Currently taking new orders · average turnaround under 36 hours
ConfiguredMail
Get started
Services
All services Google Workspace Zoho Business Email Self-Hosted Mail Server SPF · DKIM · DMARC
Site
How it works Deliverability Results Pricing About Contact
Sign in Get started
Deliverability 101

Why your email lands in spam — and how to fix it.

A short, plain-English guide to the three records that decide whether your invoice reaches the customer or rots in their junk folder.

What goes wrong

Three quiet failures that kill deliverability.

You bought a domain and started sending — that's it

Without authentication records, Gmail and Outlook treat your domain as untrusted by default. Your mail might land, might land in spam, might bounce — there's no consistency, and the bigger your audience the worse it gets.

Two SPF records on the same domain

SPF is a TXT record listing approved senders. The spec allows only one. The moment you add a second (typical when adding a new sender like Mailchimp or HubSpot), every receiver fails authentication for every send. This is the most common deliverability bug we see.

DMARC stuck at p=none — forever

Most setup guides walk you through adding "p=none" so DMARC reporting starts. Then nobody ever raises it. Until you reach "p=reject", spoofers can impersonate your domain and there's no enforcement when authentication fails.

The three records

SPF, DKIM, DMARC — in plain English.

SPF

Sender Policy Framework

"Here's the list of servers allowed to send mail from my domain. Anything else is forged."

a typical, healthy SPF
$ dig TXT yourdomain.com +short
"v=spf1 include:_spf.google.com include:mailgun.org ~all"
v=spf1 SPF version 1
include:… approved sender (one per service)
~all softfail anyone not listed
DKIM

DomainKeys Identified Mail

"Every email I send is cryptographically signed. Verify it against my public key in DNS."

DKIM public key (TXT)
$ dig TXT google._domainkey.yourdomain.com +short
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAO…IDAQAB"
v=DKIM1 DKIM version 1
k=rsa key algorithm
p=… the public key (base64)
DMARC

Domain-based Message Authentication

"If a message fails SPF or DKIM, here's what to do, and please email me a daily report of what failed."

production-grade DMARC
$ dig TXT _dmarc.yourdomain.com +short
"v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s"
v=DMARC1 DMARC version 1
p=reject reject mail that fails
rua=… send aggregate reports here
adkim=s strict DKIM alignment
aspf=s strict SPF alignment
Our fix

The actual repair, in 4 steps.

  1. 1
    Audit your domain
    We pull your existing DNS, list every legitimate sender, and map them against your SPF, DKIM, and DMARC records. You get a written summary of what's broken or missing.
  2. 2
    Write the records
    Single, valid SPF covering every sender. DKIM key generated and published. DMARC policy raised from p=none to p=reject with reporting routed to a mailbox you control.
  3. 3
    Publish + propagate
    Either we add records via your registrar (encrypted access) or you copy-paste from the runbook we send. Then we wait for global DNS propagation.
  4. 4
    Verify with MXToolbox
    Once propagated, we re-run the audit. You receive a clean MXToolbox report and a test-send confirmation showing spf=pass, dkim=pass, dmarc=pass in the headers.
Get this fixed

Authentication-only setup

If you already have Workspace, Zoho, or another mail provider and just need the deliverability stack repaired, we have a focused engagement for exactly that.

SPF · DKIM · DMARC service Or get an audit first