← Back to writing

21 May 2026

Your business email is probably landing in spam (and you'd never know)

I set up a new domain a while back. Sent a test email to my personal Gmail to check everything looked right.

Spam folder.

More recently, working with a client: sent an email from their business domain, the recipient never received it. Not spam. Not quarantined. Just gone. The sender's inbox showed it as delivered. No error. No bounce. Completely invisible from their end.

Both cases: same root cause. Three DNS records that almost nobody sets up when they connect a custom domain to their email - and that no one tells you about.

SPF. DKIM. DMARC.

Before the technical bit, here's what they actually mean.

Imagine your business email is a formal letter. The email servers receiving that letter don't know you. They have to make a judgment call: is this legitimate, or is this spam - or worse, someone impersonating a real business?

These three records are how you prove the letter is real.

SPF is the return address on the envelope. It tells the receiving mail server which sending servers are authorised to send email from your domain. Without it, there's nothing stopping someone from spoofing your address - and no way for a receiving server to check if the email is genuinely from you.

DKIM is the wax seal on the letter. It adds a cryptographic signature to every outbound email. The receiving server checks that signature against a public key stored in your DNS. If it matches, the email hasn't been tampered with and actually came from you.

DMARC is the instructions you leave with the post office. It tells receiving servers what to do when an email fails the SPF or DKIM check - quarantine it, reject it, or just flag it and let it through while you monitor. It also sends you reports so you can see what's happening with your domain's email.

All three together: the receiving server has what it needs to trust your email is legitimate. Missing any one of them, and it's guessing.

Here's how to set them up.

A quick note first: these records all live in your DNS settings - that's the control panel for your domain, usually found wherever you bought your domain name (Namecheap, GoDaddy, Squarespace Domains, Cloudflare, etc.). If you're not sure where that is, search for "DNS settings" in your domain registrar's help centre.

SPF - add one TXT record in your DNS:

host: @
value: v=spf1 include:_spf.google.com ~all

(The value above is for Google Workspace / Gmail. If you're on a different email provider, check their documentation for the correct SPF value - search "[your provider] SPF record setup".)

DKIM - the setup here depends on your email provider. For Google Workspace, Google has a step-by-step guide here.

The short version:

  1. Generate the key in your Google Workspace Admin Console (Apps > Google Workspace > Gmail > Authenticate Email > "Generate New Record")

  2. Copy and paste the record value as a new TXT record in your DNS.

  3. Go back to the Admin Console, and trigger Begin Authentication.

  4. Important: wait up to 48 hours after adding the record - until Google finishes authenticating it on their end, outbound emails may still land in spam.

For other providers (Microsoft 365, Zoho, etc.), search "[your provider] DKIM setup" for their current instructions - linking to their official docs is safer than writing steps that may go out of date.

DMARC - one more TXT record:

host: _dmarc
value: v=DMARC1; p=none; rua=mailto:you@yourdomain.com

(Replace the email address with one you actually check - this is where the monitoring reports will go.)

Start with p=none - this monitors without blocking anything. You'll start receiving reports on your domain's email without risking legitimate emails getting rejected while you're still getting set up.

The whole thing takes about 20 minutes once you know what you're doing. Check what's currently set up on your domain with MXToolbox - free, paste in your domain, tells you immediately what's missing.

This gap exists on almost every small business domain I've looked at. It's not because people haven't bothered - it's because Squarespace, Shopify, and even Google Workspace don't walk you through it when you connect a domain. It's assumed knowledge that never gets passed on.

It's the kind of quiet, invisible gap I end up finding all the time when I'm untangling someone's setup - the sort that costs you something while staying completely off your radar.

Set these up before your next important email doesn't arrive.