Free consultation
Deliverability

Why emails go to spam: SPF, DKIM, and DMARC in plain English

Lukas Vincevičius, Founder of MailyScaly · Updated 2026-06-03 · ~9 min read

You can write the best email in the world — if it lands in spam, its value is exactly zero. Deliverability is the invisible foundation of email marketing: while it works, nobody thinks about it, and when it breaks, every campaign and every automation crashes at once. In this guide: how spam filters really work, and what those three cryptic acronyms Gmail demands actually mean.

How spam filters really work

The popular myth: "my email went to spam because I wrote FREE in all caps". The reality: modern filters (Gmail, Outlook, Yahoo) make their decision mostly based on the sender, not the content. In simplified order of importance:

  1. Authentication — is it technically proven that the email really comes from your domain (SPF, DKIM, DMARC)? Without this, these days you don't even get off the starting line.
  2. Sender reputation — your domain's and sending IP's "credit history": how many complaints, how many nonexistent addresses, whether volumes are stable.
  3. Recipient behavior — do people open, read, and reply to your emails? Or delete them unread and mark them as spam? Gmail sees this and learns.
  4. Content — yes, it gets evaluated too, but it usually becomes decisive only once the first three points are already limping.

That's why avoiding "spam words" while your domain reputation is poor is tilting at windmills — you need to fix the foundations.

SPF, DKIM, DMARC — three gatekeepers, in plain English

SPF — the guest list

What it does: publicly declares, in your domain's DNS record, which servers are allowed to send email on your behalf. The receiving server checks: "this email came from server X — is X on mailyscaly.com's guest list?" If not — suspicion.

What it looks like (a DNS TXT record):

v=spf1 include:_spf.google.com include:spf.omnisend.com ~all

Translation: "Google (your work email) and Omnisend (your marketing platform) may send on our behalf; don't trust anyone else". Every platform that sends on your behalf must be added here via include:.

DKIM — the signature and seal

What it does: signs every email with a cryptographic signature, which the recipient verifies against the public key published in your domain's DNS. This proves two things: the email is genuinely yours, and nobody altered it in transit. The analogy — a notary's seal on a document.

How to set it up: in your email platform (Omnisend: Store settings → Sender domains) you add your domain, the platform gives you a few DNS records (usually CNAME), you add them at your domain registrar — and the platform starts signing emails with your domain instead of a generic "via omnisend.com". This is the single most important setting in all of deliverability.

DMARC — the rules and the reports

What it does: tells receiving servers what to do with emails that impersonate your domain but fail the SPF/DKIM checks — and sends you reports about everyone attempting to send in your name.

v=DMARC1; p=none; rua=mailto:dmarc@mailyscaly.com
PolicyMeansWhen to use
p=noneDo nothing, just send reportsThe start — you monitor for a few weeks
p=quarantinePut failures in spamOnce reports show all legitimate senders pass
p=rejectReject failures outrightThe end goal — full protection against spoofing

The most common mistake: switching straight to p=reject without checking the reports. If your accounting system or store platform sends on your behalf but wasn't added to SPF/DKIM, its emails (invoices! order confirmations!) will start disappearing. Always start with p=none and tighten gradually.

Gmail and Yahoo requirements: no longer a recommendation

Since February 2024, Gmail and Yahoo have enforced mandatory requirements for bulk senders (5,000+ emails per day to Gmail; Outlook later introduced similar rules), and for smaller senders they have become the de facto standard:

The practical consequence: unauthenticated sending in 2026 no longer means "somewhat worse deliverability" — it means emails that simply never reach Gmail users. And for most consumer audiences, Gmail dominates.

Check yourself in 5 minutes

  1. mail-tester.com — send your campaign email to the address it gives you and get a score with specific issues flagged (SPF? DKIM? blacklists?). Free, no registration.
  2. Gmail "Show original" — open your own email in Gmail → three dots → "Show original". At the top you should see SPF: PASS, DKIM: PASS, DMARC: PASS. Even one FAIL — you've found your problem.
  3. MXToolbox (mxtoolbox.com) — checks your domain's SPF/DMARC records and whether your IP is on any blacklists.
  4. Google Postmaster Tools — shows how Gmail rates your domain's reputation and your complaint rate. A must-have for anyone who sends regularly.

Authentication is fixed, but emails still land in spam?

Then the problem is reputation and behavior. The most common causes, based on our client work:

Why we write about this: deliverability care (DKIM/SPF/DMARC, domain reputation, list hygiene) is a standard part of our monthly retainer — because all 7 flows and every campaign are worthless if the emails never reach the inbox. These are the foundations we check first in every audit.

Frequently asked questions

Why do my emails land in spam even though the content is good?

Because modern filters judge the sender first, not the content: whether the domain is authenticated (SPF, DKIM, DMARC), what its reputation is, and how recipients react to your emails — do they open them, ignore them, or mark them as spam. A brilliant email from an unauthenticated domain with a poor reputation will land in spam, while an average email from a trusted sender will reach the inbox.

Do "spam words" (FREE, SALE) really hurt?

Far less than the popular myths claim. Modern filters rely on sender reputation and recipient behavior, not keyword lists — e-commerce stores successfully send emails with the words "sale" and "discount" every day. The only case where content genuinely hurts is when a poor reputation already exists and the email also looks like classic spam (all caps, lots of exclamation marks, links to suspicious domains).

What are DMARC p=none, p=quarantine, and p=reject?

It's an instruction to the receiving server on what to do with an email that fails your SPF/DKIM checks: p=none — do nothing, just send reports (the starting mode), p=quarantine — put it in spam, p=reject — reject it outright. The right sequence: start with p=none, watch the reports for a few weeks to confirm all your legitimate senders (store, email platform, accounting) pass the checks, and only then tighten the policy.

How long does it take to repair a damaged sender reputation?

Realistically — from a few weeks to 2–3 months of consistent work: authentication fixed, list cleaned, sending only to your most engaged recipients (so open rates climb), and volumes increased gradually. There is no shortcut — reputation is earned through behavior, not settings. In severe cases it's cheaper to start sending from a new subdomain and warm it up from scratch.

Not sure your emails are reaching the inbox?

In a free consultation we'll check your domain's authentication and reputation — fixing deliverability alone often lifts email revenue by a double-digit percentage.

Book a free consultation