What is SPF and do I need it?

SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorised to send email for your domain. Without SPF, anyone can send email pretending to be you, and receiving servers are likely to mark your emails as spam. Every domain that sends email should have an SPF record.

DKIM (DomainKeys Identified Mail) adds a digital signature to every email you send. Receiving servers check this signature against a public key in your DNS to verify the email was not tampered with in transit. DKIM significantly improves deliverability and is required by Gmail and Yahoo for bulk senders.

What is DMARC and why does it matter?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy record in your DNS that tells receiving mail servers what to do when an email fails SPF or DKIM checks — either do nothing (none), quarantine to spam, or reject outright. Without DMARC, your domain is vulnerable to email spoofing and phishing attacks.

How do I check if my email deliverability is set up correctly?

Enter your domain into InboxShield and it will instantly check your SPF, DKIM, DMARC, BIMI, and MTA-STS records, flag any problems, and give you step-by-step instructions to fix them. The tool is free and requires no account.

BIMI (Brand Indicators for Message Identification) is a DNS record that displays your brand logo in the inbox of supporting email clients like Gmail and Apple Mail. It requires a valid DMARC policy and a verified logo file. BIMI increases brand recognition and email open rates.

← Blog·Guide·February 10, 2026·9 min read

Email Deliverability Checklist: 10 Steps to Land in the Inbox

Q: Why are my emails going to spam?

Emails land in spam when your domain is missing or misconfigured email authentication records: SPF, DKIM, and DMARC. SPF tells receiving servers which IPs are allowed to send on your behalf, DKIM adds a cryptographic signature to prove authenticity, and DMARC tells servers what to do if either check fails. InboxShield checks all three instantly and shows you exactly what to fix.

Email deliverability problems are almost always fixable — once you know what to check. This step-by-step checklist covers every factor that determines whether your emails reach the inbox or disappear into spam.

Whether you're a freelancer, a small business owner, or running a marketing team, the same set of issues cause 90% of deliverability problems. Work through this checklist top to bottom. Each item takes 5–30 minutes to verify and fix.

Step 1: Check your SPF record

SPF (Sender Policy Framework) is the first thing receiving mail servers check. It's a DNS TXT record that lists the mail servers authorised to send on behalf of your domain.

Look up your domain's TXT records and find the one starting with v=spf1. If it doesn't exist, create one. Common mistakes to check for:

More than one SPF record (only one is allowed — merge them)
Using ~all (soft fail) instead of -all (hard fail)
More than 10 DNS lookup mechanisms, which causes SPF to fail
Missing include: for email services you actually use (e.g. Mailchimp, SendGrid)

Step 2: Enable and verify DKIM

DKIM (DomainKeys Identified Mail) cryptographically signs every outgoing email. Without it, your emails have no verifiable identity and are more likely to be flagged as spam.

DKIM must be enabled inside your email provider's admin panel — it cannot be configured purely through DNS. Log in to your Google Workspace, Microsoft 365, or other email service, navigate to the email authentication settings, generate a DKIM key, and add the resulting DNS record.

Verification: Once the DNS record is added, return to your email provider's admin panel and confirm DKIM authentication is showing as "active" or "verified." This usually takes up to 24 hours after the DNS record propagates.

Step 3: Set a DMARC policy

DMARC ties SPF and DKIM together into an enforceable policy. It also unlocks aggregate reporting so you can see which servers are sending email on behalf of your domain — including ones you might not have authorised.

Start with monitoring mode and upgrade once you're confident everything is aligned:

Week 1–4: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com — collect reports, make no changes to delivery
Month 2+: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com — failing emails go to spam
Month 3+: v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com — failing emails are rejected entirely

Step 4: Check for domain alignment

DMARC requires alignment — the domain in the visible "From" address must match the domain authenticated by SPF or DKIM. Misalignment is one of the most common causes of DMARC failures.

For example, if your "From" address is hello@company.com but your email is sent through a third-party service that authenticates on behalf of sendgrid.net, you need to confirm DKIM is set up for company.com — not just the sending service's default domain.

Step 5: Monitor your spam complaint rate

Google Postmaster Tools provides a free dashboard showing your domain's spam complaint rate — the percentage of Gmail users who click "Report spam" on your emails.

The thresholds to know:

Below 0.10% — healthy, continue as normal
0.10%–0.30% — warning zone, Google may start increasing spam placement
Above 0.30% — critical, Google may block delivery entirely

Action: Sign up for Google Postmaster Tools at postmaster.tools.google.com and verify your domain. Check the Spam Rate dashboard weekly if you send regular campaigns.

Step 6: Use a reputable sending IP

If you're sending email through your web hosting provider's shared mail server, you're sharing an IP address with potentially thousands of other senders. One bad actor on that IP can damage your deliverability.

Switch to a dedicated transactional email service: SendGrid, Postmark, Mailgun, or Amazon SES all maintain pools of high-reputation IPs. Most offer generous free tiers for transactional email (order confirmations, contact form replies, etc.).

Step 7: Warm up new sending infrastructure

If you've recently switched email providers, started using a new domain, or significantly increased your sending volume, mail servers will be suspicious until you build a track record.

Warm up gradually: start with a few hundred emails per day to your most engaged recipients, then double the volume every few days over three to four weeks. This builds a sending history that signals to Gmail and others that you're a legitimate sender.

Step 8: Clean your email list

Sending to invalid email addresses (hard bounces) or addresses that never engage (soft indicators) drags down your sender reputation. Most email platforms track bounce rates automatically — check your dashboard.

Hard bounce rate should be below 2%
Remove all hard bounces immediately after they occur
Suppress contacts who haven't opened an email in 6–12 months
Use double opt-in for new subscribers to reduce invalid addresses

Step 9: Audit your email content

Even with perfect authentication, the content of your email affects spam filter decisions. Common content red flags:

Subject lines in ALL CAPS or with excessive punctuation (!!! or ???)
Too many images and too little text (aim for 60%+ text)
Links to blacklisted domains
Missing or hard-to-find unsubscribe link in marketing emails
Missing physical address (legally required in most jurisdictions for marketing email)

Test before sending: Use mail-tester.com to get a spam score before any campaign goes out. It checks content, authentication, blacklists, and more.

Step 10: Check domain and IP blacklists

If your domain or sending IP has been blacklisted — even without your knowledge — email providers will block or filter your mail. Use a multi-blacklist checker like MXToolbox to scan both your domain and your sending IP against major blocklists.

If you find a listing, most blacklists provide a delisting form. You'll typically need to explain what caused the issue and what steps you've taken to fix it. Resolution usually takes 24–72 hours.

Run this checklist regularly

Email deliverability is not a one-time fix. DNS records get accidentally deleted. IP reputations drift. New email services get added without updating SPF. A quarterly check takes 15 minutes and can catch problems before they affect revenue.

The fastest starting point is to run an automated audit on your domain to see which records pass and which are missing or misconfigured.

Audit your domain in 30 seconds

InboxShield Mini checks SPF, DKIM, DMARC, BIMI, and MTA-STS in real-time and gives you a score out of 100 — free, no account required.

Run free scan