Emails not arriving? Check SPF, DKIM and DMARC first
Invoices that never arrive, quotes that end up in spam — it almost always comes down to three technical settings. Here's how to find out if yours are correct.
A customer calls: "I just emailed you a quote, but I can't see it on your end." Your colleague checks the inbox, spam, the "other" folder — nothing. It turns out the email was sent, but it never reached the recipient. Or the other way around: you send out invoices, and some customers say "I never received that."
Nine times out of ten, the cause lies in how your email is configured — specifically in three small, technical settings: SPF, DKIM and DMARC. Sounds dull. It is. But the difference between an email that lands in the inbox and one that gets caught by the spam filter is right there.
What do SPF, DKIM and DMARC actually do?
Think of them as three types of stamps on an envelope. They prove to the recipient that your email genuinely comes from your organisation — and not from someone impersonating it.
- SPF is a list of servers authorised to send email on behalf of your domain. For example: "Microsoft 365 and Mailchimp may send email on behalf of betergeregeld.nl — no one else."
- DKIM is a digital signature. The recipient can verify that the email hasn't been tampered with in transit.
- DMARC is the instruction that tells recipients what to do if SPF or DKIM fail: ignore it, send it to spam, or reject it outright. And: report it back to us.
Without these three settings, Gmail, Outlook or any other mail provider can't be sure your email is genuine. And when in doubt? Spam. Or a straight-up rejection.
Why this matters more than ever in 2026
Since 2024, Google and Yahoo have tightened their requirements. Anyone sending more than a few hundred emails per day must have DMARC in place — otherwise mail simply won't be delivered to Gmail users. Microsoft is following the same line in 2025 and 2026 for Outlook and Hotmail.
For SMBs, this means: even if you only send a handful of invoices and quotes per day, things can still go wrong. Especially if you send email from multiple systems — your accounting package, your newsletter tool, your webshop, and regular Outlook. Every one of those systems needs to be listed in your SPF record.
How to recognise when things are going wrong
You often don't notice straight away. Customers don't always complain; they just assume you didn't respond. Signs to watch out for:
- Customers or suppliers regularly say "I never got that email."
- Invoices are frequently "forgotten."
- Newsletter open rates drop without you having changed anything.
- You receive bounce messages with errors like "SPF fail" or "DMARC policy."
- A colleague sends email from a new system (such as a new CRM) and those emails don't arrive.
What you can check yourself
You don't need an IT specialist to see whether the basics are in order. A few simple steps:
- Send a test email from your business address to your own Gmail account (or a personal Outlook).
- Open the email, click the three dots → "Show original" (Gmail) or "View message source" (Outlook).
- Look for the lines SPF, DKIM and DMARC. Every one of them should show PASS.
If you see FAIL, SOFTFAIL or NONE anywhere, there's work to be done. "DMARC: none" in particular is a sign that you probably have no DMARC record at all.
The three classic pitfalls
1. New tool, outdated SPF. You start using a new invoicing system, but no one adds it to the SPF record. Result: invoices end up in spam.
2. Copying and pasting from the internet. Someone finds an SPF example online, pastes it straight into the DNS, and overwrites the existing settings in the process. Suddenly nothing gets through.
3. Setting DMARC to "reject" without testing first. DMARC has three modes: none (report only), quarantine (send to spam) and reject (block entirely). Going straight to reject without first checking which systems are sending email on your behalf can silently block part of your own outgoing mail.
What's the sensible approach?
The order we follow in practice:
- Inventory which systems send email on behalf of your domain. Think Microsoft 365, accounting software, newsletter tool, webshop, ticketing system, and possibly an old server you'd forgotten about.
- Set up SPF and DKIM correctly for each of those systems.
- Start DMARC on "none" with a reporting address. This gives you a few weeks of data on what's going wrong, without any email disappearing.
- Gradually move to quarantine and eventually reject, once you're confident all legitimate email is passing the checks.
It's not rocket science, but the details matter. A typo in a DNS record and you could spend a day with no working email.
What you get out of it
More than just "emails get delivered." Once SPF, DKIM and DMARC are properly configured:
- No one can easily send emails pretending to be from you (think invoice fraud).
- You receive reports if someone tries anyway.
- Your sender reputation with mail providers improves — which also benefits your newsletters and quote emails.
- You meet the requirements set by major providers — no nasty surprises the next time Google or Microsoft tightens the screws.
In short: it's one of those invisible jobs you only realise you haven't done when it's too late.
Want to know whether your email setup is correct right now? We offer a email security check in which we review SPF, DKIM and DMARC for your domain and, where needed, get everything in order — without any email going missing in the process.
Volledige gids: Security for SMBs without an IT department: what should you do this quarter?
Dit artikel is onderdeel van onze uitgebreide Security zonder IT-afdeling-gids. Lees de pillar voor het complete plaatje.
Lees de pillar →