SYSTEMS OPERATIONAL
Domains

Email Going to Spam? Fix SPF, DKIM & DMARC Records

Getwebup 5 min read

A customer emails your sales inbox from Gmail, hits send, and it's the last you ever hear from them — because their reply landed in your spam folder, or your first email never left your server's queue. Nine times out of ten, this isn't a hosting problem. It's a missing or broken DNS record. Here's how to actually fix it, not just "try again later".

Symptom: mail bounces, or lands in spam

You'll usually see one of these:

  • Emails you send go straight to the recipient's spam/junk folder
  • You get a bounce-back like 550 5.7.1 SPF check failed or 550 5.7.26 Unauthenticated email is not accepted
  • Gmail shows a red question mark next to your name and "via getwebup.in" under it
  • Your own domain's mail arrives fine internally but never reaches @gmail.com or @outlook.com addresses

All of these point to the same root cause: the receiving mail server can't verify that your email actually came from you.

Cause: your domain's DNS doesn't say who's allowed to send mail

Every mail server that receives your email checks three things before deciding whether to trust it, deliver it, or bin it: SPF, DKIM, and DMARC. If even one is missing or misconfigured, providers like Gmail, Outlook, and Yahoo start treating your mail as suspicious — and since February 2024, Gmail and Yahoo actively enforce this for anyone sending more than ~5,000 emails/day, and apply it loosely to everyone else too.

Here's what each record actually does:

RecordPurposeWhat breaks without it
MXTells the internet which server accepts incoming mail for your domainYou can't receive email at all, or it silently disappears
SPFLists which servers are allowed to send mail as your domainReceiving servers see an unauthorized sender and reject or flag the mail
DKIMSigns outgoing mail with a private key so receivers can verify it wasn't tampered withMail looks unsigned/unverified — a strong spam signal
DMARCTells receivers what to do if SPF/DKIM fail, and where to send reportsReceivers fall back to their own judgment, which usually means spam

Fix: set up the records correctly, in the right order

Do this from your domain's DNS zone. If your domain is hosted through Getwebup, that's cPanel → Zone Editor; if your nameservers point elsewhere (Cloudflare, GoDaddy, etc.), add these records there instead — MX and email records must live wherever your domain's authoritative DNS actually is.

Step 1: Confirm your MX record exists and is correct

In cPanel, go to Zone Editor → Manage and look for an MX entry. For Getwebup-hosted email it should look like:

yourdomain.com.  MX  10  mail.yourdomain.com.

If you're using Google Workspace or Microsoft 365 instead, delete any old hosting-provider MX record first, then add the provider's exact MX records — running two sets of MX records is a common cause of mail vanishing entirely.

Step 2: Add or fix your SPF record

SPF is a single TXT record at the root of your domain. Only one SPF record is allowed — if you already have one, edit it rather than adding a second (that's an automatic SPF failure).

Type: TXT
Host: @
Value: v=spf1 include:secureserver.net include:_spf.google.com ~all

Adjust the include: entries for whatever actually sends mail on your behalf — your hosting mail server, Google Workspace, Mailchimp, SendGrid, whatever you use. Missing one of these is the #1 reason "we sent a newsletter and it all bounced" tickets show up.

Step 3: Enable DKIM

In cPanel, go to Email → Email Deliverability. It scans your domain and tells you exactly which records are missing. Click Repair next to DKIM and cPanel will generate the key pair and publish the public key as a TXT record automatically, something like:

Type: TXT
Host: default._domainkey
Value: v=DKIM1; k=rsa; p=MIGfMA0GCSq...

If you're on Google Workspace instead, generate the DKIM key from Admin Console → Apps → Gmail → Authenticate Email, then add that TXT record to your DNS instead of cPanel's.

Step 4: Publish a DMARC policy

Start conservative — monitor before you enforce:

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

p=none means "just tell me what's happening, don't reject anything yet." Watch the aggregate reports for a week or two, confirm your legitimate mail is passing, then tighten it:

v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com

Once you're confident nothing legitimate is failing, move to p=reject for the strongest protection against spoofing.

Step 5: Verify it actually worked

Don't just trust that you typed it right. Two quick checks:

  • Send a test email to mail-tester.com and check the SPF/DKIM/DMARC lines in the report
  • In cPanel, revisit Email → Email Deliverability — all three should show green

DNS changes can take anywhere from a few minutes to a few hours to propagate, so if a record still shows as missing right after you add it, wait 30–60 minutes and re-check before assuming it failed.

Prevention: keep it healthy going forward

  • Whenever you add a new email tool (a CRM, a transactional email API, a marketing platform), add its SPF include and DKIM selector before you start sending from it, not after the bounces start
  • Review your DMARC aggregate reports occasionally — they'll show you if someone else is trying to spoof your domain
  • Never let SPF grow past 10 DNS lookups (nested includes count) — it silently fails validation if it does; keep the include list trimmed
  • If you migrate mail providers, update MX, SPF, and DKIM together in the same change window so nothing sends unauthenticated in between

Get these four records right once and your mail just works — no more guessing why a customer never replied.

Frequently asked questions

Do I need SPF, DKIM, and DMARC, or is one enough?

You need all three. SPF and DKIM each verify the mail in a different way, and DMARC ties them together by telling receiving servers what to do when a check fails. Having only SPF, for example, still leaves your domain open to spoofing and doesn't stop mail from landing in spam.

I added the DNS records but mail is still going to spam. Why?

Give it a few hours for DNS to propagate, then re-check with mail-tester.com. If the records show as valid but mail still lands in spam, look at content-based spam triggers (too many links, spammy subject lines) and your sending reputation — a domain with no sending history or a shared IP with a poor reputation can still get flagged even with perfect DNS.

Can I have two SPF records if I use two email providers?

No — having two separate SPF TXT records causes an automatic SPF failure (a "permerror"). Combine every sending source into one record using multiple include: mechanisms, e.g. v=spf1 include:_spf.google.com include:sendgrid.net ~all.

What does the ~all vs -all at the end of an SPF record mean?

~all (soft fail) tells receivers to accept but flag mail from unlisted senders as suspicious; -all (hard fail) tells them to reject it outright. Start with ~all while you confirm your SPF include list is complete, then switch to -all once you're confident nothing legitimate is being missed.

Where do I add these DNS records if my domain uses Cloudflare nameservers?

Add them in the Cloudflare DNS dashboard instead of cPanel's Zone Editor — whichever service holds your domain's authoritative nameservers is where MX, SPF, DKIM, and DMARC records need to live. Make sure the TXT and MX records are set to "DNS only" (grey cloud), not proxied.

#dns #spf #dkim #dmarc #email-deliverability #mx-records

Keep reading

Chat with Support