Why Your Business Emails Might Be Going to Spam (And How to Fix It)
SPF, DKIM, and DMARC sound like government agencies, but they're actually the reason scammers can — or can't — send email pretending to be you.
You send an invoice. Your client never sees it — it went straight to their spam folder. Or worse: a scammer sends an email pretending to be you, and your client wires money to the wrong account.
Both of these problems have the same root cause: your email isn’t authenticated. And the fix has three parts — SPF, DKIM, and DMARC.
I know those sound like government acronyms. Stick with me. This will take five minutes and could save your business from a very bad day.
The Problem: Anyone Can Fake Your Email Address
Here’s something that surprises most people: by default, anyone in the world can send an email that appears to come from your domain. There’s no lock on the door. A scammer can put invoices@yourcompany.com in the “From” field and send it to your clients.
This is called email spoofing, and it’s one of the most common ways businesses get defrauded. SPF, DKIM, and DMARC are the three locks you put on that door.
SPF — The Guest List
Sender Policy Framework (SPF) works like a guest list for your email.
Imagine your domain name is your nightclub. SPF is a published list you post on the front door that says: “Only these specific servers are allowed to send email from this address.” Your email host (Google Workspace, Microsoft 365, etc.) is on the list. A scammer’s server is not.
When someone receives an email claiming to be from you, their email system checks the guest list. If the server that sent the email isn’t on it, the message gets flagged.
What it protects against: Emails sent from unauthorized servers pretending to be you.
The limitation: SPF only checks where the email was sent from — it doesn’t verify that the email itself wasn’t tampered with in transit.
DKIM — The Wax Seal
DomainKeys Identified Mail (DKIM) is like a wax seal on an envelope.
Back when important documents were sent by courier, a wax seal proved two things: it came from the right person, and nobody opened it along the way. If the seal was broken or missing, the recipient knew something was wrong.
DKIM does the same thing electronically. When you send an email, your mail server stamps it with a hidden digital signature. When the email arrives, the recipient’s system checks whether the seal is intact. If the email was intercepted and changed — even by a single character — the seal breaks and the email is flagged.
What it protects against: Emails that were tampered with after they were sent, and forgeries that pass SPF but lack your real signature.
DMARC — The Policy
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is the policy that ties SPF and DKIM together.
Going back to the nightclub analogy: SPF is the guest list, DKIM is the stamp on the guest’s hand. DMARC is the instruction you give the bouncer: “If someone shows up without being on the list AND without a stamp, what do you do? Turn them away? Let them in but flag it? Send me a report?”
DMARC lets you tell receiving email servers:
- Monitor: Let everything through, but send me a weekly report of anything suspicious. (Good starting point.)
- Quarantine: Send suspicious emails to the spam folder.
- Reject: Block them entirely. Don’t deliver them at all.
It also tells mail servers where to send reports — so you can actually see if someone is out there trying to spoof your address.
What it protects against: Everything SPF and DKIM protect against, coordinated into one enforceable policy. It’s the piece that turns your security from passive to active.
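To make the “bouncer” concrete, here is an added example (not code from the original post) of the decision a receiving mail server makes: it takes the SPF and DKIM results for a message, checks that the domain each one vouches for lines up with the visible From address (DMARC calls this alignment), and only then applies the p= policy. The DMARC record and the three sample messages are constructed for illustration, and the organizational-domain helper is a simplification of what real receivers do.

```python
"""Added example: how a receiver combines SPF and DKIM under a DMARC policy.
The record, messages and the org_domain() shortcut are constructed
illustrations, not the original post's material or any receiver's real code."""
from dataclasses import dataclass

# Constructed DMARC record, as it would be published at _dmarc.example.com
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=r; aspf=r"


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. Assumption for
    this example; real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the visible From: header
    spf_result: str    # "pass" / "fail" / "none" for the envelope sender
    spf_domain: str    # domain SPF was evaluated for (the MAIL FROM domain)
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the DKIM signature, empty if unsigned


def dmarc_disposition(msg: AuthResults, record: str) -> str:
    """Return 'deliver', 'quarantine' or 'reject'. DMARC passes when EITHER
    SPF or DKIM passes AND that identifier aligns with the From: domain;
    otherwise the published p= policy decides what happens."""
    policy = parse_dmarc(record)
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.from_domain, msg.spf_domain, policy.get("aspf", "r"))
    dkim_ok = msg.dkim_result == "pass" and aligned(
        msg.from_domain, msg.dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    if policy["p"] == "none":
        return "deliver"  # monitor mode: delivered, but it shows up in reports
    return policy["p"]    # "quarantine" or "reject"


# Constructed sample messages
LEGIT = AuthResults("example.com", "pass", "example.com", "pass", "example.com")
# Scammer's own server: SPF passes for THEIR domain, but it does not align
SPOOF = AuthResults("example.com", "pass", "attacker.example", "none", "")
# Mail relayed through a forwarder: SPF breaks, the DKIM seal survives
FORWARDED = AuthResults("example.com", "fail", "example.com", "pass", "example.com")

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("spoof", SPOOF), ("forwarded", FORWARDED)]:
        print(f"{name:10s} -> {dmarc_disposition(msg, DMARC_RECORD)}")
```

The forwarded case is why both SPF and DKIM matter: a forwarder’s server is not on your guest list, so SPF fails, but the DKIM seal is still intact and the mail is delivered.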
Why This Matters for Your Business (Not Just Security)
Beyond stopping spoofing, these three things directly affect whether your legitimate emails reach your clients.
Gmail, Outlook, and most major email providers now actively deprioritize email from domains that don’t have SPF, DKIM, and DMARC configured. If you’re wondering why your invoices or follow-ups sometimes don’t get a response — this might be why.
A properly configured domain:
- Lands in the inbox instead of spam
- Builds long-term sending reputation
- Tells receiving servers you’re a legitimate business, not a scammer
How to Check If You’re Protected
You can test your domain right now. Head to MXToolbox’s Email Health Check and enter your domain name. It will show you whether SPF, DKIM, and DMARC are configured — and what’s missing.
If you see red X’s, you’re not protected.
What Fixing It Looks Like
Setting up SPF, DKIM, and DMARC involves adding a few records to your domain’s DNS settings. If you’re already using Google Workspace or Microsoft 365, the values are well-documented and the setup is straightforward — typically 30 to 60 minutes for someone comfortable in DNS.
If DNS settings sound like a foreign language, that’s exactly the kind of thing we help small businesses sort out quickly — without overcomplicating it.
The short version: this is a one-time fix with permanent protection. There’s no ongoing maintenance, no subscription, and no hardware to buy. It’s one of the highest-value security improvements a small business can make.
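Because the fix is three DNS TXT records, the mistakes that matter are mostly typos and weak settings in those records. As an added example (not from the original post or any provider’s documentation), the following checks catch the common ones before you publish: an SPF record that ends in +all or has no all term, too many lookup mechanisms, a DKIM record with an empty key, and a DMARC record stuck on p=none or missing a reporting address. The record values are constructed for example.com; the Google and Microsoft include names are the ones those providers document.

```python
"""Added example: pre-publication checks for SPF, DKIM and DMARC TXT records.
Record values are constructed for example.com; the DKIM key is a placeholder."""

# Constructed records as you would paste them into DNS
GOOD_SPF = "v=spf1 include:_spf.google.com -all"
BAD_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com +all"
TOO_MANY_SPF = "v=spf1 " + " ".join(f"include:spf{i}.example" for i in range(11)) + " -all"
GOOD_DKIM = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"
REVOKED_DKIM = "v=DKIM1; k=rsa; p="
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
WEAK_DMARC = "v=DMARC1; p=none"


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' style record (DKIM, DMARC) into a dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_spf(record: str) -> list:
    """Findings for an SPF record; an empty list means nothing to fix."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must start with v=spf1"]
    lookups = 0
    terminal = None
    for term in terms[1:]:
        body = term.lstrip("+-~?")                 # drop the qualifier
        name = body.split(":")[0].split("/")[0].lower()
        # these mechanisms each cost a DNS query; receivers stop after 10
        if name in ("a", "mx", "ptr", "exists", "include") or name.startswith("redirect="):
            lookups += 1
        if name == "all":
            terminal = term
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms; receivers give up after 10 (permerror)")
    if terminal is None:
        findings.append("no terminal all mechanism; unlisted servers are not flagged")
    elif terminal in ("+all", "all"):
        findings.append("+all lets every server in the world send as your domain")
    elif terminal == "?all":
        findings.append("?all is neutral; treat it as no protection")
    return findings


def lint_dkim(record: str) -> list:
    """Findings for a DKIM selector record (selector._domainkey.example.com)."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= tag, if present, must be DKIM1")
    if not tags.get("p"):
        findings.append("empty or missing p= public key: the key is revoked or the record is broken")
    return findings


def lint_dmarc(record: str) -> list:
    """Findings for the _dmarc.example.com record."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    return findings


if __name__ == "__main__":
    for label, fn, rec in [("SPF", lint_spf, BAD_SPF), ("DKIM", lint_dkim, REVOKED_DKIM),
                           ("DMARC", lint_dmarc, WEAK_DMARC)]:
        print(label, fn(rec) or "OK")
```

Run it against the values your provider gives you, then read the records back from public DNS after publishing; a record that passes these checks locally but was pasted with a stray quote or line break is still broken.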
Quick Reference
| What | Plain-English Job | Protects Against |
|---|---|---|
| SPF | Guest list — which servers can send your email | Unauthorized senders using your domain |
| DKIM | Wax seal — proves the email wasn’t tampered with | Forgeries and email tampering in transit |
| DMARC | The policy — what to do when SPF/DKIM fail | Spoofing at scale; gives you visibility and control |
If your business sends email — invoices, quotes, client updates — and you’re not sure whether these are set up, it’s worth finding out today. The cost of not having them is a scammer impersonating you to your best client.