How to troubleshoot email spam issues with Outlook and Hotmail in Klaviyo and Mailgun?

Key findings

• Authentication failures: The primary cause of spam placement in Outlook and Hotmail is often due to SPF, DKIM, or DMARC authentication failures. Tools that report these statuses, even if not fully accurate, can point to the right area.
• SPF record misconfiguration: An SPF record showing 'neutral' or 'softfail' indicates that the sending IPs are not properly authorized, such as missing an include: directive for all sending services, including Google Workspace for organizational emails.
• DKIM alignment issues: Emails failing DKIM validation, particularly when using default keys or not setting up custom DKIM signatures (e.g., for Google Workspace), can lead to non-alignment and spam filtering.
• DMARC policy impact: A DMARC policy set to 'quarantine' or 'reject' without fully aligned SPF and DKIM will cause legitimate emails to go to spam or be blocked, even if previous SPF and DKIM tests show as passing.
• Multiple sending platforms: Using various platforms like Klaviyo, Mailgun, and others (e.g., Go HighLevels) complicates DNS records. Each platform needs its own correct authentication records in the main domain's DNS.

Key considerations

• Comprehensive DMARC reporting: Implementing a DMARC reporting service is crucial for gaining visibility into authentication results, helping to identify which emails are failing and why. Before enforcing a DMARC policy, switch to p=none to collect reports without impacting delivery. You can learn more about simple DMARC examples.
• Accurate SPF records: Ensure your SPF record includes all legitimate sending sources. For Google Workspace, this typically means adding include:_spf.google.com within your v=spf1 statement, before the ~all or -all mechanism.
• Correct DKIM implementation: Each sending platform requires its own DKIM setup. Verify that the correct DKIM keys provided by Klaviyo, Mailgun, and Google Workspace (if applicable) are published and aligned with your sending domain. For Google Workspace, follow their specific directions to turn on DKIM for your domain.
• Utilize diagnostic tools: Use tools like AboutMy.Email to get a quick snapshot of your email's authentication status as it leaves your system. This helps confirm whether the mail is passing before it reaches the recipient's inbox filters.
• Systematic troubleshooting: Address one authentication issue at a time. Correct SPF, then DKIM, then monitor DMARC reports. This methodical approach helps in isolating the root cause and preventing further deliverability problems. See our guide on how to diagnose email deliverability issues.

Key opinions

• GlockApps accuracy: While useful, some marketers question the absolute accuracy of tools like GlockApps for real-time authentication status, emphasizing the need for direct DMARC reports.
• SPF `~all` for testing: Switching SPF to ~all (softfail) can sometimes appear to resolve immediate SPF passing issues, but it's not a long-term solution and can still lead to deliverability problems. Marketers need to understand what SPF TempError means for their reports.
• DKIM alignment is critical: Even if individual DKIM records appear to pass, if they are not correctly aligned with the From domain, DMARC will still fail, resulting in spam placement. This is a common oversight when using third-party sending services.
• DMARC policy caution: Moving to a DMARC policy of 'quarantine' or 'reject' prematurely, without ensuring all legitimate sending sources are properly authenticated and aligned, is a significant risk that can severely impact email delivery.
• Gmail Workspace DKIM setup: A frequent issue is not correctly setting up the custom DKIM signature for Google Workspace emails, even if other platforms are correctly configured. This often leads to DKIM alignment failures for internal or sales-related emails.

Key considerations

• DMARC reports as truth: Marketers should rely on DMARC Aggregate Reports (RUA) for the most accurate picture of their email authentication status. If not already, point your DMARC record to a reporting service to gain these insights.
• Full SPF inclusion: Ensure your SPF record includes every service that sends email on behalf of your domain. This means adding include: statements for Klaviyo, Mailgun, Google Workspace, and any other ESPs or services. Our guide on why your emails fail at Microsoft can provide further insights.
• Dedicated DKIM for each platform: Implement DKIM for each distinct sending platform. Klaviyo and Mailgun will provide specific CNAME records for this. For Google Workspace, ensure you generate and publish their unique DKIM key.
• Start with p=none for DMARC: Before moving to stricter DMARC policies, always start with p=none and analyze reports for several weeks to identify all legitimate email streams and their authentication status. This preventative step can save significant deliverability headaches.
• Content and reputation: While authentication is foundational, marketers should also review their email content for spammy triggers and maintain a healthy sender reputation. Tools for spam filtering can help optimize email content to avoid deliverability issues.

Key opinions

• DMARC reports are essential: Experts advise marketers to read DMARC RUA reports to understand their email authentication status. Without a reporting service, it's difficult to know what is actually failing.
• Avoid premature DMARC enforcement: Moving to a 'quarantine' policy without full alignment work is a common mistake that leads to legitimate emails being marked as spam. Start with p=none until all sources are aligned. Our guide on how to safely transition your DMARC policy outlines this process.
• SPF record completeness: An SPF record must contain all IP ranges and includes for every service sending on your behalf. A missing include:_spf.google.com is a frequent cause of soft fails for Google Workspace users.
• DKIM domain alignment: Even if DKIM records are published, they must be signed with your domain for proper DMARC alignment. This is a common oversight, particularly with default ESP settings.
• Platform-specific DKIM setup: DKIM configuration is unique to each sending platform (Klaviyo, Mailgun, Google Workspace). If you see unaligned DKIM, it's typically because the platform-specific steps were missed. Check our guide on DKIM setup issues in Klaviyo.

Key considerations

• External diagnostic tools: Use tools like AboutMy.Email to confirm that your email is correctly authenticated (SPF, DKIM, DMARC) as it leaves your system, providing valuable diagnostic data.
• Iterative fixes: Fix SPF first, then DKIM. Confirm each step is correctly implemented before moving to the next. This systematic approach is critical for resolving complex authentication problems and ensures a smoother path to DMARC enforcement.
• DNS TTL management: Be mindful of DNS Time-To-Live (TTL) settings when making changes to SPF or DKIM records. Changes can take time to propagate globally, so allow sufficient time before retesting. Learn more about resolving Outlook email deliverability issues.
• Domain reputation: Beyond technical setup, experts highlight the importance of maintaining a strong sender reputation. This includes managing bounce rates, keeping lists clean, and avoiding spam traps, as Outlook and Hotmail heavily weigh reputation in their filtering decisions.

Key findings

• SPF record requirements: Documentation specifies that SPF records must explicitly list all authorized sending IP addresses and included domains. Failure to do so results in 'softfail' or 'neutral' results, impacting deliverability.
• DKIM setup procedures: Each email sending platform (e.g., Klaviyo, Mailgun, Google Workspace) provides specific DKIM records that must be published as CNAME or TXT records in your DNS. These records are crucial for cryptographic signing and verification.
• DMARC alignment rules: DMARC policies rely on SPF and DKIM 'alignment,' meaning the domain in the From header must match the authenticated SPF or DKIM domain. Discrepancies lead to DMARC failures and policy enforcement (quarantine/reject).
• Importance of reporting: DMARC documentation emphasizes the necessity of 'rua' (aggregate) and 'ruf' (forensic) reporting to gain visibility into email authentication results and identify misconfigurations.

Key considerations

• Follow specific setup guides: Refer to the exact documentation provided by Klaviyo, Mailgun, Google Workspace, and any other ESPs for their specific SPF and DKIM record values and setup instructions. These are critical for proper authentication and compliance.
• Regular DNS review: Periodically review your domain's DNS records to ensure all sending services are correctly authorized and there are no conflicting or outdated entries. This is especially important when adding new sending platforms or discontinuing old ones.
• Implement DMARC gradually: Begin with a p=none DMARC policy to gather reports without affecting deliverability. Progress to p=quarantine and then p=reject only after verifying all legitimate emails pass DMARC.
• Content compliance: Documentation also often covers content best practices. Even with perfect authentication, spammy content, broken links, or misleading subject lines can trigger filters. Use tools like Mailgun's spam testing tools to optimize email content.