Email deliverability: why website forms can fail on SPF, DKIM, and DMARC

Contact forms, booking flows, and transactional emails need clean DNS and sender configuration. SPF, DKIM, and DMARC belong in every website check.

By Jurono
Updated: July 3, 2026

A website can technically work and still lose business because emails do not arrive reliably. Contact forms, quote requests, password resets, booking confirmations, invoices, and newsletters all depend on one basic question: do receiving mail servers trust the sender?

Many teams only test whether the form says "sent". That is not enough. What matters is whether the message reaches the inbox, lands in spam, can be replied to, and is authenticated for the sending domain.

Why SPF, DKIM, and DMARC matter

SPF defines which servers are allowed to send email for a domain. DKIM cryptographically signs messages so recipients can verify that the signed content was not changed in transit and which domain signed it. DMARC builds on both: it checks that a passing SPF or DKIM result matches the domain in the visible From address, and it tells receiving servers what to do with messages that fail.

For website owners, this may sound like mail server trivia. In practice it means: if a website sends through a form provider, CMS, SMTP service, or newsletter tool, DNS and sender logic must match.

Common mistakes

Website projects often show the same problems:

  • The contact form sends as the visitor address instead of the site domain.
  • SPF includes too many or wrong providers.
  • DKIM is active for newsletters but not transactional mail.
  • DMARC is missing or remains in test mode for years.
  • Subdomains such as mail.example.com or app.example.com are undocumented.
  • Several tools send for the same domain, but nobody knows the full list.
  • Forms work in a test but land in spam at Gmail, Yahoo, or corporate inboxes.

That is not cosmetic. For lead generation and customer communication, it is business-critical.
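
The first mistake in the list can be checked on a received test mail. The following Python sketch is an added example, not code from Jurono: it reads the headers of a form mail and reports whether From uses the site domain, whether a reply path exists, and whether any passing SPF or DKIM result aligns with From. The sample messages, `example.com` as the site domain, and the two-label approximation of the organizational domain are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain;
    # production checks use the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_form_mail(raw, site_domain):
    """Return findings for one received test mail (full headers as text)."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Only trust Authentication-Results added by the receiving test mailbox.
    results = " ".join(" ".join(msg.get_all("Authentication-Results", [])).split())
    passed = re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results)
    passed += re.findall(
        r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([\w.-]+)", results)
    findings = []
    if org_domain(from_dom) != org_domain(site_domain):
        findings.append("From uses %s, not the site domain" % from_dom)
    elif not msg.get("Reply-To"):
        findings.append("no Reply-To: replies go to the site, not the visitor")
    if not any(org_domain(d) == org_domain(from_dom) for d in passed):
        findings.append("no passing SPF or DKIM result aligns with From")
    return findings

# Constructed test mails; example.com stands for the site domain.
BAD = """From: visitor@customer.example
To: office@example.com
Subject: Contact form
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=www@web01.hosting.example; dkim=none

Hello
"""
GOOD = """From: Website form <forms@example.com>
Reply-To: visitor@customer.example
To: office@example.com
Subject: Contact form
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@mail.example.com;
 dkim=pass header.d=example.com

Hello
"""

if __name__ == "__main__":
    for name, raw in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, check_form_mail(raw, "example.com"))
```

In the BAD sample SPF passes, but only for the hosting provider's domain, so the visitor's From address has no aligned result.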

What a website check should include

A pragmatic email check covers:

  1. DNS: SPF, DKIM, and DMARC for the main domain and relevant subdomains.
  2. Sender identity: which address does the website actually use?
  3. Tool inventory: CMS, SMTP, newsletter, CRM, booking, shop, support.
  4. Test mails: send to Gmail, Outlook, Yahoo, and a corporate mailbox.
  5. Reply path: can the recipient reply meaningfully?
  6. Error logs: bounces, SMTP errors, form logs.
  7. DMARC reporting: for larger setups, reports help find misconfigurations.

Important: do not only test newsletters. Contact forms and password resets are often more critical.
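
For the DNS step, the sketch below (an added example, not Jurono's tooling) audits TXT records that have already been fetched: it rejects a missing or duplicated SPF record, counts SPF DNS lookups across nested includes against the RFC 7208 limit of 10, and flags a missing or monitoring-only DMARC policy. The `ZONE` dictionary is constructed data standing in for live DNS answers, and all domain names are placeholders.

```python
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_record(domain, zone):
    """Return the single v=spf1 record for domain, or None if missing/duplicated."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    return found[0] if len(found) == 1 else None

def spf_lookups(domain, zone, path=()):
    """Count DNS-querying SPF terms, following include/redirect targets."""
    record = spf_record(domain, zone)
    if record is None or domain in path:  # unknown target or include loop
        return 0
    total = 0
    for term in record.split()[1:]:
        name, _, target = term.lstrip("+-~?").lower().replace("=", ":", 1).partition(":")
        if name.split("/")[0] in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += spf_lookups(target, zone, path + (domain,))
    return total

def dmarc_policy(domain, zone):
    """Return the p= value at _dmarc.<domain>, or None if there is no DMARC record."""
    for txt in zone.get("_dmarc." + domain, []):
        tags = {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in txt.split(";") if "=" in p)}
        if tags.get("v") == "DMARC1":
            return tags.get("p", "").lower() or None
    return None

def audit(domain, zone):
    findings = []
    if spf_record(domain, zone) is None:
        findings.append("SPF: missing or more than one v=spf1 record")
    elif spf_lookups(domain, zone) > 10:  # RFC 7208 limit of 10 lookups
        findings.append("SPF: %d DNS lookups, limit is 10" % spf_lookups(domain, zone))
    policy = dmarc_policy(domain, zone)
    if policy is None:
        findings.append("DMARC: no record at _dmarc." + domain)
    elif policy == "none":
        findings.append("DMARC: p=none (monitoring only)")
    return findings

# Constructed TXT data standing in for live DNS answers.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mailer.example mx ~all", "site-verification=constructed"],
    "_spf.mailer.example": ["v=spf1 ip4:192.0.2.0/24 a mx -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
print(audit("example.com", ZONE))
```

Run the same audit for every sending subdomain in the tool inventory, since each one needs its own SPF record and is covered by DMARC separately or through the parent policy.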

Maintenance after changes

Deliverability is not a one-time project. New tools, domain changes, relaunches, and hosting migrations can change DNS records. After relevant changes, teams should check:

  • Was a new sending service connected?
  • Did the DNS provider change?
  • Does the CMS still use the same SMTP server?
  • Were DKIM keys rotated?
  • Are old SPF entries still needed?

Conclusion

If website forms do not deliver reliably, teams often notice only after leads are missing. SPF, DKIM, and DMARC are therefore not just IT formalities. They are part of website functionality. A good website check should show whether the domain is configured as a trustworthy sender.

Note: This article is a technical overview and does not constitute legal advice.
