Turbo Digital
Insights
Email deliverability • DNS • Security

Why Your Business Emails Go to Spam (SPF, DKIM, DMARC Explained for UK SMEs)

By Mike Burns • Technical Director Turbo Digital Updated: 2025-11-06 Reading time: ~6–8 mins

What’s really happening

If customers tell you they didn’t receive your email, or it’s landing in junk, the cause is usually authentication or reputation rather than your message wording. Modern mail systems rely on SPF, DKIM and DMARC to verify that your email is legitimate and hasn’t been tampered with. When any of these are missing or misconfigured, your mail is treated as higher risk.

Quick definition: your domain must prove two things:
  • Authorisation — “Is this server allowed to send for this domain?” (SPF)
  • Integrity — “Was this message altered in transit?” (DKIM)
  • Policy — “What should I do if checks fail?” (DMARC)

What actually triggers spam filtering

  • Missing/incorrect SPF (sender not authorised).
  • DKIM failing due to DNS issues, wrong selector, or signing not enabled.
  • No DMARC policy, or DMARC misalignment between header and envelope domains.
  • Shared IP reputation issues (common on low-cost hosts).
  • Reverse DNS / HELO mismatch on self-hosted or misconfigured SMTP servers.

SPF, DKIM and DMARC in plain English

SPF

SPF is a DNS record that lists which servers are allowed to send email for your domain. If your provider changes and SPF isn’t updated, messages may fail SPF and be marked suspicious.

DKIM

DKIM attaches a cryptographic signature to each message. The receiving server checks the signature against a public key stored in your DNS. If the key is wrong, missing, or signing is disabled, DKIM fails.

DMARC

DMARC ties SPF and DKIM together and enforces alignment with the visible From: domain. It also tells receiving servers what to do when checks fail (monitor, quarantine, reject) and where to send reports.

Common real-world faults we see

  • Multiple SPF records instead of one consolidated record (this breaks SPF).
  • DKIM published but not signing — keys exist, but outbound signing is disabled.
  • DMARC stuck on p=none forever (monitoring only, little protection).
  • Migration leftovers — stale MX/SPF/DKIM/Autodiscover records after moving providers.

A practical fix plan

  1. Audit DNS: SPF, DKIM selectors, DMARC policy and reporting.
  2. Check alignment: ensure the visible From: domain aligns with SPF and/or DKIM.
  3. Introduce DMARC gradually: p=nonep=quarantinep=reject as reports confirm legitimate sending sources.
  4. Monitor and tune: DMARC aggregate reports reveal unknown senders and misconfigurations.

Want this fixed properly (without breaking mail flow)?

Turbo Digital can audit your email deliverability, correct SPF/DKIM/DMARC, and set up ongoing monitoring so your mail reliably reaches inboxes.

Request an Email Deliverability Audit
Written by Mike Burns • Turbo Digital • Drive Your Business.