Since 2024, Google, Yahoo, and Microsoft require SPF, DKIM, and DMARC from bulk senders, plus a spam complaint rate under 0.3 percent. Missing records mean rejection before anyone reads your subject line.
Run outbound on secondary domains with 2 to 3 mailboxes each, capped at 15 emails per day on Google and 10 to 12 on Outlook, sized at 1.5x your target volume.
A fresh cold email domain starts at p=none with reporting on, then moves to p=quarantine after 4 to 6 weeks of clean reports. Reject belongs on your corporate domain, not a two-week-old sender.
Validate records in MXToolbox, send a test to Gmail and check Show original for SPF, DKIM, and DMARC passes, then register in Google Postmaster Tools to watch reputation over time.
Records take 15 minutes, but a new domain still needs 30 days of warmup before real volume. Reachly holds client campaigns to bounce rates under 3 percent and deliverability above 97 percent on this exact setup.
You can write the sharpest cold email of your career and it will still land in spam if three DNS records are missing. Since February 2024, Google and Yahoo require SPF, DKIM, and DMARC from anyone sending 5,000 or more messages a day, and Microsoft added the same requirement for Outlook inboxes in May 2025. Below that volume you still need SPF and DKIM to pass basic filtering. No authentication, no inbox, and the copy never gets a chance.
This guide walks through the full SPF, DKIM, DMARC setup for cold email: what each record does, the exact values to paste into your DNS, the DMARC policy that makes sense for a cold email domain, and how to test everything before the first send. It is written for operators sending real outbound volume, not for IT admins protecting a corporate domain.
We run cold email infrastructure for 50+ B2B clients at Reachly and hold client campaigns to a bounce rate under 3 percent and a deliverability score above 97 percent. The setup below is the one we run on every new sending domain, every time.
What SPF, DKIM, and DMARC actually do
SPF, DKIM, and DMARC are three DNS TXT records that together prove your email is legitimate. Receiving servers like Gmail and Outlook check them on every message, and email authentication is the first gate your cold email has to clear before content, sending behavior, or list quality even get evaluated.
Think of them as three separate proofs. SPF (Sender Policy Framework) is the guest list: it names the servers allowed to send email for your domain. DKIM (DomainKeys Identified Mail) is the tamper-proof seal: a cryptographic signature that proves the message was not altered in transit and really came from your domain. DMARC (Domain-based Message Authentication, Reporting and Conformance) is the security policy: it tells receiving servers what to do with messages that fail the first two checks, and it sends you reports on everyone sending mail as your domain.
| Record | What it proves | What breaks without it |
|---|---|---|
| SPF | The sending server is on your domain's approved list | Receivers cannot tell your mail server from a spammer spoofing your domain, so filtering gets aggressive |
| DKIM | The message carries a valid cryptographic signature from your domain and was not altered in transit | Messages fail integrity checks, and Gmail flags or junks mail from bulk senders that lack a signature |
| DMARC | You have published a policy for handling failures, and SPF or DKIM aligns with your From address | You fail Google, Yahoo, and Microsoft bulk sender requirements outright, and you fly blind on spoofing |
People search for SPF vs DKIM vs DMARC as if it were a choice. It is not. The three records answer different questions, and DMARC does not work without at least one of the other two, because it only passes when SPF or DKIM passes and aligns with the domain in your From address. For cold email you set up all three, in that order.
Why cold email dies without email authentication
The 2024 bulk sender rules changed the math. Google and Yahoo now require SPF and DKIM on every bulk sender, a published DMARC record, a spam complaint rate under 0.3 percent (with 0.1 percent as the working target), and one-click unsubscribe. Microsoft rolled out matching requirements for Outlook, Hotmail, and Live inboxes in May 2025. Miss the records and your mail gets rejected or junked before a human ever sees the subject line.
Cold email feels these rules harder than marketing email does. You are sending from young domains with no engagement history, to people who never opted in, at a complaint-rate margin measured in fractions of a percent. Authentication does not earn you the inbox on its own, but missing it disqualifies you instantly. That is why SPF, DKIM, and DMARC sit at the top of our email deliverability guide, and why infrastructure is the first thing we check when a campaign gets zero replies, before subject line, length, tone, or offer. The same diagnostic order shows up in our cold email best practices.
Set up your sending domains before the records
One rule before any DNS work: never send cold email from your main domain. If a sending domain gets burned, you want to retire it and move on, not watch your company's transactional and sales email go down with it. Buy secondary domains that are close to your brand (yourcompany-hq.com, tryyourcompany.com, getyourcompany.com) and run all outbound from those. A tool like ZapMail handles domain purchase, mailbox creation, and all three authentication records automatically, which removes most of the manual work in this guide.
Size the infrastructure conservatively. We run 2 to 3 mailboxes per domain and cap sending at 15 emails per mailbox per day on Google and 10 to 12 on Outlook. Build capacity at roughly 1.5x your target volume so underperforming mailboxes can rotate out. And match the sending ESP to the recipient ESP where you can: Google to Google, Outlook to Outlook. Smartlead handles that matching at the campaign level.
How to set up SPF for cold email
SPF is a single TXT record in your DNS that lists the servers allowed to send for your domain. Setup takes five minutes.
Log in to your DNS provider (GoDaddy, Namecheap, Cloudflare, or wherever the domain lives), open the DNS records for your sending domain, and add a new TXT record. Set the host to @ (the root domain) and paste the value that matches your email provider.
For Google Workspace: v=spf1 include:_spf.google.com ~all
For Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all
Three rules keep SPF out of trouble. First, one SPF record per domain, ever. Two records is an automatic fail, so if a record already exists, merge the include statements into it instead of adding a second one. Second, stay under 10 DNS lookups. Every include counts toward the limit, and a fresh secondary domain used only for cold email should carry exactly one. Third, use ~all (softfail) rather than -all. The tilde version tells receivers to treat unlisted servers with suspicion without hard-bouncing edge cases like forwarded mail.
How to set up DKIM
DKIM is a signature key pair. Your email provider holds the private key and signs every outgoing message; the public key sits in your DNS so receivers can check the signature.
On Google Workspace: open the Admin console, go to Apps, then Google Workspace, then Gmail, then Authenticate email. Generate the record, choose the 2048-bit key length (use 1024 only if your DNS provider cannot handle the longer string), and copy the TXT record. In your DNS, add it with host google._domainkey and the generated value. Back in the Admin console, click Start authentication once the record has propagated.
On Microsoft 365: open the Defender portal, go to Email authentication settings under Policies and rules, select your domain, and turn on DKIM signing. Microsoft gives you two CNAME records (selector1 and selector2) to add in your DNS instead of a TXT record.
Propagation usually completes within an hour but can take up to 48 hours. Do not start warmup until DKIM shows as active, because every unsigned message you send is a small withdrawal from your domain reputation.
How to set up DMARC for cold email
DMARC is the record most cold email senders get wrong, usually in one of two directions: they skip it entirely and fail the bulk sender rules, or they copy a p=reject policy from a security blog and torch their own deliverability.
Add a TXT record with host _dmarc and this value:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100
The p tag is the policy, and the right policy depends on the domain's job. For a fresh cold email domain, start at p=none. That satisfies the Google and Yahoo minimum, turns on aggregate reporting to the rua address, and applies no enforcement while your SPF and DKIM setup proves itself. After 4 to 6 weeks of clean reports, move to p=quarantine, which sends failing mail to spam and reads as a stronger trust signal to receivers. Reserve p=reject for your main corporate domain, where spoofing protection matters more than delivery edge cases. Jumping a two-week-old sending domain straight to reject solves a problem you do not have and creates several you do.
DMARC also enforces alignment: the domain that passes SPF or DKIM must match the domain in your From address. If you send through Google Workspace on your own domain with the records above, alignment takes care of itself. It usually only breaks when a tool sends on your behalf from its own infrastructure, which is one more reason cold email runs on your mailboxes, not a shared sending pool.
Here are all three records side by side for a Google Workspace sending domain.
| Record | Type | Host | Value (Google Workspace example) | Watch out for |
|---|---|---|---|---|
| SPF | TXT | @ | v=spf1 include:_spf.google.com ~all | Only one SPF record per domain, max 10 lookups |
| DKIM | TXT | google._domainkey | v=DKIM1; k=rsa; p=[your 2048-bit public key] | Generate in Admin console, then click Start authentication |
| DMARC | TXT | _dmarc | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100 | Start at p=none, move to quarantine after clean reports |
The setup order, from new domain to first send
Records in isolation do not get you to the inbox. The sequence around them does. This is the order we run for every client domain.
Cold email domain setup in six steps
How to test your SPF, DKIM, and DMARC setup
Never trust a record you have not tested. A checker takes two minutes and catches the typo that would otherwise cost you a month of domain reputation.
Run your domain through MXToolbox, which has free SPF, DKIM, and DMARC lookups that flag syntax errors, duplicate records, and lookup-limit problems. Google's Admin Toolbox Check MX does the same from Google's point of view, and dmarcian's inspector tools read your DMARC record back to you in plain English.
Then run the real-world test. Send a message from your sending mailbox to a Gmail address you control, open it, and click Show original. You want three lines: SPF PASS, DKIM PASS, DMARC PASS. Anything else means a record is wrong or has not propagated yet. Repeat the same test to an Outlook address, since Microsoft evaluates independently.
Finally, register the domain in Google Postmaster Tools. It shows your spam complaint rate, domain reputation, and authentication pass rates over time, which is how you catch a slow slide before it becomes a blacklist entry. We re-check every client domain monthly, the same cadence we use to re-validate any lead list older than 3 months through ZeroBounce.
Authentication is the floor, not the finish line
Passing SPF, DKIM, and DMARC gets you to the starting line. What happens next is behavioral: how old the domain is, how fast you ramp, who you send to, and whether people reply.
Two weeks of warmup is the legacy advice. Thirty days is the 2026 number. Google flags any domain younger than that with a yellow banner above your email, and no DNS record saves you from it. Authentication is table stakes: SPF, DKIM, DMARC, and a custom tracking domain, none of them optional. The campaigns that stay out of spam are the ones that get the records right and then respect the warmup clock.
The rest of the deliverability stack looks like this. Warm up every new mailbox for 30 days before real volume. Add a custom tracking domain so open and click tracking runs on your subdomain instead of a shared one. Keep sequences short: two emails, 6 to 7 days apart, then stop and re-engage the list 1.5 to 2.5 months later with a fresh angle, the pattern we break down in our guide to automated email follow-ups. Keep the copy at 70 to 80 words so it reads like a human wrote it. And treat list quality as an authentication issue, because bounces and spam traps undo everything the records built. Our modern outbound sales strategy guide shows how infrastructure, list building, and copy fit together, and our breakdown of outbound lead generation covers the channel mix around it.
Get the setup handled and skip the learning curve
Everything in this guide is learnable, and most founders learn it by burning their first domain. That is a real cost: a torched domain means new domains, new mailboxes, another 30-day warmup, and a month of pipeline that never happened.
Reachly runs the whole stack as a done-for-you service: domains, mailboxes, SPF, DKIM, DMARC, custom tracking domains, warmup, and the campaigns on top, across cold email, LinkedIn, and cold calling. Client campaigns hold bounce rates under 3 percent and deliverability above 97 percent, and for Primal that infrastructure produced an 8 percent average positive reply rate and a 4.57x ROI. If you would rather send than configure DNS, our cold email agency team sets up the machine and runs it, typically live within 2 to 3 weeks. You can sanity-check the economics on the ROI calculator first.
SPF, DKIM, DMARC setup for cold email FAQ
Three DNS records that authenticate your email. SPF lists the servers allowed to send for your domain, DKIM adds a cryptographic signature proving the message was not altered, and DMARC publishes a policy for handling failures plus reports on who is sending as your domain. Gmail, Outlook, and Yahoo check all three on every message you send.
Yes. Since February 2024, Google and Yahoo require a published DMARC record from bulk senders, and Microsoft added the same requirement in May 2025. A minimal record with p=none satisfies the requirement, turns on reporting, and applies no enforcement, so there is no reason for any cold email domain to skip it.
Start at p=none on a fresh sending domain and watch the aggregate reports. After 4 to 6 weeks of clean SPF and DKIM passes, move to p=quarantine, which reads as a stronger trust signal. Keep p=reject for your main corporate domain, where anti-spoofing matters more than delivery edge cases.
Adding the three records takes about 15 minutes per domain, and DNS propagation usually finishes within an hour, though it can take up to 48 hours. The real timeline is the warmup that follows: 30 days before a new domain sends real cold email volume, because Google flags domains younger than that.
Run the domain through MXToolbox or Google's Admin Toolbox to validate syntax, then send a test email to a Gmail address and click Show original. You want SPF PASS, DKIM PASS, and DMARC PASS on one screen. Register the domain in Google Postmaster Tools afterward to monitor reputation and complaint rates over time.




.webp)