If your emails are landing in spam folders, your business is suffering. Learn how to fix your email deliverability with proper authentication.
Your emails not arriving is a business problem with a technical solution. When clients tell you they never received your quote, when a critical proposal goes unanswered because it was filtered to junk, or when your marketing campaign generates zero responses — email deliverability is frequently the culprit.
The good news is that the most common deliverability failures are fixable with proper email authentication configuration.
Why Emails Land in Spam
Email providers — Microsoft, Google, and others — use a combination of signals to decide whether an incoming email is legitimate or spam. The primary technical signals are:
- SPF (Sender Policy Framework): Does this email come from a server authorised to send for this domain?
- DKIM (DomainKeys Identified Mail): Has this email been cryptographically signed by the sending domain?
- DMARC (Domain-based Message Authentication, Reporting & Conformance): Does the email pass SPF or DKIM, and what should happen if it does not?
If your domain is missing or misconfigured for any of these, your emails are at significantly higher risk of being filtered to spam — or rejected entirely.
Beyond authentication, other factors that affect deliverability include sender reputation, email volume patterns, recipient engagement rates, and the content of the email itself. But authentication is the foundation — without it, nothing else matters.
SPF: Authorising Your Sending Servers
An SPF record is a DNS TXT record that lists all the mail servers authorised to send email from your domain. When a receiving server gets an email claiming to be from yourcompany.com.au, it checks your DNS for an SPF record and verifies the sending server is on the list.
A correct SPF record for a Microsoft 365 environment looks like:
v=spf1 include:spf.protection.outlook.com -all
The -all at the end tells receiving servers to reject (hard fail) any email from servers not listed in the record.
Common SPF problems:
- No SPF record at all
- Multiple conflicting SPF records (you can only have one)
- The record lists ~all (softfail) instead of -all (hard fail) — softfail is less protective
- Third-party sending services (marketing platforms, invoicing software, CRM) not included in the SPF record
If you send email from any third-party service (Mailchimp, Xero, HubSpot, etc.), that service’s sending infrastructure must be included in your SPF record.
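The common SPF problems listed above can be checked mechanically. The following is an added example, not code from this article's author: it takes the TXT strings returned by a DNS lookup for your domain and reports which problems apply. The third-party include name `spf.mailer.example` is a hypothetical placeholder.

```python
# Added example: checks the TXT strings published at a domain for the SPF
# problems listed above. No DNS is queried; pass in the output of a TXT lookup.

def lint_spf(txt_records, required_includes=()):
    """Return a list of problems; an empty list means none of them apply."""
    records = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records published; only one is allowed"]

    terms = spf[0].lower().split()[1:]
    problems = []

    # The 'all' mechanism decides what happens to servers not on the list.
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        problems.append("no 'all' mechanism, so unlisted servers are not failed")
    elif all_terms[0].startswith("~"):
        problems.append("~all (softfail) used instead of -all (hard fail)")
    elif not all_terms[0].startswith("-"):
        problems.append("'all' does not fail unlisted servers")

    # Every third-party sender needs its include: in the single record.
    includes = {t.split(":", 1)[1] for t in terms
                if t.lstrip("+-~?").startswith("include:")}
    for domain in required_includes:
        if domain.lower() not in includes:
            problems.append(f"missing include:{domain}")
    return problems


# Constructed sample: softfail, and a hypothetical third-party sender
# (spf.mailer.example) that is not covered by the record.
SAMPLE = ['"v=spf1 include:spf.protection.outlook.com ~all"']

if __name__ == "__main__":
    for problem in lint_spf(SAMPLE, ["spf.mailer.example"]):
        print(problem)
```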
DKIM: Signing Your Emails
DKIM adds a cryptographic signature to every outbound email. The signature is generated using a private key held by your mail server, and verified by receiving servers using a public key published in your DNS.
This proves the email genuinely originated from your domain and has not been tampered with in transit.
For Microsoft 365: DKIM signing is enabled in the Microsoft 365 Defender portal under Email & Collaboration → Policies & Rules → Threat policies → Email authentication settings. It requires publishing two CNAME records in your DNS.
DKIM is not enabled by default in Microsoft 365 — it must be explicitly configured. Many organisations running Microsoft 365 have never turned it on.
DMARC: Enforcement and Reporting
DMARC builds on SPF and DKIM by telling receiving mail servers what to do with emails that fail authentication checks. It also provides a reporting mechanism — sending you aggregate reports of all emails sent from your domain, which is invaluable for identifying unauthorised senders and configuration problems.
DMARC policies:
- p=none — Monitor only; no action taken on failing emails. Good starting point for visibility.
- p=quarantine — Failing emails go to the spam folder. Standard enforcement level.
- p=reject — Failing emails are rejected entirely. Maximum protection.
A DMARC record (DNS TXT at _dmarc.yourdomain.com.au):
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com.au
The rua tag specifies where aggregate reports are sent. These reports are XML files — use a DMARC report processing service (dmarcian, EasyDMARC, or Valimail) to make them readable.
The recommended sequence:
- Start with p=none and monitor reports for 2-4 weeks
- Identify all legitimate sending sources appearing in the reports
- Ensure all legitimate senders are covered by SPF and signed with DKIM
- Move to p=quarantine, then p=reject
Moving directly to p=reject without completing steps 1-3 will break legitimate email flows.
Checking Your Current Status
Several free tools check your email authentication configuration:
- MXToolbox (mxtoolbox.com): Check SPF, DKIM, DMARC, and blacklist status
- mail-tester.com: Send a test email and receive a score with specific issues identified
- Google Admin Toolbox: Check MX, SPF, and DKIM for your domain
Other Deliverability Factors
Beyond authentication, these factors affect whether emails reach the inbox:
Sender reputation: If your domain or sending IP has been used for spam (even unknowingly — via a compromised account), your reputation score drops. Monitor blacklists via MXToolbox.
Engagement: Email providers track whether recipients open, reply to, and engage with your emails. Consistently low engagement signals your emails may be unwanted. Clean your mailing lists of inactive addresses.
Email content: Emails that trigger spam filters often contain: excessive capitalisation, spam-trigger words, heavy image-to-text ratios, or suspicious links. HTML marketing emails should have a plain-text equivalent.
Sending volume and pattern: Suddenly sending large volumes of email from a domain with no history triggers spam filters. Warm up new sending domains gradually.
Getting Deliverability Right
Email authentication configuration is a technical task that requires DNS access and knowledge of your mail infrastructure. CX IT Services configures SPF, DKIM, and DMARC for Melbourne businesses as part of our Microsoft 365 setup and managed service. Contact us if your emails are landing in spam or you have not verified your authentication configuration.