Gmail Spam With SPF, DKIM, and DMARC Passing

Why Gmail can spam mail that passes

A clean SPF, DKIM, and DMARC result does not buy inbox placement. It only tells Gmail the sender identity checked out.

SPF, DKIM, and DMARC are identity checks. SPF checks whether the sending host is allowed for the envelope sender or HELO domain. DKIM checks whether a signed part of the message still matches the public key in DNS. DMARC checks whether SPF or DKIM passes and aligns with the visible From domain. Gmail can accept those signals and still place the message in spam if the mail looks unwanted or risky.

Start with the exact message that landed in spam. In Gmail, open the message, choose Show original, then read Authentication-Results. A top-line pass is useful, but the details matter more. Compare the visible From domain, the smtp.mailfrom domain used by SPF, and each DKIM d= domain. DMARC passes only when SPF or DKIM passes and aligns with the visible From domain.

  • Confirm DMARC passed for the same domain the recipient sees in From.
  • Check whether DMARC passed through SPF alignment, DKIM alignment, or both.
  • Look for forwarding. Forwarding often breaks SPF, while DKIM may survive if the message is not changed.
  • Check Google Postmaster Tools for domain reputation, IP reputation, and spam rate.

Fix the authentication details first

A domain can pass one test and still have brittle DNS. Clean up the basics before you rewrite copy or switch tools.

SPF is defined in RFC 7208. Publish one SPF TXT record for each sending domain. Include every platform that sends mail for that domain. Keep the record within the SPF limit of 10 DNS lookups. The include, a, mx, ptr, exists, and redirect terms can count toward that limit. Too many lookups can cause a permanent SPF error at receivers. Use ~all while you are still finding real senders. Move to -all only after the record covers them. Do not use +all, because it says any server is allowed.
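The lookup limit applies to the whole include tree, not just the top-level record, so a record that looks short can still go over. The sketch below is an added example, not code from this guide or from any tool it mentions. It walks a constructed set of TXT records (all names hypothetical, standing in for live DNS) and reports the three problems described above: more than one SPF record, more than 10 lookups, and +all.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data standing in for live DNS; every name is hypothetical.
ZONE = {
    "example.com": ["v=spf1 a mx include:_spf.crm.example "
                    "include:_spf.mailer.example include:_spf.helpdesk.example ~all"],
    "_spf.crm.example": ["v=spf1 include:a.crm.example include:b.crm.example ~all"],
    "a.crm.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "b.crm.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_spf.mailer.example": ["v=spf1 a mx exists:%{i}.bl.mailer.example ~all"],
    "_spf.helpdesk.example": ["v=spf1 include:spf1.helpdesk.example -all"],
    "spf1.helpdesk.example": ["v=spf1 ip4:192.0.2.128/25 -all"],
}

def walk_spf(domain, zone, findings, seen):
    """Count the DNS-querying terms reachable from this domain's SPF record."""
    seen.add(domain)  # guards against include loops
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        findings.append(f"{domain}: {len(records)} SPF records, need exactly one")
        return 0
    lookups = 0
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # no qualifier means +
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]+))?", term.lstrip("+-~?").lower())
        if not m:
            continue
        name, target = m.group(1), m.group(2)
        if name == "all" and qualifier == "+":
            findings.append(f"{domain}: +all authorizes any server")
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect") and target and target not in seen:
            lookups += walk_spf(target, zone, findings, seen)
    return lookups

def audit_spf(domain, zone):
    findings = []
    lookups = walk_spf(domain, zone, findings, set())
    if lookups > 10:
        findings.append(f"{domain}: {lookups} DNS lookups, over the limit of 10")
    return lookups, findings
```

In the constructed zone the top-level record has only five lookup terms, but the three included services add six more, which puts example.com at 11.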

DKIM is defined in RFC 6376. Make sure each sending service signs mail with a selector that exists in DNS. The selector in the DKIM-Signature header has to match the public key record. Google says DKIM keys should be at least 1024 bits and recommends 2048 bits where supported. If you send through Microsoft 365 with a custom domain, enable DKIM for that domain so the d= value can align with the From address.

DMARC was first published as RFC 7489 and is now covered by RFC 9989, with reporting in RFC 9990 and RFC 9991. It checks the domain in the visible From header against SPF and DKIM. A p=none policy monitors. p=quarantine asks receivers to place failing mail in spam. p=reject asks receivers to reject failing mail. Add a rua address so aggregate reports show which services send as your domain. Tighten the policy after reports show your real mail aligns.

  • SPF: one record, all real senders listed, no more than 10 DNS lookups.
  • DKIM: every sender signs, selectors resolve, keys are current.
  • DMARC: record exists at _dmarc, alignment passes, rua reports are watched.
  • MX: inbound mail routes to the right provider. MX does not authorize outbound mail, but broken MX can make replies and bounces fail.

Check the reasons Gmail still dislikes the mail

When authentication passes, Gmail usually filters because of reputation, recipient behavior, infrastructure, or message risk.

Google's sender guidelines say authenticated messages are less likely to be rejected or marked as spam, but they also list other requirements: low spam complaints, valid forward and reverse DNS, TLS, correct message format, clear sender identity, and steady sending volume. Bulk senders have extra rules, including DMARC and aligned authentication. Google says the spam rate reported in Postmaster Tools should stay below 0.10% and should never reach 0.30% or higher.

Outlook uses the same broad idea. Microsoft's email authentication guidance explains that SPF checks the MAIL FROM domain, while DMARC connects authentication to the visible From domain. Microsoft also uses composite authentication and reputation signals, so a technical pass is one input in a larger filter decision.

  • Reputation: review Google Postmaster Tools for domain and IP reputation drops.
  • Complaints: stop mailing people who did not ask for the message or keep ignoring it.
  • Volume: warm new domains and IPs slowly. Sudden spikes look risky.
  • Infrastructure: confirm forward and reverse DNS exist and point consistently for the sending IP.
  • Blocklists: check the sending IP and domain, but weigh Gmail's own reputation data first.
  • Content: remove misleading subjects, hidden text, link shorteners, and domains that do not match your brand.

Use this order of operations

Do the checks in order. Guessing wastes days, and each wrong change can hide the real signal.

  • Send one fresh test to a Gmail account and save the full original headers.
  • Verify SPF, DKIM, DMARC, MX, and DNS drift with a live check. InboxRadar can give you a free domain scorecard at the domain checker.
  • If DMARC passes through only one path, fix the other path too. SPF and DKIM should both align for your main senders.
  • If DNS is clean, inspect Postmaster Tools, complaint rate, recent volume changes, and shared IP reputation.
  • Split mail streams. Receipts, product alerts, newsletters, and sales mail should use clear From addresses and steady patterns.
  • When a result is unclear, read the official SPF, DKIM, and DMARC RFCs, plus the Google and Microsoft sender rules.

For a wider checklist, see the related guide index at InboxRadar guides.

Common questions

If SPF, DKIM, and DMARC pass, is Gmail wrong?

No. Gmail can believe the sender is real and still think the message is unwanted. Authentication answers who sent it. Spam filtering also looks at complaints, reputation, recipient behavior, infrastructure, and message risk.

Does p=reject improve Gmail inbox placement?

It can help protect your domain from spoofing after every real sender is aligned. It can also break real mail if you rush. Start with p=none and rua reports, fix the senders, then move to p=quarantine or p=reject when the reports are clean.

Will changing SPF from ~all to -all fix spam?

No. ~all is a soft fail for unauthorized SPF sources. -all is a hard fail. Use -all when your sender list is complete, but do not expect it to repair reputation, complaints, or bad content. DKIM alignment can still pass DMARC even when SPF fails.

What header should I check first?

Read Authentication-Results. Look for spf=, dkim=, and dmarc=. Then compare smtp.mailfrom, header.from, and each DKIM d= value. If the domains do not align, the pass you saw may not be the pass Gmail needs for the visible sender.
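The header comparison described in this answer, and in the Show original walk-through near the top of the guide, can be scripted. The following is an added example, not code from this guide or from Gmail. The header is a constructed sample, and the organizational-domain rule (last two labels) is a simplifying assumption, because real relaxed alignment uses the Public Suffix List.

```python
import re

# Constructed sample header, not taken from a real message.
SAMPLE = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@esp-example.net header.s=s1 header.b=AbCdEfGh;
       dkim=pass header.i=@news.example.com header.s=k2 header.b=IjKlMnOp;
       spf=pass (google.com: domain of bounce@mail.esp-example.net designates
       192.0.2.10 as permitted sender) smtp.mailfrom=bounce@mail.esp-example.net;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com"""

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # relaxed alignment needs the Public Suffix List (co.uk and similar).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def domain_of(value):
    return value.rsplit("@", 1)[-1].lower()

def parse_auth_results(header):
    body = re.sub(r"\([^()]*\)", " ", header.split(":", 1)[1])  # drop comments
    checks = []
    for part in body.split(";")[1:]:  # part 0 is the reporting server's id
        m = re.match(r"\s*(\w+)=(\w+)", part)
        if m:
            props = dict(re.findall(r"([a-z]+\.[a-z]+)=(\S+)", part))
            checks.append((m.group(1), m.group(2), props))
    return checks

def alignment_report(header):
    checks = parse_auth_results(header)
    from_dom = next((domain_of(p["header.from"]) for meth, _, p in checks
                     if meth == "dmarc" and "header.from" in p), "")
    report = {"from": from_dom, "dmarc": None, "spf_aligned": False, "dkim_aligned": []}
    for method, result, props in checks:
        if method == "dmarc":
            report["dmarc"] = result
        elif result != "pass" or not from_dom:
            continue  # only a passing SPF or DKIM result can satisfy DMARC
        elif method == "spf":
            mail_from = domain_of(props.get("smtp.mailfrom", ""))
            report["spf_aligned"] = org_domain(mail_from) == org_domain(from_dom)
        elif method == "dkim":
            # Some receivers report the signer as header.d, others as header.i.
            signer = domain_of(props.get("header.d") or props.get("header.i", ""))
            if org_domain(signer) == org_domain(from_dom):
                report["dkim_aligned"].append(signer)
    return report
```

For the sample, SPF and one DKIM signature pass for the sending platform's own domain, so DMARC passes only through the second DKIM signature. That is the single-path case the order of operations says to fix.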
