GoHighLevel emails going to spam — fix SPF, DKIM & DMARC

Emails sent through GoHighLevel (GHL) land in spam or show a “via” tag, and your DMARC reports show them failing.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

A correct GHL setup publishes an SPF record that includes spf.leadconnectorhq.com (and Mailgun's mailgun.org, which GHL sends through), plus a DKIM public key at the mailo._domainkey selector. The single most common break is an empty or missing mailo._domainkey: GHL signs your outbound mail expecting a key at that selector, so when the public key isn't in your DNS no receiver can verify the signature, DKIM alignment fails, and DMARC quarantines the message. Source: HighLevel Support — Email Authentication Errors · verified 2026-07-18.

What to do about it

Step 1. Check the DKIM key is actually published: dig +short TXT mailo._domainkey.yourdomain.com should return a long k=rsa; p=… value — an empty result is the usual cause.
Step 2. Add the exact DKIM value GHL gives you at host mailo._domainkey if it's missing.
Step 3. Make sure your SPF record includes both spf.leadconnectorhq.com and mailgun.org.
Step 4. Publish DMARC on your root domain (p=none + rua to start), then run the free check below to confirm alignment.

Frequently asked

Will adding these records break the email I already send?

No. Adding SPF includes and DKIM records (whether TXT or CNAME) only adds authentication — it never blocks mail. The only step that can affect delivery is tightening your DMARC policy to quarantine or reject, and that comes later, once reports confirm every legitimate sender passes.

The platform says it “handles DMARC” — do I still need my own record?

Yes. Most platforms handle DKIM (and sometimes SPF) so their mail can pass, but the DMARC record is published on your own domain and controlled by you — it's what tells receivers to act on failures. Providers rarely publish it for you, and you want your own rua= address to see the reports.

How do I confirm it actually worked?

Send yourself a test message and check the headers for dkim=pass and dmarc=pass — or run the free check below on your domain to see SPF, DKIM and DMARC state, and which sending services currently align, in one place.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →