What is the difference between SPF, DKIM, and DMARC?

The primary difference is how they verify email senders . SPF verifies the sending server's IP address. DKIM verifies the email content's integrity and the sending domain's authenticity through a cryptographic signature. DMARC combines SPF and DKIM, providing instructions to receiving servers on how to handle emails that fail authentication and enabling reporting on authentication results.

My SPF record shows a 'softfail,' what does that mean for Outlook and Hotmail?

A softfail in your SPF record, typically indicated by a ~all mechanism, means that emails from unauthorized senders are not strictly rejected, but are marked as suspicious. This often leads to messages being delivered to the spam or junk folder instead of the inbox. To fix it, ensure your SPF record explicitly includes all legitimate sending services (like Klaviyo and Mailgun) and consider changing ~all to -all once you are confident all sources are included.

Why are my DKIM records showing as 'not aligned' when sending from Klaviyo or Mailgun?

DKIM alignment issues occur when the domain in the 'From' header of your email does not match the domain used in the DKIM signature. For example, if you send emails through Klaviyo , your emails might be signed with a Klaviyo domain instead of your own. To fix this, you must set up custom DKIM records for your domain within your Klaviyo and Mailgun accounts, which typically involves adding CNAME records to your DNS.

How can DMARC reports help troubleshoot spam issues?

DMARC reports (RUA and RUF) are crucial for monitoring your email authentication and deliverability. They provide data on how your emails are performing across various mailbox providers, detailing SPF and DKIM pass/fail rates, and what action was taken (e.g., delivered to inbox, sent to spam, or rejected). By analyzing these reports, you can identify which sending sources are failing authentication and make necessary adjustments to your DNS records or sending practices.

Can a DMARC policy of 'quarantine' cause emails to go to spam?

Yes, if your DMARC policy is set to 'quarantine' or 'reject' and your emails fail SPF or DKIM authentication, they will be sent to the spam folder or rejected outright. This often happens if your DMARC policy is too strict before all legitimate sending sources are properly authenticated. It is recommended to start with a 'p=none' policy to collect reports and ensure all your emails are authenticating correctly before enforcing stricter policies.

How to troubleshoot email spam issues with Outlook and Hotmail in Klaviyo and Mailgun? - Troubleshooting - Email deliverability - Knowledge base

Emails landing in spam or junk folders can be incredibly frustrating, especially when you are using robust email service providers like Klaviyo for marketing campaigns and Mailgun for transactional messages. This issue is particularly prevalent with

Outlook and Hotmail, which employ stringent filtering mechanisms. It is a common challenge that can severely impact your communication effectiveness and overall deliverability rates.

When my clients report persistent spam issues, especially with Microsoft domains, I immediately start looking at their email authentication. Often, the root cause lies in misconfigured or missing SPF, DKIM, and DMARC records. These protocols are crucial for verifying that your emails are legitimate and haven't been spoofed, which is a major factor for inbox placement.

This guide will walk you through the troubleshooting steps I take to identify and resolve email spam issues with Outlook and Hotmail when using Klaviyo and Mailgun. We will delve into common authentication pitfalls and provide actionable solutions to improve your email deliverability, helping your messages reach the inbox, not the junk folder.

Understanding email authentication

Email authentication protocols like SPF, DKIM, and DMARC are the bedrock of good email deliverability. They act as trust signals, assuring receiving mail servers, including those operated by Microsoft, that your emails are genuinely from your domain and haven't been tampered with. Without proper authentication, even legitimate emails can be flagged as suspicious and sent to spam or outright rejected.

SPF (Sender Policy Framework) lets receiving servers verify that an email claiming to come from a specific domain is authorized by that domain's owner. When an SPF record shows as 'neutral' or 'softfail', it means the receiving server isn't entirely confident about the sender's legitimacy. A common mistake I see is an SPF record that is too restrictive or missing `include` mechanisms for all sending services, like

Klaviyo and

Mailgun, leading to soft fails or even hard fails.

DKIM (DomainKeys Identified Mail) provides a way to verify that the email content hasn't been altered in transit. A frequent problem is that the DKIM signature isn't properly aligned with the sending domain. For example, if you're using

Google Workspace for some emails and Klaviyo for others, each needs its own correctly configured DKIM record. Issues often arise when a default Google DKIM key is used for emails sent through another platform, causing misalignment and authentication failures.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM, telling receiving servers what to do if an email fails authentication. A common scenario I encounter is when clients set their DMARC policy to 'quarantine' or 'reject' without first ensuring all legitimate sending sources are properly authenticated. This leads to valid emails being sent directly to the spam folder, or even rejected, despite the sender's intentions. Understanding your DMARC policy settings is critical.

Pinpointing authentication problems

The first step in troubleshooting is to pinpoint exactly where the authentication failures are occurring. I always recommend using a dedicated email testing tool to get a clear picture of how your emails are being authenticated. Sending an email from your problematic sending platform (Klaviyo or Mailgun) to a service that provides detailed authentication reports can offer invaluable insights.

These tools can show you the email's authentication status (SPF, DKIM, DMARC), identify any issues, and sometimes even suggest fixes. If you have multiple sending services, like Klaviyo for marketing and Mailgun for transactional emails, ensure you test emails from each platform. This will help you determine if the problem is specific to one service or affects your entire domain. You can see how your domain's email implements best practices through a tool like About My Email.

For ongoing monitoring, DMARC reports are your best friend. They provide aggregate and forensic data on how receiving mail servers are handling your emails, including detailed information on SPF and DKIM pass/fail rates. If your DMARC policy is set to 'quarantine' or 'reject' without a reporting service, you are essentially flying blind. Always point your DMARC `rua` tag to a reporting service to collect these crucial reports. This data is essential for understanding DMARC reports from Google and Yahoo.

Typical authentication statuses

SPF pass: Sender is authorized.
SPF softfail (~all): Sender is not explicitly authorized but not explicitly unauthorized. Often leads to spam folder.
SPF hardfail (-all): Sender is unauthorized. Email likely rejected.
DKIM pass: Email content integrity verified, sender domain validated.
DKIM fail: DKIM signature invalid or missing. Email likely flagged.
DMARC pass (aligned): SPF or DKIM passed, and the 'From' domain aligns. Inbox delivery likely.
DMARC fail: Both SPF and DKIM failed, or 'From' domain did not align. Action depends on DMARC policy (none, quarantine, reject).

Addressing common deliverability culprits

Once you have identified the specific authentication failures, you can address them. Here are some of the most common issues I see with SPF and DKIM, particularly for users of Klaviyo and Mailgun, and how to fix them.

SPF record issues

A common SPF problem is having a 'softfail' due to incomplete includes. If you are sending emails through multiple services, your SPF record must include all of them. For instance, if you use Google Workspace for your primary emails, Klaviyo for marketing, and Mailgun for transactional emails, your SPF record needs to authorize all three. I often see cases where the record is too generic or misses the necessary `include` mechanisms.

To fix a softfail, ensure your SPF record explicitly lists all authorized sending sources. For Google Workspace, you will need to include include:_spf.google.com. Similarly, Mailgun requires their SPF include in your DNS. Be careful not to create multiple SPF records, as this can invalidate your SPF setup altogether. All SPF directives should be in a single TXT record for your domain.

Example SPF recordDNS

v=spf1 include:_spf.google.com include:spf.klaviyo.com include:mailgun.org ~all

DKIM alignment issues

DKIM alignment failures often happen when emails are signed with a key that doesn't match the sending domain. For example, if you send emails from Klaviyo, the DKIM signature should be associated with your domain, not a generic Klaviyo or Mailgun domain. This is particularly relevant for

Google Workspace users who might inadvertently use a default Google DKIM key for emails sent via third-party platforms.

To resolve this, you need to set up custom DKIM signatures for each sending platform. Both Klaviyo and Mailgun provide instructions on how to configure DKIM for your domain. For Google Workspace, you must follow Google's instructions to add DKIM signing. This ensures that the emails sent from these services are signed with your domain's unique key, enabling proper DMARC alignment and improving your chances of inbox delivery.

SPF troubleshooting

Issue: SPF softfail or neutral. Your DNS record might be missing specific IP ranges or `include` mechanisms for all sending services. Or you might have multiple SPF records.
Action: Consolidate all SPF directives into a single SPF record including mechanisms for Klaviyo (include:spf.klaviyo.com), Mailgun (include:mailgun.org), and any other ESPs.

DKIM troubleshooting

Issue: DKIM not aligned or failing. This usually means the email is signed by the ESP's domain, not your own.
Action:Implement custom DKIM records provided by Klaviyo and Mailgun. This involves adding specific CNAME records to your DNS.

Beyond authentication: maintaining reputation

Beyond technical authentication, your sender reputation plays a massive role in whether your emails reach the inbox. Outlook and Hotmail are particularly sensitive to sender reputation metrics. High spam complaint rates, low engagement (opens, clicks), and frequent bounces can quickly damage your domain's standing.

Ensure your email lists are clean and regularly updated. Spam traps can severely harm your reputation if you hit them often. Implement double opt-in for new subscribers and segment your lists to send highly relevant content. Encouraging subscribers to add your email address to their contacts and move emails from junk to inbox can also positively influence your sender reputation with Microsoft mailboxes.

Finally, consistently monitor your deliverability. While GlockApps and similar tools can provide a snapshot, DMARC aggregate reports offer a more comprehensive, ongoing view of your authentication and delivery rates across various mailbox providers, including Microsoft. Proactive monitoring and quick action on identified issues are key to maintaining good sender reputation and avoiding blocklists.

Tips for good list hygiene

Regularly clean: Remove inactive subscribers and bounced addresses from your lists.
Use double opt-in: Verify new subscribers' email addresses to prevent spam traps and invalid addresses.
Segment your audience: Send targeted content to increase engagement and reduce spam complaints.
Monitor engagement: Pay attention to open rates, click-through rates, and unsubscribe rates.

Views from the trenches

Best practices

Always set your DMARC policy to 'p=none' initially to collect reports before moving to quarantine or reject.

Verify that your SPF record includes all IP ranges and domains from all your sending platforms.

Ensure that you are using custom DKIM signatures for your domain on all ESPs, not generic ones.

Common pitfalls

Implementing a DMARC 'quarantine' or 'reject' policy without analyzing DMARC reports first.

Having multiple SPF records, which can invalidate your entire SPF setup and cause deliverability issues.

Using default DKIM keys from ESPs like Google Workspace instead of setting up custom domain keys.

Expert tips

Use an email authentication testing tool like `aboutmy.email` to quickly diagnose SPF, DKIM, and DMARC issues.

Regularly review your DMARC aggregate reports to monitor authentication passes and failures across all mailbox providers.

If issues persist, consult the specific Postmaster Tools for Microsoft for detailed insights into your domain's performance.

Expert view

Expert from Email Geeks says to check where DMARC reports are being sent and read them. If no reporting service is in place, switch to 'p=none' and set one up to understand alignment issues before moving to 'quarantine'.

June 7, 2024 - Email Geeks

Expert view

Expert from Email Geeks says to use a diagnostic tool to confirm that email authentication passes as mail leaves the sending system.

June 7, 2024 - Email Geeks

Ensuring inbox delivery

Troubleshooting email spam issues with Outlook and Hotmail when using Klaviyo and Mailgun primarily boils down to meticulous attention to email authentication (SPF, DKIM, DMARC) and maintaining a healthy sender reputation. Ensuring these foundational elements are correctly configured across all your sending platforms is paramount.

By actively monitoring your authentication status, analyzing DMARC reports, and promptly addressing any misconfigurations or reputation dips, you can significantly improve your email deliverability. This proactive approach ensures your emails consistently reach your subscribers' inboxes, driving better engagement and campaign performance.