Email Authentication & Deliverability for Melbourne Businesses

SPF (Sender Policy Framework) is a DNS record that lists the mail servers authorised to send email from your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails that receiving servers can verify. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving servers what to do with emails that fail authentication — and crucially, sends you reports showing who is sending email from your domain. Together, these three records determine whether your emails reach the inbox, whether attackers can impersonate your domain, and whether you have visibility into your email sending environment. For Melbourne businesses, incorrect or missing authentication records are the leading cause of legitimate emails landing in spam.

Emails land in spam for several reasons, and email authentication failures are the most common and fixable. If your SPF record is missing or incorrect — not including your actual mail server or Microsoft 365 — receiving servers treat your email as unauthenticated and may quarantine it. If your DKIM signature is absent or broken, similar penalties apply. If you have no DMARC record, you get no visibility into why deliverability is poor. Other contributing factors include sending from IP addresses on spam blacklists, email content triggering spam filters, and sending to stale lists with high bounce rates. CX IT Services diagnoses the specific cause for your domain and addresses authentication issues first, as they are always present and always fixable.

The DNS changes for SPF, DKIM, and DMARC typically take 24-48 hours to propagate globally and begin affecting delivery. The full process — audit, configuration, testing, and initial DMARC deployment in monitoring mode — takes 2-5 business days. Moving from DMARC monitoring (p=none) to full enforcement (p=reject) is a staged process we typically complete over 4-8 weeks, as we identify and authorise all legitimate sending sources from your DMARC reports before turning on enforcement. Rushing to enforcement without proper preparation can cause legitimate emails to be rejected.

DMARC enforcement (p=quarantine or p=reject) instructs receiving servers to block or quarantine emails from your domain that fail authentication. If you enforce before all your legitimate sending sources are correctly authenticated, legitimate emails — from your CRM, marketing platform, accounting software, or other business tools — will fail and be blocked. This is why we always start DMARC in monitoring mode (p=none), collect 4-6 weeks of reports to identify every legitimate sending source, configure DKIM and authorise each source in SPF, and only then move to enforcement. Done correctly, enforcement has no impact on legitimate email delivery.

Yes — Google and Yahoo announced in February 2024 that senders sending more than 5,000 emails per day to Gmail or Yahoo addresses must have SPF and DKIM authentication, a DMARC record at minimum p=none, easy unsubscribe mechanisms in bulk email, and spam rate below 0.3%. Microsoft has signalled similar requirements. For Melbourne businesses sending newsletters, automated notifications, or transactional emails, these are now compliance requirements — not optional best practices. CX IT Services implements all required authentication records and advises on list hygiene and unsubscribe mechanisms to meet the new standards.

Email authentication setup — SPF audit and fix, DKIM configuration, and DMARC implementation in monitoring mode — is typically a fixed-scope engagement priced between $800–$1,800 AUD for a Melbourne SMB, depending on the number of sending sources in your environment (Microsoft 365 alone is simpler; multiple CRMs, marketing platforms, and third-party senders add complexity). Ongoing DMARC monitoring and report management is included in our Domain & DNS Management service. Moving from DMARC monitoring to full enforcement (p=reject) is included in the initial engagement scope. For most Melbourne businesses, the cost is recovered within the first month through improved email deliverability and the reduced business risk of domain impersonation.

Business email compromise (BEC) fraud targeting Melbourne businesses frequently involves spoofed emails that appear to come from a trusted domain — your supplier asking you to update bank account details, or your CEO directing an urgent funds transfer. Without DMARC enforcement, anyone can send an email with your domain in the From address and it will be delivered to the recipient's inbox. DMARC with p=reject policy instructs receiving mail servers to discard any email that fails authentication and claims to be from your domain — meaning spoofed emails impersonating your business are blocked before they reach your clients, suppliers, or staff. This is one of the most cost-effective fraud prevention controls available to Melbourne businesses.

When a new sending platform — CRM, marketing tool, e-signature service, support platform — is added to your environment, it begins sending emails from your domain without being included in your SPF record or having DKIM signing configured. Receiving mail servers see email claiming to be from your domain but failing authentication checks, and treat it as suspicious. The fix is straightforward: add the new platform's sending infrastructure to your SPF record and, if the platform supports it, configure DKIM signing. CX IT Services identifies the new sending source from your DMARC reports and implements the required authentication changes — typically resolving the deliverability issue within 24–48 hours of the DNS changes propagating.

Email authentication for Microsoft 365 requires specific configuration steps that are not completed automatically when Microsoft 365 is set up. SPF requires adding Microsoft's sending infrastructure (include:spf.protection.outlook.com) to your SPF record — usually present, but often incomplete when additional Microsoft services are in use. DKIM requires enabling custom domain DKIM signing in the Microsoft 365 Defender portal and publishing two CNAME records in DNS — a step frequently missed during Microsoft 365 setup. DMARC is a separate DNS record that references your SPF and DKIM configuration. CX IT Services audits your Microsoft 365 authentication configuration specifically and ensures all three records are correctly implemented and aligned for your custom domain.

Yes — and for Melbourne law firms and medical practices, correct email authentication is particularly important. These businesses send sensitive client and patient communications by email daily, and domain impersonation creates serious professional and legal exposure. A spoofed email appearing to come from a Melbourne law firm asking a client to wire settlement funds, or from a medical practice asking a patient to provide personal health information, is a realistic and documented fraud scenario. DMARC enforcement is the primary technical control that prevents this impersonation. CX IT Services has implemented email authentication for Melbourne professional services firms and understands the specific sending environments common to legal practice management software and medical practice systems.