Your emails are going to spam. Here's exactly why — and how to fix it with three DNS records that take 10 minutes to set up.
20% of legitimate business emails never reach the inbox. They're filtered to spam, blocked entirely, or silently dropped. The reason? Missing or misconfigured email authentication records: SPF, DKIM, and DMARC.
If you're sending email from a custom domain (anything@yourbusiness.com), you need all three. Without them, Gmail, Outlook, and Yahoo assume your emails might be spoofed — and they're right to be cautious. Email spoofing accounts for billions of malicious messages daily.
Email was designed in 1982. The original SMTP protocol had no authentication — anyone could send email claiming to be from any address. Spam and phishing exploited this for decades. SPF, DKIM, and DMARC were added later as a layered defense:
| Protocol | What It Does | Added |
|---|---|---|
| SPF | Lists authorized sending IPs | 2006 |
| DKIM | Cryptographic signature per email | 2007 |
| DMARC | Policy for SPF/DKIM failures | 2012 |
As of 2024, Google and Yahoo require all bulk senders to have SPF, DKIM, and DMARC configured. No exceptions. If you send more than 5,000 emails per day, you must comply or your emails will be rejected outright.
SPF is a DNS TXT record that tells the world which IP addresses are allowed to send email from your domain. Think of it as a guest list for your email server.
v=spf1 ip4:178.156.211.159 include:_spf.google.com ~all
Breaking this down:
v=spf1 — SPF versionip4:178.156.211.159 — Your server's IP is authorizedinclude:_spf.google.com — Google's servers are also authorized (if you use Google Workspace)~all — Soft fail for anything else (recommended for testing)Use~all(soft fail) when setting up SPF for the first time. Once you've confirmed everything works for a few weeks, switch to-all(hard fail) for maximum protection.
include or a mechanism counts. Use ip4 where possible.+all — This authorizes the entire internet to send from your domain. Never do this.DKIM adds a cryptographic signature to every email you send. The receiving server uses your public key (published in DNS) to verify the signature. This proves the email wasn't modified in transit and came from an authorized server.
default._domainkey.yourdomain.com. TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3..."
The default part is the selector — you can have multiple DKIM keys for different sending services. The p= value is your base64-encoded public key.
DMARC is the policy layer. It tells receiving servers what to do when SPF and/or DKIM fail. Without DMARC, failed authentication is silently ignored. With DMARC, you control the outcome.
_dmarc.yourdomain.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100;"
Breaking this down:
p=quarantine — Failed emails go to spam (recommended starting point)p=reject — Failed emails are rejected entirely (maximum protection)p=none — Monitor only, no action taken (for testing)rua=mailto:... — Where to send daily aggregate reportspct=100 — Apply policy to 100% of emailsp=none — Monitor only. Collect reports, see what's failing.p=quarantine; pct=25 — Quarantine 25% of failures.p=quarantine; pct=100 — Quarantine all failures.p=reject; pct=100 — Reject all failures. Full protection.DMARC reports are XML files sent daily to your rua address. Use a free tool like dmarcian or Postmark's DMARC analyzer to parse them.
Your mail server's IP must have a reverse DNS record that matches its hostname. If your server says mail.yourdomain.com but the PTR resolves to something else, many providers will reject your email.
Your domain and IP have reputation scores with Gmail, Outlook, and Yahoo. Factors include:
Every TyTe Hosting email account comes with SPF, DKIM, and DMARC pre-configured. We also provide:
Ready to switch? See our Business Email Hosting page or check city-specific pages like business email in Orlando.
Email deliverability is the ability to successfully land emails in the recipient's inbox rather than the spam folder. It depends on sender reputation, authentication records (SPF, DKIM, DMARC), content quality, and infrastructure.
SPF (Sender Policy Framework) is a DNS TXT record that lists which IP addresses and servers are authorized to send email on behalf of your domain. Receiving servers check SPF to verify the sender is legitimate.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails that proves the message was not modified in transit and was sent by an authorized server.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving servers what to do if both checks fail: reject, quarantine, or take no action.
DNS changes typically propagate within 4-24 hours. Once propagated, email providers immediately start checking your records for authentication.
SPF, DKIM, DMARC — all pre-configured. 50 mailboxes for $69.99/month. No per-user pricing.
Get Business Email →