If your invoices, quotes, or customer updates keep landing in spam—or someone is impersonating your domain to send “new payment details” emails—this is almost always fixable. In most cases, your domain isn’t “burned.” It’s simply not authenticated end-to-end, so inbox providers can’t reliably tell your real mail from a forgery.
Most failures fall into three buckets:
- Policy gap: DMARC is missing (or never tightened), so spoofing has no consequences.
- Config gap: SPF/DKIM exists but is wrong (multiple SPF records, DKIM not signing).
- Tool sprawl: Google/M365 is authenticated, but your billing/CRM/support tools aren’t.
Think of DKIM as your digital signature and DMARC as the enforcement contract inbox providers follow when someone tries to fake your brand.
Step 0: Diagnosis (pick the right path)
- If you use Google Workspace → go to 1)–6)
- If you use Microsoft 365 → go to 1), 3)–6)
- If you send from third-party tools (Stripe/QuickBooks/CRM/newsletter/support/WordPress) → go to 2) + 5)
- If you already have SPF/DKIM/DMARC but deliverability is still weak → go to 4) + 6)
1) Publish ONE SPF record (the baseline authorization list)
Do this
In your DNS provider, publish a single SPF TXT record for your root domain (yourdomain.com). Start with an initial configuration that covers only your primary email host.
Google Workspace baseline: publish the single SPF record Google’s SPF setup guide gives you, and nothing else yet.
Why it works
Proper SPF configuration removes “unauthorized sender” signals that trigger spam filtering and helps receivers detect obvious spoofing.
Watch out / Next
The #1 mistake is publishing more than one SPF record. SPF must be a single TXT record at the domain; if receivers find two, they treat the lookup as a permanent error, which is the same as having no SPF at all.
[Source: Set up SPF – Google Workspace Admin Help]
2) Inventory every service that sends “from @yourdomain.com” (where most teams lose control)
Do this
List anything that sends email as your domain:
- invoices/receipts/payout notices
- CRM sequences and newsletters
- support desk replies
- website transactional email (forms, WooCommerce, membership plugins)
Why it works
Deliverability doesn’t fail because Google/M365 is broken. It fails because one tool is sending unauthenticated mail and training inbox providers to distrust your domain.
Watch out / Next
If you can’t identify every sender, DMARC enforcement will be painful later. This list is your map.
3) Turn on DKIM signing (the gold standard “this is really us” signal)
Do this
Enable DKIM for your domain in Google Workspace or Microsoft 365 and publish the DNS record(s) the platform provides.
Why it works
DKIM is your digital signature. When inbox providers can verify the signature, your mail looks materially less like a forgery—even if IPs change over time.
Watch out / Next
If you change DNS providers or migrate tenants, DKIM can quietly stop signing. Put a recurring check on your ops calendar.
[Source: Set up DKIM – Google Workspace Admin Help]
[Source: Configure DKIM in Microsoft 365]
4) Add DMARC in monitoring mode (then enforce)
Do this
Publish a DMARC TXT record at _dmarc.yourdomain.com. Start in monitoring mode (p=none), which blocks nothing but makes receivers send you reports.
Why it works
DMARC gives receivers a rulebook and gives you visibility (reports) into who is sending as your domain—legitimately or not.
One crucial concept: Alignment
DMARC can still fail even when SPF or DKIM “passes” if the authenticated domain doesn’t align with the domain in your visible From: address. Alignment is the difference between “a sender is authenticated” and “this sender is authenticated as you.”
Watch out / Next
Don’t jump straight to reject until you’ve confirmed all legitimate senders are authenticated and aligned.
[Source: Set up DMARC – Google Workspace Admin Help]
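The alignment rule above is easier to see in code. The following is an added example, not code from the article or from any inbox provider: it parses a DMARC record and decides whether an SPF or DKIM pass actually counts for DMARC. The domains yourdomain.com and billing-tool.invalid are placeholders, and the organizational domain is approximated as the last two DNS labels (an assumption made to keep this offline; real receivers consult the Public Suffix List).

```python
# Added example (not from the original article): evaluate DMARC alignment.
# Assumption: organizational domain = last two labels. Receivers use the
# Public Suffix List instead, so "co.uk"-style domains would need that list.

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; rua=mailto:x' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    """Simplified organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode):
    """'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """
    spf_pass_domain: the MAIL FROM (envelope) domain if SPF passed, else None.
    dkim_pass_domain: the d= domain of a DKIM signature that verified, else None.
    Returns (passes, disposition). DMARC passes only when at least one
    authenticated identifier aligns with the visible From: domain.
    """
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags["adkim"])
    passes = spf_ok or dkim_ok
    disposition = "none" if passes else tags.get("p", "none")
    return passes, disposition

# Constructed sample records (placeholder report address).
RECORD_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"
RECORD_REJECT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@yourdomain.com"

if __name__ == "__main__":
    # A billing tool that authenticates as ITSELF: SPF and DKIM both "pass",
    # yet DMARC fails because neither domain is yours.
    print(dmarc_result(RECORD_REJECT, "yourdomain.com",
                       spf_pass_domain="bounce.billing-tool.invalid",
                       dkim_pass_domain="billing-tool.invalid"))
    # The same tool after CNAME-based DKIM setup signing with a subdomain of
    # yours: passes under relaxed alignment, fails under strict.
    print(dmarc_result(RECORD_MONITOR, "yourdomain.com", dkim_pass_domain="mail.yourdomain.com"))
    print(dmarc_result(RECORD_REJECT, "yourdomain.com", dkim_pass_domain="mail.yourdomain.com"))
```

The first case is the exact situation the section warns about: the tool's own SPF and DKIM pass, but nothing is authenticated as you, so under p=reject the invoice is rejected. Setting adkim=s/aspf=s is stricter than most small teams need; leave the defaults (relaxed) unless you have a reason to tighten.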
5) Fix third-party senders without bloating SPF
Do this
For each tool from step 2:
- Prefer the vendor’s domain authentication method (often DKIM via CNAME records).
- Keep SPF lean. Too many include: entries create operational risk.
Why it works
SPF is a useful baseline, but it doesn’t scale cleanly when you have multiple platforms. DKIM-based authentication is typically the more stable long-term control.
Watch out / Next
If SPF is growing fast, you may hit the practical DNS lookup limit. If you must reduce lookups, “SPF flattening” tools exist—but treat them as an ops commitment (vendors can change sending infrastructure).
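The two SPF rules from step 1 (exactly one record) and step 5 (don't exceed the lookup limit) can both be checked before you publish. The following is an added example, not code from the article or from Google: it lints a list of TXT strings as you would get back from a DNS query. The input is constructed inline so it runs offline; _spf.google.com is the include Google's setup guide documents, and the tool*.example.invalid names are placeholders. Only the top-level record is counted, since nested includes are not resolved here.

```python
# Added example (not from the original article): lint a domain's SPF TXT records.
#   1. exactly one record may start with "v=spf1" (RFC 7208: more than one is a
#      permanent error, i.e. no usable SPF);
#   2. DNS-lookup mechanisms (include, a, mx, ptr, exists, redirect=) must stay
#      within RFC 7208's limit of 10. Assumption: only the top-level record is
#      counted because includes are not fetched offline.

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

def spf_records(txt_records):
    """Return only the TXT records that are SPF records."""
    return [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]

def count_lookups(spf):
    """Count the terms in one SPF record that cost a DNS lookup."""
    count = 0
    for term in spf.split()[1:]:            # skip "v=spf1"
        t = term.lstrip("+-~?")            # drop the qualifier
        if t.lower().startswith("redirect="):
            count += 1
            continue
        name = t.split(":", 1)[0].split("/", 1)[0].lower()   # "a:host/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            count += 1
    return count

def lint_spf(txt_records):
    """Return a list of findings; an empty list means the baseline looks sane."""
    records = spf_records(txt_records)
    if not records:
        return ["no SPF record published"]
    findings = []
    if len(records) > 1:
        findings.append(f"{len(records)} SPF records published; receivers treat this as permerror")
    for rec in records:
        lookups = count_lookups(rec)
        if lookups > MAX_LOOKUPS:
            findings.append(f"{lookups} lookup mechanisms exceeds the limit of {MAX_LOOKUPS}: {rec}")
        terms = rec.split()
        last = terms[-1].lower() if len(terms) > 1 else ""
        if last not in ("-all", "~all"):
            findings.append(f"record does not end with ~all or -all: {rec}")
    return findings

# Constructed samples. The verification string is a placeholder, not a real token.
GOOD = ["v=spf1 include:_spf.google.com ~all",
        "google-site-verification=constructed-placeholder"]
DUPLICATE = ["v=spf1 include:_spf.google.com ~all",
             "v=spf1 include:crm.example-tool.invalid ~all"]   # one record per tool: wrong
BLOATED = ["v=spf1 include:_spf.google.com "
           + " ".join(f"include:tool{i}.example.invalid" for i in range(10))
           + " ~all"]

if __name__ == "__main__":
    for label, recs in (("good", GOOD), ("duplicate", DUPLICATE), ("bloated", BLOATED)):
        print(label, lint_spf(recs) or "ok")
```

Run it against your own TXT records before each change; the bloated case is what "tool sprawl" looks like in SPF terms, and the fix the section recommends is moving those tools to DKIM, not adding more includes.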
6) Enforce DMARC: quarantine → reject (the point where spoofing stops working)
Do this
After your DMARC reports show only authorized, aligned senders:
- Move to p=quarantine
- Then move to p=reject (optionally ramp with pct=)
Why it works
Monitoring tells you what’s happening. Enforcement tells the internet what to do about it. This is the step that makes invoice impersonation dramatically harder to deliver.
Watch out / Next
Enforce too early and you can break legitimate workflows (receipts, support replies, password resets). Enforcement comes after coverage.
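"After your DMARC reports show only authorized, aligned senders" means reading the aggregate (RUA) reports that p=none triggers. The following is an added example, not code from the article or from any receiver: it summarizes a report in the RFC 7489 aggregate layout per source IP and answers the enforcement question directly. The XML is a constructed sample with documentation IP addresses and placeholder domains.

```python
# Added example (not from the original article): summarize a DMARC aggregate
# report so you can see which sources are authenticated AND aligned before
# moving from p=none to quarantine/reject. Constructed sample below.
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>billing-tool.invalid</domain><result>pass</result></dkim>
      <spf><domain>bounce.billing-tool.invalid</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>yourdomain.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

def summarize_rua(xml_text):
    """Per source IP: message count, whether every message aligned, and which
    domains the raw SPF/DKIM checks were for."""
    root = ET.fromstring(xml_text)
    summary = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the ALIGNED results the receiver computed;
        # auth_results holds the raw checks, which can pass for someone else's domain.
        dkim_aligned = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_aligned = rec.findtext("row/policy_evaluated/spf") == "pass"
        entry = summary.setdefault(ip, {"count": 0, "all_aligned": True,
                                        "dkim_domains": set(), "spf_domains": set()})
        entry["count"] += count
        entry["all_aligned"] = entry["all_aligned"] and (dkim_aligned or spf_aligned)
        entry["dkim_domains"].update(d.text for d in rec.findall("auth_results/dkim/domain"))
        entry["spf_domains"].update(d.text for d in rec.findall("auth_results/spf/domain"))
    return summary

def ready_to_enforce(summary, min_aligned_share=1.0):
    """True when the aligned share of all counted messages meets the threshold."""
    total = sum(e["count"] for e in summary.values())
    aligned = sum(e["count"] for e in summary.values() if e["all_aligned"])
    return total > 0 and aligned / total >= min_aligned_share

def unaligned_sources(summary):
    """Sources to investigate: a tool still needing domain authentication, or a spoofer."""
    return sorted(ip for ip, e in summary.items() if not e["all_aligned"])

if __name__ == "__main__":
    s = summarize_rua(SAMPLE_RUA)
    for ip, e in s.items():
        print(ip, e["count"], "aligned" if e["all_aligned"] else "NOT aligned",
              "dkim:", sorted(e["dkim_domains"]), "spf:", sorted(e["spf_domains"]))
    print("unaligned:", unaligned_sources(s), "ready:", ready_to_enforce(s))
```

In the sample, 198.51.100.25 is the step 2 problem: a billing tool whose own SPF and DKIM pass but for its domain, not yours, so it shows up as unaligned and would be blocked at p=reject. 203.0.113.7 sends a handful of messages with no passing authentication at all, the signature of someone else using your From: domain. Only when the unaligned list is empty (or contains nothing you recognize) is it time for quarantine, then reject.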
What changes over time
- Admin console wording changes (and varies by version), but the order doesn’t: SPF → DKIM → DMARC reports → DMARC enforcement.
- Third-party platforms regularly change their exact DNS record values (selectors, CNAME targets). Always pull current values from the vendor’s official instructions.
- SPF optimization tactics (including flattening) evolve; use them only to solve a specific lookup problem and treat them as a maintained control.
FAQ
Q1) Will this fix spam placement immediately?
It removes the biggest authentication red flags fast. Reputation improvements can take time, but authentication is the prerequisite for consistent inbox placement.
Q2) Can I publish multiple SPF records (one per tool)?
No. SPF must be one record. For additional tools, prefer DKIM-based domain authentication to avoid SPF bloat.
Q3) Why would DMARC fail if SPF/DKIM “passed”?
Usually because of alignment: the passing authentication is for a different domain than the one in your visible From: address. DMARC cares about “passing as you,” not just “passing.”
Q4) When is it safe to set DMARC to reject?
When DMARC reports show only legitimate, aligned senders. If you enforce while you still have unauthenticated tools, you will break real mail.
Key Takeaways
- DKIM is your digital signature. DMARC is the enforcement policy that stops impersonation from reaching inboxes.
- Most business deliverability problems come from one unauthenticated third-party sender, not your main mailbox provider.
- DMARC success requires authentication and alignment with your From domain.
Do these two things now:
- ☐ Publish one SPF record for your primary email provider.
- ☐ Enable DKIM signing and add DMARC with p=none to start collecting reports—then tighten to quarantine/reject after coverage.