Sign In
Cold Outreach

Modern How to avoid spam filters for 2025

By Article Monster
October 5, 2025
25 min read

How to Avoid Spam Filters: Mastering Email Authentication

hubspot-email-marketing-tactics-to-boost-roi/" class="internal-link" title="3 Hubspot Email Marketing Tactics to Boost ROI">Email marketing remains a powerful tool for businesses, but its effectiveness hinges on reaching the intended recipients’ inboxes. Spam filters, constantly evolving to combat unwanted messages, can inadvertently block legitimate emails. This article delves into a crucial aspect of avoiding spam filters: implementing and maintaining robust email authentication protocols. We’ll explore SPF, DKIM, and DMARC, providing practical examples and step-by-step instructions to ensure your emails reach their destination.

Understanding SPF: Sender Policy Framework

How to avoid spam filters - An illustration showing how SPF works: an email is sent, the recipient server checks the sender's SPF record against the sending IP address, and either accepts or rejects the email based on the policy.

SPF, or Sender Policy Framework, is an email authentication method that helps prevent spammers from forging the “From” address on your emails. It works by creating a DNS record that specifies which mail servers are authorized to send emails on behalf of your domain. When a receiving mail server receives an email claiming to be from your domain, it checks your SPF record to verify if the sending server is permitted. If the sending server isn’t listed in the SPF record, the receiving server may mark the email as spam or reject it outright.

Creating an SPF Record

An SPF record is a TXT record that you add to your domain’s DNS settings. The syntax can seem a bit cryptic, but understanding the basic components makes it easier to manage. Here’s a breakdown of common SPF record elements:

  • v=spf1: This declares the record as an SPF record, using version 1. It’s mandatory and should always be the first element.
  • ip4: and ip6: These mechanisms specify individual IPv4 or IPv6 addresses that are authorized to send email. For example, ip4:192.0.2.0 authorizes the IP address 192.0.2.0.
  • a: This mechanism authorizes the IP address(es) associated with a specified hostname. For example, a:mail.example.com authorizes the IP address(es) of mail.example.com.
  • mx: This mechanism authorizes the IP address(es) of the MX records for the domain. For example, mx:example.com authorizes the IP addresses listed in the MX records for example.com.
  • include: This mechanism includes the SPF record of another domain. This is often used for third-party email providers. For example, include:spf.example.com includes the SPF record of spf.example.com.
  • -all: This qualifier, used with the all mechanism, signifies a hard fail. Any email that doesn’t match the other mechanisms should be rejected. This is the recommended setting for most domains.
  • ~all: This qualifier, used with the all mechanism, signifies a soft fail. Any email that doesn’t match the other mechanisms should be accepted but marked as potentially spam. This is less strict than -all.
  • +all: This qualifier, used with the all mechanism, authorizes all sending servers. Never use this! It effectively disables SPF.

Example 1: Basic SPF Record

v=spf1 ip4:192.0.2.0 -all

This SPF record authorizes only the IP address 192.0.2.0 to send emails for the domain. Any other server sending email claiming to be from this domain should be rejected.

Example 2: SPF Record with Multiple Authorized Servers

v=spf1 ip4:192.0.2.0 ip4:198.51.100.0 a:mail.example.com -all

This record authorizes two specific IP addresses (192.0.2.0 and 198.51.100.0) and any IP address associated with the hostname mail.example.com. This covers scenarios where you have multiple email servers.

Example 3: SPF Record Including a Third-Party Email Provider

v=spf1 include:_spf.google.com -all

This record is typically used if you’re sending emails through Google Workspace. It delegates the SPF authorization to Google’s SPF record. Always consult your email provider’s documentation for their specific SPF include string. Using an incorrect include string will invalidate your SPF record.

Example 4: SPF Record with MX records and an additional IP address

v=spf1 mx ip4:203.0.113.0 -all

This record authorizes any server listed as an MX record for the domain, plus the individual IP address 203.0.113.0. This is useful when your mail server is not listed in the MX records, but is still a legitimate sender.

Testing Your SPF Record

Once you’ve created and added your SPF record to your DNS, it’s crucial to verify that it’s correctly configured. Several online tools can help with this. You can use tools like:

  • MXToolbox SPF Record Check (mxtoolbox.com/spf.aspx)
  • Dmarcian’s SPF Surveyor (dmarcian.com/spf-survey/)
  • EasyDMARC’s SPF Record Lookup (easydmarc.com/tools/spf-record-lookup/)

These tools allow you to enter your domain name and retrieve your SPF record, then analyze it for errors. They will also check if the record is syntactically correct and if all authorized IP addresses and domains are properly included.

For example, using a command-line tool like `dig` (available on most Linux and macOS systems), you can query your DNS server directly:

dig txt example.com

This command will return all TXT records for example.com. Look for the record that starts with `v=spf1`. If you don’t see one, your SPF record is not properly configured. Examine the output carefully to confirm that the record is correct and that there are no syntax errors.

Expert Tip: Limit the number of DNS lookups in your SPF record to a maximum of 10. Each include, a, mx, and ptr mechanism triggers a DNS lookup. Exceeding the limit can cause SPF checks to fail, even if your record is otherwise valid.

DKIM: DomainKeys Identified Mail

How to avoid spam filters - An illustration showing how DKIM works: the sending server signs the email with a private key, the recipient server verifies the signature with the public key stored in DNS, and either accepts or rejects the email.

DKIM, or DomainKeys Identified Mail, is another crucial email authentication method. It uses cryptographic signatures to verify that an email was indeed sent from the domain it claims to be from and that the message content hasn’t been altered during transit. Unlike SPF, which focuses on authorizing sending servers, DKIM focuses on verifying the integrity of the email itself.

Generating a DKIM Key Pair

DKIM relies on a pair of cryptographic keys: a private key and a public key. The private key is used by the sending server to digitally sign the email. The public key is published in your domain’s DNS records and is used by receiving servers to verify the signature. You should never share your private key!

Many email service providers (ESPs) will automatically generate a DKIM key pair for you and guide you through the process of adding the public key to your DNS. However, if you’re managing your own email servers, you’ll need to generate the key pair yourself. You can use tools like OpenSSL to do this.

Example 1: Generating a DKIM Key Pair using OpenSSL

openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key

The first command generates a 2048-bit RSA private key and saves it to a file named `private.key`. The second command extracts the corresponding public key from the private key and saves it to a file named `public.key`. Keep the `private.key` file secure!

After generating the key pair, you will need to configure your mail server software (e.g., Postfix, Sendmail, Exim) to use the private key to sign outgoing emails. The exact steps vary depending on the mail server software you’re using. Consult the documentation for your specific mail server for detailed instructions.

Adding the DKIM Public Key to Your DNS

The next step is to add the DKIM public key to your domain’s DNS records. This is typically done as a TXT record. The name of the TXT record follows a specific format:

selector._domainkey.example.com

Where “selector” is a unique identifier you choose to distinguish between multiple DKIM keys if you ever need to rotate them. It can be any string, but it’s common to use something descriptive like “mail” or “dkim”. Replace “example.com” with your actual domain name.

The value of the TXT record is the DKIM public key, formatted in a specific way. The key typically starts with `v=DKIM1; k=rsa; p=`. After the `p=`, paste the public key you extracted earlier, removing any line breaks or extra spaces.

Example 2: DKIM DNS Record

mail._domainkey.example.com.  IN TXT  "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuL...."

In this example, the selector is “mail”, and the public key is a long string of characters starting with “MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuL…”. The actual public key will be much longer. Make sure the entire key is included in the record, without any breaks or extra characters.

Example 3: DKIM DNS Record with line breaks

mail._domainkey.example.com. IN TXT ( "v=DKIM1; k=rsa; "
 "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuL/..." )

Some DNS providers require you to break up long TXT records into multiple strings enclosed in quotes. This example demonstrates how to handle this situation correctly. Make sure there are no spaces between the opening parenthesis and the first quote, or between the closing parenthesis and the last quote.

Testing Your DKIM Configuration

After adding the DKIM record to your DNS, it’s essential to test that it’s working correctly. You can use online DKIM checkers to verify your configuration. Some of the same tools that check SPF records also check DKIM records, such as:

  • MXToolbox DKIM Record Lookup (mxtoolbox.com/dkim.aspx)
  • Dmarcian’s DKIM Inspector (dmarcian.com/dkim-inspector/)
  • EasyDMARC’s DKIM Record Lookup (easydmarc.com/tools/dkim-record-lookup/)

These tools will query your DNS for the DKIM record and check if it’s valid. They will also send a test email to an address they provide, allowing you to examine the email headers to confirm that the DKIM signature is present and verified.

You can also send an email to an account you control (e.g., a Gmail account) and examine the email headers. Look for a header that starts with `DKIM-Signature`. If the signature is present and the “Authentication-Results” header shows that DKIM passed, your DKIM configuration is likely working correctly.

Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=mail header.b=...;
       spf=pass (google.com: domain of sender@example.com designates 192.0.2.0 as permitted sender) client-ip=192.0.2.0;
       dmarc=pass (p=REJECT sp=REJECT dis=REJECT) header.from=example.com

In this example, `dkim=pass` indicates that the DKIM signature was successfully verified. The `header.i` field indicates the domain that signed the email, and the `header.s` field indicates the selector used. The `dmarc=pass` line indicates that DMARC validation also passed, which relies on both SPF and DKIM.

Expert Tip: Rotate your DKIM keys periodically (e.g., every year) to enhance security. Generating a new key pair and updating your DNS record reduces the risk of your DKIM key being compromised. Remember to update your mail server configuration with the new private key as well.

DMARC: Domain-based Message Authentication, Reporting & Conformance

DMARC, or Domain-based Message Authentication, Reporting & Conformance, builds upon SPF and DKIM to provide a more comprehensive email authentication system. It allows domain owners to specify how receiving mail servers should handle emails that fail SPF and DKIM checks. DMARC also provides a reporting mechanism that allows domain owners to receive feedback on their email authentication performance.

Creating a DMARC Record

Like SPF and DKIM, DMARC relies on a DNS TXT record. The name of the DMARC record is always:

_dmarc.example.com

The value of the TXT record specifies the DMARC policy for your domain. The basic components of a DMARC record are:

  • v=DMARC1: This declares the record as a DMARC record, using version 1. It’s mandatory and should always be the first element.
  • p=: This specifies the policy for handling emails that fail SPF and DKIM checks. Possible values are:
    • none: The receiving server should take no specific action. This is typically used for monitoring purposes.
    • quarantine: The receiving server should move the email to the recipient’s spam folder.
    • reject: The receiving server should reject the email outright.
  • sp=: This specifies the policy for subdomains. If not specified, the policy applies to the main domain only. The possible values are the same as for the `p` tag (none, quarantine, reject).
  • rua=: This specifies the email address(es) to which aggregate reports should be sent. Aggregate reports provide a summary of email authentication results.
  • ruf=: This specifies the email address(es) to which forensic reports (also known as failure reports) should be sent. Forensic reports provide detailed information about individual emails that failed authentication. Use with caution, as forensic reports can contain personally identifiable information (PII).
  • adkim=: This specifies the alignment mode for DKIM. Possible values are:
    • r: Relaxed alignment. The DKIM domain can be a subdomain of the “From” domain.
    • s: Strict alignment. The DKIM domain must exactly match the “From” domain.
  • aspf=: This specifies the alignment mode for SPF. Possible values are:
    • r: Relaxed alignment. The SPF domain can be the “From” domain or a subdomain of the “From” domain.
    • s: Strict alignment. The SPF domain must exactly match the “From” domain.
  • rf=: Format for the forensic reports. Usually set to afrf (Authentication Failure Reporting Format).
  • pct=: Percentage of messages to which the DMARC policy is applied. You can start with pct=10 and gradually increase it to pct=100.

Example 1: DMARC Record for Monitoring

_dmarc.example.com.  IN TXT  "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

This DMARC record instructs receiving servers to take no action on emails that fail SPF and DKIM checks (`p=none`). It also specifies that aggregate reports should be sent to dmarc-reports@example.com. This is a good starting point for implementing DMARC, as it allows you to monitor your email authentication performance without impacting deliverability.

Example 2: DMARC Record for Quarantine

_dmarc.example.com.  IN TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

This DMARC record instructs receiving servers to move emails that fail SPF and DKIM checks to the recipient’s spam folder (`p=quarantine`). Aggregate reports are still sent to dmarc-reports@example.com. This provides a stronger level of protection against email spoofing than the `p=none` policy.

Example 3: DMARC Record for Reject

_dmarc.example.com.  IN TXT  "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

This DMARC record instructs receiving servers to reject emails that fail SPF and DKIM checks (`p=reject`). Aggregate reports are still sent to dmarc-reports@example.com. This provides the strongest level of protection against email spoofing, but it’s crucial to ensure that your SPF and DKIM configurations are correct before implementing this policy, as legitimate emails may be inadvertently rejected.

Example 4: DMARC Record with subdomain policy and forensic reports

_dmarc.example.com. IN TXT "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-aggregate@example.com; ruf=mailto:dmarc-forensic@example.com; rf=afrf"

This record sets a policy of “reject” for emails failing authentication from the main domain, and “quarantine” for failing emails from subdomains. Aggregate reports are sent to dmarc-aggregate@example.com, and forensic reports in AFRF format are sent to dmarc-forensic@example.com. Remember to handle forensic reports carefully to avoid exposing sensitive data.

Analyzing DMARC Reports

DMARC reports provide valuable insights into your email authentication performance. Aggregate reports are typically XML files that contain summary information about email authentication results, including:

  • The number of emails that passed and failed SPF and DKIM checks.
  • The DMARC policy applied to those emails.
  • The sending IP addresses and organizations.

Analyzing these reports can help you identify and address any issues with your SPF and DKIM configurations. For example, you may discover that some legitimate emails are failing authentication because they’re being sent from servers that aren’t authorized in your SPF record. You can then update your SPF record to include those servers.

Several tools and services can help you analyze DMARC reports, including:

  • Dmarcian (dmarcian.com)
  • EasyDMARC (easydmarc.com)
  • Valimail (valimail.com)

These tools provide user-friendly interfaces for visualizing and interpreting DMARC data. They can also help you automate the process of analyzing DMARC reports and identifying potential issues.

Expert Tip: Start with a `p=none` policy and gradually increase the stringency to `p=quarantine` and then `p=reject` as you gain confidence in your email authentication configuration. This phased approach minimizes the risk of inadvertently blocking legitimate emails.

Maintaining and Monitoring Your Authentication

Implementing SPF, DKIM, and DMARC is not a one-time task. Email authentication requires ongoing maintenance and monitoring to ensure optimal deliverability. Changes to your infrastructure, third-party services, and evolving spam filter algorithms can all impact your authentication results. Regular monitoring and proactive adjustments are critical.

Regularly Reviewing SPF Records

Your SPF record should be reviewed and updated whenever you make changes to your email infrastructure or start using new third-party email services. This includes:

  • Adding or removing email servers.
  • Changing your email hosting provider.
  • Using new marketing automation platforms.
  • Integrating with new CRM systems that send emails.

Failing to update your SPF record can result in legitimate emails being flagged as spam. Remember to test your SPF record after making any changes to ensure that it’s still valid and covers all authorized sending sources.

Example 1: Adding a New IP Address to your SPF Record

Suppose you’ve added a new email server with the IP address 203.0.113.10. Your existing SPF record is:

v=spf1 ip4:192.0.2.0 -all

You would need to update your SPF record to include the new IP address:

v=spf1 ip4:192.0.2.0 ip4:203.0.113.10 -all

This ensures that emails sent from the new server are also authorized to send emails on behalf of your domain.

Example 2: Including a New Third-Party Email Service in your SPF Record

Suppose you’re now using a third-party email marketing service whose SPF record you need to include. Their documentation indicates you should include `include:servers.examplemarketing.com`. Your existing SPF record is:

v=spf1 ip4:192.0.2.0 -all

You would update your SPF record to:

v=spf1 ip4:192.0.2.0 include:servers.examplemarketing.com -all

This delegates SPF authorization to the third-party service, allowing them to send emails on your behalf.

Monitoring DMARC Reports Regularly

Continuously monitoring your DMARC reports is essential for identifying and addressing email authentication issues. Pay close attention to:

  • Emails that are failing SPF or DKIM checks.
  • Unexpected sending sources.
  • Authentication failures from legitimate services.

Use the insights gained from DMARC reports to fine-tune your SPF and DKIM configurations, identify potential security threats, and prevent email spoofing.

Example 3: Identifying Unauthorized Sending Sources from DMARC Reports

Suppose you receive a DMARC report indicating that a significant number of emails are failing SPF checks and originating from an IP address you don’t recognize. This could indicate that someone is attempting to spoof your domain. Investigate the source of the emails and take appropriate action, such as blocking the IP address or implementing stricter DMARC policies.

Example 4: Identifying Configuration Issues from DMARC Reports

Suppose you receive a DMARC report indicating that emails sent from your CRM system are failing DKIM checks. This suggests that there’s an issue with the DKIM configuration for your CRM system. Contact your CRM provider to troubleshoot the issue and ensure that DKIM is properly configured for all outgoing emails.

Keeping Up with Evolving Standards

Email authentication standards and spam filter algorithms are constantly evolving. Stay informed about the latest best practices and updates to SPF, DKIM, and DMARC. Subscribe to industry newsletters, follow relevant blogs, and participate in online forums to stay ahead of the curve.

Authentication MethodFunctionMaintenance
SPFAuthorizes sending servers.Regularly review and update to reflect changes in email infrastructure.
DKIMVerifies email integrity.Rotate DKIM keys periodically. Ensure proper signing configuration on mail servers.
DMARCSpecifies handling of failed authentication and provides reporting.Monitor DMARC reports regularly to identify issues and adjust policies.

Expert Quote: “Email authentication is a journey, not a destination. Continuous monitoring, adaptation, and a commitment to best practices are essential for maintaining high deliverability and protecting your brand from email spoofing.” – Email Deliverability Expert

email best practicesemail deliverabilityemail marketinginbox deliveryspam filters

Share this article