When a business email goes to spam, the problem is rarely only the text of the message. It usually starts with the identity of the domain: who is allowed to send email for you, whether the message is signed correctly and what the recipient should do when something does not align.
The three core pieces are SPF, DKIM and DMARC. They are not minor details for the hosting provider. They are the foundation for offers, orders, invoices, contact forms and newsletters reaching the inbox. Since 2024, Gmail and Yahoo have enforced stricter sender requirements, especially for bulk email. In 2026, a business without proper authentication starts at a disadvantage.
What SPF does
SPF is a DNS record that says which servers are allowed to send mail for your domain. If you use Google Workspace, hosting SMTP, a newsletter tool and WooCommerce transactional mail, all of them must be included correctly. If one sender is missing, messages from that sender may look suspicious.
A common mistake is having two SPF records on the same domain. There should be one record that includes every legitimate sender. Another common issue is a website form sending from shared hosting while the company email lives in Google Workspace or Microsoft 365. That creates misalignment.
What DKIM does
DKIM adds a digital signature to the email. The receiving server checks the signature through DNS and verifies that the message was sent by an authorized system and was not changed in transit. For business email, DKIM should be enabled for every service that sends marketing or transactional messages.
Google Workspace notes that sending to personal Gmail accounts requires a DKIM key of 1024 bits or longer, and recommends 2048-bit keys when supported. Old or quick setups may appear fine on the surface but fail to meet what large providers expect.
What DMARC does
DMARC connects SPF and DKIM with the From domain that the user sees. It tells receivers what to do when a message does not pass alignment: take no action, quarantine it or reject it. The simple principle is that the visible sender domain should align with the authenticated domain.
DMARC also gives visibility. With reports you can see who is sending for your domain: Google, Microsoft, newsletter tools, e-shop systems, CRM platforms and possible spoofers. Without reports, you are guessing.
Why having a mailbox is not enough
Having a mailbox does not mean you have a clean sending setup. Google requires SPF or DKIM for all senders and SPF, DKIM and DMARC for bulk senders. It also requires valid forward/reverse DNS, TLS and low spam complaints. Yahoo says non-compliant mail may go to spam or be rejected, and it does not give one simple fixed volume threshold for bulk senders.
A Greek business site that sends forms, orders, offers, newsletters and automations needs a clean setup. If WooCommerce sends through unauthenticated PHP mail, a newsletter tool sends from a third-party domain, the contact form uses the wrong From address or the domain has no DMARC record, spam problems are expected.
Common causes of spam placement
The most common causes are wrong SPF, inactive DKIM, no DMARC, From domain misalignment, poor shared IP reputation, forms sending as if they were the customer, forwarding that breaks SPF, old lists, poor unsubscribe handling, too many links, suspicious attachments and sudden sending spikes.
Reputation also matters. If users report spam, if the domain sends irrelevant messages or if newsletters go to lists without real consent, DNS records will not fully save the sender. SPF, DKIM and DMARC are necessary foundations, not permission for poor practice.
Practical checklist
Confirm that there is one SPF record and that it includes all legitimate senders. Enable DKIM in Google Workspace, Microsoft 365, newsletter platforms and transactional mail providers. Add DMARC in monitoring mode first, for example p=none with rua reports, then move toward a stricter policy once legitimate mail passes.
Configure SMTP for WordPress and WooCommerce instead of relying on PHP mail. Separate transactional and marketing streams when volume grows. Do not use personal Gmail for company sending. Check reverse DNS if you run your own mail server. Most importantly, measure with headers and reports, not with "it arrived for me".
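The first checks in this list can be automated. The sketch below is an added example, not taken from any provider's tooling: it audits TXT record strings for the single-SPF-record rule, for missing sender includes and for a DMARC record with a policy and rua reports. The records, the newsletter include name and the report address are constructed sample values; in practice you would feed it the TXT answers for your domain and for _dmarc.<domain>.

```python
# Added example. All records and sender names below are constructed sample data.

def _records(txt_records, version):
    """Keep only TXT strings whose first term is the given version tag."""
    return [r for r in txt_records if r.lower().replace(";", " ").split()[:1] == [version]]

def audit_spf(apex_txt, required_includes):
    """Findings for the TXT records published at the domain itself."""
    spf = _records(apex_txt, "v=spf1")
    if len(spf) != 1:
        # More than one v=spf1 record makes SPF evaluation fail (RFC 7208 permerror).
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    includes = {t.split(":", 1)[1] for t in terms if t.startswith("include:")}
    return [f"missing sender: include:{d}" for d in required_includes if d not in includes]

def audit_dmarc(dmarc_txt):
    """Findings for the TXT records published at _dmarc.<domain>."""
    dmarc = _records(dmarc_txt, "v=dmarc1")
    if len(dmarc) != 1:
        return [f"expected exactly one DMARC record, found {len(dmarc)}"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none: monitoring only, nothing is quarantined or rejected")
    if "rua" not in tags:
        findings.append("no rua= tag: no aggregate reports will arrive")
    return findings

REQUIRED = ["_spf.google.com", "spf.newsletter.example"]  # hypothetical sender list
BROKEN_APEX = ["v=spf1 include:_spf.google.com ~all",         # two SPF records:
               "v=spf1 include:spf.newsletter.example ~all",  # the mistake described above
               "site-verification=constructed-value"]
BROKEN_DMARC = ["v=DMARC1; p=none"]
FIXED_APEX = ["v=spf1 include:_spf.google.com include:spf.newsletter.example ~all"]
FIXED_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]

if __name__ == "__main__":
    for label, apex, dmarc in (("broken", BROKEN_APEX, BROKEN_DMARC),
                               ("fixed", FIXED_APEX, FIXED_DMARC)):
        print(label, audit_spf(apex, REQUIRED) + audit_dmarc(dmarc))
```

The fixed DMARC record still reports p=none on purpose: that is the monitoring stage, and the finding disappears once the policy moves to quarantine or reject.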
A safe rollout path
Email going to spam is usually a symptom of weak sender identity, not a mystery. In 2026 every serious business needs SPF, DKIM, DMARC, authenticated SMTP, clean From alignment, low complaints and a healthy recipient list. It is a small technical investment compared with lost offers, orders and customers.
