How-to · November 20, 2025 · 10 min read

How to Set Up DKIM for Google Workspace, Microsoft 365, and Mailchimp

DKIM is different from SPF and DMARC in one important way: you can't configure it purely through DNS. You must generate the key inside your email provider first. Here's exactly how to do it for the three most common platforms.

What DKIM actually does

When you send an email, your email service adds a digital signature to the message header. The signature is created using a private key stored securely by your email provider. Your DNS record contains the corresponding public key.

When a receiving mail server gets your email, it:

  • Reads the DKIM signature from the email header
  • Looks up your public key in DNS (using the selector specified in the header)
  • Uses the public key to verify the signature
  • Confirms the email came from an authorised source and wasn't modified in transit

A DKIM record in DNS looks like this:

google._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."

The google part is the selector — it identifies which key to use. You can have multiple DKIM keys with different selectors (one per email service).
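The receiver's side of the record shown above, as an added example (not code from this article or from any provider): it parses a key record's tags, decodes p=, and reads the RSA modulus length out of the DER structure, so a 1024-bit or cut-off key is flagged. The sample records are built in the code from a dummy modulus and are not usable keys; all function names are illustrative.

```python
import base64

def parse_tags(record):
    # A key record is a "tag=value; tag=value" list; whitespace in values is ignored.
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos):
    # Read one DER tag/length header; return (value offset, value length).
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, length

def rsa_bits(spki):
    # Walk SubjectPublicKeyInfo down to the RSA modulus and measure it.
    pos, length = _tlv(spki, 0)        # outer SEQUENCE
    if pos + length != len(spki):
        raise ValueError("key data does not match its declared length")
    pos, length = _tlv(spki, pos)      # AlgorithmIdentifier (skipped)
    pos, _ = _tlv(spki, pos + length)  # BIT STRING
    pos, _ = _tlv(spki, pos + 1)       # unused-bits byte, then RSAPublicKey
    pos, length = _tlv(spki, pos)      # INTEGER modulus
    return int.from_bytes(spki[pos:pos + length], "big").bit_length()

def check_record(txt):
    tags = parse_tags(txt)
    if tags.get("k", "rsa") != "rsa":
        return []                      # only RSA keys are measured here
    if not tags.get("p"):
        return ["p= is empty or missing"]
    try:
        bits = rsa_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return ["p= is not a complete base64 RSA public key"]
    return [f"{bits}-bit RSA key, below 2048"] if bits < 2048 else []

def _der(tag, body):
    n = len(body)
    size = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (size if n < 128 else bytes([0x80 | len(size)]) + size) + body

def sample_record(bits):
    # CONSTRUCTED input: correct structure, dummy modulus, not a usable key.
    modulus = b"\x00" + b"\xc3" * (bits // 8)
    rsa = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

A p= value that begins MIGfMA0GCS, like the shortened sample record above, declares a 162-byte structure, which is the size of a 1024-bit RSA public key; 2048-bit keys begin MIIBIjANBgkq.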

Setting up DKIM in Google Workspace

Google Workspace generates a 2048-bit RSA key pair and gives you the DNS record to add.

  1. Sign in to admin.google.com with your administrator account
  2. Go to Apps → Google Workspace → Gmail
  3. Click "Authenticate email"
  4. Select your domain from the dropdown if you have multiple
  5. Click "Generate new record"
  6. Choose a key length of 2048 bits (strongly recommended over 1024)
  7. Copy the DNS Host name (something like google._domainkey) and the TXT record value

Add a TXT record to your DNS provider:

  • Name/Host: google._domainkey (or google._domainkey.yourdomain.com if your DNS requires the full domain)
  • Type: TXT
  • Value: The long string provided by Google
  • TTL: 3600 (or "Automatic")

After saving, return to the Google Admin Console and click "Start authentication." Google will periodically check for the record. Once it propagates (up to 48 hours), the status will change to "Authenticating email."

Note: Google's DKIM uses the selector google by default. If you need to rotate your key in the future, you'll generate a new record and temporarily have both the old and new keys active during the transition.

Setting up DKIM in Microsoft 365

Microsoft 365 uses CNAME records instead of TXT records for DKIM — two of them, for redundancy. This is slightly different from other providers.

  1. Go to the Microsoft 365 Defender portal at security.microsoft.com
  2. Navigate to Email & Collaboration → Policies & Rules → Threat policies → Email Authentication Settings
  3. Select the DKIM tab
  4. Find your domain and click on it
  5. Toggle "Sign messages for this domain with DKIM signatures" to Enabled
  6. If the record isn't already in DNS, Microsoft will show you two CNAME records to add

The two CNAME records look like this:

selector1._domainkey.yourdomain.com → selector1-yourdomain-com._domainkey.youronmicrosoft.com
selector2._domainkey.yourdomain.com → selector2-yourdomain-com._domainkey.youronmicrosoft.com

Add both CNAME records to your DNS provider. After propagation (up to 48 hours), the Defender portal will confirm DKIM is enabled and signing messages.

Important: Microsoft uses two selectors (selector1 and selector2) and rotates between them automatically. Both CNAMEs must be present for DKIM to function correctly.

Setting up DKIM in Mailchimp

Mailchimp supports custom DKIM authentication through a feature called "Custom Domain Authentication" (sometimes called "Branded Links"). It's available on paid plans.

  1. Log in to Mailchimp and go to Account → Settings → Domains
  2. Click "Authenticate" next to your sending domain
  3. Mailchimp will provide you with two DNS records to add:
    • A CNAME record for DKIM (the key record)
    • A CNAME record to verify domain ownership
  4. Add both records to your DNS provider
  5. Return to Mailchimp and click "Authenticate Domain"

Once Mailchimp detects the records (usually within 24 hours), your campaigns will be signed with DKIM using your own domain as the signing domain, rather than Mailchimp's default shared domain.

Why this matters for Mailchimp: Without custom DKIM, your Mailchimp campaigns are signed with Mailchimp's domain, not yours. This means DMARC alignment will fail for DKIM (though SPF may still pass). With custom DKIM enabled, both SPF and DKIM can align with your sending domain for full DMARC compliance.

Setting up DKIM for SendGrid

SendGrid calls this "Domain Authentication." Go to Settings → Sender Authentication → Authenticate Your Domain. Select your DNS host, enter your sending domain, and SendGrid generates three DNS records:

  • Two CNAME records for DKIM keys
  • One CNAME record for domain verification

Add all three to your DNS provider, then return to SendGrid and click "Verify." Once verified, all emails sent through SendGrid will be signed with DKIM using your domain.

Verifying DKIM is working

After adding your DNS records and waiting for propagation:

  • Send a test email to a Gmail address and view the original headers (More → Show original). Look for dkim=pass in the Authentication-Results header.
  • Use MXToolbox's DKIM lookup tool: enter your domain and selector to check the record directly.
  • Run an audit with InboxShield Mini — it checks your DKIM status against your live DNS.
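The header check from the first bullet, together with the DMARC alignment point made in the Mailchimp section, as an added example (not code from this article or from any provider): it reads the Authentication-Results header stamped by the receiving server and reports, per DKIM signature, whether it passed and whether its signing domain aligns with the From domain. The sample message is constructed, esp-shared.example is a placeholder for a provider's shared signing domain, and the alignment test is a simplification noted in the code.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# CONSTRUCTED headers in the layout Gmail's "Show original" view uses.
# esp-shared.example stands in for a provider's shared signing domain.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@esp-shared.example header.s=s1 header.b=AAAAAAAA;
       dkim=pass header.i=@yourdomain.com header.s=s2 header.b=BBBBBBBB;
       spf=pass smtp.mailfrom=bounce@mail.esp-shared.example
From: Newsletter <news@yourdomain.com>
Subject: DKIM test

test body
"""

def aligned(signing_domain, from_domain):
    # Simplified relaxed alignment: same domain or parent/child of it.
    # A full DMARC evaluator compares organizational domains via the
    # Public Suffix List instead.
    a, b = signing_domain.lower(), from_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def dkim_results(raw, trusted="mx.google.com"):
    """Return (result, signing domain, selector, aligned) per DKIM signature."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    out = []
    for header in msg.get_all("Authentication-Results", []):
        clauses = header.split(";")
        # Anyone can insert this header; only read the one stamped by the
        # receiving server you trust (its name is the first field).
        if clauses[0].strip() != trusted:
            continue
        for clause in clauses[1:]:
            m = re.match(r"\s*dkim=(\w+)", clause)
            if m:
                props = dict(re.findall(r"header\.(\w+)=(\S+)", clause))
                domain = props.get("d") or props.get("i", "").rpartition("@")[2]
                out.append((m.group(1), domain, props.get("s"),
                            aligned(domain, from_domain)))
    return out

def dmarc_dkim_ok(raw):
    # DMARC's DKIM leg needs one signature that both passes and aligns.
    return any(r == "pass" and ok for r, _, _, ok in dkim_results(raw))
```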

Common DKIM setup mistakes

  • Generating the key but not adding it to DNS — The most common mistake. The admin panel shows "active" but the DNS record doesn't exist.
  • Adding the key to DNS but not activating it in the admin panel — Gmail's admin panel requires you to click "Start authentication" after adding the DNS record.
  • Truncating the long TXT record value — Some DNS providers have character limits. If the value is too long, split it into multiple quoted strings within the same TXT record.
  • Using the wrong selector in the record name — The selector prefix must exactly match what your email provider expects.
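A check for the last two mistakes, as an added example (not code from this article or from any provider): it splits a long value into TXT strings of at most 255 bytes, reassembles a published record the way a verifier does, and compares the record's name and value with what the provider issued. The issued value below is constructed filler, and the function names are illustrative.

```python
import re

def record_name(selector, domain):
    # Receivers query <selector>._domainkey.<domain>.
    return f"{selector}._domainkey.{domain}".lower()

def to_txt_strings(value, limit=255):
    # A single TXT string holds at most 255 bytes, so a long key is
    # published as several quoted strings inside one record.
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def from_txt_rdata(rdata):
    # Verifiers concatenate the quoted strings with nothing in between.
    return "".join(re.findall(r'"([^"]*)"', rdata))

def diagnose(host, rdata, selector, domain, issued_value):
    """Compare the published record with what the provider issued."""
    problems = []
    fqdn = host.lower().rstrip(".")
    if not fqdn.endswith("." + domain.lower()):
        fqdn = f"{fqdn}.{domain.lower()}"  # host was entered relative to the zone
    if fqdn != record_name(selector, domain):
        problems.append(f"published at {fqdn}, expected {record_name(selector, domain)}")
    published = from_txt_rdata(rdata)
    if published != issued_value:
        if issued_value.startswith(published):
            problems.append(
                f"value truncated: {len(published)} of {len(issued_value)} characters")
        else:
            problems.append("value differs from the issued one")
    return problems

# CONSTRUCTED sample: filler characters stand in for a 2048-bit key's p= value.
ISSUED = "v=DKIM1; k=rsa; p=" + "A" * 392
GOOD_RDATA = " ".join(f'"{s}"' for s in to_txt_strings(ISSUED))
```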

Check if DKIM is set up correctly

InboxShield Mini checks common DKIM selectors against your live DNS and shows you whether DKIM is passing — free, no account required.
