Outlook (2025+)

Microsoft followed with similar requirements:

  • SPF, DKIM, and DMARC required for bulk senders
  • Stricter enforcement on authentication alignment
  • Enhanced spam filtering based on sender reputation

The Direction Is Clear

Email providers are making authentication mandatory, not optional. The businesses that set this up properly now won't have to scramble when the next round of enforcement hits.

Beyond Authentication: Other Deliverability Factors

Authentication gets you through the door. These factors determine whether you stay in the inbox.

Sender Reputation

Every sending domain and IP builds a reputation score over time.

What helps:

  • High engagement (opens, clicks, replies)
  • Low bounce rate
  • Low spam complaint rate
  • Consistent sending volume
  • Clean list with no spam traps

What hurts:

  • High bounce rate (sending to invalid addresses)
  • Spam complaints above 0.1%
  • Sudden spikes in sending volume
  • Sending to purchased or scraped lists
  • Being marked as spam by recipients

List Hygiene

Your email list decays at roughly 2-3% per month. People change jobs, abandon email addresses, and forget they signed up.

Maintain your list:

  • Remove hard bounces immediately
  • Re-engage or remove subscribers who haven't opened in 90 days
  • Never buy email lists (this alone can destroy your reputation)
  • Use double opt-in for new subscribers
  • Run list validation through a service like ZeroBounce or NeverBounce annually

Content Quality

Spam filters evaluate your email content:

Avoid:

  • ALL CAPS in subject lines
  • Excessive exclamation marks!!!
  • Spam trigger words ("free," "act now," "limited time" in excess)
  • Image-only emails (no text for filters to evaluate)
  • Misleading subject lines
  • Broken HTML

Do:

  • Maintain a healthy text-to-image ratio
  • Use clean, tested HTML
  • Personalise where possible (real personalisation, not just first name)
  • Include a plain-text version
  • Make unsubscribe easy and obvious

Sending Patterns

  • Warm up new domains/IPs: Start with small volumes and increase gradually
  • Send consistently: Don't send 50 emails one week and 50,000 the next
  • Time zone awareness: Send when recipients are awake
  • Segment and target: Sending relevant content to engaged subscribers helps reputation

Setting It All Up

Step 1: Audit Your Current State

Before changing anything, check what's already in place.

Tools:

  • MXToolbox — Check SPF, DKIM, and DMARC records
  • mail-tester.com — Send a test email and get a deliverability score
  • Google Postmaster Tools — See how Gmail views your domain reputation
  • Microsoft SNDS — See how Outlook views your sending reputation

Step 2: Set Up SPF

  1. List every service that sends email from your domain (email marketing, CRM, transactional email, Google Workspace, etc.)
  2. Create or update your SPF record to include all of them
  3. Verify with MXToolbox
  4. Ensure you're under the 10 DNS lookup limit

Step 3: Set Up DKIM

  1. For each sending service, find their DKIM setup instructions
  2. Generate the DKIM keys in the service
  3. Add the DNS records they provide
  4. Verify DKIM is passing (send a test email, check headers)

Step 4: Set Up DMARC

  1. Start with p=none (monitoring mode)
  2. Add the DMARC DNS record
  3. Set up a reporting address to receive DMARC reports
  4. Use a tool like Postmark's DMARC monitoring or dmarcian to read reports
  5. Review reports for 2-4 weeks
  6. Fix any legitimate senders failing authentication
  7. Move to p=quarantine then eventually p=reject

Step 5: Monitor Ongoing

  • Check Google Postmaster Tools weekly
  • Monitor bounce rates and spam complaints per campaign
  • Review DMARC reports monthly
  • Run mail-tester.com checks after any setup changes
  • Track inbox placement rates if your email tool provides them

Diagnosing Deliverability Issues

| Symptom | Likely Cause | Fix | |---------|-------------|-----| | Sudden drop in open rates | Emails going to spam | Check authentication, review recent content changes | | High bounce rate | Bad list data | Clean your list, remove invalid addresses | | Emails rejected by Gmail | SPF/DKIM/DMARC failure | Verify DNS records, check alignment | | Low engagement across the board | Reputation damage | Re-engage or remove inactive subscribers, reduce volume | | Specific domain rejections | Blacklisted IP | Check blacklists (MXToolbox), contact the listing service |

Common Mistakes

  1. Ignoring authentication entirely — "Our emails work fine" until they suddenly don't. By then, reputation damage is done.
  2. Jumping to DMARC reject — skipping monitoring mode blocks legitimate emails you forgot about
  3. Exceeding SPF lookup limits — your SPF record silently breaks and you don't notice
  4. Not authenticating every sending service — that form notification plugin, that CRM auto-email, that invoicing tool — they all send from your domain
  5. Buying email lists — fastest way to destroy your sender reputation
  6. No list hygiene — emailing dead addresses trains spam filters that you send unwanted mail
  7. Sending without warming up — new domain sends 10,000 emails on day one = instant spam folder
  8. Ignoring the data — deliverability requires monitoring. Set it and forget it doesn't work.

Quick Start

  1. Check your current setup at MXToolbox.com
  2. Verify SPF includes all your sending services
  3. Set up DKIM for every service that sends email from your domain
  4. Add a DMARC record with p=none to start monitoring
  5. Sign up for Google Postmaster Tools
  6. Send a test email to mail-tester.com — aim for 9/10 or higher
  7. Clean your list (remove anyone who hasn't engaged in 6+ months)
  8. Monitor monthly and tighten DMARC policy over time

Email deliverability isn't exciting. But it's the foundation everything else rests on. The best subject line in the world doesn't matter if nobody sees it.

RELATED TOPICS

email deliverabilitySPFDKIMDMARCemail authenticationspam folderinbox placementemail reputation

Related Articles

SMS Marketing: The Channel With 98% Open Rates That Most Businesses Ignore

Your emails have a 20% open rate on a good day. Your social posts reach maybe 5% of your followers. Meanwhile, text messages sit at a 98% open rate with 90% read within 3 minutes. SMS isn't new, but most businesses still aren't using it — and that's an opportunity.

9 min read

Choosing a CRM: How to Pick One Your Team Will Actually Use

The most expensive CRM is the one nobody uses. Businesses spend thousands on platforms with 200 features, then use it as a glorified spreadsheet. Here's how to choose a CRM that fits your actual workflow — not the one with the best sales pitch.

10 min read

Lead Scoring: Stop Treating Every Enquiry Like It's Ready to Buy

Your sales team calls every lead within an hour. Half aren't ready to talk. A quarter aren't even qualified. Lead scoring fixes this by ranking prospects based on who they are and what they've done — so sales talks to the right people at the right time.

10 min read

Need Help Implementing This?

Our team at Tiberius specializes in automation and can help you achieve your goals.