Business email that actually lands: SPF, DKIM, and DMARC for founders.

You sent the proposal. They never saw it. Somewhere between your "send" and their inbox, a spam filter judged your domain and lost. Here is what it was checking, in plain English, and how to pass.

Email is the only channel where your message gets silently judged before anyone reads it. Big providers ask one question: can this domain prove the message really came from it? Three DNS records answer that question. Most small businesses have none of them, one of them misconfigured, or all three copied from a forum post in 2019.

First, the one-sentence versions

  • SPF is a public list of the servers allowed to send email for your domain.
  • DKIM is a cryptographic signature on each message proving it was not altered and really came from you.
  • DMARC is your published instruction telling receivers what to do when a message fails those checks, and where to send you reports about it.

Think of SPF as the guest list, DKIM as the ID check, and DMARC as the standing order you give the bouncer.

Why this suddenly matters more

Since 2024, Google and Yahoo require bulk senders to have all three configured, and they increasingly junk mail from domains with none. The practical effect for a small firm: a missing DMARC record now costs you inbox placement even if you only send twenty emails a day. The good news is that a correct setup is a one-time job measured in an afternoon.

SPF: the guest list

SPF lives in a single TXT record on your domain. It lists, by reference, every service that legitimately sends as you: your mail provider (Microsoft 365 or Google Workspace), your newsletter tool, your invoicing software if it emails clients.

The mistakes that break it:

  • Two SPF records. The standard allows exactly one. A second one (usually left over from an old host) makes both invalid. This is the single most common small-business email bug.
  • The 10-lookup limit. Each included service costs DNS lookups, and past ten the whole record fails. If you have accumulated years of tools, the record needs pruning, not another include.
  • Ending with a soft fail you never tighten. "~all" is fine while testing; the end state should be a policy you actually mean.

DKIM: the tamper-proof signature

Your mail provider signs every outgoing message with a private key; the matching public key sits in your DNS so any receiver can verify the signature. Without DKIM, you are asking strangers to take your word for it. With it, Gmail can mathematically confirm the message left your account intact.

Setup is provider-specific but always the same shape: turn signing on in the admin console, publish the key records it gives you, and confirm the provider shows "signing active". The classic failure is turning it on for the primary domain and forgetting the alias domain you also send from.

DMARC: the standing order and the feedback loop

DMARC is one more TXT record with two jobs. First, policy: tell receivers to do nothing ("p=none"), quarantine failures to spam ("p=quarantine"), or reject them outright ("p=reject"). Second, reporting: receivers send you daily summaries of who is sending as your domain, including the impostors.

The right rollout for a small firm is a ramp:

  1. Publish with "p=none" and a reporting address. Nothing changes for your mail; you start receiving intelligence.
  2. Read two weeks of reports. Confirm everything legitimate passes SPF or DKIM in an aligned way.
  3. Move to "p=quarantine", then "p=reject". At reject, nobody on earth can convincingly spoof your domain to a major provider, which is also a real phishing defense for your clients.

The mistakes we fix most often

  • Sending business mail from a free Gmail address. Filters treat it accordingly, and clients notice. Your own domain is table stakes.
  • Website contact forms sending "from" the visitor's address. That is spoofing your own visitors and fails every check. Forms should send from your domain (ours does; the reply-to carries the visitor).
  • Old website hosts left in SPF years after the site moved, keeping the door open and the lookup count high.
  • No DMARC report address, so nobody ever learns the setup is broken. Silence is not success; it is the absence of data.
  • MX records forgotten during a hosting move, killing inbound mail for a weekend. Migrations need an email checklist, not just a website checklist.

How to check yourself in five minutes

Send a message from your business address to a Gmail account you control, open it, and choose "Show original". Gmail grades SPF, DKIM, and DMARC right at the top: three passes and you are in good shape. Anything else, you now know exactly which of the three layers to fix.

What we do here at Alpha Momin

Email authentication is part of our IT and admin setup: business email on your own domain, SPF pruned to one valid record, DKIM signing on every sending domain, DMARC ramped to reject with reports monitored, and a migration checklist that keeps inbound mail alive during any host move. Done once, documented in plain English, checked after.

This post is general information. Provider consoles move their buttons around, and multi-domain setups have edge cases; that is what the discovery call is for.

Want your proposals to reach the inbox?

Tell us your domain and your mail provider. We will tell you exactly what is missing within one business day.

Start with IT setup