We are running in a testing phase — please be patient and share your feedback.
Why Emails Go to Spam and How to Fix It

Why Emails Go to Spam and How to Fix It

· 5 min read · Tomas Hojgr · email-security
email-deliverability spf dkim dmarc email-authentication

Why Your Emails End Up in Spam

You send invoices, proposals, or important messages — and the recipient never sees them. They sit in the spam folder instead. The problem usually isn't the content of the message but the configuration of your domain.

Email deliverability depends on a combination of technical factors: sender authentication, domain reputation, and recipient behavior. When any of these fail, mail servers penalize your messages — silently, without notification.

Missing or Misconfigured Email Authentication

The most common cause of emails landing in spam is missing or improperly configured authentication. Major providers (Gmail, Outlook, Yahoo) now require senders to set up three protocols:

  • SPF — defines which servers are authorized to send emails on behalf of your domain
  • DKIM — adds a digital signature to each email, verifying message integrity and sender origin
  • DMARC — ties SPF and DKIM to the From header address and specifies what to do when authentication fails

Without these records, your emails have no proof of legitimacy. The recipient's mail server cannot distinguish them from forged messages and routes them to spam — or rejects them outright.

Google and Yahoo Requirements Since 2024

Since February 2024, stricter rules apply. Gmail and Yahoo introduced these requirements, and Microsoft followed with similar rules from May 2025. For all senders:

  • SPF or DKIM must be configured

For bulk senders (over 5,000 messages per day to Gmail addresses):

  • Both SPF and DKIM must be configured
  • DMARC record with at least p=none policy and alignment with one of the protocols
  • Easy one-click unsubscribe
  • Spam complaint rate below 0.3%

Since November 2025, Gmail has moved from warnings to active enforcement — emails without proper authentication receive permanent rejection codes and bounce back to the sender.

The Alignment Problem

Setting up SPF, DKIM, and DMARC isn't enough — they must be properly connected. DMARC requires that the domain in the From header matches the domain verified by SPF or DKIM. This match is called alignment.

A common scenario: a company uses an external service for sending emails (marketing, helpdesk, invoicing). The service sends emails with the company's address in the From header, but SPF and DKIM are configured for the service provider's domain. SPF and DKIM both pass — but DMARC fails because the domains don't align.

How to fix it:

  1. Configure DKIM signing using your own domain (most services support this via CNAME records in DNS)
  2. Verify alignment using DMARC reports — they show exactly which messages pass and which fail

Sender Reputation

Every domain and IP address has a reputation with email providers. Reputation builds gradually based on sending history and recipient behavior.

What damages reputation:

  • High complaint rate — recipients marking your emails as spam. Exceeding 0.3% on Gmail leads to delivery throttling.
  • Bounce rate — sending to non-existent addresses. High bounce rates (generally above 2–5%) significantly damage reputation and can lead to blacklisting.
  • Sudden volume spikes — if you normally send 50 emails per day and suddenly send 5,000, spam filters flag this as suspicious.
  • Domain abuse — if someone uses your domain for spoofing or phishing, reputation drops for legitimate emails too.

What improves reputation:

  • Properly configured authentication (SPF, DKIM, DMARC)
  • Low complaint and bounce rates
  • Gradual volume increases (warm-up)
  • Active list management — removing inactive and non-existent addresses

Message Content and Formatting

Even with perfect authentication and reputation, a specific email can land in spam because of its content:

  • Suspicious formatting — image-only emails with no text, hidden text, excessive HTML code
  • Suspicious links — URL shorteners, links to domains different from the sender, too many links
  • Attachments — especially executable files (.exe, .js, .bat) or Office documents with macros
  • Missing text version — email contains only HTML without an alternative text version (multipart/alternative)

Spam filters evaluate content in context — the same text from a sender with good reputation passes, while from an unknown sender it doesn't. Authentication and reputation always matter more than content tweaking.

DNS Technical Issues

Properly functioning DNS records are a prerequisite for email authentication. Common problems:

  • Missing or invalid SPF record — syntax typos, missing v=spf1, duplicate TXT records
  • Exceeding the 10 DNS lookup limit in SPF — complex configurations with many include mechanisms cause PermError and SPF checks fail
  • Expired DKIM key — the public key in DNS doesn't match the private key on the server, and the signature fails verification
  • Malformed DMARC record — missing v=DMARC1, incorrect syntax for p, rua, or ruf parameters
  • Slow DNS response — if the DNS server doesn't respond in time, authentication can fail with a temperror result

All these problems manifest as silent failures — the email appears to send successfully, the sender sees no error, but the message ends up in spam or never gets delivered.

How to Diagnose the Problem

Diagnosing deliverability issues requires a systematic approach:

  1. Check authentication — verify your domain's SPF record, DKIM signature, and DMARC record. All three must be present and correctly configured.

  2. Review DMARC reports — if your DMARC record includes a reporting address (rua), you receive daily XML reports from mail providers. These reports show which emails passed and which failed SPF, DKIM, or alignment checks. Reports arrive at the address specified in the rua tag.

  3. Inspect email headers — in a delivered (or spam) email, find the Authentication-Results, Received-SPF, and DKIM-Signature headers. They show the exact result of each check.

  4. Check reputation — Google offers Postmaster Tools where you can see your domain and IP reputation with Gmail.

  5. Check blacklists — verify whether your IP address or domain is on public blacklists (Spamhaus, Barracuda, SORBS).

Prevention — How to Stay Out of the Spam Folder

A one-time authentication setup is a good start, but it's not enough. DNS records change, new sending services get added, keys expire.

Systematic prevention includes:

  • Set up SPF, DKIM, and DMARC — if you haven't already, start with SPF setup, DKIM, and DMARC
  • Enable DMARC reports — without them, you have no visibility into what happens to your emails
  • Monitor continuously — a DNS change, new mail provider, or expired key can disrupt deliverability at any time
  • Maintain a clean recipient list — regularly remove non-existent addresses and inactive contacts
  • Ramp up volume gradually — when launching a new campaign or switching to a new IP address, start with low volume

Run a full domain analysis to see the status of all your records in one place and identify issues before they result in undelivered emails.

Read in another language: Čeština

Related articles

What Is an SPF Record and Why Do You Need One
spf

What Is an SPF Record and Why Do You Need One

An SPF record protects your domain from being used to send fraudulent emails. Learn how SPF works, how to set it up, and why it's essential for…

· 5 min read
What is DKIM and How Does It Work
dkim

What is DKIM and How Does It Work

DKIM verifies email integrity and origin using digital signatures. Learn how it works, how to set it up, and why it's essential for DMARC and…

· 7 min read
What Is DMARC and How Does It Work
dmarc

What Is DMARC and How Does It Work

DMARC ties SPF and DKIM together and adds a policy for unauthenticated emails. Learn how it works, how to deploy it, and why Google and Yahoo require…

· 6 min read