Why your email marketing messages aren’t reaching the inbox and how to fix it with SPF, DKIM, and DMARC

According to industry data, 14.3% of emails sent in 2023 disappeared or were blocked by spam filters before reaching the recipient.

Imagine this: You’ve spent weeks preparing an email marketing campaign. You define your target audience, fine-tune the subject line until it sounds perfect, design the template, and schedule the send for Tuesday at 10 a.m. – which, according to all the studies, is the best time. You click «send,» and… nothing. No opens. The click-through rate (CTR) is practically zero. Customers aren’t responding.

What went wrong?

Most likely, your emails didn’t even reach the inbox. They’re in spam. Or worse: they were rejected outright by the server and disappeared without a trace.

This isn’t a content or design problem. It’s a technical issue that most marketing teams in Mexico don’t even know they have – until it’s too late.

The most profitable channel in digital marketing… when it works

Before discussing solutions, it’s worth remembering why this matters so much.

Email marketing remains, by far, the channel with the highest return on investment in digital marketing. According to industry figures, it generates between $36 and $45 for every dollar invested – a figure no other channel can consistently match. In Mexico and Latin America, the use of automated and segmented campaigns is on the rise, especially among SMEs seeking more cost-effective alternatives to paid advertising.

But that ROI depends on a condition often taken for granted: that the email actually arrives.

And here’s the problem: according to industry data, 14.3% of emails sent in 2023 disappeared or were blocked by spam filters before reaching the recipient. That’s roughly 1 in 7 emails that simply never arrive. If you’re sending 100,000 emails in a campaign, you’re losing 14,000 contacts without even knowing it – and without any error notification.

The main reason isn’t that your content is spam. It’s that your domain isn’t properly authenticated.

The Problem Nobody Tells You About: Email Authentication

When you send an email from your email marketing platform—whether it’s Mailchimp, HubSpot, ActiveCampaign, Klaviyo, or any other—that email arrives at the destination server with an implicit question: Is this message really from who it claims to be?

The Gmail, Outlook, or Hotmail server doesn’t know you. It doesn’t know if your company is legitimate or if someone is impersonating your domain to send phishing emails. That’s why, before delivering the email, it performs a series of technical checks on your domain’s DNS.

If these checks fail—or if they don’t exist—the email goes to spam. Or it doesn’t arrive at all.

These checks are three protocols that work together: SPF, DKIM, and DMARC. And the reality is that most Mexican companies that do email marketing have one or more of these protocols misconfigured, outdated, or simply nonexistent.

How can you check? A quick way is to use PowerDMARC’s WHOIS lookup tool, which gives you public information about your domain and helps you identify basic inconsistencies in your configuration before delving into technical analysis.

SPF: Who’s Authorized to Speak on Behalf of Your Company

Think of SPF (Sender Policy Framework) as a list of employees authorized to sign documents on behalf of your company. It’s a text record you publish to your domain’s DNS, and it simply states: «These are the servers authorized to send emails from @yourcompany.com.»

When someone receives an email from you, the receiving server checks this record and verifies if the email originated from one of the authorized servers. If the answer is yes, it passes the verification. If not, it fails.

The most common problem we see in Mexican companies is that they use multiple tools to send emails—their main ESP, their CRM, their automation platform, their e-commerce notifications—and none of them appear in the SPF record. The result: legitimate emails that fail authentication and end up in spam.

Another common mistake is having an outdated SPF record. You switched email providers two years ago, but the DNS record still points to the old provider. Everything goes wrong silently.

DKIM: The Digital Signature That No One Can Forge

DKIM (DomainKeys Identified Mail) adds an extra layer of security: an encrypted digital signature embedded in every email you send.

When the receiving server receives your email, it looks up the public key corresponding to that signature in your domain’s DNS and verifies that they match. If they do, it confirms that the email wasn’t altered in transit and that it did indeed originate from your domain.

DMARC: The Policy That Ties It All Together and Gives You Real Visibility

SPF and DKIM are verifications. DMARC (Domain-based Message Authentication, Reporting & Conformance) is the policy that determines what happens when those verifications fail—and, crucially, who informs you.

A DMARC record has three essential parts:

The policy (p=): This tells the receiving server what to do with emails that fail SPF and DKIM. The options are:

-p=none – only monitors, does nothing with emails that fail

-p=quarantine – sends emails that fail to spam

-p=reject – completely rejects emails that fail

BIMI: When Authentication Becomes a Brand Advantage

Once you have DMARC configured with the p=quarantine or p=reject policy, an additional opportunity opens up that goes beyond security: BIMI (Brand Indicators for Message Identification).

BIMI is a standard that allows your brand logo to appear directly in the recipient’s inbox, next to the sender’s name, before they even open the email. In Gmail – which has supported it since 2021 – this is displayed as a verified avatar with a blue checkmark, similar to social media verification.}

Source: www.marketingdirecto.com