Skip to content
Tanner
Preserve
All guides
Security and trust

Why your invoices land in spam: SPF, DKIM, and DMARC

8 min readUpdated July 1, 2026
01

Why your emails get flagged

When you email an invoice and the customer swears they never got it, the problem usually isn't your wording. It's that your domain fails one or more of three checks that Gmail, Outlook, and Yahoo run on every incoming message: SPF, DKIM, and DMARC.

In February 2024, Google and Yahoo started enforcing these checks. Every sender now needs at least SPF or DKIM to reach Gmail inboxes reliably, and high-volume senders need all three. A domain with none of them gets treated like a possible forgery, and forgeries go to spam.

In plain terms: SPF is a public list of the mail servers allowed to send email for your domain. DKIM is a tamper-proof signature stamped on each message. DMARC tells the receiving server what to do with mail that claims to be from you but fails the other two checks. All three are short text records you add to your domain's DNS settings. No code, nothing to install, and they're free.

02

Run a two-minute test first

Before changing anything, find out what's actually broken. Go to learndmarc.com (free, no signup). It shows you a one-time email address. Send any message to that address from the account you use for invoices, and the page updates live with a pass or fail for SPF, DKIM, and DMARC, plus a play-by-play of what the receiving server saw.

A second way, if you'd rather stay in your inbox: send a test to any Gmail address, open the message, click the three-dot menu at the top right of it, and pick Show original. The summary at the top shows SPF, DKIM, and DMARC each marked PASS or FAIL.

If all three already pass, your spam problem is something else (see the FAQ). If any of them fail, keep going.

03

Open your DNS settings

Every fix in this guide is a record you add wherever your domain's DNS lives. That's usually the company you bought the domain from:

  • GoDaddy: sign in at godaddy.com > My Products > Domains > click DNS next to your domain
  • Namecheap: Domain List > Manage > Advanced DNS
  • Cloudflare: dash.cloudflare.com > click your domain > DNS > Records
  • Wix or Squarespace: your domain dashboard > look for DNS Records or Advanced DNS
Field note

Not sure who manages your domain? Type it into lookup.icann.org, check the registrar name in the result, and log in there.

04

Add SPF (10 minutes)

SPF is a single TXT record listing every service allowed to send mail as your domain. In your DNS panel, click Add record and enter:

  • Type: TXT
  • Name or Host: @ (some panels want your bare domain typed out instead)
  • Value if your email runs on Google Workspace: v=spf1 include:_spf.google.com ~all
  • Value if your email runs on Microsoft 365: v=spf1 include:spf.protection.outlook.com -all
Field note

Hard rule: a domain gets exactly ONE SPF record. If a TXT record starting with v=spf1 already exists, edit it instead of adding a second one. Two SPF records cancel each other out and both fail. To allow another sender, add its include: value into the same record, separated by a space, before the ~all.

05

Turn on DKIM (10 minutes)

DKIM lives inside your email provider's admin area, then gets published in DNS.

Google Workspace: go to admin.google.com > Apps > Google Workspace > Gmail > Authenticate email. Pick your domain and click Generate new record, keeping the 2048-bit default. Google gives you a host name (google._domainkey) and a long TXT value. Add that as a TXT record in your DNS panel, wait for it to publish, then return to the same Admin page and click Start authentication.

Microsoft 365: go to security.microsoft.com > Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM. Select your domain and switch on Sign messages for this domain with DKIM signatures. Microsoft shows two CNAME records, selector1._domainkey and selector2._domainkey. Add both in your DNS panel, then flip the toggle on.

The values are long and a single dropped character breaks the whole thing. Copy and paste, never retype.

06

Add DMARC in monitor mode (5 minutes)

DMARC is one more TXT record in the same DNS panel:

  • Type: TXT
  • Name or Host: _dmarc
  • Value: v=DMARC1; p=none; rua=mailto:you@yourdomain.com (swap in a real address you check)
Field note

p=none means monitor only. Nothing gets blocked, and providers send you reports on who's sending as your domain. The raw reports are unreadable XML, so point the rua address at a free digest service like Postmark's DMARC monitoring (dmarc.postmarkapp.com) and read the weekly summary instead. Once everything legitimate passes for a few weeks, change p=none to p=quarantine so forgeries go to spam. Don't jump straight to p=reject; if a tool you forgot about sends as your domain, reject gets its mail refused outright.

07

Prove it worked

DNS changes usually show up within an hour but can take up to 48 hours, so if a check still fails right away, test again the next day before touching anything.

Rerun the learndmarc.com test from the account you send invoices with. You want three green passes. Then do the Gmail Show original check on a real invoice email, since your invoicing app may send differently than your inbox does.

Last step, and people skip it: ask two or three regular customers to drag your most recent invoice out of their spam folder, click Not spam, and add your address to their contacts. Authentication fixes how new mail gets judged. It doesn't instantly repair the reputation your domain built while it was failing, and a few Not spam clicks from real customers speed that repair up.

Common questions

Questions that come up

My invoices come from QuickBooks or Jobber, not my email. Does this still matter?

Check the From line on an invoice email. If it shows the software company's domain (like notification.intuit.com), authentication is their job and your records don't apply to those messages. If the app sends from your own domain, its help pages list the exact SPF include and DKIM records to add, and they go in the same DNS panel this guide uses.

I use a plain @gmail.com address for the business. Do I need any of this?

No. Google authenticates its own addresses, so SPF and DKIM aren't your problem. If your invoices still land in spam from a gmail.com address, look at attachments, links, or the wording instead. Worth knowing: a domain of your own (you@yourcompany.com) reads as more legitimate to customers, and this guide is the checklist for setting one up right.

All three checks pass and mail still goes to spam. Now what?

Authentication is the entry ticket, not the whole game. The usual leftover causes: a newly registered domain with no sending history, a link to a website that's been flagged, attachment-heavy messages, or suddenly blasting a big list from a domain that normally sends ten emails a day. Send a test to mail-tester.com (free for a few checks per day). It scores your message out of 10 and lists exactly what the filters dislike.

Or skip the homework

Rather I just did this?

Fair. The audit shows where your site actually stands in about a minute, then you decide. No email required, no pressure, just the truth.