You send a proposal to a potential client. They never respond. A week later you follow up and they say, “I never got your first email.”
Sound familiar? There’s a good chance your emails are landing in spam folders — not because of what you wrote, but because of how your domain is configured.
Why Emails Go to Spam
Email providers like Gmail, Outlook, and Yahoo use a set of authentication checks to decide whether an email is legitimate or suspicious. These checks look at your domain’s DNS records to verify that the email actually came from an authorized sender.
If those records aren’t set up correctly — or don’t exist at all — your emails look unverified. And unverified emails get treated like spam.
There are three key authentication protocols that matter:
SPF (Sender Policy Framework)
SPF tells email providers which servers are allowed to send email on behalf of your domain. It’s a DNS record that lists your authorized senders — your email host, your marketing platform, etc.
Without SPF: Anyone can send emails that look like they’re from your domain, so email providers can’t tell your real emails from fakes.
What to do: Add an SPF record to your domain’s DNS. If you use Google Workspace, for example, your SPF record should include Google’s mail servers.
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to your outgoing emails. The receiving server checks that signature against a public key in your DNS records to verify the email wasn’t tampered with in transit.
Without DKIM: Email providers can’t verify that your emails are authentic and unmodified. This lowers your trust score.
What to do: Enable DKIM signing in your email provider’s settings and add the corresponding DNS record. Most email hosts (Google Workspace, Microsoft 365) have straightforward guides for this.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together and tells email providers what to do when an email fails authentication — let it through, quarantine it, or reject it. It also lets you receive reports about who’s sending email using your domain.
Without DMARC: Even if you have SPF and DKIM set up, email providers have no clear instruction on how to handle failures. This ambiguity hurts your deliverability.
What to do: Add a DMARC record to your DNS. Start with a “none” policy (monitoring only) so you can see what’s happening before enforcing stricter rules.
The Consequences of Ignoring This
Email authentication isn’t just a technical nicety. As of early 2024, Gmail and Yahoo made these records mandatory for bulk senders. But even if you only send a few emails a day, missing authentication records hurt your deliverability.
Real consequences include:
- Client emails going to spam — Proposals, invoices, and follow-ups that never get seen
- Domain reputation damage — Once your domain gets flagged, it takes time to recover
- Spoofing vulnerability — Without these records, anyone can send emails pretending to be you
How to Check Your Setup
The simplest way is to send a test email to a Gmail account and check the headers. Click the three dots on the message, select “Show original,” and look for SPF, DKIM, and DMARC results. You want to see “PASS” for all three.
You can also use free tools like MXToolbox or Google’s Check MX to scan your domain’s email configuration.
Or if you’d rather not dig through DNS records yourself, I include email health checks as part of my free site audit. It takes 60 seconds and tells you exactly what’s missing.