security

guide

Why your business emails land in spam (and how to fix it)

11 min read · 15-Jan-2025

the 11-minute guide

villagehosting.in team

15 January 2025

You send a quote, a proposal, or a customer welcome email — and it vanishes into the recipient's spam folder. They never see it. This is one of the most costly invisible problems for Indian businesses. Here is the complete fix.

A new Gmail account flag you may not know about

Since early 2024, Gmail automatically sends email from domains that fail SPF+DMARC checks to the Promotions or Spam tab. Even a single missing record can drop your inbox placement rate from 90%+ to under 30%. Check your SPF and DMARC records today before your next campaign.

Why emails go to spam

Email providers (Gmail, Outlook, Yahoo) use hundreds of signals to decide whether an email is spam. The main ones:

1. Missing or incorrect SPF record SPF (Sender Policy Framework) tells receiving servers which IP addresses are allowed to send email for your domain. Without it, Gmail cannot verify you are who you say you are.

2. Missing DKIM signature DKIM (DomainKeys Identified Mail) cryptographically signs your emails. Without it, email cannot be verified as genuinely from your domain.

3. Missing DMARC policy DMARC ties SPF and DKIM together and tells receiving servers what to do when checks fail.

4. Shared hosting IP on a spam blacklist On shared hosting, you share an IP with other users. If any of them sent spam, the IP may be blacklisted. Emails from that IP go directly to spam.

5. Low domain reputation A new domain sending large volumes of email immediately looks suspicious. Reputation builds over months.

6. Content triggers Words like "free", "guarantee", "click here", excessive exclamation marks, ALL CAPS — these trigger spam filters.

7. No unsubscribe link (for marketing emails) Marketing emails without an unsubscribe link are automatically treated as spam by most providers. Required by law in most jurisdictions.

Step 1: Set up SPF

An SPF record is a TXT record in your domain's DNS that lists authorised mail servers.

For cPanel hosting:

v=spf1 include:yourhostingprovider.com ~all

Ask your host for the exact SPF string. VillageHosting customers should use: (check with support for your server's SPF string)

For Google Workspace:

v=spf1 include:_spf.google.com ~all

For multiple senders (hosting + Google Workspace):

v=spf1 include:yourhostingprovider.com include:_spf.google.com ~all

Add the SPF record:

Log into your DNS provider (Cloudflare, your registrar, or cPanel Zone Editor)
Add a TXT record:
- Name: @ (or yourdomain.com)
- Value: the SPF string above
- TTL: 3600

Verify SPF: mxtoolbox.com/spf.aspx — enter your domain and check for "SPF Record Found"

Step 2: Enable DKIM

DKIM requires your hosting provider to generate a key pair and publish the public key in your DNS.

On cPanel:

cPanel → Email → Email Deliverability
Find your domain → "Repair" if DKIM is missing, or verify the status is "Valid"
cPanel automatically generates DKIM keys and publishes them in your DNS

For Google Workspace:

Google Admin → Apps → Google Workspace → Gmail → Authenticate Email
Generate a new record → follow the steps to add the TXT record to your DNS

Verify DKIM: mxtoolbox.com/dkim.aspx — enter your domain and selector (usually "google" for Google Workspace, "default" for cPanel)

Step 3: Add DMARC

DMARC builds on SPF and DKIM. Start with a monitoring-only policy, then tighten it:

Start here (monitoring only, no emails rejected):

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

After 2–4 weeks, move to quarantine:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=50

Finally, move to reject (full enforcement):

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Add DMARC as a TXT record:

Name: _dmarc.yourdomain.com
Value: the DMARC string above
TTL: 3600

The rua email receives reports from receiving mail servers about who is sending email from your domain. These reports help you identify legitimate senders you may have missed in your SPF record.

DMARC monitoring tools: Postmark's free DMARC monitoring, or mxtoolbox.com/dmarc.aspx

Step 4: Check if your IP is blacklisted

Check mxtoolbox.com/blacklists.aspx — enter your mail server's IP address.

If your IP is listed:

On shared hosting: Contact your host. They can switch your emails to a different IP or have the IP delisted.
On VPS: Request delisting directly from each blacklist. Most have online delisting forms.
On Google Workspace/Office 365: Your IP is not listed — these providers maintain clean IP ranges.

If your shared hosting IP is frequently listed: Consider using a transactional email service (SendGrid, Mailgun, AWS SES) for sending email instead of your cPanel mail server. These services maintain pristine IP reputations.

Step 5: Test your email score before sending

Send an email to: check@mail-tester.com

Visit mail-tester.com to see your score out of 10 and a breakdown of every issue:

SPF: pass/fail
DKIM: pass/fail
DMARC: pass/fail
IP reputation
Content score

Aim for 8/10 or higher before sending marketing campaigns.

Also use: Google Postmaster Tools (google.com/postmaster) — shows your domain reputation with Gmail specifically. Register and verify your domain.

Transactional vs marketing emails: different rules

Transactional emails: Order confirmations, password resets, invoice delivery. Sent in response to user actions.

Do not require an unsubscribe link
Must still have SPF/DKIM
Use your hosting SMTP or a transactional service

Marketing emails: Newsletters, promotional campaigns, bulk sends.

Require an unsubscribe link (legal requirement in most countries)
Must have explicit consent from recipients
Should use a dedicated email marketing service: Mailchimp, SendinBlue (Brevo), Zoho Campaigns

Do not send marketing emails from your hosting SMTP. Shared hosting mail servers are not designed for bulk sending and will quickly get blacklisted.

Setting up SendGrid for transactional email (WordPress)

For WordPress sites that need reliable transactional email:

Create a free SendGrid account (100 emails/day free)
Generate an API key in SendGrid → Settings → API Keys
Install WP Mail SMTP plugin in WordPress
Configure: Mailer = SendGrid → enter API key → from email = your@yourdomain.com
Send a test email and verify delivery

This routes all WordPress email (contact forms, WooCommerce, membership) through SendGrid's infrastructure, bypassing your hosting mail server entirely.

Common spam triggers to avoid in email content

In subject lines:

"FREE" in capitals
Excessive punctuation (!!!)
"Guaranteed", "Click now", "Act now", "Limited time"
All caps subject lines

In email body:

Large images with very little text (spam filters cannot read images)
"Click here" as link text — use descriptive text instead
URL shorteners (bit.ly, t.co) — suspicious to spam filters
Unbalanced HTML (missing closing tags)

Technical:

Image-only emails (add text)
Emails without a plain-text version
Emails sent from an IP that is not in your SPF record

How long to fix deliverability

SPF + DKIM + DMARC: Immediate effect — once DNS propagates (15–60 minutes)

IP delisting: 24–72 hours after requesting removal

Domain reputation: 2–4 months of consistent, complaint-free sending. Domain reputation is slow to build and slow to repair.

Inbox vs spam rate: After fixing all technical issues, you should see immediate improvement. Domain reputation improvement is gradual.

After implementing SPF, DKIM, and DMARC, the majority of Indian businesses see their email move from spam to inbox within 24 hours.

security

guide

Why your business emails land in spam (and how to fix it)

11 min read · 15-Jan-2025

the 11-minute guide

villagehosting.in team

15 January 2025

A new Gmail account flag you may not know about

Why emails go to spam

Email providers (Gmail, Outlook, Yahoo) use hundreds of signals to decide whether an email is spam. The main ones:

2. Missing DKIM signature DKIM (DomainKeys Identified Mail) cryptographically signs your emails. Without it, email cannot be verified as genuinely from your domain.

3. Missing DMARC policy DMARC ties SPF and DKIM together and tells receiving servers what to do when checks fail.

4. Shared hosting IP on a spam blacklist On shared hosting, you share an IP with other users. If any of them sent spam, the IP may be blacklisted. Emails from that IP go directly to spam.

5. Low domain reputation A new domain sending large volumes of email immediately looks suspicious. Reputation builds over months.

6. Content triggers Words like "free", "guarantee", "click here", excessive exclamation marks, ALL CAPS — these trigger spam filters.

7. No unsubscribe link (for marketing emails) Marketing emails without an unsubscribe link are automatically treated as spam by most providers. Required by law in most jurisdictions.

Step 1: Set up SPF

An SPF record is a TXT record in your domain's DNS that lists authorised mail servers.

For cPanel hosting:

v=spf1 include:yourhostingprovider.com ~all

Ask your host for the exact SPF string. VillageHosting customers should use: (check with support for your server's SPF string)

For Google Workspace:

v=spf1 include:_spf.google.com ~all

For multiple senders (hosting + Google Workspace):

v=spf1 include:yourhostingprovider.com include:_spf.google.com ~all

Add the SPF record:

Log into your DNS provider (Cloudflare, your registrar, or cPanel Zone Editor)
Add a TXT record:
- Name: @ (or yourdomain.com)
- Value: the SPF string above
- TTL: 3600

Verify SPF: mxtoolbox.com/spf.aspx — enter your domain and check for "SPF Record Found"

Step 2: Enable DKIM

DKIM requires your hosting provider to generate a key pair and publish the public key in your DNS.

On cPanel:

cPanel → Email → Email Deliverability
Find your domain → "Repair" if DKIM is missing, or verify the status is "Valid"
cPanel automatically generates DKIM keys and publishes them in your DNS

For Google Workspace:

Google Admin → Apps → Google Workspace → Gmail → Authenticate Email
Generate a new record → follow the steps to add the TXT record to your DNS

Verify DKIM: mxtoolbox.com/dkim.aspx — enter your domain and selector (usually "google" for Google Workspace, "default" for cPanel)

Step 3: Add DMARC

DMARC builds on SPF and DKIM. Start with a monitoring-only policy, then tighten it:

Start here (monitoring only, no emails rejected):

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

After 2–4 weeks, move to quarantine:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=50

Finally, move to reject (full enforcement):

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Add DMARC as a TXT record:

Name: _dmarc.yourdomain.com
Value: the DMARC string above
TTL: 3600

The rua email receives reports from receiving mail servers about who is sending email from your domain. These reports help you identify legitimate senders you may have missed in your SPF record.

DMARC monitoring tools: Postmark's free DMARC monitoring, or mxtoolbox.com/dmarc.aspx

Step 4: Check if your IP is blacklisted

Check mxtoolbox.com/blacklists.aspx — enter your mail server's IP address.

If your IP is listed:

On shared hosting: Contact your host. They can switch your emails to a different IP or have the IP delisted.
On VPS: Request delisting directly from each blacklist. Most have online delisting forms.
On Google Workspace/Office 365: Your IP is not listed — these providers maintain clean IP ranges.

Step 5: Test your email score before sending

Send an email to: check@mail-tester.com

Visit mail-tester.com to see your score out of 10 and a breakdown of every issue:

SPF: pass/fail
DKIM: pass/fail
DMARC: pass/fail
IP reputation
Content score

Aim for 8/10 or higher before sending marketing campaigns.

Also use: Google Postmaster Tools (google.com/postmaster) — shows your domain reputation with Gmail specifically. Register and verify your domain.

Transactional vs marketing emails: different rules

Transactional emails: Order confirmations, password resets, invoice delivery. Sent in response to user actions.

Do not require an unsubscribe link
Must still have SPF/DKIM
Use your hosting SMTP or a transactional service

Marketing emails: Newsletters, promotional campaigns, bulk sends.

Require an unsubscribe link (legal requirement in most countries)
Must have explicit consent from recipients
Should use a dedicated email marketing service: Mailchimp, SendinBlue (Brevo), Zoho Campaigns

Do not send marketing emails from your hosting SMTP. Shared hosting mail servers are not designed for bulk sending and will quickly get blacklisted.

Setting up SendGrid for transactional email (WordPress)

For WordPress sites that need reliable transactional email:

Create a free SendGrid account (100 emails/day free)
Generate an API key in SendGrid → Settings → API Keys
Install WP Mail SMTP plugin in WordPress
Configure: Mailer = SendGrid → enter API key → from email = your@yourdomain.com
Send a test email and verify delivery

This routes all WordPress email (contact forms, WooCommerce, membership) through SendGrid's infrastructure, bypassing your hosting mail server entirely.

Common spam triggers to avoid in email content

In subject lines:

"FREE" in capitals
Excessive punctuation (!!!)
"Guaranteed", "Click now", "Act now", "Limited time"
All caps subject lines

In email body:

Large images with very little text (spam filters cannot read images)
"Click here" as link text — use descriptive text instead
URL shorteners (bit.ly, t.co) — suspicious to spam filters
Unbalanced HTML (missing closing tags)

Technical:

Image-only emails (add text)
Emails without a plain-text version
Emails sent from an IP that is not in your SPF record

How long to fix deliverability

SPF + DKIM + DMARC: Immediate effect — once DNS propagates (15–60 minutes)

IP delisting: 24–72 hours after requesting removal

Domain reputation: 2–4 months of consistent, complaint-free sending. Domain reputation is slow to build and slow to repair.

Inbox vs spam rate: After fixing all technical issues, you should see immediate improvement. Domain reputation improvement is gradual.

After implementing SPF, DKIM, and DMARC, the majority of Indian businesses see their email move from spam to inbox within 24 hours.