DEV Community

Cover image for Why your emails go to spam (and how to check SPF, DKIM and DMARC in 60 seconds)
InboxGreen
InboxGreen

Posted on

Why your emails go to spam (and how to check SPF, DKIM and DMARC in 60 seconds)

#email #webdev #devops #tutorial

Every developer has been there. You send a transactional email, a password reset, an invoice and it lands in spam. Or worse, it disappears completely.

The reason is almost always one of three DNS records: SPF, DKIM, or DMARC. Here is what each one does and how to check them instantly.

SPF (Sender Policy Framework)

SPF tells receiving mail servers which IP addresses are allowed to send email for your domain. If your email goes out through SendGrid, Mailgun, or Google Workspace but your SPF record does not include them, the receiving server has no way to verify the email is legitimate.

A basic SPF record looks like this:

v=spf1 include:sendgrid.net include:_spf.google.com ~all

The ~all at the end means "soft fail" emails from unlisted sources are accepted but flagged. Use -all for a strict policy.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every email you send. The receiving server looks up your public key in DNS and verifies the signature matches. If it does, the email is confirmed as untampered.

Without DKIM, Outlook in particular will silently move your emails to junk , even if SPF passes.

DMARC (Domain-based Message Authentication)

DMARC ties SPF and DKIM together and tells receiving servers what to do when emails fail both checks. It also sends you reports so you can see who is sending email from your domain.

A basic DMARC record:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Start with p=none to collect data, then move to p=quarantine and eventually p=reject once you are confident all your legitimate senders are covered.

How to check all three in 60 seconds

You can look up each record manually with dig or nslookup, but the fastest way is to use a free checker that tests all three at once and explains what each result means.

I built InboxGreen (https://inboxgreen.email) specifically for this. Paste your domain, hit check, and you get a plain-English breakdown of every pass, fail, and warning no account needed.

It also checks major blacklists, analyzes email headers, and has 28 free DNS tools including a DMARC analyzer, SPF generator, DKIM generator, and more.

The order of operations

If you are starting from scratch:

  1. Set up SPF first, add your sending providers
  2. Enable DKIM in your email provider dashboard, they generate the keys
  3. Add DMARC with p=none to start collecting reports
  4. Check your results and fix any failures
  5. Move DMARC to p=quarantine after 2-3 weeks of clean reports

Most deliverability problems are fixed at step 1 or 2. DMARC is the layer that protects your domain long term.

One more thing

Check your domain now even if you think everything is fine. It is common to have a working SPF record that was set up years ago but no longer includes a sending service you added later. Silent failures are the worst kind.

Top comments (0)