Email going to spam is one of the most frustrating deliverability problems because the symptoms are invisible — you send the email, it appears to deliver, but the recipient never sees it in their inbox. Here's how to find the cause and fix it.
1. SPF Record Missing or Failing
SPF (Sender Policy Framework) is a DNS record that lists which servers are allowed to send email from your domain. If your sending server isn't in the SPF record — or if you don't have one at all — receiving mail servers treat your email as suspicious.
An SPF record looks like this in DNS:
v=spf1 include:_spf.google.com include:sendgrid.net ~allThe ~all at the end means "soft fail" — emails from unlisted servers are accepted but marked. Using -all is stricter: unlisted servers are rejected outright.
How to check: Look up your domain's TXT records. You should see exactly one record starting with v=spf1. Multiple SPF records cause validation failures — merge them into one.
Common SPF problems:
- No SPF record at all
- More than one SPF record (only one is allowed)
- More than 10 DNS lookups in the SPF chain (the limit)
- Sending through a new service (SendGrid, Mailchimp, HubSpot) without adding it to SPF
- SPF includes the wrong domain or a typo
Fix it: Use the SPF Checker to see your current record and any failures. Use the DNS Record Builder to generate the correct SPF for your email provider.
2. DKIM Not Configured
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing emails. The receiving server verifies this signature against a public key published in your DNS. If the signature is missing or invalid, spam filters raise their suspicion level significantly.
DKIM doesn't prevent email from being delivered, but its absence — especially combined with other issues — is enough to tip a borderline message into spam.
How to check: Send yourself an email and check the raw headers. Look for a DKIM-Signature header and an Authentication-Results header showing dkim=pass.
To enable DKIM: Log into your email provider's admin console (Google Workspace, Microsoft 365, SendGrid, etc.) and find the DKIM setup page. They'll give you a CNAME or TXT record to add to your DNS. After adding it, enable DKIM signing in the admin console.
Fix it: Check your DKIM status for your domain, or paste a received email's headers into the Email Header Analyzer to see the exact DKIM result.
3. DMARC Policy Blocking Mail
DMARC builds on SPF and DKIM to tell receiving servers what to do when authentication fails. If you have a DMARC record with p=quarantine or p=reject, emails that fail SPF or DKIM alignment will be filtered or bounced.
The tricky part: DMARC requires alignment, not just passing. The domain in the From: header must match the domain that passed SPF or DKIM. Sending through a third-party service that uses its own domain for SPF will fail DMARC alignment unless you've configured DKIM on your own domain.
The most common scenario: You set up a p=reject DMARC policy before properly configuring DKIM. Now legitimate emails sent through your ESP fail DMARC and get rejected.
Warning: Never jump straight to p=reject. Start with p=none to monitor, then move to p=quarantine, then p=reject only after confirming all legitimate senders pass.
Fix it: Check your DMARC record with the SPF/DMARC Checker. If you're getting failures, temporarily set p=none while you fix your DKIM and SPF alignment.
4. Sending IP on a Blacklist
If your mail server's IP address appears on a DNS blacklist (DNSBL) like Spamhaus, Barracuda, or SpamCop, major email providers will reject or filter your email before they even look at the content.
This is especially common with:
- New dedicated IPs that inherited a poor reputation
- Shared hosting where a neighboring user spammed
- VPS providers with IP ranges that were previously used for spam
- Self-hosted mail servers on residential or dynamic IPs
- IPs assigned from cloud providers (AWS, Azure, GCP) — many email providers block these by default
A single Spamhaus listing will cause Gmail, Outlook, and Yahoo to reject your mail outright. Most providers re-check blacklists in real time on every inbound connection.
Fix it: Check your sending IP against 30+ blacklists instantly with the IP Blacklist Checker. Each listing shows a direct link to the delist request page.
5. High Spam Score from Content
Even with perfect authentication, spam filters score your email content. Common content triggers include:
- ALL CAPS in the subject line
- Excessive exclamation points
- Words like "FREE", "GUARANTEED", "ACT NOW", "LIMITED TIME"
- Too many images, not enough text (image-heavy emails are a spam signal)
- Mismatched link URLs (display text says one domain, href points to another)
- Shortlinked URLs (bit.ly, tinyurl) hiding the real destination
- HTML with hidden text (white text on white background)
- Large attachments
The X-Spam-Score header in received emails shows SpamAssassin's score for your message. Scores above 5 usually land in spam; above 10 are almost always filtered.
Diagnose it: Paste your received email headers into the Email Header Analyzer to see the exact spam score and which rules fired.
6. Poor Sender Reputation
Gmail, Outlook, and Yahoo track your sending history. Low engagement rates (nobody opens your emails), high spam complaints, and high unsubscribe rates all damage your sender reputation over time.
Google Postmaster Tools (free) shows your domain reputation and spam rate for email delivered to Gmail. If you're above 0.1% spam complaint rate, you're at risk. Above 0.3% and Google will start filtering you heavily.
Reputation issues are harder to fix than technical issues — they require sending wanted email consistently over time. But technical fixes (SPF, DKIM, DMARC) are prerequisites for any reputation improvement.
7. High Bounce Rate
Sending to lots of invalid addresses signals to providers that you're either using purchased lists or have poor list hygiene. Hard bounces (permanent delivery failures) above 2% will get your account flagged by most ESPs, and the IP reputation damage affects all your future sends.
Clean your list regularly. Remove hard bounces immediately. Use double opt-in for new subscribers to ensure valid addresses.
How to Diagnose Your Specific Issue
The fastest way to find the exact cause is to look at the email headers from a message that landed in spam:
Get the raw headers
In Gmail: open the spam email → ⋮ menu → Show original. In Outlook: File → Properties → Internet headers. Copy everything.
Analyze the headers
Paste into NetDig's Email Header Analyzer. Check the authentication summary — SPF, DKIM, DMARC results are shown clearly with pass/fail indicators.
Check your sending IP
Find the originating IP in the headers (look for the first "Received: from" entry). Run it through the Blacklist Checker.
Audit your domain authentication
Run your domain through the Email Deliverability Tester for a complete SPF, DKIM, DMARC, and MX audit with an A–F grade.
Fix and verify
After making DNS changes, allow 30–60 minutes for propagation, then re-test. Use the DNS Propagation Checker to confirm your changes have updated globally.
FAQs
The most effective fixes: (1) Add a valid SPF record, (2) enable DKIM signing through your email provider, (3) set up DMARC starting with p=none, (4) check your sending IP against blacklists, (5) clean your email list regularly.
Different providers use different filters. Gmail, Outlook, and Yahoo each weight authentication, engagement, and content signals differently. Borderline spam scores or partial authentication setups tend to fail some filters and pass others.
Yes. NetDig's Email Deliverability Tester checks your domain's authentication setup. The Email Header Analyzer diagnoses a received email's spam result. Mail-Tester.com also lets you send a test email and get a full spam score breakdown.