Recently, as part of a broader leadership connection gathering with nonprofit leaders, I gave a short segment on email deliverability and domain protection. Before logging in, I decided to do a quick test: I checked the email health of ten organizational domains that were on the call.
The results? Every single one had gaps. A few weren’t protected at all.
This isn’t unusual. In fact, it’s the norm. Even well-established organizations leave the door wide open for attackers to send fake emails in their name. And here’s the urgency: Google and Yahoo began requiring DMARC from bulk senders in February 2024, Microsoft announced the same requirement for Outlook.com in 2025, and SPF has been in use since the mid-2000s (first published as RFC 4408 in 2006 and standardized as RFC 7208 in 2014).
- SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorized to send email on behalf of your domain.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do with mail that fails SPF or DKIM alignment (monitor, quarantine, or reject) and sends you reports on who is sending as your domain. That is what stops phishers and scammers from using your domain and safeguards your domain reputation and deliverability.
- DKIM (DomainKeys Identified Mail) adds a cryptographic signature so receivers can verify that the message was authorized by the domain and that its signed content wasn’t altered in transit (not covered in detail in this article).
Email open rates are about more than a catchy subject line. Major email services increasingly treat mail from non-DMARC domains as suspicious, which drives down deliverability. If your domain isn’t set up correctly, legitimate email from your organization could be going straight to spam — without you knowing it — directly hurting your open rates.
Why This Matters
Think about the role email plays in trust. A donor receives a request that looks like it came from you. A partner gets an update on a project. A community member reads your event invitation.
Now imagine if half of those messages ended up in the spam folder—or worse, if the “email from you” wasn’t really from you at all. That’s the risk when core protections such as SPF, DKIM and DMARC (email security standards) aren’t in place.
There are roughly 3.4 billion malicious emails sent daily₁
This isn’t just a technical issue. It’s a leadership issue. It’s about safeguarding reputation, protecting relationships, and ensuring that when your brand appears in an inbox, people know it’s really you.
Some nonprofits think: “We’re small, who would spoof us?” But the reality is attackers often target nonprofits precisely because donors are likely to trust an email that looks like it comes from the organization. Smaller IT setups are easier to exploit, and phishing campaigns frequently use nonprofits as cover—whether for disaster relief scams or donation fraud. Without monitoring DMARC reports, you may never know who is sending mail as your brand, until the damage is already done.
What’s the cost?
$0.00. Checking your current records with free online tools costs nothing, basic monitoring is free, and changing your own DNS records costs nothing. (Yes, there are services that will charge you to monitor and update DNS on your behalf, but you don’t need one to get started.)
In 2024, phishing scams caused over $12.5 billion in losses, a jump of 25% from the prior year₂
The Bigger Picture
Technology standards like SPF and DMARC may sound like jargon, but they serve a very human purpose: trust. They’re the bouncers at the door of your digital house, letting the right messages in and keeping the imposters out.
Organizations that take these steps don’t just stop fraud—they strengthen every legitimate connection. Emails land in inboxes more consistently. Open rates improve. Most importantly, the people you serve know they can rely on your brand.
A Call to Leaders
In psychology, there’s a stage called Unconscious Incompetence — the stage where you don’t yet know what you don’t know. Many small nonprofits and businesses operate in this stage when it comes to email security. And that’s not a failure—it’s simply the starting line. Once you become aware of tools like SPF and DMARC, the path forward becomes clearer, and small steps can make a big difference in protecting your mission and your voice.
If you’re reading this as a small business owner, a church or non-profit leader, here’s the takeaway: protecting your domain is protecting your reputation, your relationships, and the trust others place in your mission.
Between 2023 and 2025, DMARC adoption grew by nearly 75%₃
You don’t need to become an IT expert overnight. What you do need is to make sure someone—whether an administrator, a trusted IT provider, or even a volunteer at your non-profit—owns this responsibility. Because ignoring it comes with a cost: lost trust.
And once trust is lost, it’s hard to earn back.
Next Steps
Check your email health using a free tool such as MXToolbox Email Health. If errors are reported (specifically for “spf” or “dmarc”), forward this article, together with the results, to your IT administrator or managed IT service provider.
👉 I’d love to hear: how are you and your organization building digital trust with the people you serve?
For Email Marketing Managers
If you are responsible for email marketing at your organization, here are some practical next steps:
- Collaborate with IT – Make sure your marketing team is in close communication with whoever manages your domain and DNS records. Share the tools you use to send mail (like Mailchimp, Constant Contact, or SendGrid) so IT can add each one to SPF and set up its DKIM signing; a service that is missing from both will fail DMARC once enforcement is turned on.
- Monitor Deliverability – Track open rates, bounce rates, and spam complaints. If you see sudden drops or increases, alert your IT team—it could be a sign of misconfigured DNS records.
- Use Subdomains Wisely – Consider sending bulk marketing or newsletters from a subdomain (like news.yourdomain.org) that has its own SPF, DKIM, and DMARC records. If that subdomain’s reputation suffers from a bad campaign, mail from your main domain is insulated from it.
- Stay Consistent – Ensure branding, from addresses, and reply-to addresses align with what supporters expect. This consistency improves trust and works hand-in-hand with technical protections.
By working together, marketing and IT can ensure campaigns not only look good but also reliably reach the inbox.
For IT Administrators / Managed IT Service Providers
Below are detailed recommendations for reviewing and improving SPF and DMARC. I’ve also included an AI Prompt at the bottom to help guide you:
SPF and DMARC Review
- Review existing SPF and DMARC records for accuracy.
- If no DMARC record exists, create one.
- If DMARC is set to the monitor-only policy (p=none), plan to move to enforcement (p=quarantine, then p=reject) once the reports show that every legitimate sender passes.
Monitoring & Reporting
- Set up free monitoring with Valimail.
- Use MXToolbox DMARC Lookup to validate DMARC records.
- Update the DMARC record to include reporting addresses (example below).
- Allow time (days to weeks) for reports to generate and review them regularly.
Example DMARC Record (already at p=quarantine; if you have not yet collected and reviewed reports, publish the same record with p=none first):
v=DMARC1; p=quarantine; rua=mailto:dmarc_agg@vali.email,mailto:dmarc_aggregate@yourdomain.com; ruf=mailto:dmarc_forensic@yourdomain.com; fo=1; pct=100; aspf=r; adkim=r;
Two notes on this record. Reports can only be delivered to an address outside your own domain (here vali.email) if that domain publishes an authorization record for yours, which Valimail does once you add your domain to its monitoring. And ruf= failure reports are optional: few large receivers send them and they can contain message content, so leave the tag out if nobody is going to handle them.
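Reading the reports is where the value is: each aggregate report is an XML file listing every IP address that sent mail with your domain in the From: header and whether it passed. The following is an added example written for this article, not Valimail’s or MXToolbox’s code. It parses one report in the RFC 7489 Appendix C layout with the Python standard library. SAMPLE_REPORT is a constructed report (documentation IP ranges, the placeholder domain yourdomain.org) that shows the three situations you will meet: your real mail server, a forwarder that breaks SPF but keeps the DKIM signature intact, and an unknown sender using your address.

```python
"""Summarize one DMARC aggregate (rua) report offline.

Added example for this article; it is not Valimail's or MXToolbox's code.
SAMPLE_REPORT is a constructed report in the RFC 7489 Appendix C layout,
using RFC 5737 documentation addresses and the placeholder yourdomain.org.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.org</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <!-- your Microsoft 365 tenant: SPF and DKIM both pass and align -->
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.org</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- a forwarder: SPF breaks on forwarding, but your DKIM signature survives -->
  <record>
    <row><source_ip>203.0.113.55</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.org</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- an unknown sender using your From: address: nothing aligns -->
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.org</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return the published policy, one row per source IP, and pass/fail totals.

    policy_evaluated holds the receiver's *aligned* SPF and DKIM results, so a
    row passes DMARC when either of them is "pass" (RFC 7489 section 4.2).
    """
    root = ET.fromstring(xml_text)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": [],
        "totals": {"pass": 0, "fail": 0},
    }
    for rec in root.findall("record"):
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        count = int(rec.findtext("row/count"))
        verdict = "pass" if "pass" in (dkim, spf) else "fail"
        summary["rows"].append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": count,
            "spf": spf,
            "dkim": dkim,
            "dmarc": verdict,
            # which domain actually signed / was authorized, if any (None if absent)
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
        summary["totals"][verdict] += count
    return summary


def unauthorized_sources(summary):
    """IPs whose mail failed DMARC: either a spoofer or a legitimate service you
    forgot to list in SPF / sign with DKIM. Each one needs a decision."""
    return [r["source_ip"] for r in summary["rows"] if r["dmarc"] == "fail"]


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']} published p={s['policy']}")
    for r in s["rows"]:
        print(f"  {r['source_ip']:<15} {r['count']:>5}  spf={r['spf']:<4} "
              f"dkim={r['dkim']:<4} dmarc={r['dmarc']}")
    print(f"totals: {s['totals']}  investigate: {unauthorized_sources(s)}")
```

The forwarder row is the reason the plan above says to identify every legitimate sender before enforcing: it fails SPF yet passes DMARC because DKIM still aligns, so it is safe. The 198.51.100.7 row is the one that p=quarantine or p=reject would start acting on, and the only way to know whether it is a fraudster or your own unlisted newsletter tool is to look it up. Real reports arrive as gzipped or zipped attachments at the rua address; unpack them and pass the XML text to summarize_report.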
SPF Policy
- Use MXToolbox SPF Lookup to review SPF configuration.
- Begin with ~all while auditing all senders.
- Move to -all once you are confident all legitimate sending services are included.
Example SPF Record:
v=spf1 include:spf.protection.outlook.com -all
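Before publishing either record it is worth checking it for the mistakes that lookup tools flag most often: a missing or permissive all term, more than ten lookup mechanisms, a DMARC record with no p= or no rua=, and a reporting address on another domain that has not authorized your reports. The following is an added example written for this article, not MXToolbox’s or Valimail’s checker. It covers both the SPF record above and the DMARC record in the Monitoring & Reporting section. It makes no DNS queries, so its SPF lookup count is the static count for the record you paste in; every include: pulls in its own lookups, and only a resolving checker such as MXToolbox can confirm the true total.

```python
"""Offline sanity checks for SPF and DMARC TXT records.

Added example for this article; not MXToolbox's or Valimail's code. Paste the
record text a lookup tool returned into check_spf / check_dmarc. Nothing here
queries DNS, so the SPF count covers only the lookups visible in this record;
each include: adds its own, which only a resolving checker can total.
"""
import re

# Terms that each cost one of the 10 DNS lookups RFC 7208 section 4.6.4 allows.
# ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10
DMARC_POLICIES = {"none", "quarantine", "reject"}


def check_spf(record):
    """Return the static lookup count, the qualifier on 'all' and findings."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0, "all": None,
                "findings": ["record must start with v=spf1"]}
    findings, lookups, all_qualifier = [], 0, None
    for i, term in enumerate(terms[1:], start=1):
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr is deprecated by RFC 7208; use ip4/ip6 or include:")
        if name == "all":
            all_qualifier = qualifier
            if i != len(terms) - 1:
                findings.append("terms after 'all' are never evaluated")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result; add ~all or -all")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets anyone send as you; use ~all, then -all")
    elif all_qualifier == "~":
        findings.append("~all (softfail) is fine while auditing senders; move to -all when done")
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} lookup terms exceed {LOOKUP_LIMIT}: receivers return permerror")
    return {"valid": True, "lookups": lookups, "all": all_qualifier, "findings": findings}


def check_dmarc(record, domain):
    """Parse the DMARC record published at _dmarc.<domain>; return tags and findings."""
    findings, tags = [], {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            findings.append(f"malformed tag {part!r}")
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not record.strip().lower().startswith("v=dmarc1"):
        findings.append("record must begin with v=DMARC1; receivers ignore it otherwise")
        return {"valid": False, "tags": tags, "findings": findings}
    policy = tags.get("p")
    if policy not in DMARC_POLICIES:
        findings.append("missing or invalid p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; plan the move to quarantine, then reject")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    else:
        for uri in tags["rua"].split(","):
            uri = uri.strip()
            if not uri.lower().startswith("mailto:"):
                findings.append(f"rua entry is not a mailto: URI: {uri}")
                continue
            # An external report receiver must opt in with a TXT record named
            # <your domain>._report._dmarc.<their domain> (RFC 7489 section 7.1).
            rcpt_domain = uri.split("@", 1)[-1].split("!", 1)[0].lower()
            if rcpt_domain != domain.lower():
                findings.append(f"external rua at {rcpt_domain}: confirm it publishes "
                                f"{domain}._report._dmarc.{rcpt_domain} or no reports arrive")
    if "ruf" in tags:
        findings.append("ruf= failure reports are optional: few receivers send them "
                        "and they can contain message content")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append("pct= must be a whole number from 0 to 100")
    elif policy in ("quarantine", "reject") and int(pct) < 100:
        findings.append(f"pct={pct}: only that share of failing mail gets the policy applied")
    return {"valid": True, "tags": tags, "findings": findings}


if __name__ == "__main__":
    for rec in ("v=spf1 include:spf.protection.outlook.com -all",
                "v=spf1 include:_spf.google.com include:sendgrid.net ~all"):
        print(rec, "->", check_spf(rec))
    print(check_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc_agg@vali.email,"
                      "mailto:dmarc_aggregate@yourdomain.com; pct=100", "yourdomain.com"))
```

The checks encode the ladder the sections above describe: ~all and p=none are reported as acceptable interim settings, not errors, and the only hard failures are the ones that make receivers ignore the record entirely (wrong version tag, invalid p=, more than ten lookups). The _spf.google.com and sendgrid.net names are the real include targets those providers document; the vali.email address is the one from the DMARC example above.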
👉 What has been the biggest barrier for your organization in setting up SPF and DMARC?
If You Don’t Have an IT Person
I understand that some organizations don’t have a dedicated IT person. If that’s the case, I strongly encourage designating someone you trust to oversee your domain and email security settings — these records directly affect whether your emails are delivered and whether your domain can be misused. If you don’t have the technical skills to set this up, engage someone with the technical skills or at least use AI to assist you in updating the DNS records. I’ve even included a template prompt that you can paste into your favorite AI chat — just fill in your organization’s details (including the results from the DNS lookup tools above) to generate suggested SPF/DMARC records and next steps tailored to you.
Bonus! Check out BIMI (advanced IT setup)
Brand Indicators for Message Identification (BIMI) lets your logo appear beside your messages in mail clients that support it, which helps your brand stand out and builds trust with users. It requires DMARC at p=quarantine or p=reject. For advanced setups there are free options: a self-asserted BIMI record, which providers such as Yahoo honor, and Apple Business Connect for Apple Mail. Gmail only displays the logo with a paid Verified Mark Certificate (VMC), which brings value to larger organizations but can cost over $1K a year.
AI Prompt Template
Paste the below into your favorite AI chat — just fill in your organization’s details (including the results from the DNS lookup tools above) to generate suggested SPF/DMARC records and next steps tailored to you.
I need help configuring and improving the email security DNS records for my domain.
My domain is: ____________
1. Current Status
- My technology skill level is: ____________ (novice, intermediate, advanced)
- My current SPF record is: ____________ (if none, say “none”)
- My current DMARC record is: ____________ (if none, say “none”)
- Do I currently receive DMARC reports? (yes/no): ____________
Mail services I use to send email (Google, Microsoft 365, SendGrid, Wix, etc.): ____________
My DNS host / domain registrar (where I manage DNS) is: ____________
(Optional) Do I send from subdomains (e.g., newsletter.___)? List them: ____________
2. SPF Review
Please:
- Review my SPF record for errors or inefficiencies. Explain the risk of not using an SPF record.
- Make sure only the mail services I listed above are included.
Recommend the correct ending policy:
• "~all" while still confirming all services are covered.
• "-all" once everything is verified and stable.
Confirm the SPF record stays within the 10 DNS-lookup limit (per RFC 7208).
3. DMARC Review
Please:
Explain the risk of not using a DMARC policy or a loose policy. Recommend a step-by-step deployment plan based on my current status and technology skill level:
• If I don’t have DMARC yet → start with p=none to collect reports.
• If I already have DMARC at p=none → advise when to move to p=quarantine.
• If I already have p=quarantine → advise when I can move to p=reject.
Ensure the record includes a reporting address (example: rua=mailto:security@____).
Verify DKIM is enabled and aligned for each mail service I use.
4. Testing & Timeline
Please give me a timeline that fits my current situation:
If starting fresh → begin with p=none for 2–3 weeks, then p=quarantine, then p=reject.
If I already have SPF/DMARC in place but no monitoring → keep my current policy level, but set up reporting right away and advise how long I should monitor before moving to the next level.
If I already enforce -all or p=reject → confirm if my setup is solid or if I should adjust.
5. Ongoing Monitoring
I will sign up for a free account at Valimail.com to receive/analyze DMARC reports.
I will use mxtoolbox.com for DNS lookups and SPF/DMARC checks.
Please recommend how often I should review reports (monthly/quarterly).
6. Deliverables
- Provide corrected DNS TXT records for SPF and DMARC (if needed).
- Provide a checklist of how to publish them in DNS based on my technology skill level.
- Provide provider-specific, step-by-step instructions to update SPF and DMARC TXT records at my DNS and how to verify that DKIM is also implemented.
👉 Have you ever discovered that someone spoofed your domain or sent email pretending to be you? How did you find out?
Sources: ₁ Astra Security, ₂ TechMagic, ₃ EasyDMARC