If your Microsoft 365 mail keeps landing in spam, the problem is rarely what you wrote. It is almost always that the receiving server cannot confirm the mail is really from you. Three records fix that, and getting them right is the single highest-return hour you can spend on email.
SPF (Sender Policy Framework) is a DNS record listing the servers permitted to send email for your domain. When mail arrives, the receiver checks whether it came from an approved source.
The most common mistake is an incomplete SPF record, one that lists Microsoft 365 but forgets a newsletter tool, ticketing system or app that also sends on your behalf. Every legitimate sender must be included, and SPF has a hard limit of ten DNS lookups, so the record must be kept tidy.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message. The receiver uses a public key published in your DNS to confirm the mail genuinely came from your domain and was not altered in transit.
In Microsoft 365, DKIM is not always on by default; you enable it in the admin centre and publish the corresponding records. Mail without DKIM is far easier to spoof and far more likely to be distrusted.
DMARC ties SPF and DKIM together. It tells receiving servers what to do when a message fails those checks (monitor it, quarantine it to spam, or reject it outright), and it sends you reports on who is sending mail as your domain.
SPF and DKIM are the locks. DMARC decides what happens when someone tries the wrong key, and tells you they tried.
A sensible path is to start DMARC in monitoring mode, read the reports to confirm all your real senders pass, then tighten to quarantine and eventually reject. Move straight to reject without monitoring and you risk blocking your own legitimate mail.
DMARC requires alignment: the domain a human sees in the “from” field must match the domain that passed SPF or DKIM. Plenty of setups pass SPF and DKIM in isolation but fail DMARC because the domains do not line up. If your mail authenticates but still fails DMARC, alignment is the usual culprit.
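The alignment check described above, as an added example that is not part of the original article: it evaluates a message the way a DMARC receiver does and shows mail that passes SPF and DKIM yet fails DMARC. All domains are constructed samples, the function names are hypothetical, and `PUBLIC_SUFFIXES` is a small stand-in for the Public Suffix List.

```python
# Added example: DMARC identifier alignment. All domains are constructed samples.
# Assumption: tiny stand-in for the Public Suffix List; real evaluators load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain = longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_result(from_domain, spf_result, mail_from, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs is a list of (result, d= domain) pairs, one per signature.
    DMARC passes when SPF or DKIM both passes AND aligns with the From domain."""
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from, aspf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim) for r, d in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}


def sample_cases():
    """Constructed messages, all with From: someone@example.com."""
    return {
        # Third-party tool authenticates as itself: SPF and DKIM pass, neither aligns.
        "tool_default": dmarc_result("example.com", "pass", "bounces.mailer.example.net",
                                     [("pass", "mailer.example.net")]),
        # Same tool after a DKIM key is published under the sender's own domain.
        "tool_custom_dkim": dmarc_result("example.com", "pass", "bounces.mailer.example.net",
                                         [("pass", "mailer.example.net"), ("pass", "example.com")]),
        # Subdomain bounce address: aligned in relaxed mode, not in strict mode.
        "relaxed": dmarc_result("example.com", "pass", "bounce.example.com", []),
        "strict": dmarc_result("example.com", "pass", "bounce.example.com", [], aspf="s"),
    }


if __name__ == "__main__":
    for name, result in sample_cases().items():
        print(f"{name:17} {result}")
```

The `aspf` and `adkim` arguments mirror the DMARC record tags of the same names, which select relaxed (`r`) or strict (`s`) alignment for each mechanism.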
These records are also a critical step in any Microsoft 365 migration; getting them wrong on cutover is a classic cause of bounced mail. If your deliverability is shaky or you are about to migrate, our infrastructure team can audit and fix it. Get in touch.
Almost always because of authentication, not content. If SPF is incomplete, DKIM is not enabled, or DMARC is missing or misaligned, receiving servers treat your mail as suspicious. Fixing the three records usually resolves it.
Yes. Without DMARC, anyone can spoof your domain and you have no visibility into who is sending as you. A DMARC policy protects your brand and, increasingly, is required by major mailbox providers before they will trust bulk mail.