You send a quote to a potential customer. It goes into their spam folder. They don’t see it. You follow up a week later wondering why you haven’t heard back. They’re baffled — they thought you weren’t interested.

This scenario is increasingly common. In 2024, both Google and Microsoft significantly tightened the email authentication requirements for senders, meaning businesses without properly configured email authentication are increasingly likely to have their emails filtered or rejected entirely.

The good news: this is a solvable technical problem. The bad news: most small businesses don’t know it’s happening to them.

Why Email Deliverability Has Changed

Email spam and phishing are enormous problems. To address them, the major email providers (Google, Microsoft, and others) have progressively raised the bar for what they’ll accept from sending domains.

In early 2024, Google announced that senders of bulk email to Gmail addresses must have proper SPF, DKIM, and DMARC authentication in place. Microsoft followed with similar requirements for Outlook. The practical effect: email from domains without proper authentication is increasingly treated as suspicious, filtered, or rejected.

This affects small businesses directly — not because they’re bulk senders, but because their domains may have these records missing or misconfigured, and the records are now expected of all legitimate senders.

What SPF, DKIM, and DMARC Actually Are

These are DNS records that tell receiving mail servers how to handle email claiming to come from your domain.

SPF (Sender Policy Framework). An SPF record lists the mail servers that are authorised to send email on behalf of your domain. If an email claiming to come from your domain originates from a server not on the list, receiving mail servers know it’s suspicious. Many small businesses have an SPF record — but it may be missing services they actually use (their CRM, their email marketing tool, their billing software) or may be configured incorrectly.

DKIM (DomainKeys Identified Mail). DKIM adds a cryptographic signature to your outgoing emails. The receiving mail server can check this signature against a public key in your DNS records to verify the email hasn’t been tampered with and actually came from your domain. This requires configuration at both your email provider and your DNS.

DMARC (Domain-based Message Authentication, Reporting and Conformance). DMARC ties SPF and DKIM together and tells receiving mail servers what to do with a message that fails these checks: nothing, quarantine it, or reject it. Crucially, DMARC also provides reporting — you receive reports showing what is sending email from your domain, which helps identify misconfigurations and potential abuse.

The Deliverability and Security Connection

These records serve a dual purpose: they improve deliverability for legitimate email, and they prevent attackers from spoofing your domain in phishing campaigns.

Without DMARC (or with DMARC set to p=none, which means “report but take no action”), an attacker can send an email that appears to come from an address at your domain to your customers, and nothing stops it being delivered. With DMARC set to p=quarantine or p=reject, those spoofed emails are filtered or rejected.
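To make the policy behaviour concrete, here is an added example (not code from the original article) of how a receiving mail server turns its SPF and DKIM results into a DMARC verdict. The point it shows that the prose above leaves implicit: DMARC passes when at least one of SPF or DKIM passes for a domain that matches the visible From address, and the p= policy only applies when neither does. All domain names, selectors and results below are constructed for illustration, and the organisational-domain logic is simplified (real receivers use the Public Suffix List).

```python
"""Added example, not from the original article: how a receiving mail server
turns SPF and DKIM results into a DMARC verdict. All domains and results
below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class AuthResults:
    """What the receiver has established before it consults DMARC."""
    from_domain: str    # domain in the visible From: header (what DMARC protects)
    spf_result: str     # "pass" / "fail" / "none"
    spf_domain: str     # domain SPF was evaluated against (the envelope sender)
    dkim_result: str    # "pass" / "fail" / "none"
    dkim_domain: str    # d= tag of the DKIM signature, "" if unsigned


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Simplified: the last two labels. Real receivers consult the Public
    Suffix List so that 'shop.example.co.uk' maps to 'example.co.uk'."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment compares organisational domains; strict ('s')
    requires an exact match with the From domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(record, results):
    """Return 'pass' if an aligned SPF or DKIM pass exists, otherwise the
    policy the domain owner published: 'none', 'quarantine' or 'reject'.
    With no usable record the receiver has no DMARC policy to apply."""
    tags = parse_dmarc(record or "")
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return "none"
    spf_ok = results.spf_result == "pass" and aligned(
        results.spf_domain, results.from_domain, tags.get("aspf", "r"))
    dkim_ok = results.dkim_result == "pass" and aligned(
        results.dkim_domain, results.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


# Constructed records and scenarios (example.com and crm.example are placeholders).
REJECT_POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

# Spoofed: sent from a server not in SPF, no DKIM signature.
SPOOFED = AuthResults("example.com", "fail", "example.com", "none", "")
# Sent directly by the domain's own mail provider.
LEGIT_DIRECT = AuthResults("example.com", "pass", "example.com", "pass", "example.com")
# Third-party CRM: SPF passes for the CRM's own bounce domain (not aligned),
# but the message is DKIM-signed for example.com, so DMARC still passes.
LEGIT_VIA_CRM = AuthResults("example.com", "pass", "bounce.crm.example", "pass", "example.com")
# Same CRM before DKIM was configured: nothing aligned, so the policy applies.
CRM_WITHOUT_DKIM = AuthResults("example.com", "pass", "bounce.crm.example", "none", "")

if __name__ == "__main__":
    for label, scenario in [("spoofed", SPOOFED), ("direct", LEGIT_DIRECT),
                            ("via CRM with DKIM", LEGIT_VIA_CRM),
                            ("via CRM without DKIM", CRM_WITHOUT_DKIM)]:
        print(f"{label:22} p=reject -> {dmarc_disposition(REJECT_POLICY, scenario):10}"
              f" p=none -> {dmarc_disposition(MONITOR_ONLY, scenario)}")
```

The CRM scenarios are the ones that bite small businesses when they move to p=reject: a service that sends on your behalf but only passes SPF for its own bounce domain will have legitimate mail rejected unless DKIM signing with your domain is also set up, which is exactly what the aggregate reports are there to reveal beforehand.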

This matters more than it might seem. Business Email Compromise attacks — where attackers impersonate company email addresses to redirect payments or extract information — are among the most financially damaging cyber attacks targeting SMBs. Proper DMARC configuration closes off direct spoofing of your own domain, a significant attack vector.

What a Correct Configuration Looks Like

A correctly configured email domain has:

  1. An SPF record that lists all legitimate sending sources (your email provider, plus any other services that send email in your name)
  2. DKIM configured with your email provider (Microsoft 365, Google Workspace, and most email providers support this — it just needs to be enabled and the DNS records added)
  3. A DMARC record that at minimum collects reports (p=none), and ideally enforces policy (p=quarantine or p=reject)
  4. A DMARC aggregate report receiver — somewhere the reports go so you can review them

How to Check Your Current Status

Several free tools allow you to check your domain’s email authentication:

  • MXToolbox (mxtoolbox.com) — checks SPF, DKIM, and DMARC records
  • Google’s Email Sender Guidelines — check whether you meet their requirements
  • DMARC Analyser — provides a detailed breakdown of your DMARC configuration

If your domain has no DMARC record, or your SPF record is misconfigured, or DKIM isn’t set up with your email provider, those are immediate action items.
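As an added example (not W3IT’s tooling and not code from the original article), the script below applies the four-point checklist from the previous section to a domain’s records and reports the same immediate action items this section describes: a missing or permissive SPF record, an SPF chain that exceeds the ten-lookup limit, a DKIM selector with no published key, and a DMARC record that is absent, still at p=none, or has no reporting address. To run offline it replaces DNS with a constructed dictionary (all names under .example are placeholders); in real use you would replace lookup_txt with actual TXT queries.

```python
"""Added example, not from the original article: lint a domain's SPF, DKIM and
DMARC records against the checklist above. DNS is replaced by a constructed
dictionary so the script runs offline (assumption: swap in real TXT lookups)."""

# Constructed zone data standing in for real DNS TXT answers.
FAKE_DNS = {
    # A domain with common gaps: one sending service not in SPF, DMARC at p=none.
    "example.com": ["v=spf1 include:_spf.mailprovider.example include:_spf.crm.example ~all"],
    "_spf.mailprovider.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_spf.crm.example": ["v=spf1 ip4:198.51.100.10 include:_spf.crm-relay.example -all"],
    "_spf.crm-relay.example": ["v=spf1 mx -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTED_PUBLIC_KEY"],
    # A domain that meets all four points.
    "good.example": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=CONSTRUCTED_PUBLIC_KEY"],
}


def lookup_txt(name, dns=FAKE_DNS):
    """Stand-in for a DNS TXT query (a real tool would call the resolver here)."""
    return dns.get(name.lower().rstrip("."), [])


def spf_records(domain, dns=FAKE_DNS):
    return [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]


def count_spf_lookups(domain, dns=FAKE_DNS, seen=None):
    """Count the DNS-querying terms (include, a, mx, ptr, exists, redirect),
    following include chains the way a receiver does. RFC 7208 caps this at 10."""
    if seen is None:
        seen = set()
    domain = domain.lower()
    if domain in seen:          # guard against include loops
        return 0
    seen.add(domain)
    recs = spf_records(domain, dns)
    if len(recs) != 1:
        return 0
    count = 0
    for term in recs[0].split()[1:]:
        t = term.lstrip("+-~?").lower()
        if t.startswith("include:"):
            count += 1 + count_spf_lookups(t[len("include:"):], dns, seen)
        elif t.startswith("redirect="):
            count += 1 + count_spf_lookups(t[len("redirect="):], dns, seen)
        elif t.split(":")[0].split("/")[0] in ("a", "mx", "ptr", "exists"):
            count += 1
    return count


def parse_dmarc(txt):
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_domain(domain, dkim_selectors, expected_senders, dns=FAKE_DNS):
    """Return a list of findings; an empty list means all four checklist points hold."""
    findings = []

    # 1. SPF lists every legitimate sending source and ends with a restrictive "all".
    recs = spf_records(domain, dns)
    if not recs:
        findings.append("SPF: no v=spf1 TXT record")
    elif len(recs) > 1:
        findings.append("SPF: more than one v=spf1 record (receivers treat this as a permanent error)")
    else:
        terms = [t.lower() for t in recs[0].split()]
        for sender in expected_senders:
            if f"include:{sender.lower()}" not in terms:
                findings.append(f"SPF: missing include:{sender}")
        if terms[-1] in ("all", "+all"):
            findings.append("SPF: ends with +all, which authorises any server on the internet")
        elif terms[-1] not in ("~all", "-all"):
            findings.append("SPF: should end with ~all or -all")
        lookups = count_spf_lookups(domain, dns)
        if lookups > 10:
            findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")

    # 2. DKIM public key published for each selector the mail provider signs with.
    for selector in dkim_selectors:
        if not any("p=" in r for r in lookup_txt(f"{selector}._domainkey.{domain}", dns)):
            findings.append(f"DKIM: no public key published at {selector}._domainkey.{domain}")

    # 3 and 4. DMARC record with an enforcing policy and an aggregate report address.
    recs = [r for r in lookup_txt(f"_dmarc.{domain}", dns) if r.upper().startswith("V=DMARC1")]
    if not recs:
        findings.append(f"DMARC: no record at _dmarc.{domain}")
    else:
        tags = parse_dmarc(recs[0])
        policy = tags.get("p")
        if policy == "none":
            findings.append("DMARC: p=none reports but does not block spoofing; move to quarantine or reject once reports look clean")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: missing or invalid p= tag")
        if not tags.get("rua", "").startswith("mailto:"):
            findings.append("DMARC: no rua= mailto address, so aggregate reports have nowhere to go")
    return findings


if __name__ == "__main__":
    senders = ["_spf.mailprovider.example", "_spf.crm.example", "_spf.billing.example"]
    for finding in lint_domain("example.com", ["selector1"], senders):
        print(finding)
```

The expected_senders list is the part that needs local knowledge: it should name every service that sends in your name (mail provider, CRM, marketing tool, billing software), which is exactly the inventory that DMARC aggregate reports help you build before tightening the policy.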

W3IT includes email authentication assessment in every security and infrastructure review. It’s an area where a relatively small amount of configuration work has meaningful impact on both security and the reliability of your day-to-day business communications.

If your business emails are ending up in spam, or you want to ensure your domain can’t be spoofed in attacks on your customers, this is where to start.

Book a free security check →