Why Your Business Emails Are Going to Spam and How to Fix It

Peter Nelson

A practical guide to email deliverability for Australian SMBs - covering SPF, DKIM, and DMARC configuration, sender reputation management, and how to check if your domain is blacklisted.

Your proposal goes into spam. Your invoice doesn’t reach the client. Your follow-up email is silently filtered before anyone reads it. Email deliverability problems cost businesses real money, and the frustrating part is that they’re often caused by missing technical configurations that your IT team could resolve in a day.

Here’s why it happens and exactly what to fix.

Why Email Deliverability Has Become More Demanding

The receiving infrastructure - Google, Microsoft, and the major ISPs - has become substantially more sophisticated at filtering spam and phishing over the past five years. This is mostly good news for everyone, but it means that legitimate business email is held to a higher standard than it used to be.

In February 2024, Google and Yahoo introduced mandatory requirements for bulk senders: SPF, DKIM, and DMARC must be configured. Microsoft followed with similar enforcement. If you’re sending email in volume without these records, your messages are being filtered or rejected.

Beyond the technical requirements, your domain’s reputation - built over time through sending behaviour, engagement rates, and spam complaint rates - is a key factor in whether your email lands in the inbox.

SPF: Authorise Your Sending Servers

Sender Policy Framework (SPF) is a DNS record that lists which servers are authorised to send email on behalf of your domain. When a receiving mail server gets an email from your domain, it checks your SPF record to see if the sending server is on the list.

What a correct SPF record looks like:

v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all

This record says: email from this domain is authorised if it comes from Microsoft 365 (Outlook) servers or SendGrid (a common bulk email platform). The -all at the end is a hard fail: it tells receiving servers to reject anything that doesn’t match.

Common SPF problems:

  • No SPF record at all - your domain has no authorisation policy, which is a significant red flag for receiving servers
  • Multiple SPF records - only one SPF record is allowed per domain. Multiple records cause failures
  • Missing third-party senders - if you use a CRM, marketing platform, or ticketing system that sends email on your behalf, those services need to be included in your SPF record
  • Too many lookups - SPF has a limit of 10 DNS lookups. Complex records with many include: statements can exceed this limit and cause failures
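The four problems above can be checked mechanically. The following is an added example, not code from the original article: a small SPF linter run against a constructed, in-memory set of TXT records instead of live DNS. The zone data, the function names and the `required` parameter are assumptions made for illustration.

```python
# Constructed TXT data standing in for live DNS; every name here is illustrative.
ZONE = {
    "good.example": ["v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all"],
    "dup.example": ["v=spf1 include:sendgrid.net -all", "v=spf1 mx ~all"],
    "nested.example": ["v=spf1 include:_spf.a.example mx -all", "some-verification=constructed"],
    "_spf.a.example": ["v=spf1 " + " ".join("include:s%d.example" % i for i in range(9)) + " ~all"],
}
# Terms that each cost one DNS lookup (RFC 7208, section 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def spf_records(domain, zone):
    """Return only the TXT strings that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, seen=None):
    """Count lookup-causing terms, following include: and redirect= targets."""
    seen = set() if seen is None else seen
    if domain in seen:  # loop guard; a real evaluator would simply hit the limit
        return 0
    seen.add(domain)
    records = spf_records(domain, zone)
    if len(records) != 1:  # target absent from the constructed zone, or ambiguous
        return 0
    total = 0
    for term in records[0].split()[1:]:
        body = term.lstrip("+-~?")  # drop the qualifier
        name, _, target = body.replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()  # "a/24" is still the "a" mechanism
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and target:
                total += count_lookups(target, zone, seen)
    return total

def audit_spf(domain, zone, required=()):
    """Return a list of findings; `required` lists include: targets you expect."""
    records = spf_records(domain, zone)
    if not records:
        return ["no SPF record"]
    if len(records) > 1:
        return ["multiple SPF records (%d)" % len(records)]
    terms = records[0].split()
    findings = ["missing sender include: " + r for r in required
                if "include:" + r not in terms]
    last = terms[-1].lower()
    if last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("does not end with -all or ~all: " + last)
    n = count_lookups(domain, zone)
    if n > 10:
        findings.append("too many DNS lookups: %d > 10" % n)
    return findings
```

In the constructed zone, nested.example lists only two lookup terms in its own record but reaches 11 once the nested include is expanded, which is how the limit is usually exceeded in practice.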

DKIM: Cryptographically Sign Your Emails

DomainKeys Identified Mail (DKIM) adds a cryptographic signature to your outgoing emails. The receiving server can verify that the email genuinely came from your domain and hasn’t been tampered with in transit.

DKIM requires:

  1. Your mail platform generates a public/private key pair
  2. The public key is published as a DNS TXT record on your domain
  3. Outgoing emails are signed with the private key
  4. Receiving servers check the signature against the DNS record

For Microsoft 365, DKIM is enabled through the Defender portal (Security > Email & Collaboration > Policies). For Google Workspace, it’s enabled in the Admin console under Apps > Google Workspace > Gmail > Authenticate email.

For third-party email platforms (Mailchimp, Klaviyo, Salesforce, etc.), each platform has its own DKIM setup process requiring you to add specific DNS records they provide.

Verify DKIM is working by sending a test email to mail-tester.com or using MXToolbox’s DKIM checker.

DMARC: Tell the World What to Do With Failures

Domain-based Message Authentication, Reporting & Conformance (DMARC) builds on SPF and DKIM. It tells receiving servers what to do when an email fails authentication checks, and sends you reports on what’s happening with your domain’s email.

A basic DMARC record:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com.au

The p=none policy means “monitor but don’t block” - useful when first implementing DMARC to understand your email flows without risk. As you gain confidence, you progress to:

  • p=quarantine - send failing emails to spam
  • p=reject - reject failing emails outright

Start with p=none and review the reports for 30 days before moving to quarantine or reject. The reports will show you all the sources sending email on behalf of your domain - some may be legitimate platforms you hadn’t accounted for in your SPF record.

DMARC also specifies the alignment requirement: the domain in the “From” header must match the domain that passed SPF or DKIM. This is what prevents spoofing attacks where someone fakes your email address.

Sender Reputation: The Long-Term Factor

Technical authentication (SPF, DKIM, DMARC) establishes that your email is legitimate. Sender reputation determines whether it’s wanted.

Reputation is built (or damaged) by:

  • Spam complaint rate - if recipients mark your emails as spam, receiving servers take note. Google recommends keeping spam complaints below 0.1%
  • Engagement rate - emails that get opened, replied to, and clicked signal positive engagement; emails that are ignored or deleted unread signal the opposite
  • Sending consistency - sudden spikes in sending volume look suspicious. If you’re starting a new domain, warm it up gradually
  • Bounce rate - sending to invalid addresses damages reputation. Clean your lists regularly
  • Unsubscribe management - make unsubscribing easy and process unsubscribes promptly

Check Whether Your Domain is Blacklisted

If email delivery problems appeared suddenly, check whether your domain or sending IP is on a blacklist. Common tools:

  • MXToolbox Blacklist Check - checks your domain or IP against 100+ blacklists
  • Talos Intelligence - Cisco’s reputation lookup tool
  • Google Postmaster Tools - shows your domain and IP reputation with Google specifically (very useful if your emails aren’t reaching Gmail addresses)

Getting de-listed from a blacklist requires submitting a removal request to each blacklist individually, which is straightforward for reputable lists if the underlying issue has been resolved.

A Quick Deliverability Audit Checklist

  • SPF record exists, includes all sending sources, ends with -all or ~all
  • DKIM is enabled in your email platform (Microsoft 365 or Google Workspace)
  • DKIM is configured for any third-party platforms that send email on your behalf
  • DMARC record exists (start with p=none and a reporting address)
  • DMARC reports are being reviewed regularly
  • Domain is not on major blacklists (checked via MXToolbox)
  • Bounce and spam complaint rates are monitored for bulk sending
  • Mailing lists are clean and unsubscribes are processed

What About Business Email Compromise?

Properly configured SPF, DKIM, and DMARC don’t just improve deliverability - they also protect your domain from being spoofed in phishing attacks targeting your clients and suppliers. Business Email Compromise (BEC) - where attackers send fraudulent emails appearing to come from your domain - is significantly harder when DMARC with a reject policy is in place.

This is both a deliverability fix and a security measure. Two good reasons to prioritise it.

Need help auditing your email configuration? Contact CX IT Services - our team regularly resolves email deliverability issues for Melbourne businesses and implements proper authentication from scratch.
