SPF, DKIM, and DMARC: Why Your Email Lands in Spam
Three settings that tell the world your email is really from you.
The problem they solve
Email was built in a more trusting time. Out of the box, anyone can put your address in the "from" line of a message they send. Scammers do exactly that.
So mail providers like Gmail and Outlook got suspicious. They now look for proof that an email really came from who it claims. SPF, DKIM, and DMARC are that proof. Get them right and your email arrives. Get them wrong and it can land in spam - or let someone impersonate you.
You don't need to understand the technical details. You just need to know what each one does.
SPF: who's allowed to send
SPF is a list, published for your domain, of the servers allowed to send email as you. When a message arrives, the receiver checks: "Did this come from a server on the approved list?"
Think of it as a guest list at the door.
DKIM: a tamper-proof seal
DKIM adds an invisible digital signature to each message you send. The receiver checks the signature to confirm two things: the email really came from your domain, and nobody changed it along the way.
Think of it as a wax seal on an envelope.
DMARC: what to do with fakes
DMARC ties the first two together. It's your instruction to receivers: "If a message claiming to be from me fails these checks, here's what to do with it" - ignore the failure, send it to spam, or reject it outright.
DMARC can also send you reports showing who is sending email using your name. That's how you find out if someone is impersonating your business.
Why you should care
Without these set up, two things can happen. Your own legitimate email is more likely to get filtered into spam, where customers never see it. And scammers have an easier time sending fake invoices or messages that look like they came from you.
Both are bad for a small business that runs on trust.
You probably won't set these up yourself
These live in technical settings for your domain, and your email provider or web person usually handles them. Some providers turn them on automatically; many don't.
The useful thing you can do is ask the question: "Are SPF, DKIM, and DMARC set up for my domain?" If the answer is a blank stare, that's worth following up on.
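One way your email provider or web person could answer that question, shown as an added example that is not part of the original article: the functions below take TXT records that have already been looked up in DNS and say in plain words what each setting currently does. The function names, the example.com records, and the idea of passing the records in as lists are assumptions made for illustration.

```python
# Records below are constructed for the placeholder domain example.com.
DMARC_ACTIONS = {"none": "ignore the failure (reports only)",
                 "quarantine": "send it to spam", "reject": "reject it outright"}
SPF_ALL = {"-": "only listed servers may send; others fail",
           "~": "unlisted servers are marked suspicious (softfail)",
           "?": "no statement about unlisted servers (neutral)",
           "+": "ANY server passes; the list protects nothing"}

def tags(record):
    """Split a 'k=v; k=v' record (DMARC, DKIM) into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(txt):
    """txt: TXT strings published at the domain itself."""
    spf = [r for r in txt if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return "missing" if not spf else "invalid: more than one SPF record"
    for term in spf[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return SPF_ALL[term[0] if term[0] in "+-~?" else "+"]
    return "no 'all' rule (neutral unless a redirect= applies)"

def check_dmarc(txt):
    """txt: TXT strings published at _dmarc.<domain>."""
    recs = [r for r in txt if r.startswith("v=DMARC1")]
    if len(recs) != 1:
        return "missing" if not recs else "invalid: more than one DMARC record"
    policy = tags(recs[0]).get("p", "").lower()
    return DMARC_ACTIONS.get(policy, "invalid: no usable p= policy")

def check_dkim(txt):
    """txt: TXT strings published at <selector>._domainkey.<domain>."""
    for r in txt:
        t = tags(r)
        if t.get("v", "DKIM1") == "DKIM1" and "p" in t:
            return "key published" if t["p"] else "key revoked (empty p=)"
    return "missing"

def report(records):
    return {"SPF": check_spf(records["spf"]), "DMARC": check_dmarc(records["dmarc"]),
            "DKIM": check_dkim(records["dkim"])}

SAMPLE = {"spf": ["v=spf1 include:_spf.example.net ~all", "site-verify=abc123"],
          "dmarc": ["v=DMARC1; p=none; rua=mailto:reports@example.com"],
          "dkim": []}  # nothing found at the (hypothetical) selector

if __name__ == "__main__":
    print(report(SAMPLE))
```

For the constructed sample, the report shows a domain that has an SPF list and collects DMARC reports, but still tells receivers to ignore failures and has no DKIM key at the selector that was checked.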
The bottom line
SPF, DKIM, and DMARC are three settings that prove your email is really from you. They keep your messages out of spam and make it harder for anyone to impersonate your business.
You don't have to configure them yourself. You just have to make sure someone has.