Your email looks fine to you. It arrives as spam to the person you sent it to. That’s not a content problem - it’s an authentication problem. Gmail, Outlook, and every other inbox provider run three quick checks before they decide where your message lands. Fail any one of them and you’re in junk. Here’s how to pass all three.
Why providers distrust your email
Anyone can send an email that claims to be from you@yourdomain.com. Spammers do it constantly. So inbox providers invented three DNS records that let you prove you actually control the domain you’re sending from. Think of them as a stamp of authenticity that lives in your domain settings, not in the email itself.
You add the records once. Every email you send after that carries the proof automatically.
Record 1: SPF - who is allowed to send on your behalf
SPF (Sender Policy Framework) is a TXT record on your domain that lists the mail servers allowed to send email from it. If a server not on that list sends a message claiming to be you, receiving servers can reject it.
Log in to wherever you manage your DNS - that’s usually your domain registrar (GoDaddy, Namecheap, 123-reg) or your hosting provider (Cloudflare, etc). Find the DNS settings, create a new TXT record, and set the Name field to @ (which means your root domain). Paste this into the Value field, swapping the include for whatever your email provider tells you to use:
v=spf1 include:YOUR_MAIL_PROVIDER_DOMAIN ~all
Examples by provider:
Google Workspace: include:_spf.google.com
Microsoft 365: include:spf.protection.outlook.com
Mailchimp (sends): include:servers.mcsv.net
The ~all at the end means “soft fail anything not on the list” - most providers recommend this over -all (hard fail) until you’re confident nothing legitimate is missing. You can only have one SPF record on a domain. If you already have one, add extra include: entries to it rather than creating a second record.
Record 2: DKIM - a digital signature on every message
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each email. The receiving server checks the signature against a public key stored in your DNS. If they match, the email hasnt been tampered with in transit.
Your email provider generates the key pair for you. In Google Workspace, go to Admin console › Apps › Google Workspace › Gmail › Authenticate email, select your domain, and click Generate new record. You’ll see something like this:
DNS record Name (the selector - Google uses “google” by default):
google._domainkey.yourdomain.com
DNS record Value (your actual key will be much longer):
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
For Microsoft 365, go to Security › Email & collaboration › Policies & rules › Threat policies › Email authentication settings › DKIM, select your domain, and toggle DKIM on. It will show you the two CNAME records to add (Microsoft uses CNAMEs rather than a TXT for DKIM).
Copy whatever your provider gives you exactly. Paste it into a new TXT (or CNAME) record in your DNS. The Name is the selector your provider specifies - dont change it.
Record 3: DMARC - what to do when checks fail
DMARC ties SPF and DKIM together and tells receiving servers what to do if either check fails. It also sends you reports so you can see who’s sending email using your domain.
Create one more TXT record. Set the Name to _dmarc and the Value to this:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
p=none - monitor only, dont block anything yet (safe starting point)
p=quarantine - send failures to spam (use this once you’re confident)
p=reject - block failures outright (the end goal)
rua= - where to send aggregate reports (use a real mailbox you check)
Start with p=none. You’ll receive weekly XML reports at the address you set. After a couple of weeks, check nothing legitimate is failing. Then move to p=quarantine, wait another fortnight, and finally p=reject.
How to check your records are working
DNS changes can take up to 48 hours to propagate, though usually it’s under an hour. Once they’re live, check them here:
https://mxtoolbox.com/SuperTool.aspx
Run these three lookups, replacing yourdomain.com with your domain:
SPF: SPF:yourdomain.com
DKIM: DKIM:google._domainkey.yourdomain.com (swap selector if not Google)
DMARC: DMARC:yourdomain.com
Each one should return a green result with the record you just added. If SPF shows “too many DNS lookups”, you’ve got more than ten include: entries - that’s a separate problem to fix, but a rare one for most small businesses.
The ten-minute version
- Log into your DNS provider.
- Add a TXT record at
@with your SPF value. - Get your DKIM record from your email provider’s admin panel and add it.
- Add a TXT record at
_dmarcwithv=DMARC1; p=none; rua=mailto:you@yourdomain.com. - Wait an hour, then check all three on MXToolbox.
- After two weeks of clean reports, move DMARC to
p=quarantine.
Thats genuinely it. No plugin, no agency, no monthly fee. Three records and your emails start landing where they should.
If you’d rather have someone run through your whole email setup - deliverability, automations, the lot - our audit starts at £750 and covers exactly this kind of thing.



