Fast answer
Receiving mail servers judge your email by whether your domain publishes SPF (which servers may send as you), DKIM (a cryptographic signature proving the message wasn't altered), and DMARC (what to do with mail that fails). Missing or broken records mean the spam folder — and leave your domain open to spoofing. Most fixes take under a week including the monitoring period.
The three records, in plain English
\n- \n
- SPF lists which mail servers are allowed to send email for your domain. If your newsletter tool or CRM sends as you but isn\'t in the list, those messages fail. \n
- DKIM attaches a cryptographic signature to each message proving it genuinely came from your domain and wasn\'t modified in transit. \n
- DMARC tells receiving servers what to do when a message fails those checks — and, crucially, sends you reports about who is sending email claiming to be you. \n
Gmail and Microsoft tightened enforcement sharply in the last two years: bulk senders without all three now face outright rejection, not just spam-foldering. "We\'ve always sent email fine" ended as a strategy.
\n\nWhy this breaks silently in real businesses
\nThe classic failure: the business adds a tool — marketing platform, quoting software, scanner-to-email — that sends mail as the company domain, and nobody updates SPF. Some mail delivers (keeping everyone confused), some doesn\'t. Or two IT vendors edited DNS over the years and the domain now has two SPF records, which is invalid — so everything soft-fails.
\nThe other silent killer: your domain being spoofed. Without DMARC, anyone can send email claiming to be you. Recipients get burned, mark it spam, and your legitimate mail inherits the reputation damage. DMARC reports are how you discover this is happening — most businesses are shocked at what shows up in the first week.
\n\nDiagnosing it like an engineer
\n- \n
- Pull the message headers from an email that landed in spam — they record the SPF/DKIM/DMARC verdicts explicitly. \n
- Inventory every system that sends as your domain: mail client, CRM, invoicing, marketing, scanners, website forms. \n
- Check your sending IPs and domain against public blacklists. \n
- Publish or repair the three records, then run DMARC in monitoring mode for 1–2 weeks before enforcing. \n
The order matters — enforcing DMARC before the inventory is complete quarantines your own legitimate mail. This is exactly the kind of job where an hour of engineering beats a month of trial and error; it\'s a standard fix in our managed IT service.
\n\nWhat good looks like when it\'s done
\nAll three records published and passing. DMARC at an enforcement policy, with weekly reports reviewed for new senders and spoofing attempts. Every legitimate sending tool authenticated. And an internal rule: no new tool sends email as the company domain until it\'s added to SPF/DKIM — which turns deliverability from a recurring crisis into a solved problem.
\n\n