MxToolbox says SPF or DKIM is wrong - what do I fix first?

```html

I’ve seen it a thousand times. A marketing manager wakes up to a panic-stricken Slack message: “Our emails are going to spam! I checked MxToolbox and there are red alerts everywhere!” They immediately start tweaking records without a plan, usually making things worse. Before we dive into the technical troubleshooting, I need to ask the golden question: What did you send right before this started?

Deliverability isn't just about syntax. It’s about trust. Before you touch a single DNS record, open your internal log—the one where you track every change made to your setup—and note the current state. If you don't have one, start today. Now, let’s triage those MxToolbox errors.

Understanding the Hierarchy: DNS vs. Reputation

When you see an error on MxToolbox, it’s a symptom of a technical configuration gap. However, fixing your SPF record or DKIM setup is only the baseline requirement for entry. It doesn’t guarantee inbox placement. Think of authentication as your ID card; it proves who you are, but it doesn't prove you’re a good guest at the party.

Mailbox providers (MBPs) evaluate you using two primary buckets:

    Technical Authentication: SPF, DKIM, and DMARC. This is the "ID check."
    Sender Reputation: Engagement signals, spam complaints, and hitting spam traps. This is the "behavioral check."

If you have a DMARC policy of p=reject but your engagement signals are in the gutter, you are still going to the spam folder. Authentication prevents spoofing; reputation prevents noise.

Step 1: The "Big Three" Technical Audit

If MxToolbox is flagging your authentication, fix it in this specific order. Do not skip steps.

1. SPF Record (The "Who is authorized to send")

SPF lists the IP addresses and services authorized to send mail on your behalf. The most common error is "Too many lookups" (exceeding the 10-lookup limit). If you are using more than 10 includes, you are likely failing SPF validation for your downstream services.

2. DKIM Setup (The "Is this message authentic?")

DKIM adds a digital signature to your emails. If your DKIM setup is failing, it usually means your ESP’s public key doesn't match the private key used to sign the email. Check your CNAME records; if you recently migrated ESPs, you likely have stale keys hanging around in your DNS.

3. DMARC Policy (The "What do I do if they fail?")

DMARC is the policy layer. If your SPF and DKIM are correct, your DMARC policy acts as the instruction manual for the receiving server. If you aren’t at p=reject, you’re leaving the door open for bad actors to spoof your domain, which eventually tanks your reputation.

Step 2: Checking the "Health" via Google Postmaster Tools

MxToolbox is great for DNS, but it’s blind to how Gmail feels about your traffic. For that, you need Google Postmaster Tools (GPT). If your authentication is perfect but your reputation is "Low" or "Bad," you are suffering from a reputation issue, not a DNS issue.

Use the following table to map your GPT metrics to your next action:

| GPT Dashboard | What it tells you | Fix |
| --- | --- | --- |
| Domain Reputation | General trust level from Google | Lower volume, improve list hygiene. |
| Spam Rate | User complaints | Remove unengaged subscribers immediately. |
| Delivery Errors | Permanent/Transient failures | Review list acquisition (Stop buying lists!). |

The Truth About List Hygiene and Engagement

One of the biggest pet peeves I have in this industry is companies "buying lists and pretending it is lead gen." When you send to purchased lists, you are inevitably hitting spam traps—email addresses that are no longer in use and have been repurposed by mailbox providers to identify spammers (https://www.engagebay.com/blog/domain-reputation/). Once you hit a spam trap, your domain reputation plummets. MxToolbox can’t fix that; only better list acquisition practices can.

Engagement Signals are King

Gmail and Outlook track how users interact with your mail. They look at:

    Opens: Apple Mail Privacy Protection has muddied this, but it’s still a factor.
    Replies: The strongest positive signal.
    Deletes without reading: A strong negative signal.
    Marking as "Not Spam": The ultimate reputation booster.

Domain vs. IP Reputation

In the "old days," we focused almost exclusively on IP reputation. If your IP was blocked, you just warmed up a new one. Today, domain reputation is the primary driver of deliverability. If you burn your domain, changing your IP won't save you. You must protect your domain’s reputation by ensuring your sending volume is consistent and your audience is legitimately opted-in.

The Deliverability Checklist

Before you call Gmail "a problem," run this sequence:

1. Check MxToolbox: Resolve any SPF/DKIM/DMARC syntax errors.
2. Log the change: Document what you updated in DNS.
3. Check Postmaster Tools: Is your Domain Reputation "High"? If yes, the issue is likely content-related.
4. Audit your list: Are you emailing people who haven't opened in 6 months? Suppress them.
5. Review content: Are you using aggressive sales language? Is your subject line simple or "clickbaity"?

Final Thoughts

Stop looking for a "magic fix" for deliverability. Deliverability is the result of years of consistent, respectful behavior toward your subscribers. If you fix your SPF, DKIM, and DMARC records but continue to send unwanted emails to unverified lists, you will continue to see blocklist entries and spam folder placements.

Fix the technical foundation, clean your lists, and focus on sending value. If you do that, the mailbox providers will stop viewing you as a nuisance and start viewing you as a sender worth letting into the primary tab.

```
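
An added example, not part of the original article, for the SPF step of the "Big Three" audit: it counts lookups the way receivers do under RFC 7208 section 4.6.4, where `include`, `a`, `mx`, `ptr`, `exists` and `redirect` each cost one query and nested records count too, so a record with only four top-level includes can still exceed 10. `ZONE` is a constructed stand-in for DNS, and every domain and function name in it is a placeholder.

```python
# Added example: count the DNS lookups an SPF record costs (RFC 7208, 4.6.4).
# ZONE is constructed sample data standing in for DNS TXT answers.
ZONE = {
    "example.com": "v=spf1 a mx include:_spf.esp.example include:_spf.crm.example "
                   "include:_spf.helpdesk.example include:_spf.billing.example ~all",
    "_spf.esp.example": "v=spf1 include:_a.esp.example include:_b.esp.example "
                        "include:_c.esp.example ~all",
    "_a.esp.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_b.esp.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_c.esp.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 a mx ip4:198.51.100.0/24 -all",
    "_spf.helpdesk.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.billing.example": "v=spf1 ip4:203.0.113.128/25 -all",
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # one query each
LIMIT = 10


def count_lookups(domain, zone=ZONE, _chain=()):
    """Return the number of DNS-querying terms reached from domain's SPF record."""
    if domain in _chain:
        raise ValueError(f"include loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record here; the parent already counted the include
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")          # drop the qualifier
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, zone, _chain + (domain,))
            continue
        name, _, arg = term.partition(":")  # first colon only, so ip6 stays intact
        name = name.split("/")[0].lower()   # "a/24" and "mx/24" are still a and mx
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include" and arg:
            total += count_lookups(arg, zone, _chain + (domain,))
    return total


def audit(domain, zone=ZONE):
    """Summarise lookup cost; over the limit, receivers return permerror."""
    used = count_lookups(domain, zone)
    return {"domain": domain, "lookups": used, "over_limit": used > LIMIT}


if __name__ == "__main__":
    print(audit("example.com"))
```
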