Insight
Business email going to spam is almost always missing SPF, DKIM and DMARC records. Here is what they are and how to fix it so your email lands.
Business email going to spam is almost always missing SPF, DKIM and DMARC records. Here is what they are and how to fix it so your email lands.
Business email usually goes to spam because your domain is missing three security records - SPF, DKIM and DMARC - that prove your email is genuinely from you. Without them, providers like Gmail and Outlook cannot verify your mail, so they treat it as suspicious. Setting up all three, correctly, fixes the problem in most cases within a day or two.
If your quotes, invoices and replies keep landing in clients' junk folders, it is rarely bad luck and almost never the message. It is your domain's reputation and, most often, missing authentication records. Here is what is going wrong and how to fix it.
Spam filters send your email to junk when they cannot confirm it really came from your domain. The three records that confirm it - SPF, DKIM and DMARC - are the single most common thing small businesses have set up wrong or not at all.
In plain terms:
Get all three right and you are telling Gmail and Outlook, in a language they trust, that your mail is legitimate. Google and Yahoo now require them for anyone sending in volume, as detailed in Microsoft's email authentication guidance.
Best practice: Set up SPF, DKIM and DMARC together rather than one at a time, because providers only trust your mail once all three line up.
Send an email from your business address to a Gmail account, open it, and use the show original option to see whether SPF, DKIM and DMARC each say pass. If any say fail or none, that is your culprit.
Tip: Send yourself a test to a Gmail account and read the authentication results before changing anything, so you fix the record that is actually failing.
This two-minute check tells you more than an hour of guessing. If all three pass and mail still lands in spam, the problem is more likely your domain's reputation or the content of the message, covered below.
Beyond authentication, a handful of habits quietly wreck deliverability. The usual suspects:
That last one links straight to security. A compromised account is one of the fastest ways to land on a blocklist, which is why multi-factor authentication matters, see what is MFA and the cyber security essentials guide.
Warning: A hacked mailbox can get your whole domain onto a blocklist, so turning on MFA protects your deliverability as much as your data.
Set up SPF, DKIM and DMARC correctly for your domain, then keep bulk email off your main mailbox. On Microsoft 365, DKIM and SPF take a few minutes each in the admin centre, and DMARC is a single DNS record you add gradually.
The catch is that a wrong SPF record is worse than none, and DMARC set too strict on day one can block your own legitimate mail. It is worth doing carefully or having someone do it once, properly. This is part of every setup in our Microsoft 365 service, and it ties into the wider guide, Microsoft 365 for small business, done right.
Business email going to spam is almost always missing or broken SPF, DKIM and DMARC records. Check them with a Gmail test, set all three up correctly, keep your accounts secure and your bulk sending separate, and your mail will start landing where it should.
A sudden change usually means a broken authentication record, a new blocklisting, or a compromised account sending spam in your name. Check SPF, DKIM and DMARC first, then confirm no mailbox has been hacked.
They are three DNS records that prove your email is genuinely from your domain. SPF lists allowed senders, DKIM signs each message, and DMARC tells receivers what to do if the first two fail.
Once the records are set correctly, most improvement shows within 24 to 48 hours as DNS updates spread. Rebuilding a badly damaged domain reputation can take a few weeks of consistent, legitimate sending.
You can, but you should not. Bulk email from your main mailbox hurts your domain reputation and lands in spam. Use a dedicated marketing platform that handles authentication for bulk sending.
No. Microsoft 365 makes SPF and DKIM easy to configure, but you still have to set them up and add DMARC yourself. They are not switched on correctly by default.
Not sure whether your email is set up right? Take the free business health check and we will test your deliverability for you.
Tell us where your business is at, and we will tell you where we would start.