March 29, 2026 · 12 min read

How to Set Up SPF, DKIM & DMARC for Cold Email (2026 Guide)

If you're sending cold email without proper DNS authentication, your messages are going straight to spam. Google and Microsoft now require SPF, DKIM, and DMARC for bulk senders. Here's exactly how to set them up — with real examples and common mistakes to avoid.

โš ๏ธ 2025-2026 Enforcement Update Google requires DMARC for senders of 5,000+ messages/day. Microsoft (Outlook.com) began enforcing similar rules in early 2025. Even if you send fewer emails, proper authentication is now table stakes for inbox placement.

Why This Matters for Cold Email

Cold email is harder than warm email. Your recipients didn't ask to hear from you, so mailbox providers are extra suspicious. Without authentication:

The fix is three DNS records: SPF, DKIM, and DMARC. Think of them as a three-part ID check that proves you are who you say you are.

The Three Records Explained

| Record | What It Does | Type |
|---|---|---|
| SPF | Lists which servers are allowed to send email for your domain | TXT |
| DKIM | Adds a digital signature to every email, proving it wasn't tampered with | TXT (CNAME) |
| DMARC | Tells receiving servers what to do when SPF/DKIM fail, and sends you reports | TXT |

All three go in your domain's DNS settings. Most domain registrars (Namecheap, Cloudflare, GoDaddy) have a DNS management panel where you add these.

1. Set Up SPF

SPF (Sender Policy Framework) tells the world: "Only these servers can send email from my domain." Add a single TXT record at your domain root.

For Google Workspace

v=spf1 include:_spf.google.com ~all

For Microsoft 365

v=spf1 include:spf.protection.outlook.com ~all

For cold email tools (Instantly, Smartlead, etc.)

Each tool has its own SPF include. Example with Google Workspace + Instantly:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

❌ Common Mistake: Multiple SPF Records. You can only have one SPF record per domain. If you need multiple senders, combine them in one record with multiple include: statements. Two separate SPF TXT records = both break.

SPF Lookup Limit

SPF allows a maximum of 10 DNS lookups. Each include: counts as one, plus any nested includes. If you exceed 10, SPF fails silently. Cold emailers with many tools often hit this limit.

Fix: Use an SPF flattening service (like include:_spf.yourtool.com instead of listing individual IPs), or consolidate sending through fewer providers.
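The two SPF failure modes above (duplicate records and the 10-lookup limit) can be checked before a record goes live. This is an added example, not code from the original post: it walks nested includes over constructed TXT data standing in for DNS, and every domain name in it is hypothetical. Under RFC 7208 both conditions give a permerror result at the receiver.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF check
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data standing in for live DNS (all names are hypothetical).
LEAF = "v=spf1 ip4:192.0.2.0/24 ~all"
ZONE = {
    "good.example": ["v=spf1 include:_spf.esp.example ~all"],
    "_spf.esp.example": ["v=spf1 include:_nb1.esp.example include:_nb2.esp.example ~all"],
    "_nb1.esp.example": [LEAF], "_nb2.esp.example": [LEAF],
    "heavy.example": ["v=spf1 mx a include:_spf.esp.example "
                      + " ".join(f"include:t{i}.example" for i in range(1, 6)) + " ~all"],
    "dup.example": ["v=spf1 include:_spf.esp.example ~all",
                    "v=spf1 include:t1.example ~all"],
}
ZONE.update({f"t{i}.example": ["v=spf1 include:_nb1.esp.example ~all"] for i in range(1, 6)})


def spf_records(domain, zone):
    """Return every TXT string at `domain` that is an SPF record."""
    return [t for t in zone.get(domain, []) if re.match(r"v=spf1(\s|$)", t, re.I)]


def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from `domain`, following includes."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    records = spf_records(domain, zone)
    if len(records) > 1:
        raise ValueError(f"multiple SPF records at {domain}")
    total = 0
    for term in (records[0].split()[1:] if records else []):
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
        name, target = m.group(1), m.group(2)
        if name in QUERYING:
            total += 1  # this term costs one lookup by itself
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, path + (domain,))
    return total


def audit(domain, zone=ZONE):
    """Return (verdict, lookups) for the SPF record published at `domain`."""
    try:
        n = count_lookups(domain, zone)
    except ValueError as err:
        return (f"permerror: {err}", None)
    return ("ok" if n <= LIMIT else "permerror: over 10 lookups", n)
```

To run it against real domains, replace the `ZONE` lookup in `spf_records` with a TXT query from a resolver library; macros in SPF terms are not expanded here.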

2. Set Up DKIM

DKIM (DomainKeys Identified Mail) cryptographically signs each email. The receiving server checks the signature against a public key in your DNS.

DKIM setup varies by email provider, but the pattern is always:

  1. Generate a DKIM key pair in your email provider's admin panel
  2. They give you a CNAME or TXT record to add to DNS
  3. Add it, wait for DNS propagation (5-60 minutes)
  4. Verify in the provider's panel

Google Workspace DKIM

  1. Go to Admin Console → Apps → Google Workspace → Gmail → Authenticate Email
  2. Click Generate New Record (choose 2048-bit)
  3. Copy the TXT record value
  4. Add a TXT record in DNS:
    Host: google._domainkey
    Value: v=DKIM1; k=rsa; p=MIIBIj... (the long key they gave you)
  5. Click Start Authentication in Google Admin

Microsoft 365 DKIM

  1. Go to Microsoft 365 Defender → Email & Collaboration → Policies → DKIM
  2. Select your domain and enable DKIM signing
  3. Add the two CNAME records they provide to DNS

Cold Email Tool DKIM

Tools like Instantly, Smartlead, and Lemlist usually handle DKIM through your email provider (Google Workspace or Microsoft 365). Your provider's DKIM covers emails sent through their servers.

If your cold email tool sends through their own servers (e.g., via SendGrid, AWS SES), they'll provide separate DKIM records to add.

✅ Pro Tip: Use 2048-bit Keys. Always choose 2048-bit DKIM keys over 1024-bit when given the option. Longer keys are harder to crack and increasingly expected by mailbox providers.

3. Set Up DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together. It tells receiving servers: "If an email from my domain fails SPF and DKIM, here's what to do."

Add a TXT record at _dmarc.yourdomain.com:

Start with monitor mode (recommended)

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

This doesn't block anything — it just sends you reports so you can see who's sending as your domain. Run this for 2-4 weeks before tightening.

Then upgrade to quarantine

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100

This sends failing emails to spam instead of the inbox.

Finally, enforce reject (strongest)

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100

This tells receiving servers to reject any email that fails both SPF and DKIM. Only do this once you're confident all legitimate sending is authenticated.

💡 The Upgrade Path: p=none (monitor) → p=quarantine (spam) → p=reject (block). Don't jump straight to reject on a cold email domain. Start with none, verify your reports are clean, then escalate over 2-4 weeks.
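How a receiver turns SPF and DKIM results into a DMARC outcome, and why each policy stage matters, is easier to see in code. This is an added example, not code from the original post: outreach.example and tool.example are hypothetical, the scenarios are constructed, and the organizational domain is approximated as the last two labels (real receivers use the Public Suffix List). The pct tag is parsed but sampling is not modelled.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT value into tags; v=DMARC1 must come first."""
    pairs = [tuple(s.strip() for s in part.split("=", 1))
             for part in txt.split(";") if part.strip()]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("not a DMARC record")
    tags = dict(pairs)
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags


def org_domain(name):
    # Assumption for this sketch: the organizational domain is the last two
    # labels. Real receivers consult the Public Suffix List instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match); anything else = relaxed (same org domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf, dkim):
    """spf/dkim are (result, domain) pairs; returns 'pass' or the p= policy applied."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    # DMARC passes when either mechanism passes AND its domain aligns with From.
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed scenarios for a hypothetical sending domain outreach.example.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@outreach.example"
REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@outreach.example; pct=100"
FROM = "outreach.example"
CASES = {
    # (SPF result, envelope domain), (DKIM result, d= domain)
    "direct": (("pass", "bounce.outreach.example"), ("pass", "outreach.example")),
    "forwarded": (("fail", "outreach.example"), ("pass", "outreach.example")),
    "tool_unaligned": (("pass", "mail.tool.example"), ("pass", "tool.example")),
}

if __name__ == "__main__":
    for name, (spf, dkim) in CASES.items():
        print(name, evaluate(MONITOR, FROM, spf, dkim), evaluate(REJECT, FROM, spf, dkim))
```

The tool_unaligned case passes both SPF and DKIM yet still fails DMARC because neither domain matches the From address; under p=none that only shows up in reports, which is the reason to review them before moving to quarantine or reject.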

4. Verify Everything Works

After adding all three records, you need to verify they're working. DNS can take up to 48 hours to propagate, but usually it's under an hour.

What you're looking for in a healthy domain check:

Cold Email Domain Setup Checklist

If you're setting up new sending domains for cold email, follow this order:

  1. Buy the domain — use a reputable registrar (Namecheap, Cloudflare, Porkbun)
  2. Set up email hosting — Google Workspace ($7.20/user/mo) or Microsoft 365 ($6/user/mo)
  3. Add SPF record — include your email provider + any cold email tool servers
  4. Enable DKIM — generate keys in your email provider's admin panel
  5. Add DMARC record — start with p=none
  6. Set up MX records — usually auto-configured by your email provider
  7. Add a website — even a simple landing page helps reputation. Bare domains look suspicious.
  8. Warm up the domain — send gradually increasing volume over 2-4 weeks before cold outreach
  9. Verify with MailVital — run a batch check on all your domains
  10. Monitor ongoing — set up monitoring alerts for score drops

Managing Multiple Cold Email Domains

Cold email operators typically rotate across 5-50+ domains. Here are the challenges and how to handle them:

Domain Rotation Strategy

DNS Template

Create a template for each new domain. Every domain needs identical records:

# SPF (adjust includes for your stack)
v=spf1 include:_spf.google.com ~all

# DKIM (generated per-domain in Google Workspace)
# Host: google._domainkey
# Value: v=DKIM1; k=rsa; p=... (unique per domain)

# DMARC
# Host: _dmarc
v=DMARC1; p=none; rua=mailto:dmarc@yourbrand.com

Monitoring at Scale

The biggest risk with many domains is silent failures. A DNS record expires, a provider changes their SPF, or a domain lands on a blacklist — and you don't know until replies dry up.

Common Mistakes (and How to Fix Them)

1. Multiple SPF records

Symptom: SPF check fails even though you added the record.
Cause: Two TXT records starting with v=spf1.
Fix: Merge into one record. Use include: for each sender.

2. DKIM not enabled after adding DNS record

Symptom: DKIM record is in DNS but emails aren't signed.
Cause: You added the DNS record but didn't click "Enable" in the provider.
Fix: Go back to Google Admin / Microsoft 365 and toggle DKIM signing on.

3. Jumping straight to DMARC p=reject

Symptom: Legitimate emails getting rejected.
Cause: DMARC reject policy blocks emails that fail alignment (common with forwarding).
Fix: Start with p=none, review reports for 2 weeks, then escalate.

4. No MX record on cold email domain

Symptom: Low inbox rate even with SPF/DKIM/DMARC perfect.
Cause: No MX record = domain can't receive email = looks suspicious to filters.
Fix: Set up MX records (your email provider configures these when you add the domain).

5. Not warming up new domains

Symptom: Everything passes authentication but emails still land in spam.
Cause: Brand new domains have zero reputation. Sending 500 cold emails day one looks like spam.
Fix: Gradual warmup: 10-20 emails/day for week 1, doubling each week for 2-4 weeks. Use warm-up tools if needed.

TL;DR — Quick Setup

  1. Add SPF TXT record → v=spf1 include:_spf.google.com ~all
  2. Enable DKIM in Google Admin / Microsoft 365 → add DNS record they provide
  3. Add DMARC TXT record → v=DMARC1; p=none; rua=mailto:you@yourdomain.com
  4. Verify all records → MailVital Batch Checker
  5. Warm up for 2-4 weeks before cold outreach
  6. Monitor ongoing → MailVital Dashboard

Total time: 15-30 minutes per domain (less with a template). The payoff: dramatically higher inbox rates and protected domain reputation.
