How to Fix Email Deliverability Issues - Complete Guide
Your company sends an important email to a client. It never arrives. No bounce notification, no error message - the email simply vanishes into the recipient's spam folder or gets silently dropped by their mail server. The client waits, you wait, and a deal stalls because of a technical problem nobody on your team knows how to diagnose.
Email deliverability problems are among the most common and most misunderstood IT support issues. They affect transactional emails (invoices, password resets, order confirmations), internal communications forwarded externally, and every email your sales and support teams send. This guide covers the complete troubleshooting process, from DNS authentication records to content issues to reputation recovery.
Understanding Why Emails Go to Spam
Email providers (Gmail, Outlook, Yahoo, corporate mail servers) use multiple signals to decide whether an incoming email reaches the inbox, lands in spam, or gets rejected entirely. The three main categories are:
- Authentication failures. The receiving server cannot verify that your email was actually sent by an authorized sender for your domain. This is controlled by SPF, DKIM, and DMARC records in your DNS.
- Reputation problems. Your sending IP address or domain has a history of sending spam or unwanted email, as tracked by blacklists and reputation databases.
- Content triggers. The email itself contains patterns that spam filters associate with unwanted messages - certain words, formatting, link structures, or attachment types.
Most deliverability problems involve a combination of these factors. A missing DKIM record alone might not send every email to spam, but combined with a new sending IP and a link-heavy email body, the cumulative score tips the message over the spam threshold.
Step 1: Check and Fix Your SPF Record
SPF (Sender Policy Framework) tells receiving mail servers which IP addresses and services are authorized to send email on behalf of your domain. Without a valid SPF record, any server can claim to send email from your domain, and receiving servers have no way to verify legitimacy.
How to Check Your SPF Record
Look up your domain's SPF record using a DNS query tool. The record is a TXT record on your root domain. It looks like this:
v=spf1 include:_spf.google.com include:sendgrid.net -all
This example authorizes Google Workspace and SendGrid to send email for the domain, and tells receivers to reject (-all) email from any other source.
Common SPF Mistakes
- No SPF record at all. This is the most basic failure. Without an SPF record, receiving servers treat your email as unverified. Create one immediately.
- Multiple SPF records. A domain must have exactly one SPF TXT record. If you have two (which happens when different people add records at different times), both are invalid per the RFC specification. Merge them into a single record.
- Missing a sending service. If your company uses Google Workspace for email, SendGrid for transactional email, and Mailchimp for newsletters, all three must be included in the SPF record. A message sent through SendGrid that is not listed in SPF will fail authentication.
- Too many DNS lookups. SPF records are limited to 10 DNS lookups. Each "include:" directive counts as one or more lookups. Exceeding 10 causes the entire SPF evaluation to fail with a "permerror" result. Use SPF flattening tools or consolidate sending services to stay under the limit.
- Using +all instead of -all or ~all. The "+all" mechanism tells receivers to accept email from any source as authorized. This completely defeats the purpose of SPF. Use "-all" (hard fail - reject unauthorized senders) or "~all" (soft fail - mark as suspicious but deliver).
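The mistakes above can be checked mechanically. The following is an added example, not code from the original guide: it lints a domain's TXT records for a missing record, duplicate SPF records, a +all mechanism and the 10-lookup limit. The ZONE dictionary stands in for live DNS, and every domain and record in it is constructed for illustration.

```python
# Added example. ZONE is constructed sample data standing in for DNS TXT
# lookups; every domain and record in it is hypothetical.
ZONE = {
    "example.test": [
        "v=spf1 include:_spf.mail.test include:bulk.test a mx +all",
        "v=spf1 include:crm.test ~all",            # second SPF record
        "site-verification=constructed-value",     # unrelated TXT, ignored
    ],
    "_spf.mail.test": ["v=spf1 include:a.mail.test include:b.mail.test ~all"],
    "a.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "b.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "bulk.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "crm.test": ["v=spf1 ip4:192.0.2.128/25 -all"],
}
# Terms that cost a DNS lookup during evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "exists", "ptr", "redirect")

def spf_records(domain, zone):
    """Return only the TXT strings that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(record, zone, seen=None):
    """Count lookup-causing terms, following include/redirect targets."""
    seen = set() if seen is None else seen   # guards against include loops
    total = 0
    for term in record.lower().split()[1:]:
        term = term.lstrip("+-~?")           # drop the qualifier
        name, _, target = term.replace("=", ":", 1).partition(":")
        name = name.split("/")[0]            # "a/24" -> "a"
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect") and target not in seen:
            seen.add(target)
            for nested in spf_records(target, zone)[:1]:
                total += count_lookups(nested, zone, seen)
    return total

def lint_spf(domain, zone):
    """Return a list of findings matching the common SPF mistakes."""
    records = spf_records(domain, zone)
    if not records:
        return ["no SPF record"]
    findings = ["multiple SPF records"] if len(records) > 1 else []
    for rec in records:
        if {"+all", "all"} & set(rec.lower().split()):
            findings.append("+all authorizes any sender")
        if count_lookups(rec, zone) > 10:
            findings.append("more than 10 DNS lookups")
    return findings
```

A bare "all" is treated the same as "+all" because the qualifier defaults to "+" when omitted.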
Step 2: Set Up DKIM Signing
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The receiving server checks this signature against a public key published in your DNS. If the signature is valid, it proves the email was sent by an authorized system and was not modified in transit.
How DKIM Works
- Your email server or provider generates a key pair - a private key (kept secret on the sending server) and a public key (published in DNS).
- When an email is sent, the server uses the private key to sign specific headers and the message body, creating a DKIM-Signature header.
- The receiving server extracts the signature, retrieves the public key from your DNS, and verifies the signature mathematically. If it matches, the email passes DKIM.
Setting Up DKIM
The process varies by email provider:
- Google Workspace: Go to Admin Console, then Apps, then Google Workspace, then Gmail, then Authenticate Email. Generate a DKIM key, copy the DNS record provided, and add it as a TXT record at the specified selector subdomain (usually google._domainkey.yourdomain.com). Then click "Start authentication" in the admin console.
- Microsoft 365: Go to the Microsoft Defender portal, then Policies, then Email Authentication, then DKIM. Select your domain and enable DKIM signing. Microsoft will provide two CNAME records to add to your DNS.
- SendGrid, Mailchimp, and other transactional providers: Each provider has a DKIM setup page in their dashboard that provides DNS records to add. Every service that sends email on your behalf needs its own DKIM configuration.
Verifying DKIM
Send a test email to a Gmail address, open it, click the three dots menu, and select "Show original." Look for the "DKIM:" line in the authentication results. It should say "PASS." If it says "FAIL" or is absent, the DKIM record is not configured correctly or has not propagated.
Step 3: Configure DMARC
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving servers what to do when an email fails both checks. Without DMARC, receiving servers make their own judgment about failed emails. With DMARC, you explicitly instruct them to deliver, quarantine, or reject unauthenticated messages.
Creating a DMARC Record
DMARC is published as a TXT record at _dmarc.yourdomain.com. A starter record looks like this:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100
This tells receivers to take no action on failures (p=none) but send aggregate reports to your specified email address. This monitoring-only mode lets you see who is sending email as your domain - both legitimate services you forgot to authorize and potential spoofing attempts.
DMARC Enforcement Path
- p=none (monitoring). Start here. Run for 2-4 weeks while reviewing reports. Identify all legitimate sending sources and ensure they pass SPF and DKIM.
- p=quarantine (soft enforcement). Emails that fail DMARC go to the recipient's spam folder. This catches spoofing attempts without permanently losing legitimate email that you may have missed in the monitoring phase.
- p=reject (full enforcement). Emails that fail DMARC are rejected outright. This is the target state - it prevents anyone from successfully spoofing your domain. Only move here after confirming all legitimate sources pass authentication.
Step 4: Check Blacklists
Email blacklists (also called blocklists or DNSBLs) are databases of IP addresses and domains known to send spam. Major email providers check incoming email against multiple blacklists. If your sending IP or domain appears on one, your deliverability drops significantly.
How to Check
Use MXToolbox Blacklist Check (mxtoolbox.com/blacklists.aspx) or MultiRBL (multirbl.valli.org). Enter your sending IP address or domain name. These tools check against 50-100 blacklists simultaneously and report which ones list you.
Common Reasons for Blacklisting
- Compromised account. An employee's email account was compromised and used to send spam. Change the password, enable MFA, and check for mail forwarding rules the attacker may have created.
- Shared IP reputation. If you use a shared sending IP (common with small business email providers and low-volume transactional email services), another sender on the same IP may have gotten it blacklisted. Contact your provider to request a different IP or upgrade to a dedicated sending IP.
- Purchased email list. Sending to purchased or scraped email lists results in high bounce rates and spam complaints, both of which trigger blacklisting. Never send to contacts who did not explicitly opt in.
- Sudden volume spike. Jumping from 100 emails per day to 10,000 emails per day looks like a compromised account or spam operation. If you need to increase sending volume, ramp up gradually over 2-4 weeks.
How to Get Delisted
Each blacklist has its own removal process. Most require you to visit their website, submit a delisting request, and provide evidence that the underlying problem has been resolved. Some blacklists automatically delist after a period of clean sending (usually 1-2 weeks). Others require manual requests. The critical step is to fix the root cause before requesting removal - if the problem recurs, you will be relisted and future removals become harder.
Step 5: Review Email Content
Even with perfect authentication and a clean reputation, email content can trigger spam filters. Modern filters use machine learning rather than simple keyword matching, but certain patterns still increase the spam score:
- Excessive capitalization and exclamation marks. Subject lines like "FREE OFFER!!!" or "ACT NOW!!!" are classic spam indicators.
- Image-heavy emails with little text. Spam filters flag emails that are primarily images because spammers use images to bypass text-based filtering. Maintain a reasonable text-to-image ratio.
- URL shorteners. Links using bit.ly, tinyurl, or similar shorteners are flagged because spammers use them to hide malicious destinations. Use full URLs or branded short domains.
- Missing unsubscribe link. Marketing and bulk emails legally require an unsubscribe mechanism (CAN-SPAM, GDPR). Missing it is both a legal violation and a spam signal.
- Mismatched From address and Reply-To. If the From address says sales@yourdomain.com but the Reply-To points to a Gmail address, filters treat it as suspicious.
- Attachments. Executable files (.exe, .bat, .cmd, .ps1) are blocked by most email providers. Large attachments increase spam scores. Use cloud storage links for file sharing instead of attachments.
Step 6: Fix Reverse DNS (PTR Record)
If your company runs its own mail server (as opposed to using Google Workspace, Microsoft 365, or another hosted provider), the server's IP address needs a reverse DNS (PTR) record that resolves back to a hostname matching your sending domain. Without this, many receiving servers will reject or spam-filter your email.
Contact your hosting provider or ISP to set up the PTR record for your mail server's IP address. The PTR record should resolve to the hostname in your mail server's HELO/EHLO greeting, and that hostname should resolve forward (A record) back to the same IP address. This forward-confirmed reverse DNS (FCrDNS) is a baseline requirement for running a legitimate mail server.
Step 7: Monitor Ongoing Deliverability
Email deliverability is not a one-time fix. Authentication records can break when someone updates DNS without understanding the existing records. Sending IPs can get blacklisted due to a single compromised account. New email services added to the company stack can fail authentication if nobody adds them to SPF and DKIM.
Set Up Monitoring
- DMARC reports. Configure the rua= tag in your DMARC record to receive aggregate reports. Use a free DMARC report analyzer (such as dmarcian, Postmark DMARC, or DMARC Analyzer) to visualize the data. Review reports weekly to catch new authentication failures early.
- Bounce monitoring. Track your email bounce rate. A hard bounce rate above 2% degrades your sender reputation. Remove invalid addresses from your lists immediately. Implement email verification at sign-up points.
- Spam complaint rate. Google Postmaster Tools (for Gmail deliverability) and Microsoft SNDS (for Outlook/Hotmail deliverability) provide spam complaint data. Keep complaint rates below 0.1%. If complaints spike, investigate the source - it usually means you are sending to people who did not expect your email.
- Inbox placement testing. Services like Mail-Tester, GlockApps, or Litmus send test emails to seed addresses across major providers and report whether they hit the inbox or spam folder. Run these tests monthly or after any DNS or infrastructure change.
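For the DMARC reports item above, and for the p=none monitoring phase described in Step 3, this added example (not part of the original guide) summarizes an aggregate report per sending IP so that sources failing both checks stand out before enforcement is tightened. It assumes the report has already been decompressed and uses no XML namespace; the sample report, domain and IP addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate report (RFC 7489 Appendix C layout); the
# reporter, domain and IP addresses are hypothetical.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.test</org_name></report_metadata>
  <policy_published><domain>example.test</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>15</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml):
    """Per source IP, count messages passing both, one, or neither check."""
    # Reports are sent by third parties: refuse DTDs before parsing.
    if "<!DOCTYPE" in report_xml.upper():
        raise ValueError("DOCTYPE not allowed in aggregate reports")
    stats = defaultdict(lambda: {"both": 0, "one": 0, "none": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        passed = [row.findtext(f"policy_evaluated/{m}") == "pass"
                  for m in ("dkim", "spf")]
        key = "both" if all(passed) else "one" if any(passed) else "none"
        stats[ip][key] += count
    return dict(stats)

def failing_sources(stats):
    """Sources whose mail fails DMARC: what quarantine or reject would act on."""
    hits = [(ip, s["none"]) for ip, s in stats.items() if s["none"]]
    return sorted(hits, key=lambda h: -h[1])
```

Each address returned by failing_sources is either a legitimate service still missing from SPF and DKIM or a spoofing source; the "one" bucket shows senders that pass only because a single mechanism holds.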
Quick Troubleshooting Checklist
When a specific email is not being delivered, work through this checklist in order:
- Check the sender's outbox and sent folder - did the email actually send, or is it stuck in the outbox?
- Check for bounce-back messages - the NDR (non-delivery report) often contains the specific rejection reason.
- Verify SPF, DKIM, and DMARC records are valid using MXToolbox or Google Admin Toolbox.
- Check if the sending IP or domain is blacklisted.
- Ask the recipient to check their spam/junk folder and add the sender to their contacts.
- Review the email headers (from the recipient side if possible) for authentication results - which checks passed and which failed.
- Check if the recipient's mail server is running - a server outage on their end looks like a deliverability problem on yours.
- Test with a different recipient at a different domain - if the email delivers to Gmail but not to the client's corporate server, the issue may be on the recipient's end.
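The header review in the checklist, and the "Show original" check in Step 2, can be scripted. This added example (not from the original guide) reads the Authentication-Results headers of a raw message and maps any non-passing check back to the step that fixes it. It only trusts headers stamped by the receiving server named in trusted_authserv, because a sender can insert headers of its own; the sample message and all hostnames are constructed.

```python
import re
from email import message_from_string

# Constructed sample message; hostnames and addresses are hypothetical.
RAW = """\
Authentication-Results: mx.receiver.test;
 dkim=fail header.d=example.test header.s=s1;
 spf=pass smtp.mailfrom=bounce.example.test;
 dmarc=pass header.from=example.test
Authentication-Results: forged.sender.test; spf=pass; dkim=pass; dmarc=pass
From: sales@example.test
To: client@receiver.test
Subject: Invoice

Body
"""

RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
STEPS = {"spf": "Step 1: SPF record",
         "dkim": "Step 2: DKIM signing",
         "dmarc": "Step 3: DMARC"}

def auth_results(raw, trusted_authserv):
    """Return {method: result} from headers written by the trusted receiver."""
    results = {}
    msg = message_from_string(raw)
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        # The first token names the server that performed the checks.
        if authserv.lower().split()[:1] != [trusted_authserv.lower()]:
            continue   # stamped by someone else: ignore it
        for method, result in RESULT.findall(rest):
            results.setdefault(method.lower(), result.lower())
    return results

def next_steps(results):
    """List the guide steps for every check that is absent or not 'pass'."""
    return [STEPS[m] for m in STEPS if results.get(m) != "pass"]
```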