Why your email goes to spam

Legitimate mail lands in spam for a small set of fixable reasons. Here's the diagnosis, how SPF, DKIM, and DMARC actually work together, and how to get back to the inbox.

Two judges decide: authentication & reputation

When you send a message, the receiving provider (Gmail, Outlook, Yahoo) asks two questions before it picks a folder: can you prove you sent it (authentication), and do people want your mail (reputation)? Almost every “my legitimate email goes to spam” case is either a failure of the first (an authentication gap that makes you look spoofable) or a dent in the second. The good news: both are diagnosable and fixable, and the authentication half is pure configuration.

The 4 most common reasons

| Reason | What's wrong | Fix |
| --- | --- | --- |
| No SPF | Receivers can’t tell which servers may send for you | Publish an SPF record |
| No DKIM | Messages aren’t signed, so forgery/tampering is undetectable | Enable DKIM signing |
| No DMARC | No policy ties SPF/DKIM together or reports abuse | Publish a DMARC record |
| Poor reputation | Complaints, stale lists, spammy content, cold IP | Clean lists, warm up, fix content |

The first three are DNS records you publish once. The fourth is an ongoing discipline. Here is each in turn.

SPF: who may send for you

SPF (Sender Policy Framework) is a DNS TXT record that lists the servers and services authorized to send mail using your domain. The receiver checks the sending server against that list.

; SPF: a DNS TXT record listing who may send as your domain
example.com.  IN  TXT  "v=spf1 include:_spf.google.com include:mailgun.org ~all"

~all means “soft-fail everything else.” SPF’s weakness: it breaks when mail is forwarded (the forwarding server isn’t in your list), which is exactly why DKIM and DMARC exist.

DKIM: a tamper-evident signature

DKIM (DomainKeys Identified Mail) has your mail server cryptographically sign each message with a private key; the matching public key lives in DNS under a selector. The receiver verifies the signature, proving the message really came from you and wasn’t altered in transit. Unlike SPF, DKIM survives forwarding.

; DKIM: a public key in DNS; the mail server signs each message with the private key
selector1._domainkey.example.com.  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSq...AQAB"

The selector (here selector1) is chosen by your sending provider, which is why you can’t look up a domain’s DKIM without knowing it.

DMARC: the policy that ties it together

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the umbrella. It tells receivers what to do when SPF or DKIM fail, and asks them to report who is sending as your domain. Its policy (p=) is the lever: none (monitor), quarantine (spam folder), or reject (block).

; DMARC: policy + reporting, tells receivers what to do when SPF/DKIM fail
_dmarc.example.com.  IN  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"

Start at p=none with reporting, confirm your real senders pass, then tighten to quarantine and finally reject. Google and Yahoo now require DMARC for bulk senders, so this is no longer optional.
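One way to check where a published record sits in that rollout, as an added example that is not part of the original article. `parse_dmarc` and `rollout_advice` are hypothetical helper names, and the second sample record is constructed.

```python
POLICIES = ("none", "quarantine", "reject")   # rollout order described in the article

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT value into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag, and p= is required
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    return tags

def rollout_advice(txt: str) -> tuple:
    """Return (current policy, notes on what to change next)."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))          # pct defaults to 100 when absent
    notes = []
    if "rua" not in tags:
        notes.append("no rua= address, so no aggregate reports will arrive")
    if policy != "none" and pct < 100:
        notes.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if policy != "reject":
        stricter = POLICIES[POLICIES.index(policy) + 1]
        notes.append(f"p={policy}: once every real sender passes, tighten to p={stricter}")
    return policy, notes

ARTICLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
MONITOR_ONLY = "v=DMARC1; p=none"              # constructed: monitoring with no reports

if __name__ == "__main__":
    for record in (ARTICLE_RECORD, MONITOR_ONLY):
        print(record, "->", rollout_advice(record))
```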

The fourth reason: reputation

Perfect authentication still loses to a bad reputation. Mailbox providers watch complaint rates (people hitting “spam”), list quality (sending to dead or purchased addresses), engagement (opens, replies), and sending history (a brand-new IP/domain has no trust). Keep lists clean and permission-based, warm up new senders gradually, and don’t mail people who never asked. No DNS record fixes a list nobody wants.

How to diagnose & fix

The fastest check: send yourself a message and read the Authentication-Results header.

Authentication-Results: mx.google.com;
  spf=pass    smtp.mailfrom=example.com;
  dkim=pass   header.d=example.com;
  dmarc=pass  header.from=example.com

Three pass lines mean your authentication is sound. Any fail points straight at the record to fix. You can also query DNS directly: a TXT at your domain (SPF), at _dmarc.yourdomain (DMARC), and at selector._domainkey.yourdomain (DKIM). For the background on how the message itself travels, see how SMTP works; for retrieving mail, POP3 vs IMAP. Or skip ahead: run your domain through the deliverability checker for a live SPF/DKIM/DMARC score and the single biggest fix to make.
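The header check above, automated as an added example that is not part of the original article. It parses one Authentication-Results header, names the record to inspect for each non-pass result, and flags a pass on a domain that does not match the From domain; the helper names and the failing header are constructed, and the alignment test is a labelled simplification.

```python
import re

# Record to inspect per mechanism, using the DNS locations named in the article.
FIX = {"spf": "SPF TXT record at the domain",
       "dkim": "DKIM TXT record at <selector>._domainkey.<domain>",
       "dmarc": "DMARC TXT record at _dmarc.<domain>"}

def parse_auth_results(header: str) -> dict:
    """Map each method (spf, dkim, dmarc) to its result and properties."""
    value = re.sub(r"(?i)^authentication-results:", "", header.strip())
    value = re.sub(r"\([^)]*\)", " ", value)      # drop parenthesised comments
    parsed = {}
    for clause in value.split(";")[1:]:           # clause 0 names the reporting server
        pairs = re.findall(r"([\w.-]+)=([^\s;]+)", clause)
        if pairs:
            (method, result), props = pairs[0], pairs[1:]
            parsed[method.lower()] = {"result": result.lower(), **dict(props)}
    return parsed

def domain_of(value: str) -> str:
    return value.rsplit("@", 1)[-1].lower().rstrip(".")

def aligned(a: str, b: str) -> bool:
    # Assumption: relaxed alignment approximated as "same domain or parent/child";
    # a real check compares organizational domains via the Public Suffix List.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def diagnose(header: str) -> list:
    """Return findings; an empty list means spf, dkim and dmarc all passed."""
    res = parse_auth_results(header)
    findings = [f"{m}={res.get(m, {}).get('result', 'missing')}: check the {FIX[m]}"
                for m in FIX if res.get(m, {}).get("result") != "pass"]
    from_dom = domain_of(res.get("dmarc", {}).get("header.from", ""))
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        entry = res.get(method, {})
        if from_dom and entry.get("result") == "pass" and prop in entry:
            dom = domain_of(entry[prop])
            if not aligned(dom, from_dom):
                findings.append(f"{method} passed for {dom}, not aligned with From domain {from_dom}")
    return findings

# The article's header, then a constructed failing one (third-party bounce domain, no DKIM).
GOOD = """Authentication-Results: mx.google.com;
  spf=pass    smtp.mailfrom=example.com;
  dkim=pass   header.d=example.com;
  dmarc=pass  header.from=example.com"""
BAD = ("Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce.mailer.example.net; "
       "dkim=none; dmarc=fail header.from=example.com")
```

`diagnose(GOOD)` returns an empty list; `diagnose(BAD)` shows why an SPF pass alone did not produce a DMARC pass.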

FAQ

Why do my emails go to spam even though they're legitimate?

Mailbox providers (Gmail, Outlook, Yahoo) decide placement from two things: authentication (can they prove you sent it?) and reputation (do recipients want it?). Most 'legit mail in spam' cases are either an authentication gap (no SPF, no DKIM, or no DMARC), which makes you look spoofable, or a reputation problem from complaints, bad lists, or spammy content.

What's the difference between SPF, DKIM, and DMARC?

SPF lists which servers may send for your domain. DKIM cryptographically signs each message so tampering and forgery are detectable. DMARC ties them together: it tells receivers what to do when SPF or DKIM fail (nothing, quarantine, or reject) and sends you reports. You want all three.

Do I need all three, or is one enough?

All three. SPF alone breaks on forwarding; DKIM alone has no policy; DMARC needs at least one of them aligned to do anything. Together they give receivers both proof (SPF/DKIM) and instructions (DMARC), which is what modern providers expect: Google and Yahoo now require them for bulk senders.

What is a good DMARC policy to start with?

Start at p=none (monitor only) with a rua reporting address so you can see who sends as your domain without risking real mail. Once your legitimate sources all pass aligned SPF/DKIM, tighten to p=quarantine, then p=reject. Moving straight to reject before monitoring is how you accidentally block your own invoices.

How do I check if my email authentication is set up?

Read the Authentication-Results header of a message you sent to yourself; it shows spf=, dkim=, and dmarc= results. Or query your DNS: a TXT record at your domain (SPF), at _dmarc.yourdomain (DMARC), and at selector._domainkey.yourdomain (DKIM, you need the selector). A checker tool can automate SPF and DMARC; DKIM needs the selector your provider uses.

Does authentication alone guarantee the inbox?

No. Authentication gets you considered; reputation gets you delivered. Even perfectly authenticated mail lands in spam if recipients mark you as spam, you mail stale lists, or your content trips filters. Authentication is necessary but not sufficient: you also need clean lists, low complaint rates, and a warmed-up sending history.

☕ KB Cafe Classic

Email is original KB Cafe territory: this domain ran Rmail and documented SMTP back when getting a message delivered was a craft. Deliverability is that craft today: same goal, now governed by SPF, DKIM, and DMARC. This is the vendor-neutral reference for getting your mail back to the inbox.