You send an invoice. The client says they never received it. You check your sent folder - it went out fine. What happened?
Most likely: your email landed in their spam folder, or was rejected entirely. The culprit is usually missing or misconfigured email authentication records.
The Problem: Email Trust
Email was invented without identity verification. Anyone can send an email claiming to be from any address. Your bank, your accountant, your domain - anyone can fake the "from" field.
To combat this, email providers like Gmail and Outlook use authentication checks. If your domain doesn't pass these checks, your emails look suspicious - even if they're genuine.
The result: legitimate business emails get filtered as spam.
The Three Records That Matter
Three DNS records tell email providers that your messages are authentic:
SPF: Who Can Send Email From Your Domain
SPF lists the servers authorised to send email using your domain name. When Gmail receives an email "from" you, it checks whether the sending server is on your approved list.
Without SPF: Email providers assume anyone could be spoofing your address.
DKIM: Cryptographic Signatures
DKIM adds a cryptographic signature to every email you send. The receiving server uses a public key published in your DNS to verify that the signature matches.
Without DKIM: There's no proof the email wasn't modified in transit.
DMARC: What to Do When Checks Fail
DMARC tells email providers what action to take when a message claiming to be from your domain fails the SPF and DKIM checks. It also sends you reports about authentication failures.
Without DMARC: Email providers make their own decisions about suspicious emails - usually filtering them.
Most businesses have partial configuration. SPF might be set up, but DKIM is missing. Or DMARC is set to "none" and never reviewed. Partial setup often creates more problems than no setup at all. I can audit your email configuration and fix the gaps.
Signs Your Email Authentication Is Broken
- Clients say they didn't receive your emails
- Emails consistently land in spam folders
- You've received "delivery failed" messages from addresses that exist
- Your domain was recently migrated or your email provider changed
- You've added new services (CRM, newsletter tools) that send email on your behalf
Why This Gets Complicated
Modern businesses don't just send email from one place. You might have:
- Your main email (Google Workspace, Microsoft 365)
- Your CRM sending follow-ups
- Your accounting software sending invoices
- Your website sending contact form notifications
- Your newsletter platform sending marketing emails
Every one of these services needs to be included in your SPF record. Every one needs DKIM configured. Miss one and those emails fail authentication.
Common Mistakes
Multiple SPF Records
You can only have one SPF record. If you have two (because someone added one without checking), both fail. Your email authentication is broken.
Services Missing From SPF
Added a new newsletter tool? If it's not in your SPF record, those newsletters fail authentication.
DKIM Never Enabled
Many email providers support DKIM but don't enable it by default. You have to generate keys and add DNS records - and most people skip this step.
DMARC Set to "None" Forever
"None" is for monitoring. It doesn't protect you. But businesses set it to "none" and never progress to enforcement.
Email problems are invisible. You don't know when emails don't arrive. Your clients don't always tell you. The first sign is often a missed deadline or lost opportunity. Get your email configuration checked.
What Proper Configuration Looks Like
A well-configured domain has:
- One SPF record listing all legitimate senders
- DKIM enabled and signing for each sending service
- DMARC set to quarantine or reject, with reporting enabled
- Regular review of DMARC reports to catch new issues
This takes time to set up correctly, but the payoff is reliable email delivery.
Can You Fix This Yourself?
If you're technically comfortable:
- Audit your current SPF, DKIM, and DMARC records using MXToolbox
- List every service that sends email from your domain
- Update SPF to include all of them
- Enable DKIM in each service and add the DNS records
- Set DMARC to none, review reports, then tighten to quarantine/reject
The process takes several hours and requires care. One typo can break your email.
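The audit step above can be scripted once you have copied the TXT records out of your DNS. The following is an added example, not code from any tool named on this page; the function names and all sample record values are constructed, and it assumes every sending service is authorised through an SPF `include:` term.

```python
# Added example. All record values below are constructed, not real DNS data.

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(root_txt, dmarc_txt, dkim_txt, required_includes):
    """Return findings for TXT records already fetched from DNS.

    root_txt: TXT strings at the domain; dmarc_txt: TXT strings at _dmarc.<domain>;
    dkim_txt: {service: TXT at its selector, or None if absent};
    required_includes: the SPF include host of every service that sends as you.
    """
    findings = []
    spf = [r for r in root_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero means no SPF; two or more is a permanent error
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    else:
        terms = [t.lower() for t in spf[0].split()[1:]]
        listed = {t[len("include:"):] for t in terms if t.startswith("include:")}
        for host in sorted(set(required_includes) - listed):
            findings.append(f"SPF: sending service not listed: {host}")
    for service, record in sorted(dkim_txt.items()):
        if not parse_tags(record or "").get("p"):  # absent record or empty key
            findings.append(f"DKIM: no public key published for {service}")
    dmarc = [t for t in map(parse_tags, dmarc_txt) if t.get("v") == "DMARC1"]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: policy '{policy or 'missing'}' is not enforcing")
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua= address, so no aggregate reports")
    return findings

# Constructed sample: a hypothetical domain with a mail host and a newsletter tool.
ROOT_TXT = ["v=spf1 include:_spf.mailhost.example ~all", "site-verification=abc123"]
DMARC_TXT = ["v=DMARC1; p=none"]
DKIM_TXT = {"mailhost": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY", "newsletter": None}
REQUIRED = ["_spf.mailhost.example", "spf.newsletter.example"]

if __name__ == "__main__":
    for finding in audit(ROOT_TXT, DMARC_TXT, DKIM_TXT, REQUIRED):
        print(finding)
```

An empty list means none of the mistakes covered here were found. Services authorised by `ip4:` or other SPF mechanisms need a manual check.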
When to Get Help
Consider professional help if:
- Email deliverability is affecting your business
- You use multiple email-sending services
- You've tried fixing it yourself and it's still broken
- You don't have time to learn DNS and email authentication
I configure email authentication for businesses regularly. I know the common pitfalls, the provider-specific quirks, and how to test properly before going live.