Why Are My Zoho CRM Emails Going to Spam?

Why are my Zoho CRM emails going to spam?

In most cases, because the receiving server can’t prove the mail is really from you. Spam filtering at Gmail, Outlook and Microsoft 365 starts with authentication: SPF, DKIM and DMARC records published in your domain’s DNS. If those records are missing, wrong or don’t cover Zoho’s servers, your mail starts every delivery attempt under suspicion. Content and subject lines matter far less than people assume.

Here is the diagnosis path, in order:

1. In Zoho CRM, open Setup (gear icon) > Channels > Email > Email Deliverability. If your domain is not added and validated there, stop. You’ve found the problem.
2. Publish the SPF and DKIM records the screen generates at your DNS host, exactly as given.
3. Add a DMARC record. Zoho doesn’t generate this one for you but it takes two minutes.
4. Send test emails through every path CRM uses (manual, workflow, mass email) and read the headers at the receiving end.
5. Only once authentication passes everywhere, look at volume, warm-up and content.

The rest of this guide walks through each step with the records to publish.

Which servers send your Zoho CRM email?

This trips people up constantly, so it’s worth getting straight first. Zoho CRM doesn’t send all email the same way.

One-to-one emails, the ones a salesperson writes from a Contact record, usually go out through whatever mailbox is connected to that user: Zoho Mail, or a Microsoft 365 or Gmail account linked via IMAP. Those messages inherit the authentication of the mailbox itself.

Workflow emails, autoresponders and mass emails are different. They leave from Zoho CRM’s own infrastructure, regardless of what mailbox a user has connected. So a business can have Zoho Mail perfectly authenticated, watch manual emails land fine and still have every workflow notification junked. Two paths, two sets of records. The Email Deliverability setup in CRM covers the second path and that’s the one this guide is about.

One more boundary worth drawing. If you’re sending newsletters or bulk marketing from CRM’s mass email feature, you are using the wrong tool. That work belongs in Zoho Campaigns, which has its own deliverability rules and its own ways of going wrong; we cover those in what to do when Zoho Campaigns suspends your account.

What is SPF and what record does Zoho CRM need?

SPF is a TXT record on your domain listing the servers permitted to send mail on its behalf. A receiving server checks the connecting IP against that list. The idea is simple but frequently botched.

A typical record for a business on Zoho’s EU data centre that also uses Microsoft 365 for staff mailboxes looks like this:

yourdomain.co.uk.  TXT  "v=spf1 include:zoho.eu include:spf.protection.outlook.com ~all"

The include value varies by data centre: zoho.com for US-hosted accounts, zoho.eu for Europe, zoho.in for India and so on. Don’t copy the value from a blog post, including this one; take it from your own Email Deliverability screen, which knows where your account lives.

Two breakages we see over and over. First, a domain with two SPF records, usually because someone added a new one instead of merging into the old. Two records is a permanent error and everything fails. Second, too many include statements. SPF allows ten DNS lookups per check; busy domains running Zoho, Microsoft 365, a helpdesk and three marketing tools blow past it without noticing.

How do I set up DKIM for Zoho CRM?

DKIM is a cryptographic signature added to each outgoing message. The private key sits with the sender, the public key sits in your DNS and the receiving server checks one against the other. Unlike SPF, the signature survives forwarding and it names a specific domain, which matters enormously for the next section.

In Zoho CRM, go to Setup > Channels > Email > Email Deliverability, add your domain under email authentication and CRM generates a selector record like this:

zmail._domainkey.yourdomain.co.uk.  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB..."

Publish it at your DNS host, wait for propagation, then click validate back in CRM. Once validated, CRM signs outgoing mail as your domain rather than as Zoho’s shared infrastructure. This is the custom sending domain setup and it’s the single highest-value step on this page. Without it, recipients see your mail signed by a Zoho domain they’ve never heard of, often with a “via” label next to your name.

Do I need DMARC as well?

Yes. DMARC ties the other two checks to the From address the recipient actually sees. SPF can pass against a bounce domain the reader never looks at. DKIM can carry a valid signature for some unrelated domain. DMARC asks the only question a human would ask: did anything verify against the domain in the From line? That matching is called alignment.

The record lives at _dmarc on your domain:

_dmarc.yourdomain.co.uk.  TXT  "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.co.uk"

Start with p=none, which monitors without blocking anything. Read the reports for a couple of weeks. Once you can see all your legitimate sources passing, move to p=quarantine. Gmail and Yahoo made DMARC mandatory for bulk senders in 2024 and Microsoft applied the same requirement to high-volume senders into Outlook.com from 2025.

Why does Outlook junk my mail when Gmail delivers it?

Because Microsoft goes a step further than the published standards. Alongside SPF, DKIM and DMARC, Microsoft 365 runs its own composite authentication check, visible in message headers as compauth. It asks whether anything about the message aligns with the From domain and it junks mail that fails, even mail with a technically passing SPF result.

This is exactly the trap unauthenticated Zoho CRM mail falls into. The message leaves Zoho’s servers, SPF passes for Zoho’s bounce domain, nothing aligns with yourdomain.co.uk and Microsoft files it as probable spoofing. Gmail is somewhat more forgiving in the same situation, which is why the complaint is so often “fine in Gmail, junk in Outlook”.

The fix is the aligned DKIM signature from the previous section. Once CRM signs as your domain, compauth passes and Microsoft’s attitude changes completely. A useful rule of thumb: if your mail reliably reaches Microsoft 365 inboxes, it will reach almost anything.

Does sending volume matter?

It does, though less than authentication. Mailbox providers track reputation per domain and a domain that has never sent through Zoho before has none. If you switch on a new CRM and immediately fire workflow emails at thousands of contacts, the volume spike itself looks suspicious. Ramp up over a week or two instead, starting with your most engaged recipients.

Zoho CRM also caps mass emails per day depending on your edition. The caps exist because blasting cold lists from a CRM is how domains earn the kind of reputation that takes months to repair.

What about the email content itself?

A real factor, but a smaller one than plenty of articles suggest. Once authentication passes, content filters operate at the margins. The things worth avoiding are the obvious ones: link shorteners, a message that is one large image, attachment-heavy first contact, subject lines in capitals. None of it rescues an unauthenticated domain. Don’t spend an afternoon rewording subject lines while your DNS is broken.

How do I test whether it’s fixed?

Test every sending path CRM uses.

First, send a workflow email and a manual email from CRM to the address that mail-tester.com generates for you. It scores the message out of ten and itemises every failure, including SPF, DKIM and DMARC verdicts. It’s free.

Second, send to a Microsoft 365 mailbox you control. Open the message and view its source: File > Properties in classic Outlook, or View message source from the three-dot menu in new Outlook and Outlook on the web. Find the Authentication-Results header. You want spf=pass, dkim=pass with your own domain after d=, dmarc=pass and compauth=pass. In Gmail, Show original from the three-dot menu lays out the same verdicts in a table.

If outbound now passes but you also have email vanishing on the way in, that’s a separate failure with separate causes; see our guide to Zoho Desk emails not creating tickets.

Quick diagnostic checklist

• Is your domain added and validated under Setup > Channels > Email > Email Deliverability in CRM?
• Does your domain have exactly one SPF record and does it include the right Zoho value for your data centre?
• Is the DKIM selector record published and showing as validated in CRM?
• Is there a DMARC record at _dmarc on your domain, even at p=none?
• Have you tested workflow emails separately from manual ones? They leave through different servers.
• What does the Authentication-Results header say at a Microsoft 365 recipient, compauth included?
• Did sending volume jump recently, or is the domain brand new to Zoho?

When to get help

This is a one-off job and it’s worth doing properly, because a half-done version fails quietly for months while quotes and follow-ups sit in junk folders. Sorting authentication, DNS and the CRM email setup end to end is routine work for our Zoho CRM consultants and a developer is assigned to standard projects within 24 hours. If deliverability has collapsed mid-deal and you need it fixed today, our emergency Zoho developer service gets a senior developer responding within 30 minutes during UK business hours. Prices are published on the pricing page and the discovery call is free. Get in touch and tell us which mailbox provider is junking you; that detail usually narrows the diagnosis.