authentication failures are the #1 cause of deliverability problems across our customer base.

i've seen it in 3,000+ support tickets. someone sets up their domains, skips DNS configuration, and wonders why everything lands in spam.

the good news is this is the easiest problem to fix. it's technical, but it's a one-time setup.

the 6-point DNS audit

run this audit on every sending domain you own. use MXToolbox (free, browser-based) or Google Admin Toolbox.

1. SPF record check

Look up: yourdomain.com
Record type: TXT
Look for: v=spf1 include:[your-provider] ~all

• [ ] SPF record exists
• [ ] SPF record includes your email provider's servers
• [ ] only ONE SPF record on the domain (critical, the most common mistake)
• [ ] SPF doesn't exceed 10 DNS lookups (providers reject it if you exceed the limit)

common fix: if you have two SPF records (happens when you switch providers and forget to remove the old one), merge them into a single record. for example, two separate records like v=spf1 include:_spf.google.com ~all and v=spf1 include:spf.protection.outlook.com ~all should become one combined record: v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

2. DKIM record check

Look up: [selector]._domainkey.yourdomain.com
Record type: TXT
Look for: v=DKIM1; k=rsa; p=[long key string]

• [ ] DKIM record exists
• [ ] key length is 2048-bit (not 1024, which is outdated and some providers reject)
• [ ] selector matches what your email provider expects

common fix: if your DKIM key is 1024-bit, regenerate it through your email provider's admin panel. Google Workspace: Admin > Apps > Google Workspace > Gmail > Authenticate Email.

3. DMARC record check

Look up: _dmarc.yourdomain.com
Record type: TXT
Look for: v=DMARC1; p=none; rua=mailto:[email protected]