As a website admin, you will likely be sending out emails to your customers or visitors for newsletters, account notifications, product updates, etc. Depending on the circumstances, you might start noticing your emails are ending up in customers’ spam/junk folders instead of their email inbox.
This issue can be caused by a few things, and I’ll go into detail for each:
Misconfigured DNS/absence of necessary records
For email to work, you should make sure SPF, DKIM, and (less so) DMARC are set up. These records exist for email providers to verify that the email server(s) sending email as your domain are allowed to send such email, and aren’t using your domain without permission. If you don’t have these, email providers can’t verify if email servers saying they’re your domain are actually authorized to send mail as your domain.
Both SPF and DKIM are DNS records your email provider should be able to provide you.
If they do no support these, I would recommend you move to a different email host with modern email authentication support such as Google Workspace or Office 365, which provide these at no charge. It is truly detrimental to your email deliverability if these records aren’t set up.
DMARC is also important, but not necessarily required. It is a record that tells mail servers what to do with mail that does not “PASS” your SPF and DKIM records. You should use a DMARC record creator or wizard to create this, I recommend this record wizard. For the report email, you should either send it to a secondary email inbox (since each email host sends daily report emails), or use a commercial DMARC tracking service that processes and visualizes reports.
Testing your setup
Once you’ve done all this, head to https://www.learndmarc.com/ to test your setup. It’ll show you whether or not SPF/DKIM passes and what your current DMARC record says. If you open a ticket about SPF/DKIM/DMARC, be sure to include a screenshot of this website with your email results.
Click to view how to manually verify that SPF and DKIM are set up correctly
**To verify correct record configuration in Gmail:**Also see Google’s instructions.
First, send a test email to your own email inbox.
On the message, hit the ellipsis (triple dot) and click “Show original”
See if all of these pass:
If any of these fail, your setup might be incorrect.
To verify correct record configuration in Hotmail/Outlook:
First, send a test email to your own email inbox.
On the message, hit the ellipsis (triple dot) and click “view message source”
Now look for the line starting with Authentication-Results. make sure you see spf=pass, dkim=pass and dmarc=pass.
If any of these fail, your setup might be incorrect.
Poor domain reputation
Assuming SPF and DKIM succeed, the deliverability of email to your customer’s inboxes heavily depends on the reputation of your domain and the emails you send.
Your domain’s reputation depends on (in no particular order):
- how spammy the emails you send “look”
- how many users actually open your emails and are “engaged” with it (eg. spend time looking at it, clicking a link, etc). It’s bad if most users send your emails straight to trash/archive.
- how often your emails are marked as spam/phishing by users
- how new your domain is (eg. a domain made within the last month might be spam and thus will be in a “trial” period where its trustworthiness can be changed quickly)
- a variety of other signals that are kept secret by Google/Microsoft to prevent abuse
Also, note that some systems outright block super cheap TLDs like freenom TLDs and $1-$5 TLDs like .xyz since these often are abused to send spam; they generally like traditional TLDs like com, net, org. This does NOT happen at Google/Gmail or Office 365. Only weird ‘enterprise’ email solutions might do this as a lazy way of reducing spam. You should only worry about this point if you are doing a lot of B2B emails.
Seeing how well you do in these metrics isn’t possible as, otherwise, spammers could game the system by optimizing their email to trick the grading system. If you are having deliverability issues, you’re going to have to optimize for the above metrics independently with no feedback to tell you if it works. It’s not the best system but it’s required in the modern days of email spam.
However, you should set up Google postmaster tools to track your email deliverability. This dashboard will only work for DKIM authenticated mail.
FAQ
Does being on Cloudflare, or using Cloudflare’s IP addresses impact how much of my emails go to spam?
No. Except for in extreme circumstances, email providers do not use the IP addresses set for your domain in determining whether or not your emails go to spam. They do, however, use the IP addresses of the server sending the email (eg. your web server or your SMTP provider), but this will never be Cloudflare’s IPs.
A spam blacklist marked my domain as spam based on the IP Address being one of Cloudflare’s, what can I do?
See above, the IP address is not taken into account when email providers determine if an email should go to spam. Even if a spam blacklist shows the CF IP as being “bad reputation”, it will not impact email deliverability.
Do MX records impact deliverability?
No. MX records only impact if your domain itself can receive email, not if email you send reaches your customers’ inboxes.
Does reverse DNS (rDNS) matter?
Only when you don’t have SPF and DKIM set up, as DKIM and SPF were created to become a replacement for rdns-based authentication of email.
If you absolutely need to set up reverse DNS, first make sure your email host offers this solution; most email providers charge extra for it, and as said above, rdns isn’t needed if you have SPF and DKIM, so Google Workspace and Microsoft 365 don’t provide it. Once you do that, create a DNS record in Cloudflare with the subdomain mail with the IP address being the IP address of your email server (you can get this from your host) and make sure it’s set as DNS Only. After you do that, your host simply needs to set up reverse DNS for that IP to point to mail.YOURDOMAIN.com.
Everything looks right, but my emails are still going to spam!
Chances are your domain reputation is lower than you think. Maybe your emails are spammy (either in content or in frequency; most people don’t care enough about your service to want a weekly newsletter), maybe 99% of your users keep trashing them; whatever it is, you likely can’t find out why your emails are being sent to spam since they need to prevent spammers from figuring out and abusing the spam algorithms.
The only thing you can do in this situation is to make sure your emails aren’t spammy, analyze your DMARC reports to make sure no spammers are using your domain, and track how often your own mail server is sending out emails. Over time, if you have no issues, your domain reputation will slowly come back.
Tutorial Reference: CT-49
Reviewed: 07/21
This is a Community Tutorial, most are wiki posts, so can be contributed to by Regulars and MVPs here. If there is a tutorial you would like to see, you can request one here.
If you would like to provide any feedback on this tutorial, please post in the #Meta category, tag your post #TutorialFeedback and let us know the Tutorial Reference above.
Other great resources on this community include the Community Tips . These address best practices when configuring Cloudflare, how to fix issues you may see, and tools to troubleshoot. Also you can view Expert Tips, great posts on the community from people in the know that may help you with your issue.
We encourage users to check out these great resources and the Cloudflare Support Centre before posting