Stop Your Emails Going to Spam: A simple guide to DMARC for small businesses
Have you ever sent an important invoice or a friendly follow-up to a client, only to hear weeks later, “Sorry, I never saw that: it must have gone to my spam folder”?
It’s frustrating, isn’t it? For a small business in Yorkshire, your email is your lifeline.
When your messages disappear into the digital abyss, it’s more than just a nuisance; it’s a lost opportunity and a potential hit to your reputation.
In 2026, the rules of the road for email have changed. Giants like Google and Yahoo have tightened their security, meaning “standard” emails are now being scrutinised more than ever. But don’t worry: you don’t need to be a coding genius to fix this.
At Fresh Mango, we believe in speaking plain English. We’ve put together this simple guide to help you understand the three “magic” acronyms: SPF, DKIM, and DMARC that will keep your emails out of the bin and in the inbox.
Why is your email suddenly being treated like junk?
The internet can be a bit like the Wild West. Scammers often “spoof” email addresses, making it look like a message came from your business when it actually came from a server in a different country. To fight this, email providers now require digital “ID cards” for every email sent.
If you don’t have these ID cards set up correctly, Google or Outlook might look at your perfectly legitimate email and think, “I don’t recognise this sender: straight to the spam folder it goes!”
Why is this a problem now? Because as of late 2024 and throughout 2025/2026, these security checks are no longer optional. If you send more than a handful of emails a day, having these records in place is essential for your business to stay visible.
1. SPF: Your Approved Guest List
Imagine you’re throwing a party at a venue in Leeds. You give the bouncer a list of names. If someone isn’t on the list, they aren’t getting in.
SPF (Sender Policy Framework) is exactly that. It is a simple text record that sits in your website’s settings (the DNS). It tells the world: “These specific servers are allowed to send email on behalf of my business.”
Why it matters:
If you use Microsoft 365, Google Workspace, and maybe a newsletter tool like Mailchimp, they all need to be on your list. If they aren’t, the receiving server will see the email and think it’s an imposter.
The Action Plan:
- Identify every service you use to send email.
- Update your SPF record to include them all.
- Tip: You should only ever have one SPF record. If you have two, they can actually cancel each other out!
2. DKIM: The Digital Wax Seal
Back in the day, important letters were closed with a wax seal. If the seal was broken, the recipient knew someone had tampered with the message.
DKIM (DomainKeys Identified Mail) is the digital version of that seal. It adds a hidden “cryptographic signature” to every email you send. When the email arrives, the receiving server checks the signature against a public key on your website.
Why it matters:
It proves two things: the email really came from you, and it wasn’t altered while it was travelling across the internet. It’s a huge “trust signal” for email providers.
The Action Plan:
Most modern email providers (like Google or Microsoft) have a button in their admin settings to “Generate DKIM.” You simply copy a piece of code they give you and add it to your website settings.
3. DMARC: The Bouncer's Instructions
If SPF and DKIM are the ID cards, DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the instruction manual you give to the bouncer.
DMARC tells the receiving server what to do if an email fails the SPF or DKIM checks. You have three choices:
- “None”: Do nothing, just let it through but tell me about it (Great for testing).
- “Quarantine”: Send it to the spam folder.
- “Reject”: Don’t deliver it at all (The ultimate protection).
Why it matters:
Without DMARC, a hacker could still try to pretend to be you. With DMARC set to “Reject,” you are effectively telling the world: “If it doesn’t have my ID cards, it’s a fake. Kill it.”
Even better, DMARC sends you a report every day telling you who is trying to send email as your domain. It’s like having a security camera on your front door.
How to get started (The Fresh Mango Way)
We know this sounds like a lot of “tech-speak.” But at Fresh Mango, our job is to handle the complicated bits so you can get back to running your business.
We recommend a simple, three-step approach for any small business:
- Audit: List every tool that sends your email (including your website contact forms!).
- Implement: Set up your SPF and DKIM records properly.
- Monitor: Start with a DMARC policy of “None” to make sure your legitimate emails are passing the test before you move to “Reject.”
We’re here to help
Managing DNS records can be a bit nerve-wracking: one wrong character can bring your website or email down. That’s why we offer proactive systems management. We don’t just wait for things to break; we ensure your security settings are up-to-date and compliant with the latest industry standards.
If you’re a Fresh Mango customer, you have peace of mind knowing we’re watching these things for you. If you ever notice a delivery issue, just reach out!
- SLA Guarantee: Our support Service Level Agreement is 4 hours, but we pride ourselves on a much faster pace. Most of our requests are picked up within minutes, and 95% of issues are resolved within just one hour.
- The Fresh Mango App: Need a hand? Don’t wait on hold. Use the Fresh Mango App or Portal to submit a ticket 24/7.
- Meet our AI Agent: For simple queries or quick status updates, our AI Agent is available instantly to guide you through common issues.
Ready to secure your inbox?
We hope this advice has helped clarify some of the mysteries around email delivery.
If you’re worried your emails aren’t reaching your customers, or you’d like a professional “health check” of your cybersecurity, contact Fresh Mango today.
We’re your local, Yorkshire-based IT experts, and we’re always happy to have a plain-English chat about your business needs.
