You send an email to a potential client. They never reply. Weeks later you find out they never even saw it — it went straight to their spam folder. This is happening to thousands of small businesses every day, and most of them have no idea why. The good news? It's almost always fixable.
When you send an email, the receiving mail server doesn't just look at your message — it runs a series of checks to decide whether your email is legitimate or suspicious. If your domain fails these checks, your email gets flagged as potential spam or phishing, regardless of what you actually wrote.
The three most common technical causes are broken or missing SPF, DKIM, and DMARC records. These are DNS records — small pieces of text stored against your domain name — that tell receiving mail servers who is allowed to send email on your behalf and how to verify your emails are genuine.
Most small businesses have never set these up correctly. It's not their fault — when you register a domain or sign up for email hosting, nobody tells you about this. But in 2024 and beyond, major email providers like Gmail and Outlook have significantly tightened their requirements, meaning the problem is only getting worse for businesses without proper authentication.
⚠️ Important change in 2024 Google now requires valid SPF, DKIM, and DMARC for all emails sent to Gmail addresses. Without these, your emails may be rejected or sent to spam automatically — regardless of your content or reputation.
SPF stands for Sender Policy Framework. It's a DNS record that lists all the mail servers that are authorised to send email on behalf of your domain.
Think of it like a guest list at a venue. When an email arrives claiming to be from yourcompany.ca, the receiving server checks the SPF record to see if the server that sent it is on the approved list. If it's not — or if the record doesn't exist — the email fails the SPF check and is more likely to be flagged as spam or rejected.
v=spf1 include:_spf.google.com include:servers.mcsv.net ~allThis example tells receiving servers that Google Workspace and Mailchimp are authorised to send email for this domain. The ~all at the end means emails from unlisted servers should be treated as a "soft fail" — suspicious but not automatically rejected.
+all instead of ~all or -all — this tells servers to trust anyone, which spam filters flag as suspiciousI'll audit your domain and tell you exactly what's wrong — and how to fix it.
Get a free diagnosis →Flat fee $200–$500 · 24–48hr turnaround · No login credentials required
DKIM stands for DomainKeys Identified Mail. It works like a digital signature on every email you send — a way for the receiving server to verify that the email genuinely came from you and hasn't been modified in transit.
When you send an email with DKIM enabled, your mail server adds an invisible cryptographic signature to the email header. The receiving server looks up your public key in your DNS records and uses it to verify the signature. If the signature is valid, the email passes the DKIM check. If it's missing or invalid, the email looks suspicious.
Without DKIM, spam filters have no way to verify that an email claiming to be from yourcompany.ca is actually from you. Anyone could send a spoofed email pretending to be from your domain. Spam filters know this — which is why emails without DKIM are increasingly likely to be flagged or rejected, especially at Gmail and Outlook.
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...The long string after p= is your public key. It's generated by your email provider and needs to be added to your DNS as a TXT record. The specific location (called the "selector") depends on your email platform.
💡 Tip If you use Google Workspace, Microsoft 365, or Mailchimp, they each have their own DKIM keys that need to be added to your DNS separately. Many businesses only set up DKIM for their main email provider and forget about their marketing tool — causing marketing emails to fail authentication.
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It's the final layer of email authentication — and the one most commonly missing entirely.
DMARC ties SPF and DKIM together and tells receiving mail servers what to do when an email fails one or both checks. It also gives you visibility into who is sending email using your domain — including potential fraudsters or spammers who might be spoofing your address.
| Policy | What it means | Recommended for |
|---|---|---|
p=none | Monitor only — emails still deliver but reports are sent | Starting out / testing |
p=quarantine | Failing emails go to spam folder | Most businesses — good starting point |
p=reject | Failing emails are blocked entirely | After 30+ days of clean reports |
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100This record tells receiving servers to quarantine (send to spam) any emails from your domain that fail SPF and DKIM checks, and to send reports to your DMARC email address.
⚠️ Don't skip DMARC Even if your SPF and DKIM are correctly configured, without DMARC your domain has no policy in place for handling failures. Major email providers are increasingly treating domains without DMARC as higher risk — especially for bulk senders.
The good news is you can check your own domain for free using publicly available tools. Here's how:
Go to mxtoolbox.com and run the following checks for your domain:
Go to mail-tester.com, copy the unique test address, and send a regular email to it from your business email. You'll get a score out of 10 with a detailed breakdown of every issue. Aim for 9/10 or higher.
| Check | Good result | Problem result |
|---|---|---|
| SPF | ✓ SPF Pass | ✗ SPF Fail / No record found |
| DKIM | ✓ DKIM Valid | ✗ DKIM Fail / No record found |
| DMARC | ✓ DMARC Pass | ✗ No DMARC record / Policy: none |
| Blacklists | ✓ Not listed | ✗ Listed on [blacklist name] |
Fixing SPF, DKIM, and DMARC requires making changes to your domain's DNS records — the settings managed through your domain registrar (e.g. GoDaddy, IONOS, Namecheap) or hosting provider's control panel.
The exact steps vary depending on your email provider, but the general process is:
💡 Not sure where to start? The hardest part is knowing exactly what values to put in each record — especially DKIM, which requires getting the public key from your specific email platform. If you get something wrong, you can actually make deliverability worse. When in doubt, get a professional to audit and advise you first.
SPF, DKIM, and DMARC are the most common technical causes — but they're not the only ones. Here are other factors that can affect deliverability:
| Issue | What it means |
|---|---|
| Domain or IP blacklisting | Your domain or sending IP has been added to a spam blacklist — often from previous spam complaints or a compromised account |
| Spam trigger words | Certain words in subject lines (FREE, URGENT, $$) trigger spam filters regardless of authentication |
| High spam complaint rate | If too many recipients mark your emails as spam, your sending reputation suffers |
| No unsubscribe link | Required by law in Canada (CASL) and flagged by spam filters if missing from marketing emails |
| Sending volume spikes | Suddenly sending large volumes from a new domain looks suspicious to spam filters |
| Shared IP reputation | If you're on shared hosting, other senders on the same IP can affect your deliverability |
I'll audit your domain remotely, identify exactly what's broken, and give you a clear written report with step-by-step fix instructions. No jargon. No login credentials needed. 23 years IT experience.
Get my email fixed →From $200 flat fee · 24–48hr turnaround · Guided walkthrough included