You spent an hour writing the perfect email. You hit send. And then — silence. Your customer never saw it because it landed straight in the spam folder. If that sounds familiar, you're not alone. Email deliverability is one of those things that seems simple until it breaks, and when it breaks, it can quietly kill your response rates, your campaigns, and your business relationships.
The frustrating part is that spam filters aren't broken — they're doing exactly what they're supposed to do. They just don't trust your domain yet. This guide explains what signals they check, why your domain might be failing those checks, and how to fix each one.
The Big Three: SPF, DKIM, and DMARC
These three DNS-based standards are the backbone of modern email authentication. Gmail, Outlook, and Yahoo all check them. Missing even one significantly increases your spam rate.
SPF — Sender Policy Framework
Think of SPF as the guest list at a venue. Your DNS record lists which mail servers are allowed to send emails "from" your domain. When an email arrives claiming to be from hello@yourcompany.com, the receiving server checks your DNS and asks: "Is the IP this message came from on the list?"
If the answer is no — SPF fails, and spam filters start getting suspicious.
What a good SPF record looks like
Breaking this down:
v=spf1— identifies this as an SPF recordinclude:_spf.google.com— Google Workspace mail servers are allowedinclude:sendgrid.net— SendGrid is allowed (if you use it for campaigns)-all— any IP not listed here should be rejected (hard fail)
~all (soft fail) instead of -all means "be suspicious but don't reject." It's better than nothing, but -all gives you stronger protection. If you're confident your SPF record covers all your sending infrastructure, use hard fail.
SPF lookup limit — the hidden trap
SPF has a rule that many people don't know about: you can only have 10 DNS lookups in a single SPF record. Each include:, a:, and mx: mechanism counts as one. If your record has too many includes — especially after adding tools like HubSpot, Mailchimp, and a transactional mail provider — you'll silently exceed the limit, and SPF will start failing even for legitimate mail.
If you're juggling many includes, look into SPF flattening tools or services like Dmarcian that consolidate them into a single include.
DKIM — DomainKeys Identified Mail
SPF verifies the sender's IP. DKIM verifies the message itself. When you set up DKIM, your mail server signs every outgoing email with a private key. The corresponding public key is published in your DNS. When the email arrives at Gmail or Outlook, they look up your public key and verify the signature. If the email was modified in transit — even a single character changed — the signature fails.
This is why DKIM is so important: it's proof that the email you sent is the exact same email your recipient received.
How to check if DKIM is set up
DKIM records are published at a specific subdomain called a "selector." If your email provider is Google Workspace, the selector is usually google. For SendGrid it might be s1 or s2. For Mailchimp it's k1. The DNS record looks like this:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOC..."
(The long string after p= is your public key)
p= is empty (p=), your DKIM key has been revoked. You need to generate a new key pair in your email provider and republish the DNS record. This is a surprisingly common cause of sudden deliverability drops.
What if I use multiple email providers?
Each sending service (Google Workspace, SendGrid, Postmark, Mailchimp, etc.) generates its own DKIM key pair and uses a different selector. You need to publish a separate DKIM record for each one. This is normal — having three or four DKIM selectors in your DNS is perfectly fine. What's not fine is having none of them.
DMARC — Domain-based Message Authentication, Reporting & Conformance
DMARC is the policy layer that sits on top of SPF and DKIM. It answers one question: "If SPF or DKIM fails for a message claiming to be from my domain, what should receiving servers do?"
Without DMARC, the answer is "whatever you feel like" — and spam filters feel like letting a lot of it through. With DMARC, you're in control.
The three DMARC policies
| Policy | What it means | When to use it | Protection |
|---|---|---|---|
p=none |
Monitor only — don't do anything with failures | When you're just getting started with DMARC | Weak |
p=quarantine |
Move failing messages to spam | After verifying your SPF and DKIM are solid | Good |
p=reject |
Reject failing messages outright | When you're confident everything is configured correctly | Best |
A real DMARC record
"v=DMARC1; p=quarantine; rua=mailto:dmarc@yourcompany.com; pct=100"
p=quarantine— failing messages go to spam (upgrade torejectonce stable)rua=mailto:dmarc@yourcompany.com— receive aggregate reports so you can see who's sending on behalf of your domainpct=100— apply this policy to 100% of messages (start with a lower percentage if you're worried)
p=none forever. It's like leaving your front door unlocked and calling it security. It doesn't protect your domain from spoofing and it doesn't help your deliverability."
p=none and rua for two weeks to collect reports. Check the reports for any legitimate mail sources you might have missed in your SPF. Then switch to p=quarantine; pct=25, gradually increasing pct to 100 before moving to p=reject.
How Email Authentication Actually Works — Step by Step
Blacklists — The Silent Killer
You can have perfect SPF, DKIM, and DMARC and still have deliverability problems if your domain or sending IP is on a blacklist. RBLs (Real-time Blackhole Lists) are maintained by organisations that track known spam sources. Major inbox providers check them before delivery.
The major blacklists you need to watch:
| Blacklist | What they list | Impact |
|---|---|---|
| Spamhaus ZEN | IPs of known spam sources | Very high — most ISPs use this |
| Spamhaus DBL | Domains linked to spam | Very high |
| Barracuda BRBL | IPs with poor reputation | High — used by many corporate mail servers |
| SpamCop | User-reported spam sources | Medium |
| SORBS | Compromised servers and open relays | Medium |
How do you end up on a blacklist?
- You sent a bulk campaign to old or purchased email addresses with high bounce rates
- Your server was compromised and sent spam without you knowing
- Your shared hosting IP was already on a list before you even signed up
- Recipients marked your emails as spam at a high rate
- You sent to a "spam trap" — an address maintained by anti-spam organisations to catch bulk senders
Getting delisted
Most blacklists have a self-service delisting process. Spamhaus requires you to identify why you were listed and demonstrate it's fixed. Barracuda's removal is usually quick if you fill out their form. The key is to fix the underlying problem before requesting removal — otherwise you'll just get relisted.
Email Content — The Part People Ignore
Authentication and reputation matter a lot, but spam filters also analyse what's inside your email. Here are the content signals that raise red flags:
Spam trigger words and phrases
Words like "free money," "guaranteed," "act now," "limited time offer," "click here," and "earn $$" immediately increase your spam score. These aren't banned outright, but they're associated with spam at high rates. The more of them appear together, the higher your score climbs.
You don't need to avoid them entirely — just don't lead with them, don't repeat them, and make sure the rest of your authentication is solid to compensate.
Missing unsubscribe link
This one is both a legal requirement (CAN-SPAM in the US, GDPR in Europe) and a deliverability signal. Bulk email without an unsubscribe option gets marked as spam by recipients faster. Gmail's bulk sender guidelines explicitly require a one-click unsubscribe for commercial email since 2024.
Too many links
An email with 15 links in it looks like a phishing attempt or marketing spam. Try to keep it to 3–5 relevant links maximum, and avoid link shorteners (bit.ly, tinyurl) in marketing email — they obscure the destination and are heavily associated with spam.
Excessive ALL CAPS
WRITING LIKE THIS makes spam filters nervous. Use emphasis selectively. If everything is urgent, nothing is.
Your Deliverability Score — What It Means
When you run a domain through a deliverability checker, you get a score that combines all these signals. Here's roughly how it breaks down:
| Score Range | Risk Level | What it usually means |
|---|---|---|
| 75–100 | Low | SPF, DKIM, DMARC all passing. Domain clean. |
| 50–74 | Medium | Missing or weak DMARC. Possibly no DKIM. |
| 0–49 | High | Missing authentication, blacklist hit, or serious content issues. |
New Domain? Here's What's Working Against You
If you just registered a domain in the last 30–90 days, spam filters are automatically more suspicious of you. They've seen too many disposable spam domains. This is called "domain age bias" — it's not fair, but it's real.
What helps when you're starting fresh:
- Set up SPF, DKIM, and DMARC immediately — don't wait until you start sending
- Start sending small volumes and gradually increase (known as "warming up" the domain)
- Use your domain for an actual website — a domain with no A record looks more suspicious
- Send to engaged recipients first — people who signed up explicitly and are likely to open
- Don't buy email lists — ever. This is the fastest path to a blacklist and a ruined reputation
Gmail's Bulk Sender Rules (2024–2026)
In February 2024, Google introduced mandatory requirements for anyone sending more than 5,000 emails per day to Gmail addresses. If you're a bulk sender and you're not following these rules, your email is getting rejected, not just filtered:
- Must have a valid SPF or DKIM record (both is better)
- Must have a DMARC policy of at least
p=none - Must have a working one-click unsubscribe link
- Must keep spam complaint rate below 0.3%
- Messages must have consistent From: domain alignment with DKIM or SPF
Even if you're not sending 5,000 emails a day, Google is applying these standards as quality signals more broadly. Getting ahead of them now is just good practice.
Check Your Domain Right Now
Run a complete deliverability check — SPF, DKIM, DMARC, 8 blacklists, MX records, SMTP, and content analysis — in under 3 seconds. Free, no signup.
Analyse My DomainReading Raw Email Headers
If you've already sent a test email and want to know exactly why it went to spam, the raw headers are where the answers are. Every email has a hidden set of headers that record every server it passed through and the authentication results at each hop.
How to get raw headers
What to look for in the headers
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of hello@yourco.com designates 198.51.100.1 as permitted sender)
dkim=pass header.i=@yourco.com header.s=google header.b=abc123;
dmarc=pass (p=QUARANTINE sp=REJECT) header.from=yourco.com
If any of those say fail, softfail, or none, that's your culprit. You can paste raw headers into the Email Deliverability Debugger and it'll highlight exactly which checks failed and why.
The Received chain
Headers also show every server the email passed through, newest first. If an email went through five hops before landing in the inbox, you'll see five "Received:" lines. Unusually long chains, or hops through servers in unexpected countries, can also raise spam scores.
BIMI — The Optional Bonus That's Worth Knowing About
BIMI stands for Brand Indicators for Message Identification. If your DMARC is at p=reject and you publish a BIMI record with a verified SVG logo, Gmail and Yahoo will display your brand logo next to your email in the inbox. It's not a deliverability factor yet, but it builds sender trust and improves open rates.
"v=BIMI1; l=https://yourcompany.com/logo.svg; a=https://yourcompany.com/vmc.pem"
(a= is a Verified Mark Certificate — required for Gmail, optional for Yahoo)
Quick Fixes Checklist
- ☐ Publish a valid SPF record with
-allat the end - ☐ Enable DKIM in your email provider and publish the public key in DNS
- ☐ Add a DMARC record at
_dmarc.yourdomain.com— start withp=noneand aruaaddress - ☐ Check your domain and sending IP against major blacklists
- ☐ Verify your MX records resolve correctly
- ☐ Add an unsubscribe link to all bulk/marketing email
- ☐ Test your content for spam trigger words before sending
- ☐ Make sure your sending domain has a live website (an A record)
- ☐ Gradually increase send volume on new domains (warm up)
- ☐ Monitor DMARC reports weekly and move toward
p=reject
Check Your Domain's Deliverability — Free
Our Email Deliverability Debugger checks SPF, DKIM, DMARC, 8 blacklists, SMTP, and email content in one shot. You get a score out of 100 and specific, copy-paste fixes for every issue found.
Run Free CheckFrequently Asked Questions
Why do my emails go to spam even though I'm not sending junk?
The most common reasons are a missing or weak DMARC policy, no DKIM signature, or an SPF record that doesn't cover your sending IP. Spam filters score dozens of signals — even legitimate emails fail when authentication is missing. Check your domain against all three and start there.
What's the difference between SPF, DKIM, and DMARC?
SPF tells receiving servers which IP addresses are allowed to send email for your domain. DKIM adds a cryptographic signature to prove the message wasn't tampered with in transit. DMARC ties SPF and DKIM together and tells servers what to do when they fail — monitor, quarantine, or reject the message.
How do I check if my domain is blacklisted?
Use the WebToolsz Email Deliverability Debugger — it checks your domain and sending IP against 8 major RBLs including Spamhaus, Barracuda, SORBS, and SpamCop using safe, read-only DNS lookups. If you're listed, it shows which blacklist flagged you and links to the removal process.
Does Gmail require DMARC to deliver email in 2026?
Yes. Since February 2024, Google requires bulk senders (5,000+ emails per day to Gmail) to have SPF, DKIM, and a DMARC policy. Missing these gets your bulk mail rejected. Even for lower-volume senders, missing authentication significantly hurts inbox placement.
My SPF passes but emails still go to spam. What's wrong?
SPF passing is only one of several signals. DKIM might be missing or failing. Your DMARC policy might be p=none, which means failures are just monitored, not blocked — but spam filters still use alignment failure as a negative signal. Your content might be triggering spam word filters. Or your sending IP might be on a blacklist. Check all of them, not just SPF.
How long does it take to fix email deliverability issues?
DNS changes take anywhere from minutes to 48 hours to propagate globally. Once they're in place, your sender reputation improves gradually over the following weeks as spam filters see consistent authentication from your domain. Blacklist removals can happen within hours or take a few days depending on the RBL. There's no instant fix — but the right changes start working quickly.
Last updated: April 2026 | Back to Blog | Email Deliverability Debugger | Privacy Policy