If mail from your own domain keeps landing in spam, the cause is almost always missing or wrong authentication records. Mailbox providers like Gmail and Outlook now expect three DNS records: SPF, DKIM and DMARC. Set all three correctly and your delivery improves fast. Here is what each one does and how to get it right.
Why your mail gets flagged
Spam filters ask a simple question: can this message be proven to come from who it claims to? Without SPF, DKIM and DMARC, the answer is "no", so your legitimate mail looks the same as a spoofer's. These records are how you prove it is really you.
All three live in your domain's DNS as records you add once. New to DNS records? See DNS records explained.
SPF: who is allowed to send
SPF (Sender Policy Framework) is a TXT record listing the servers allowed to send mail for your domain. A typical record:
v=spf1 include:_spf.yourhost.com ~all
Replace the include with the value your host or mail provider gives you. Two rules that matter:
- You may only have one SPF record per domain. Merge multiple senders into it, do not add a second.
- ~all (soft fail) is a safe default; -all (hard fail) is stricter once you are sure every sender is listed.
DKIM: a tamper-proof signature
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message; the public key that verifies it is published as a TXT record. Your host generates a key and gives you a record to add, usually at a selector like default._domainkey.yourdomain.com.
Once DKIM is active, receivers can confirm the message was not altered in transit and really came from your domain. This is the strongest signal of the three.
DMARC: what to do with failures
DMARC ties SPF and DKIM together and tells receivers what to do when a message fails. It is a TXT record at _dmarc.yourdomain.com. A gentle starting policy:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
- p=none only monitors at first, so you can watch reports without blocking anything.
- Once you confirm your real mail passes, tighten to p=quarantine and then p=reject.
- The rua address receives reports showing who is sending as your domain.
The order to do it
- Add SPF with every sender you use.
- Turn on DKIM with your host and add its record.
- Add DMARC at p=none and watch the reports for a week.
- Tighten DMARC to quarantine, then reject, once your mail passes cleanly.
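The SPF and DMARC rules above can be checked mechanically. This Python sketch is an added example, not part of the original article: it takes TXT strings you have already looked up and reports a second SPF record, an all term that fails nothing, a DMARC policy still at p=none, and a missing rua. The function names and the _spf.othersender.example include are assumptions made for the example, and every record value is a constructed sample.

```python
# Added example; all record values below are constructed samples, not live DNS data.
def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(txt_records):
    """Findings for the TXT records published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record found"]
    if len(spf) > 1:
        return [f"SPF: {len(spf)} records found, merge them into one"]
    alls = [t for t in spf[0].lower().split()[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["SPF: no ~all or -all term"]
    if alls[0][0] not in "-~":  # bare 'all', '+all' and '?all' restrict nothing
        return [f"SPF: '{alls[0]}' does not fail unlisted senders"]
    return []

def audit_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return [f"DMARC: expected 1 record, found {len(dmarc)}"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid p= value {policy!r}")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, tighten once mail passes")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, no reports will arrive")
    return findings

# Constructed samples: two SPF records (the mistake), then the merged fix.
TWO_SPF = ["v=spf1 include:_spf.yourhost.com ~all", "v=spf1 include:_spf.othersender.example ~all"]
MERGED = ["v=spf1 include:_spf.yourhost.com include:_spf.othersender.example ~all"]
STARTER_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"]

if __name__ == "__main__":
    for records in (TWO_SPF, MERGED):
        print(audit_spf(records) or "SPF ok")
    print(audit_dmarc(STARTER_DMARC))
```

Pass audit_spf the TXT strings from the domain itself and audit_dmarc the ones from _dmarc.yourdomain.com; an empty list means nothing was flagged.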
FAQ
Why is my email going to spam even though it is legitimate?
Almost always missing SPF, DKIM or DMARC. Without them, receivers cannot verify you, so they treat your mail with suspicion.
Can I have two SPF records?
No. A domain must have exactly one SPF record. Combine all your senders into a single record using multiple include statements.
Do I need all three records?
Yes. Modern providers expect all three: SPF and DKIM prove authenticity, while DMARC tells receivers what to do and gives you reporting.
Want these set up for you? Vastrox mail ships with SPF, DKIM and DMARC configured correctly. Contact support and we will check your records.