Skip to main content
Email Deliverability Fixes

Your DMARC records are fine — so why are you still landing in spam? Common email authentication gaps shack users overlook

You've checked the boxes: SPF record published, DKIM signing active, DMARC policy set to p=reject. Yet your marketing emails still land in Promotions or, worse, spam. It's frustrating — and surprisingly common. The problem isn't that your authentication is broken; it's that authentication alone isn't enough. Deliverability depends on a chain of signals, and most teams focus only on the first links. In this guide, we walk through the gaps that slip past DMARC and show you how to close them. Field context: where authentication falls short in real sending In a typical project, a company migrates from a legacy email service provider to a new platform. They copy over SPF and DKIM records, set up DMARC, and start sending. Within days, open rates drop. A DMARC report shows all passes — SPF pass, DKIM pass, alignment pass.

You've checked the boxes: SPF record published, DKIM signing active, DMARC policy set to p=reject. Yet your marketing emails still land in Promotions or, worse, spam. It's frustrating — and surprisingly common. The problem isn't that your authentication is broken; it's that authentication alone isn't enough. Deliverability depends on a chain of signals, and most teams focus only on the first links. In this guide, we walk through the gaps that slip past DMARC and show you how to close them.

Field context: where authentication falls short in real sending

In a typical project, a company migrates from a legacy email service provider to a new platform. They copy over SPF and DKIM records, set up DMARC, and start sending. Within days, open rates drop. A DMARC report shows all passes — SPF pass, DKIM pass, alignment pass. So why is Gmail throttling them?

The answer often hides in layers that DMARC doesn't inspect: the sending IP's reputation, the content structure, the engagement history. DMARC tells a receiving server whether the message is authenticated, but it doesn't tell it whether the message is wanted. That decision rests on a separate set of signals — what we call the reputation layer.

We see this pattern repeatedly: teams treat authentication as a deliverability silver bullet. They invest weeks in record syntax, only to discover that their emails are still filtered because the new IP range has no warm-up history. Or because their HTML includes a single broken image link that triggers a spam rule. Or because their mailing list includes stale addresses that generate hard bounces, dragging down sender score.

The field context matters: B2B transactional emails (password resets, invoices) typically face fewer filters than B2C marketing blasts. But even transactional paths can break when forwarding or mailbox providers change their filtering logic. We've seen a SaaS company's password reset emails land in spam simply because the sending domain had a low volume of outbound mail relative to its age — a signal some providers interpret as suspicious.

Understanding where authentication stops and reputation begins is the first step. In the next sections, we'll break down the specific gaps that commonly trip up senders who think they've done enough.

Foundations readers confuse: what DMARC does and doesn't guarantee

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM to give domain owners a way to tell receivers what to do with unauthenticated mail. But many readers conflate "passes DMARC" with "passes all filters." That's a dangerous shortcut.

What DMARC guarantees: if a message passes DMARC, the receiving server knows it came from a server authorized by the domain owner. That's it. It does not guarantee the content is non-spammy, that the sending IP has a clean history, or that recipients will engage. Those factors live outside the authentication layer.

Consider a common scenario: you send a newsletter from your primary domain, example.com. SPF and DKIM both pass, and DMARC alignment holds. Yet Gmail still flags it because the email contains a link to a domain that was recently compromised. Gmail's link analysis runs after authentication — DMARC never sees it. The email lands in spam, and your DMARC reports show nothing wrong.

Another confusion: DMARC policy (p=none, p=quarantine, p=reject) only applies to messages that fail authentication. If your email passes DMARC, the policy is irrelevant. Yet many senders believe setting p=reject somehow boosts deliverability for legitimate mail. It doesn't. The policy only protects your domain from spoofing; it doesn't improve your own sending reputation.

We also see teams misunderstand alignment. For SPF, alignment means the domain in the From header must match the domain used in the SPF check. For DKIM, the d= domain in the signature must match the From domain. If you use a third-party sender (like Mailchimp or SendGrid) and your From header shows your domain, but your SPF includes their domain, alignment can break unless you configure it correctly. This is one of the most common hidden failures: the email passes SPF but not SPF alignment, so DMARC fails. And the sender never notices because they only check SPF pass, not alignment.

Finally, many readers don't realize that DMARC reports (RUA/RUF) are aggregate and forensic data — they help you monitor, but they don't fix problems. If you see a spike in failed authentication from an unknown IP, that's a spoofing attempt, not a deliverability issue for your own mail. But if your own mail fails alignment due to a misconfigured third-party sender, the reports will show that too — if you read them correctly. Most teams don't.

Patterns that usually work: layered authentication with monitoring

After years of observing what works in production, we've distilled a few patterns that consistently improve deliverability beyond basic DMARC setup. These patterns don't replace authentication; they complement it.

Pattern 1: Strict SPF alignment with a flat include structure

Keep your SPF record lean. Each additional include increases DNS lookup count, and SPF has a hard limit of 10 lookups. More importantly, a flat structure (one or two includes) reduces the chance of misalignment. If you use a third-party sender, add their SPF include and ensure your From domain matches the domain used in the include's return-path. Test with a tool like MXToolbox to confirm alignment.

Pattern 2: DKIM signing on all outgoing streams

Sign every message, including transactional emails. Some platforms sign only marketing emails by default. If a password reset email isn't signed, it may pass SPF but fail DKIM alignment, causing DMARC to fail. We recommend a separate DKIM selector for each sending stream (e.g., s1._domainkey for marketing, s2._domainkey for transactional) so you can rotate keys independently.

Pattern 3: DMARC policy escalation with monitoring

Start with p=none and monitor reports for at least two weeks. Look for any legitimate sources that fail authentication. Once you've identified and fixed them, move to p=quarantine for a month, then p=reject. Many teams skip the p=none phase and immediately set p=reject, which can block legitimate mail from forgotten services (like an old CRM that still sends on your behalf).

These patterns form a solid foundation. But even with them in place, gaps remain. The next section covers the anti-patterns that cause teams to revert to p=none or abandon DMARC altogether.

Anti-patterns and why teams revert to p=none

We've watched teams implement DMARC, see a few weeks of clean reports, and then suddenly start losing legitimate email. The typical response is to drop the policy back to p=none out of panic. But the real culprit is usually one of these anti-patterns.

Anti-pattern 1: Ignoring forwarding breakage

When a recipient's email provider forwards your message to another address (e.g., Gmail forwarding to Yahoo), the forwarder may alter the message in ways that break SPF and DKIM. SPF fails because the forwarder's IP isn't in your SPF record. DKIM may fail if the forwarder modifies the body (e.g., adding a footer). The result: a legitimate email that fails DMARC after forwarding. This is a known issue with no perfect fix, but ARC (Authenticated Received Chain) helps. If your receiving provider supports ARC, forwarded messages can retain authentication. Check with your email service provider whether they support ARC and encourage recipients to use providers that do.

Anti-pattern 2: Overly complex SPF records

Some teams add every possible sending source to SPF, resulting in records with 15 includes and 20 IP ranges. Not only does this exceed the 10-lookup limit (causing SPF to permanently fail), but it also increases the attack surface. If any of those includes is compromised, an attacker can send spoofed mail that passes SPF. Keep your SPF record minimal and audit it quarterly.

Anti-pattern 3: Using the same DKIM selector for years

DKIM keys should be rotated periodically — every 6 to 12 months is a common recommendation. But many teams set up DKIM once and forget it. If a key is compromised or if the DNS record is accidentally deleted, all DKIM-signed mail from that selector will fail. We've seen this happen when a domain is transferred to a new DNS provider and the DKIM record is not migrated. Use multiple selectors so you can rotate without downtime.

Anti-pattern 4: Setting DMARC to p=reject before fixing all legitimate sources

This is the most common cause of panic reversion. A company sets p=reject, then discovers that their customer support platform (which sends ticket notifications on their behalf) uses a different From domain that doesn't align. Those notifications start bouncing. The knee-jerk fix is to drop DMARC to p=none, which leaves the domain unprotected. The better fix is to align the support platform's From domain or add proper DKIM signing for that stream.

These anti-patterns highlight why DMARC alone is insufficient. The next section looks at the ongoing maintenance that keeps authentication working over time.

Maintenance, drift, and long-term costs of authentication hygiene

Authentication isn't a set-it-and-forget-it task. Over time, records drift — new sending services are added, old ones are retired, DNS changes happen. Without regular audits, your authentication posture degrades silently.

Quarterly SPF audit

Every quarter, review your SPF record. Remove any includes or IP ranges that are no longer in use. Check the lookup count — if it's near 10, consider consolidating. For example, if you have separate includes for different regions of the same provider, see if they offer a single include. Also verify that the included domains still exist; a defunct include can cause SPF to fail with a DNS error.

Monthly DKIM report review

Most email service providers offer DKIM signing reports. Check for any sudden drop in DKIM pass rate. If you see failures, investigate whether a key was rotated without updating DNS, or if a new sending server isn't configured to sign. Also watch for messages that are signed but with an incorrect d= domain — this can happen when a developer copies a DKIM record from another domain.

DMARC report parsing

DMARC aggregate reports (RUA) are XML files that can be overwhelming. Use a free parser like dmarcian or Postmark's DMARC tool. Look for two things: (1) any source that sends on your behalf but fails authentication — this indicates a misconfigured third party; (2) any source that passes authentication but has a high volume of messages from unknown IPs — this could indicate a compromised account. Set aside 30 minutes per month to scan these reports.

Long-term costs of neglect

If authentication drifts, the immediate cost is deliverability — your emails go to spam, and you lose revenue. But there's a longer-term cost: domain reputation damage. If a spammer spoofs your domain because your DMARC policy is p=none, your domain's reputation across receivers degrades. Recovering from a reputation hit can take months of careful sending. The cost of maintenance is far lower than the cost of recovery.

Maintenance also includes staying updated on protocol changes. For example, Google and Yahoo recently announced new requirements for bulk senders (starting February 2024), including stricter DMARC enforcement and one-click unsubscribe. If you ignore these changes, your deliverability to those providers will suffer. Authentication hygiene is a moving target.

When not to rely on authentication alone: the reputation and content layers

There are situations where even perfect authentication won't save you. In these cases, focusing on authentication is a distraction from the real problem.

Scenario: Cold outreach from a new domain

If you send cold emails from a domain that has never sent mail before, authentication is irrelevant. Receivers have no history with your IP or domain, so they treat your mail as suspicious by default. The fix is not more authentication; it's gradual warm-up — start with low volume, target engaged recipients, and build reputation over weeks. Authentication is a prerequisite, not a cure.

Scenario: High bounce rates

If your list includes invalid addresses, your bounce rate climbs. Receivers track bounce rates per domain. If yours exceeds 2-3%, they may start filtering all mail from your domain, even authenticated mail. The fix is list hygiene — remove hard bounces immediately, use double opt-in, and suppress stale addresses. No amount of DMARC can override a poor sender reputation caused by bounces.

Scenario: Spammy content patterns

Even authenticated mail can be flagged if the content triggers spam filters. Common triggers: excessive use of sales language (

Share this article:

Comments (0)

No comments yet. Be the first to comment!