every email you send goes through 4 invisible checkpoints before it reaches the recipient's inbox. Gmail and Outlook run these checks automatically. fail any one of them and your email gets routed to spam or silently dropped.
these aren't optional. they're the foundation everything else in this guide builds on.
this is where email providers verify that you are who you say you are.
SPF (Sender Policy Framework): tells receiving servers which IP addresses are allowed to send email from your domain.
DKIM (DomainKeys Identified Mail): adds a digital signature to every email you send. the receiving server checks this signature against your DNS records to make sure the email wasn't tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance): tells receiving servers what to do if SPF or DKIM checks fail. without DMARC, the server makes its own decision. with it, you're in control.
for each sending domain, verify the following:
how to check: use MXToolbox (free) or Google Admin Toolbox. paste your domain, check SPF, DKIM, and DMARC. takes 2 minutes.
<aside> 💡 pro tip: the #1 mistake i see across 3,000+ support tickets is multiple SPF records on the same domain. DNS allows it technically, but email providers treat it as a fail. you need one SPF record per domain. merge them if you have multiple senders.
</aside>
email providers maintain a trust score for every sending domain and IP address. new domains start with zero reputation. if you go from zero sends to 100 emails on day one, you get flagged immediately.
trust is built incrementally: