What is SPF and do I need it?

SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorised to send email for your domain. Without SPF, anyone can send email pretending to be you, and receiving servers are likely to mark your emails as spam. Every domain that sends email should have an SPF record.

DKIM (DomainKeys Identified Mail) adds a digital signature to every email you send. Receiving servers check this signature against a public key in your DNS to verify the email was not tampered with in transit. DKIM significantly improves deliverability and is required by Gmail and Yahoo for bulk senders.

What is DMARC and why does it matter?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a policy record in your DNS that tells receiving mail servers what to do when an email fails SPF or DKIM checks — either do nothing (none), quarantine to spam, or reject outright. Without DMARC, your domain is vulnerable to email spoofing and phishing attacks.

How do I check if my email deliverability is set up correctly?

Enter your domain into InboxShield and it will instantly check your SPF, DKIM, DMARC, BIMI, and MTA-STS records, flag any problems, and give you step-by-step instructions to fix them. The tool is free and requires no account.

BIMI (Brand Indicators for Message Identification) is a DNS record that displays your brand logo in the inbox of supporting email clients like Gmail and Apple Mail. It requires a valid DMARC policy and a verified logo file. BIMI increases brand recognition and email open rates.

← Blog·Deliverability·March 15, 2026·8 min read

Why Are My Emails Going to Spam? 7 Causes and How to Fix Them

Q: Why are my emails going to spam?

Emails land in spam when your domain is missing or misconfigured email authentication records: SPF, DKIM, and DMARC. SPF tells receiving servers which IPs are allowed to send on your behalf, DKIM adds a cryptographic signature to prove authenticity, and DMARC tells servers what to do if either check fails. InboxShield checks all three instantly and shows you exactly what to fix.

You write a professional email, hit send — and it lands in the recipient's junk folder. Or worse, it never arrives at all. Here are the seven most common culprits, ranked by how easy they are to fix.

Email deliverability is one of those invisible problems. Your email client says "Sent." But the recipient never sees it — or finds it days later buried in spam. For small businesses, this is a genuine revenue problem: proposals, invoices, follow-ups, and onboarding emails are all silently failing.

The good news is that most spam issues come from a short list of fixable causes. Let's go through them.

1. Missing or broken SPF record

SPF (Sender Policy Framework) is a DNS record that tells receiving mail servers which servers are allowed to send email on behalf of your domain. If you don't have one — or if it's misconfigured — Gmail, Yahoo, and Outlook will treat your emails with suspicion.

The most common SPF mistake is having no record at all. The second most common is having multiple conflicting SPF records (you can only have one). The third is using soft-fail (~all) instead of hard-fail (-all), which tells receiving servers "this might be legitimate" rather than enforcing your policy.

How to fix it: Add a single TXT record to your DNS with the value v=spf1 include:[your-email-provider] -all. The exact include value depends on your email service — Google Workspace uses _spf.google.com, SendGrid uses sendgrid.net, and so on.

2. No DKIM signature

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. Receiving servers check this signature against a public key in your DNS to confirm the email actually came from you and wasn't tampered with in transit.

Without DKIM, your emails have no verifiable identity. Gmail and Yahoo now require DKIM for bulk senders, and even for lower-volume senders it's a strong ranking factor in spam filtering decisions.

How to fix it: DKIM keys are generated by your email provider, not your DNS registrar. Go to your email service's admin panel (Google Admin Console, Microsoft 365 Admin, etc.), find the DKIM settings, generate a key, and add the provided TXT record to your DNS.

3. No DMARC policy

DMARC (Domain-based Message Authentication, Reporting & Conformance) sits on top of SPF and DKIM. It tells receiving servers what to do when an email claims to be from your domain but fails authentication: ignore it, send it to spam, or reject it outright.

Without DMARC, there's no enforcement. Anyone can send email that appears to come from your domain — a tactic used in phishing attacks — and most mail servers will have no policy to act on. Gmail and Yahoo now require DMARC to be set for all senders.

How to fix it: Start with a monitoring-only DMARC policy: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. Once you've confirmed all your email sources are authenticated, upgrade to p=quarantine or p=reject.

4. Sending from a shared or low-reputation IP

When you send email through a provider like Mailchimp, Constant Contact, or a shared web hosting server, you share an IP address with thousands of other senders. If any of them have been flagged for spam, your emails inherit some of that bad reputation.

This is especially common with small business web hosting plans where transactional email (contact forms, order confirmations) goes through the same shared server IP as everyone else on the host.

How to fix it: Use a dedicated transactional email service (SendGrid, Postmark, Mailgun, or Amazon SES) rather than your web host's default mail server. These services maintain high-reputation IPs specifically for deliverability.

5. High spam complaint rate

Every time someone clicks "Report spam" on one of your emails, Gmail records it. Google Postmaster Tools shows your domain-level complaint rate. If it exceeds 0.3%, Gmail will start routing more of your mail to spam automatically.

This is most common for marketing or newsletter emails, but it can affect any domain. A few angry recipients marking transactional emails as spam can tank your sender reputation quickly.

How to fix it: Make unsubscribing easy — easier than clicking "spam." Use a one-click unsubscribe header. Clean your list regularly to remove non-engaged subscribers. And make sure your "From" name is recognisable so recipients remember they signed up.

6. Sending from a mismatched or newly registered domain

Mail servers look at alignment: does the domain in the "From" address match the domain in your SPF or DKIM record? Misalignment is a spam signal. Similarly, brand-new domains have no sending history, so they start with low trust.

If you recently registered a new domain or rebranded, your email reputation effectively starts at zero. You'll need to build it up gradually by starting with low send volumes and scaling up over weeks.

How to fix it: Ensure your SPF and DKIM records are aligned with your sending domain. "From: hello@company.com" should be authenticated by records on company.com. For new domains, start with small batches and warm up your sending volume gradually.

7. Spammy content or missing unsubscribe link

Even with perfect authentication, the content of your email matters. Spam filters analyse subject lines, body text, link ratios, and HTML structure. Certain patterns trigger filters: excessive capitalisation, phrases like "FREE OFFER," deceptive subject lines, or a high ratio of images to text.

For bulk email (newsletters, promotional campaigns), CAN-SPAM and GDPR both legally require an unsubscribe mechanism. Missing it will get your emails flagged immediately.

How to fix it: Write emails that look like emails, not advertisements. Use a clear, honest subject line. Include a physical address and unsubscribe link in every marketing email. Test your content with a tool like mail-tester.com before sending.

Where to start

The first three causes — missing SPF, DKIM, and DMARC — are the most common and the most fixable. They don't require any technical expertise to implement once you have the right DNS values. The authentication problems are also entirely in your control, whereas sender reputation takes time to build.

The fastest way to find out which of these apply to your domain is to run a free audit.

Check your domain in 30 seconds

InboxShield Mini checks all five authentication records on your live DNS and tells you exactly what's missing — no account required.

Run free scan