DKIM, SPF, and DMARC: the complete cold email setup guide
DKIM SPF DMARC setup for cold email senders, written by people who have authenticated thousands of sending domains. Exact DNS records, alignment rules, and the failures we see every week.
To send cold email in 2026 you need three DNS records on your sending domain: an SPF TXT record listing the IPs allowed to send mail for your envelope (Return-Path) domain, a DKIM TXT record publishing your public signing key under a selector, and a DMARC TXT record at _dmarc.yourdomain.com stating how SPF and DKIM must align with the From header and what receivers should do when they do not. Without all three correctly aligned, Gmail and Outlook will route you to spam.
Why email authentication matters in 2026
The DKIM SPF DMARC setup that used to be optional is now mandatory. Google and Yahoo announced new sender requirements in October 2023 and began enforcing them in February 2024: every sender must authenticate with SPF or DKIM, and bulk senders (5,000 or more messages a day to a provider) must pass both SPF and DKIM, be aligned with the From header, and publish a DMARC record (p=none is enough to satisfy the rule). Microsoft followed in 2025 with matching requirements for high-volume senders to Outlook.com mailboxes.
For cold email senders the practical effect is binary. With correct authentication you have a chance at the inbox. Without it, every message goes to spam regardless of how good the warmup, content, or list quality is. Cold email authentication is not a deliverability optimisation — it is the gate.
All but 4% of messages that reached Gmail inboxes (not spam) in 2025 passed both SPF and DKIM with DMARC alignment. That remaining 4% is mostly intra-domain forwards and mailing-list traffic; there is effectively no inbox path without authentication.
SPF setup: the sender policy framework
SPF (defined in RFC 7208) is a DNS TXT record that lists which IP addresses or services are permitted to send mail using your domain. Note which domain: the receiver takes it from the SMTP envelope sender (MAIL FROM, visible as Return-Path in delivered mail), not from the From header the recipient sees, looks up that domain's SPF record, and checks the connecting IP against it. If the IP is not listed, SPF fails. That distinction is why SPF on its own does not stop From-header spoofing; DMARC adds the alignment check covered below.
Step 1: identify every service that sends mail for you
List every sender: Google Workspace, Microsoft 365, Mailgun, SendGrid, Postmark, your cold email tool (Instantly, Smartlead, Lemlist, etc.), your CRM (HubSpot, Salesforce), your billing platform (Stripe, Chargebee). Each one provides an include: mechanism for SPF.
Step 2: publish a single SPF TXT record
The record lives at the apex of your sending domain (or subdomain) as a TXT record. An example for a sender using Google Workspace plus Mailgun plus Instantly:
Type: TXT Name: outreach.yourdomain.com Value: v=spf1 include:_spf.google.com include:mailgun.org include:spf.instantly.ai ~all
Three rules to follow. First: you can only have one SPF record per domain. Two records at the same name are a permerror, and the receiver treats a permerror as if you had no valid SPF at all. Second: the record may trigger at most 10 DNS lookups in total. include:, a, mx, ptr, exists and redirect= each count as one, and an include: also pulls in every lookup inside the record it references; ip4:, ip6: and all cost nothing. Third: end with ~all (softfail) during setup, then move to -all (hardfail) once verified. DMARC treats softfail and fail identically, so -all only changes how receivers that evaluate SPF on its own handle unlisted senders.
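A minimal SPF evaluator, added here as an example to make the three rules concrete; it is not code from the guide or from any provider. It checks a connecting IP against a record, follows include: and redirect= with a single shared lookup counter, and reports permerror for both a second SPF record and an eleventh lookup. The zone is constructed: the include names are the ones in the record above, but the IP ranges are RFC 5737 and RFC 3849 documentation ranges rather than the providers' real netblocks, and a/mx/ptr/exists are counted but not resolved.

```python
import ipaddress

MAX_LOOKUPS = 10                                        # RFC 7208 section 4.6.4
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS lookup
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SpfError(Exception):
    """A permerror: the record is unusable and receivers treat it as absent."""


# Constructed DNS zone (name -> TXT strings) standing in for real lookups. The include
# names are the ones in the guide's record; the netblocks are documentation ranges.
ZONE = {
    "outreach.yourdomain.com": [
        "v=spf1 include:_spf.google.com include:mailgun.org include:spf.instantly.ai ~all"
    ],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8:1::/48 ~all"],
    "mailgun.org": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "spf.instantly.ai": ["v=spf1 ip4:203.0.113.0/24 -all"],
    # two SPF records published at one name: always a permerror
    "broken.example": ["v=spf1 include:mailgun.org ~all", "v=spf1 include:spf.instantly.ai ~all"],
}
# eleven includes on one name: one over the limit
for i in range(11):
    ZONE[f"leaf{i}.example"] = ["v=spf1 ip4:192.0.2.0/24 -all"]
ZONE["bloated.example"] = ["v=spf1 " + " ".join(f"include:leaf{i}.example" for i in range(11)) + " -all"]


def get_spf(zone, domain):
    """Return the domain's single SPF record, None if absent, SpfError if there are several."""
    records = [t for t in zone.get(domain, []) if t.split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise SpfError(f"permerror: {domain} publishes {len(records)} SPF records")
    return records[0] if records else None


def parse_term(term):
    """Split 'include:x', '~all' or 'redirect=x' into (qualifier, name, argument)."""
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":" if ":" in term else "=")
    return qualifier, name.lower(), arg


def check_host(zone, ip, domain, budget=None):
    """Simplified RFC 7208 check_host(): evaluates ip4, ip6, include, redirect and all
    and enforces the lookup limit. a/mx/ptr/exists are counted but never match here."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    if budget is None:
        budget = [0]                      # one counter shared across nested includes
    record = get_spf(zone, domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        qualifier, name, arg = parse_term(term)
        if name in LOOKUP_MECHS or name == "redirect":
            budget[0] += 1
            if budget[0] > MAX_LOOKUPS:
                raise SpfError(f"permerror: more than {MAX_LOOKUPS} DNS lookups evaluating {domain}")
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):   # False across IP versions
                return RESULT[qualifier]
        elif name == "include":
            inner = check_host(zone, ip, arg, budget)
            if inner == "pass":
                return RESULT[qualifier]
            if inner == "none":           # section 5.2: including a domain without SPF is a permerror
                raise SpfError(f"permerror: include:{arg} has no SPF record")
        elif name == "redirect":
            redirect = arg
        elif name == "all":
            return RESULT[qualifier]
    if redirect:
        return check_host(zone, ip, redirect, budget)
    return "neutral"


def evaluate(zone, ip, domain):
    """check_host() with permerror folded into the result string, as a receiver reports it."""
    try:
        return check_host(zone, ip, domain)
    except SpfError:
        return "permerror"


def count_lookups(zone, domain):
    """Total lookups the record can trigger, following include: and redirect= recursively.
    This is the number SPF checkers report, independent of which IP is being evaluated."""
    record = get_spf(zone, domain)
    total = 0
    for term in (record or "").split()[1:]:
        _, name, arg = parse_term(term)
        if name in LOOKUP_MECHS or name == "redirect":
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(zone, arg)
    return total


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.9", "10.0.0.1"):
        print(ip, evaluate(ZONE, ip, "outreach.yourdomain.com"))
    print("lookups:", count_lookups(ZONE, "outreach.yourdomain.com"))
    print("broken:", evaluate(ZONE, "10.0.0.1", "broken.example"), "bloated:", evaluate(ZONE, "10.0.0.1", "bloated.example"))
```

The lookup budget is a single mutable counter passed down through every include, which is the detail most hand-written checkers get wrong: the limit is per evaluation, not per record, so a sender whose own record has three includes can still be pushed over 10 by what those includes pull in.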
DKIM setup: signing your messages
DKIM (defined in RFC 6376) attaches a cryptographic signature to every message you send, carried in a DKIM-Signature header whose d= tag names the signing domain and s= tag names the selector. The receiver fetches your public key from DNS at selector._domainkey.signing-domain and verifies the signature over the body hash and the signed headers. If the body or a signed header has been altered in transit, or the signature was forged, DKIM fails. The d= domain is the identifier DMARC aligns against, so it must be your domain, not the sending service's.
Step 1: generate keys in your sending service
Every modern ESP and cold email tool generates DKIM keys for you. In Google Workspace it's Admin Console → Apps → Google Workspace → Gmail → Authenticate email. In Microsoft 365 it's the Defender portal → Email & collaboration → Policies → DKIM. In cold email sequencers it's usually a settings page that gives you the exact DNS records to paste.
Step 2: publish the public key as a TXT record
DKIM records live at a selector subdomain: selector._domainkey.yourdomain.com. The selector is whatever the sending service tells you (Google's default is google; other services show theirs in the setup panel) and it is carried in the s= tag of every signature, so the DNS name must match it exactly. Multiple selectors per domain are fine and recommended, one per sending service, so each service's key can be rotated or revoked independently.
Type: TXT Name: google._domainkey.outreach.yourdomain.com Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB...
Use 2048-bit keys, not 1024-bit. A single TXT string holds at most 255 characters and a 2048-bit key record is around 400, so it has to be published as two or more quoted strings that resolvers join back together. Good DNS providers split it for you; some older ones need the split entered by hand (their documentation explains the syntax), and a few silently truncate the value, which makes every signature fail. Rotate keys at least every 12 months: publish the new key under a new selector, switch the signer over, and only remove the old selector's record once mail signed with the old key has stopped arriving.
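What a published DKIM record looks like under the hood, as an added example that is not part of the original guide: build the p= value from a public key the way a sending service does, split it into 255-character TXT strings, and audit a published record for key size and revocation. The moduli are constructed integers of the right bit length, not real keys (key generation itself stays with the sending service, as the guide says), and the zone-file line is illustrative. The DER layout and tag parsing follow RFC 6376; the prefix this produces is exactly the MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB... shown above, because every 2048-bit RSA SubjectPublicKeyInfo with e=65537 starts that way.

```python
import base64

RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")   # OID rsaEncryption + NULL parameters

# Constructed moduli of the right bit length (top bit set). They are NOT real keys and
# exist only so the encoding and the audit below can run offline.
N_2048 = (1 << 2047) | 0x10001
N_1024 = (1 << 1023) | 0x10001


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                       # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b


def der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body


def rsa_spki_der(n, e=65537):
    """SubjectPublicKeyInfo for an RSA key: the bytes the p= tag carries (RFC 6376 3.6.1)."""
    rsa_pub = der_seq(der_int(n), der_int(e))
    bit_string = b"\x03" + der_len(len(rsa_pub) + 1) + b"\x00" + rsa_pub
    return der_seq(der_seq(RSA_ALG_ID), bit_string)


def der_read(buf, pos=0):
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """SPKI -> BIT STRING -> RSAPublicKey -> modulus; return the modulus size in bits."""
    tag, spki, _ = der_read(spki_der)
    assert tag == 0x30, "not a SEQUENCE"
    _, _, pos = der_read(spki)                 # skip AlgorithmIdentifier
    tag, bits, _ = der_read(spki, pos)
    assert tag == 0x03, "not a BIT STRING"
    _, rsa_pub, _ = der_read(bits[1:])         # bits[0] is the unused-bits count
    _, modulus, _ = der_read(rsa_pub)
    return int.from_bytes(modulus, "big").bit_length()


def dkim_txt_value(spki_der):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode()


def split_txt(value, limit=255):
    """One TXT <character-string> holds at most 255 octets; longer values are published
    as several adjacent quoted strings that resolvers concatenate."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_line(name, value):
    """Zone-file form of the record; web UIs differ, but the split is the same."""
    return f"{name}. IN TXT " + " ".join(f'"{s}"' for s in split_txt(value))


def parse_dkim_record(strings):
    """Join the TXT strings a resolver returns and parse the tag=value list."""
    tags = {}
    for part in "".join(strings).split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(value.split())     # tolerate whitespace inside p=
    return tags


def audit_dkim_record(strings):
    """Return (modulus bits, problems). Bits is 0 when there is no usable RSA key."""
    tags = parse_dkim_record(strings)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        return 0, problems + [f"k={tags['k']} is not an RSA key; this audit only checks RSA"]
    p = tags.get("p")
    if p is None:
        return 0, problems + ["p= tag missing"]
    if p == "":
        return 0, problems + ["p= is empty: the key is revoked, every signature will fail"]
    bits = rsa_modulus_bits(base64.b64decode(p))
    if bits < 2048:
        problems.append(f"{bits}-bit RSA key; publish a 2048-bit key")
    return bits, problems


RECORD_2048 = dkim_txt_value(rsa_spki_der(N_2048))
STRINGS_2048 = split_txt(RECORD_2048)

if __name__ == "__main__":
    print(zone_line("google._domainkey.outreach.yourdomain.com", RECORD_2048))
    print(audit_dkim_record(STRINGS_2048))
    print(audit_dkim_record(split_txt(dkim_txt_value(rsa_spki_der(N_1024)))))
```

An empty p= is the RFC's revocation signal, which is also why the rotation advice above says to delete the old selector's record only after old-key mail has drained: receivers that find the record gone or empty fail the signature rather than ignoring it.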
DMARC setup: aligning SPF and DKIM
DMARC (RFC 7489) is the policy layer that ties SPF and DKIM to the From header. It checks that at least one of them passed AND that the passing identifier (the SPF envelope domain or the DKIM d= domain) is aligned with the From header domain. Without DMARC, an attacker can send through a SendGrid account so that SPF passes for bounce.sendgrid.net while the From address is yours, and neither SPF nor DKIM on its own objects. DMARC blocks that attack and tells receivers what to do when authentication fails.
The DMARC TXT record
DMARC lives at _dmarc.yourdomain.com. A starter record:
Type: TXT Name: _dmarc.outreach.yourdomain.com Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s; fo=1
Two things to know before copying this record. Strict alignment (adkim=s; aspf=s) requires an exact domain match: mail From outreach.yourdomain.com with a custom return-path of bounce.outreach.yourdomain.com fails SPF alignment outright and passes DKIM alignment only if the signature's d= is exactly outreach.yourdomain.com. If your services sign and bounce from the exact sending domain, strict is the tighter choice; otherwise keep the default relaxed (r), which accepts any subdomain of the same organizational domain. And fo=1 only does anything alongside a ruf= address for failure reports; without ruf= the tag is inert, and most large receivers, Gmail included, do not send failure reports anyway.
What each tag means
| Tag | Meaning |
|---|---|
| v= | Must be DMARC1 and must be the first tag |
| p= | Policy for the domain itself: none, quarantine, or reject |
| rua= | Where to send aggregate (XML) reports |
| ruf= | Where to send per-message failure reports; optional, and many receivers never send them |
| adkim= | DKIM alignment: s (strict, exact domain match) or r (relaxed, same organizational domain; the default) |
| aspf= | SPF alignment: s (strict) or r (relaxed; the default) |
| pct= | Percentage of failing messages the policy applies to (default 100); the rest get the next weaker action |
| sp= | Policy for subdomains that have no DMARC record of their own (defaults to the value of p=) |
| fo= | Failure report options: 0, 1, d, s; only meaningful together with ruf= |
The reporting address (rua) is critical. Without it you cannot see what is failing. Forward those reports to a parser — dmarcian, Postmark's free DMARC, or your own ELK stack — they arrive as raw XML and are unreadable by hand.
Which DMARC policy to choose
The right DMARC policy for cold email depends on how confident you are that every sender on your domain is correctly aligned. The progression is the same for everyone:
- p=none for the first 30 days. This is monitor-mode: receivers report on failures but take no action. Use the reports to find every shadow sender you forgot about.
- p=quarantine once the reports show no failures from your own legitimate senders for 14 days. Failures from spoofers never stop, and those are exactly the messages you want quarantined. This routes failing mail to spam; good enough for almost everyone.
- p=reject if you operate a high-value brand prone to spoofing. Receivers refuse failing mail at SMTP time, so it never reaches a spam folder. Most cold email senders stop at quarantine.
Skipping straight to p=reject on a new setup is the most common DMARC mistake. It usually breaks something, a forgotten HR app, a billing system, a transactional service, and you find out when your CEO's board emails bounce on Monday morning.
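The alignment rule, together with policy discovery and the rollout knobs from the table, as an added example that is not the guide's code. It evaluates a message the way a receiver does: find the record (falling back to the parent domain and its sp= for a subdomain), test the SPF identity and the DKIM d= domain against the From domain under strict or relaxed alignment, and return the disposition, stepped down one level when pct= is under 100. The zone is constructed; the outreach entry is the starter record above, the other records are invented for the scenarios, and the public-suffix handling is a two-entry stand-in for the real list.

```python
# Constructed stand-in for the Public Suffix List. DMARC's organizational-domain rule
# (RFC 7489 section 3.2) needs it so that a.example.co.uk and b.example.co.uk align.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# When pct= is below 100, the unsampled share of failing mail gets the next weaker
# action (RFC 7489 section 6.6.4), which is what makes a staged rollout safe.
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}

# Constructed zone of _dmarc names -> records. The outreach entry is the guide's
# starter record; the others are invented for the scenarios in the tests.
ZONE = {
    "_dmarc.outreach.yourdomain.com":
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=s; aspf=s; fo=1",
    "_dmarc.yourdomain.com":
        "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@yourdomain.com",
    "_dmarc.rollout.example": "v=DMARC1; p=reject; pct=50",
}


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict and fill in the RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError(f"not a usable DMARC record: {txt!r}")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(from_domain, auth_domain, mode):
    """Strict: exact match. Relaxed: same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def find_policy(zone, from_domain):
    """Section 6.6.3: try _dmarc.<From domain>, then _dmarc.<organizational domain>.
    Returns (tags, True) when the record came from the parent, so that sp= applies."""
    txt = zone.get(f"_dmarc.{from_domain}")
    if txt:
        return parse_dmarc(txt), False
    org = org_domain(from_domain)
    txt = zone.get(f"_dmarc.{org}")
    if txt:
        return parse_dmarc(txt), org != from_domain.lower()
    return None, False


def dmarc_evaluate(zone, from_domain, spf_domain=None, spf_result="none",
                   dkim_domain=None, dkim_result="none", sampled=True):
    """Combine the SPF result (for the MAIL FROM domain) and the DKIM result (for the
    signature's d= domain) into a DMARC verdict and the disposition the record asks for."""
    tags, from_parent = find_policy(zone, from_domain)
    if tags is None:
        return {"result": "none", "disposition": "none", "reason": "no DMARC record"}
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none",
                "reason": "aligned " + ("spf" if spf_ok else "dkim") + " pass"}
    reasons = []
    if spf_result == "pass":
        reasons.append(f"spf passed for {spf_domain} but aspf={tags['aspf']} alignment with {from_domain} failed")
    if dkim_result == "pass":
        reasons.append(f"dkim passed for d={dkim_domain} but adkim={tags['adkim']} alignment with {from_domain} failed")
    policy = tags.get("sp", tags["p"]) if from_parent else tags["p"]
    if not sampled and int(tags["pct"]) < 100:
        policy = STEP_DOWN[policy]
    return {"result": "fail", "disposition": policy,
            "reason": "; ".join(reasons) or "no authenticated identifier"}


if __name__ == "__main__":
    print(dmarc_evaluate(ZONE, "outreach.yourdomain.com",
                         spf_domain="bounce.outreach.yourdomain.com", spf_result="pass"))
    print(dmarc_evaluate(ZONE, "yourdomain.com", spf_domain="bounce.sendgrid.net", spf_result="pass"))
```

The first call in the usage block is the case the starter record's aspf=s creates: SPF passes, but for a bounce subdomain, so DMARC fails and the p=none policy merely reports it. The second is the SendGrid case from the section above, which the parent domain's p=reject would bounce.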
How to verify your authentication is working
Five tools to confirm DKIM SPF DMARC setup is correct end to end:
- mail-tester.com — send a test email to their generated address, get a deliverability score and authentication breakdown.
- dig from the command line: dig +short TXT _dmarc.yourdomain.com confirms the record is live. Query a public resolver (dig @8.8.8.8) or your authoritative nameserver if a local cache is still returning the old value.
- Gmail's show-original view: send a real message to a Gmail account, open it, click the three dots, "Show original". The summary at the top and the Authentication-Results header show pass/fail for all three, together with the domain each one was evaluated for.
- Google Postmaster Tools — the authentication report shows aggregate pass rates per day.
- MXToolbox or Easydmarc — full DNS lookup including SPF lookup-count and DMARC validation.
The Gmail show-original test is the highest-fidelity. If it shows dkim=pass, spf=pass, and dmarc=PASS all aligned with your From domain, you are done.
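The show-original check as code, added here as an example rather than anything from the guide: parse a Gmail-style Authentication-Results header (RFC 8601 syntax), then confirm that spf, dkim and dmarc all passed and that the SPF and DKIM identities align with header.from. Both sample headers are constructed, not real captures; the second reproduces the alignment failure described in this guide. The organizational-domain helper is a .com-only shortcut for the public suffix list.

```python
import re

# Constructed sample of the header Gmail shows under "Show original". Not a real
# capture; the domains and selector are the guide's examples.
GOOD = """Authentication-Results: mx.google.com;
       dkim=pass header.i=@outreach.yourdomain.com header.s=google header.b=k7Qx1vZ2;
       spf=pass (google.com: domain of bounce@outreach.yourdomain.com designates 203.0.113.7 as permitted sender) smtp.mailfrom=bounce@outreach.yourdomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=outreach.yourdomain.com"""

# The alignment-failure case from the guide, also constructed: SPF passes for the ESP's
# bounce domain and nothing is signed for the From domain.
BAD = """Authentication-Results: mx.google.com;
       dkim=none;
       spf=pass (google.com: domain of bounces+123@bounce.sendgrid.net designates 198.51.100.4 as permitted sender) smtp.mailfrom=bounces+123@bounce.sendgrid.net;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=yourdomain.com"""


def parse_auth_results(header):
    """Return (authserv-id, {method: {"result": ..., "ptype.prop": value, ...}})."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header.strip())      # join continuation lines
    body = unfolded.split(":", 1)[1]                             # drop the field name
    body = re.sub(r"\([^)]*\)", "", body)                        # drop (comments)
    authserv_id, *stanzas = [s.strip() for s in body.split(";") if s.strip()]
    results = {}
    for stanza in stanzas:
        head, *props = stanza.split()
        method, _, result = head.partition("=")
        entry = {"result": result.lower()}
        for prop in props:
            key, _, value = prop.partition("=")
            entry[key.lower()] = value
        results[method.lower()] = entry
    return authserv_id, results


def domain_of(identity):
    """'bounce@outreach.x' or '@outreach.x' -> 'outreach.x'."""
    return identity.rsplit("@", 1)[-1].lower()


def org_domain(domain):
    return ".".join(domain.split(".")[-2:])    # fine for .com; real code uses the PSL


def relaxed_aligned(from_domain, auth_domain):
    return bool(auth_domain) and org_domain(from_domain) == org_domain(auth_domain)


def inbox_ready(header):
    """The guide's show-original test: spf, dkim and dmarc all pass, and the SPF and
    DKIM identities align (relaxed) with header.from. Returns (ok, findings)."""
    _, res = parse_auth_results(header)
    findings = [f"{m}={res.get(m, {}).get('result', 'missing')}"
                for m in ("spf", "dkim", "dmarc") if res.get(m, {}).get("result") != "pass"]
    from_domain = res.get("dmarc", {}).get("header.from", "").lower()
    spf_domain = domain_of(res.get("spf", {}).get("smtp.mailfrom", ""))
    dkim = res.get("dkim", {})
    dkim_domain = domain_of(dkim.get("header.i") or dkim.get("header.d", ""))
    if res.get("spf", {}).get("result") == "pass" and not relaxed_aligned(from_domain, spf_domain):
        findings.append(f"spf passed for {spf_domain}, not aligned with From domain {from_domain}")
    if dkim.get("result") == "pass" and not relaxed_aligned(from_domain, dkim_domain):
        findings.append(f"dkim passed for {dkim_domain}, not aligned with From domain {from_domain}")
    return not findings, findings


if __name__ == "__main__":
    for name, header in (("good", GOOD), ("bad", BAD)):
        print(name, inbox_ready(header))
```

Only trust the Authentication-Results header whose authserv-id is the receiver you sent to (mx.google.com for Gmail); anything below it in the raw message was added by an earlier hop and can be forged by a sender.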
Common authentication failures and fixes
SPF permerror: too many DNS lookups
SPF allows at most 10 DNS lookups per evaluation. Stack five include: mechanisms that each recursively include two or three more and you blow the limit. Fix: first drop any services that no longer send mail for you, then move rarely used senders onto their own subdomain with their own record. Flattening (replacing include: with the resolved ip4/ip6 ranges, using an SPF flattening tool) is a last resort: a flattened record goes stale the moment a provider changes its netblocks, so it has to be regenerated on a schedule.
DKIM signature missing
Usually means the sending service was never told to sign, or signs with a selector you never published. Re-check the DKIM setup inside the service's admin panel, then compare the s= and d= tags in a received message's DKIM-Signature header with what is in DNS: the record must exist at exactly s._domainkey.d.
DMARC fail despite SPF and DKIM pass
Alignment failure. The passing identifier is not the same as the From header domain (or, under relaxed alignment, not in the same organizational domain). Configure a custom return-path on the sending service (sometimes called custom MAIL FROM or bounce domain) so SPF is evaluated for your domain, or make sure the service signs with a DKIM key whose d= is your domain. One aligned pass is enough, and DKIM alignment survives forwarding where SPF does not. Re-test.
Multiple SPF records
You can only have one SPF TXT record per domain. If you have two, the result is permerror, which receivers treat as no SPF at all, so your mail fails SPF even though each record is correct on its own. Merge into a single record with all include: mechanisms.
Once authentication is solid, the next step is warming the sending inbox so receivers trust the volume you intend to send. Read our email warmup guide for the ramp curve, and our cold email deliverability checklist for the full pre-launch list. NeverSpam pricing includes authentication checks on every connected mailbox.
Frequently asked questions
Do I need DKIM, SPF, and DMARC to send cold emails?
Yes. As of February 2024 Google and Yahoo require SPF or DKIM from every sender, and all three (SPF, DKIM and a published DMARC record, with the From domain aligned) from any sender pushing 5,000 or more messages per day to their mailboxes. Microsoft has followed suit for high-volume senders. Without DKIM, SPF, and DMARC correctly configured, your cold emails will land in spam regardless of warmup, subject line, or content quality.
What is the difference between SPF, DKIM, and DMARC?
SPF lists which IP addresses are allowed to send mail for your domain, checked against the envelope sender. DKIM cryptographically signs each message so the receiver can verify it was not tampered with and that the signing domain vouches for it. DMARC ties both to the From header: it tells receivers what to do when neither SPF nor DKIM passes in alignment with the From domain (quarantine, reject, or do nothing) and produces reports on who is sending mail using your domain. You need all three; they close different gaps, and neither of the first two on its own protects the From address the recipient actually sees.
What should my DMARC policy be for cold email?
Start with p=none for the first 30 days so you can read the aggregate reports without blocking legitimate mail. Move to p=quarantine once you have confirmed every sending service is correctly aligned. p=reject is the safest end state but only adopt it once you are 100% certain no shadow IT (HR tools, billing systems, CRMs) is sending unaligned mail from your domain. Most cold email senders sit at p=quarantine forever and it is fine.
How long does DKIM SPF DMARC setup take to propagate?
DNS TXT records propagate within 5 minutes on most registrars (Cloudflare, Route 53, Namecheap, Google Domains). Older registrars or those with longer TTL defaults can take up to 24 hours. The records do not get applied retroactively — only messages sent after propagation will authenticate. We recommend waiting at least an hour after setup before sending a test cold email.
Can I send cold email without DMARC?
Technically yes, practically no. Gmail will accept unsigned-but-SPF-passing mail at low volume, but inbox placement is significantly worse without DMARC. Outlook is harsher. From 2024 onwards both Google and Yahoo treat the absence of DMARC as a strong negative signal. Setting up DMARC takes 5 minutes — there is no reason to skip it.
Why is my DMARC failing even though SPF and DKIM pass?
Almost always an alignment issue. DMARC requires either SPF or DKIM to pass AND to be aligned with the From header domain. If you send from hello@yourdomain.com but your SPF passes for the envelope sender bounce.sendgrid.net, that is SPF-pass but DMARC-fail. The fix is to use a custom return-path domain (most ESPs offer this) or to configure DKIM with a key in your own domain.
Do subdomains need their own DKIM SPF DMARC records?
Yes. If you send cold email from a subdomain like outreach.yourdomain.com (which we strongly recommend, to isolate cold email reputation from your transactional and marketing domains), the subdomain needs its own SPF record and its own DKIM selector records, because SPF is looked up at the envelope domain and DKIM at selector._domainkey.<signing domain>. DMARC works differently: if there is no record at _dmarc.outreach.yourdomain.com, receivers fall back to _dmarc.yourdomain.com and apply its sp= policy (or its p= when sp= is absent). Publish a record at _dmarc.outreach.yourdomain.com only if you want the subdomain on a different policy or reporting address than the parent.
Keep reading
- Cold Email Subject Lines That Get Replies (Without Triggering Spam): cold email subject lines that get replies without triggering spam filters, with 30+ tested patterns, what mailbox providers flag, and what to avoid in 2026.
- Microsoft 365 / Outlook Email Warmup: A Complete 2026 Guide: Microsoft 365 and Outlook email warmup guide for 2026, covering the SmartScreen quirks, Defender for Office 365 thresholds, and the day-by-day ramp that works.
- How Many Cold Emails Per Day Can You Send Safely? (Real Limits): how many cold emails per day you can send safely in 2026, with Gmail, Outlook, and Workspace hard limits, the practical reputation limits, and the ramp math.
- Google Postmaster Tools: A Complete Guide for Cold Email Senders: Google Postmaster Tools guide for cold email senders, covering how to verify your domain, read the reputation tabs, and use Postmaster data to debug Gmail deliverability.