Why Your Emails Might Not Be Getting Delivered (And You’d Never Know)

Most ABA founders don’t think about email until something breaks.

Messages stop reaching staff.

Billing emails land in spam.

A payer says, “We never got that.”

Parents miss updates, reminders, or time-sensitive messages.

Or worse… someone impersonates your domain.

At that point, email stops feeling like a tool and starts feeling like risk.

In our Google Workspace vs Microsoft 365 breakdown, we talked about email as an identity layer, not just a communication tool.

This article goes one layer deeper, into the quiet systems that decide:

• whether your emails are trusted
• whether they’re delivered
• and whether your domain can be abused without you knowing

Those systems are called SPF, DKIM, and DMARC.

They sound technical.
They don’t need to be scary.
And you don’t need to be an IT expert to understand what they do  or why they matter.

Why Email Deliverability Is a Leadership Issue (Not a Tech One)

Email isn’t just how you communicate.

It’s how:

• payers verify identity
• staff trust instructions
• systems reset passwords
• vendors validate ownership

When email fails, the problem usually isn’t sending.

It’s trust.

SPF, DKIM, and DMARC are how the internet decides whether messages claiming to be “from you” actually deserve to be believed.

Think of them as identity proof, not email features.

SPF: “Who’s Allowed to Send on Our Behalf?”

SPF (Sender Policy Framework) answers one simple question:

Which systems are allowed to send email as this domain?

In plain English:
SPF is a guest list for your email domain.

It tells the internet:

“Only these approved senders are allowed to send mail that looks like it came from us.”

Why SPF Matters

Without SPF:

• Anyone can impersonate your domain
• Spoofed emails look legitimate
• Your real emails lose trust over time

With SPF:

• Mail servers can verify legitimacy
• Unauthorized senders get flagged
• Deliverability improves

Common SPF Problems We See in ABA Orgs

• SPF never updated after switching email platforms
• Billing platforms added but not authorized
• Marketing tools sending without approval
• Multiple vendors stacking conflicting records

None of these are malicious.
They’re normal growth issues, but they quietly weaken trust.

DKIM: “Did This Message Change After It Was Sent?”

DKIM (DomainKeys Identified Mail) verifies message integrity.

It answers this question:

Was this email altered after it left the sender?

DKIM uses a digital signature, like a tamper seal.

Why DKIM Matters

DKIM ensures:

• Messages weren’t modified in transit
• Attachments weren’t altered
• Headers weren’t manipulated

Without DKIM:

• Messages are easier to spoof
• Trust scores drop
• Spam filtering becomes aggressive

With DKIM:

• Email content is cryptographically verified
• Receiving servers can trust the message
• Your domain reputation strengthens over time

A Simple Mental Model

SPF checks who sent the email
DKIM checks whether it stayed intact

You need both.

DMARC: “What Should Happen If Something Looks Wrong?”

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the decision-maker.

It answers:

If an email fails SPF or DKIM checks… what do we do about it?

DMARC lets you tell the internet whether to:

• do nothing
• quarantine suspicious messages
• reject them outright

It also provides reports showing who’s trying to send as you legitimately or not.

Why DMARC Is the Most Important (and Most Ignored)

Without DMARC:

• Failures are invisible
• Spoofing can go unnoticed
• You don’t know who’s abusing your domain

With DMARC:

• You gain visibility
• You control enforcement
• You can stop impersonation before it spreads

DMARC Is About Control, Not Punishment

Many founders worry DMARC will “break email.”

Done recklessly, it can.
Done intentionally, it protects your identity without disruption.

DMARC is not a switch you flip.
It’s a posture you mature into.

How These Three Work Together

{insert image}

• SPF = “Only these friends can send letters”
• DKIM = “This letter really came from you”
• DMARC = “If something looks fishy, throw it out”

Individually, each helps.
Together, they create a strong email trust infrastructure.

This is why deliverability, security, and compliance overlap here, especially in healthcare.

Why This Matters More in ABA Than Most Industries

ABA organizations deal with:

• PHI
• payer communication
• audit scrutiny
• staff turnover
• remote access

That combination increases risk… not because of bad intent, but because identity confusion is easy to exploit.

Email misconfiguration doesn’t usually fail loudly.

It fails quietly:

• messages delayed
• trust eroded
• impersonation unnoticed

By the time it becomes visible, damage is already done.

“How Do I Fix This?” (Conceptually, Not Technically)

You don’t need to know how to write DNS records to understand the decision.

At a conceptual level, fixing SPF, DKIM, and DMARC means:

1. Knowing who is allowed to send email as your domain
2. Ensuring those senders authenticate properly
3. Deciding how strict you want enforcement to be
4. Monitoring reports instead of assuming it’s fine

The exact steps vary depending on:

• your domain registrar
• your email platform
• your third-party tools

The principles do not.

This Isn’t About Becoming Technical, It’s About Ownership

Most founders assume email “just works.”

Until it doesn’t.

SPF, DKIM, and DMARC are not advanced security features.
They are baseline ownership controls for your digital identity.

If you don’t know whether they exist, or who configured them, you’re borrowing trust, not owning it.

If You Want Help (Without Guessing)

If this article made you think:

“I’m not sure who controls this or if it’s even set up correctly.”

That’s normal.
And it’s fixable.

We help ABA organizations:

• review email identity configuration
• improve deliverability
• reduce impersonation risk
• document ownership and control

No fear tactics.
No jargon overload.
Just clarity.

If you want a second set of eyes, reach out or start with an email assessment and we’ll tell you exactly where you stand.

Because when email is your identity layer,
trust isn’t optional. It’s infrastructure.

Schedule your email assessment here: https://meetings.hubspot.com/joshnelson/email-health-check