How to Configure SPF, DKIM & DMARC for Cold Email
If you've ever sent a cold email campaign and wondered why 40% of your emails never made it to the inbox — misconfigured DNS authentication is one of the most likely causes. SPF, DKIM, and DMARC are not just best practices. Since Google and Yahoo's February 2024 mandate, they're mandatory for bulk senders.
This guide explains exactly what each record does, how to configure it correctly, and how to verify your setup before you send a single cold email.
Why DNS Authentication Makes or Breaks Cold Email
Inbox providers like Gmail, Outlook, and Yahoo authenticate every incoming email against the sending domain's DNS records. This authentication answers one question: Is this email actually from who it claims to be from?
When authentication fails:
- Gmail rejects the email outright (with a p=reject DMARC policy)
- Gmail quarantines it (sends to spam with p=quarantine)
- The domain's reputation score drops with every failed authentication
- Subsequent campaigns from the same domain face increasing scrutiny
For cold email, where inbox placement is already challenging, authentication failures are catastrophic. A missing DMARC record can cut your inbox rate in half overnight.
What Is SPF and How to Configure It
SPF (Sender Policy Framework) is a DNS record that specifies which IP addresses and servers are authorized to send email on behalf of your domain.
When a receiving server gets an email from user@yourdomain.com, it checks the SPF record on yourdomain.com. If the sending IP is listed in the SPF record, authentication passes. If not, it fails.
SPF Record Syntax
SPF records are TXT records in your domain's DNS. The basic components:
v=spf1 [mechanisms] [qualifier]all
Common mechanisms:
- include:_spf.google.com — Authorizes Google's sending IPs (for Google Workspace)
- include:spf.protection.outlook.com — Authorizes Microsoft's sending IPs (for M365)
- ip4:203.0.113.0/24 — Authorizes a specific IP range
- a — Authorizes the domain's A record IP
Qualifiers:
- ~all — Soft fail: emails from unauthorized IPs are flagged but not rejected
- -all — Hard fail: emails from unauthorized IPs are rejected
- ?all — Neutral: no opinion (not recommended)
For Google Workspace only:
v=spf1 include:_spf.google.com ~all
For Microsoft 365 only:
v=spf1 include:spf.protection.outlook.com ~all
For both (common for hybrid setups):
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
SPF has a 10 DNS lookup limit. Each include: mechanism consumes one lookup, and so do any includes nested inside the records it pulls in (a, mx, ptr, exists and redirect= count as well). Adding too many includes (include:mailgun.org, include:sendgrid.net, etc.) can push you over the limit, causing SPF to fail. Use an SPF flattening tool if needed.
How to Verify Your SPF Record
- Go to MXToolbox SPF Lookup
- Enter your sending domain
- Verify: the record exists, has no syntax errors, stays under 10 DNS lookups, and ends with -all or ~all
- Confirm the sending IP of your mailbox is authorized
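The same checks can be scripted before a campaign. The checker below is an added example, not code from the original article: it applies the syntax and lookup rules above to an SPF record offline, counting only the lookups visible in the record itself (includes nested inside `_spf.google.com` and the like need live DNS resolution and are not counted, so passing here is necessary but not sufficient). The sample TXT answers are constructed.

```python
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10  # the RFC 7208 limit the article refers to

def check_spf(record: str) -> dict:
    """Static checks on one SPF TXT record; counts only lookups visible in this record."""
    terms = record.split()
    problems, lookups, all_qualifier = [], 0, None
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
    for term in terms[1:]:
        if "=" in term:                                   # modifier: redirect= or exp=
            if term.lower().startswith("redirect="):
                lookups += 1                              # redirect costs a lookup too
            continue
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:[:/](\S*))?", term, re.I)
        if not m:
            problems.append(f"unparseable term {term!r}")
            continue
        qual, mech = m.group(1) or "+", m.group(2).lower()
        if all_qualifier is not None:
            problems.append(f"term {term!r} after 'all' is ignored by receivers")
        elif mech in LOOKUP_MECHANISMS:
            lookups += 1
        elif mech == "all":
            all_qualifier = qual
        elif mech not in {"ip4", "ip6"}:
            problems.append(f"unknown mechanism {mech!r}")
    if all_qualifier is None:
        problems.append("record does not end with ~all or -all")
    elif all_qualifier in {"+", "?"}:
        problems.append(f"'{all_qualifier}all' lets any sender pass; use ~all or -all")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    return {"lookups": lookups, "all": all_qualifier, "problems": problems}

def check_spf_txt_set(txt_records: list) -> dict:
    """Run check_spf over all TXT answers at the root domain: exactly one may be SPF."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return {"lookups": 0, "all": None,
                "problems": [f"expected exactly one v=spf1 TXT record, found {len(spf)}"]}
    return check_spf(spf[0])

# Constructed sample: the hybrid record from the article plus an unrelated TXT entry
SAMPLE_TXT = ["v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all",
              "google-site-verification=example-token"]
```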
What Is DKIM and How to Configure It
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. This signature:
- Proves the email was sent by an authorized sender
- Proves the email content wasn't tampered with in transit
- Links the email to a specific domain (which builds reputation)
DKIM uses a public/private key pair. The private key signs outgoing emails. The public key is published in your DNS. Receiving servers use the public key to verify the signature.
DKIM Setup Process
DKIM is configured in your email provider's admin console, not manually.
For Google Workspace:
- Go to Google Admin Console → Apps → Google Workspace → Gmail → Authenticate email
- Select your domain
- Click "Generate new record"
- Copy the TXT record (hostname like google._domainkey.yourdomain.com)
- Add it to your domain's DNS as a TXT record
- Wait for DNS propagation (up to 72 hours)
- Click "Start Authentication" in Google Admin Console
For Microsoft 365:
- Go to Microsoft 365 Defender → Policies & Rules → Threat Policies → Email Authentication
- Select your domain → Enable DKIM
- Copy the two CNAME records provided
- Add them to your domain's DNS
- Click "Enable" after DNS propagation
Common DKIM Configuration Errors
| Error | Cause | Fix |
|---|---|---|
| "DKIM record not found" | DNS hasn't propagated or record added to wrong domain | Wait 24–48hrs; verify correct domain |
| "DKIM signature invalid" | Wrong DKIM selector in email headers | Confirm selector matches DNS record |
| "Multiple DKIM records conflict" | Old and new records both present | Remove old records |
| "Key too short (512-bit)" | Old 512-bit key (less secure) | Regenerate with 2048-bit key |
Always use 2048-bit DKIM keys in 2026. 1024-bit keys are being deprecated by major inbox providers and will trigger warnings in the near future. When setting up a new domain, always select 2048-bit during key generation.
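To confirm the key size actually published in DNS (the check behind the "Key too short" row above), the added example below, which is not from the original article, decodes the p= tag of a DKIM TXT record and reports the RSA modulus length. The record it tests against is constructed with a fake modulus so the parser has something to read; it is not a usable key, and a real check would feed in the TXT value fetched from selector._domainkey.yourdomain.com.

```python
import base64

def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER type-length-value encoder (long-form length when needed)."""
    n = len(body)
    if n < 128:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body

def _der_int(v: int) -> bytes:
    # one extra byte leaves a leading 0x00 when the top bit is set, keeping the INTEGER positive
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key: the structure a DKIM p= tag carries."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
    pub = _tlv(0x30, _der_int(n) + _der_int(e))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + pub))

def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def dkim_key_bits(txt_record: str) -> int:
    """Modulus size in bits of the RSA key published in a DKIM TXT record."""
    tags = dict(part.strip().split("=", 1) for part in txt_record.split(";") if "=" in part)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("only v=DKIM1 records with k=rsa are handled here")
    der = base64.b64decode(tags["p"])
    _, spki, _ = _read_tlv(der)                    # outer SEQUENCE
    _, _alg, after_alg = _read_tlv(spki)           # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _read_tlv(spki, after_alg)      # BIT STRING wrapping RSAPublicKey
    _, rsa_pub, _ = _read_tlv(bitstr[1:])          # first byte is the unused-bits count
    _, modulus, _ = _read_tlv(rsa_pub)             # INTEGER n precedes INTEGER e
    return int.from_bytes(modulus, "big").bit_length()

def constructed_dkim_record(bits: int) -> str:
    """CONSTRUCTED sample: a fake modulus of the requested size, not a usable key."""
    fake_modulus = (1 << (bits - 1)) | 0x10001
    key = base64.b64encode(rsa_spki_der(fake_modulus, 65537)).decode()
    return f"v=DKIM1; k=rsa; p={key}"
```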
What Is DMARC and How to Configure It
DMARC (Domain-based Message Authentication, Reporting & Conformance) is the policy layer that sits on top of SPF and DKIM. It tells receiving servers what to do when an email fails SPF or DKIM authentication.
DMARC also introduces the concept of alignment — the "From" domain in the email must match the domains used in SPF and DKIM authentication.
DMARC Policy Options
| Policy | What It Does | When to Use |
|---|---|---|
| p=none | Monitor only — emails pass regardless of auth failures | Starting out, gathering reports |
| p=quarantine | Failed emails go to spam | Standard for cold email |
| p=reject | Failed emails are rejected outright | Maximum protection; use after monitoring confirms everything works |
DMARC Record Syntax
DMARC records are added as TXT records at _dmarc.yourdomain.com.
Minimum viable DMARC (start here):
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Standard cold email DMARC:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
Maximum enforcement:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; pct=100
Tag explanations:
- p= — Policy (none/quarantine/reject)
- rua= — Email address to receive aggregate reports
- ruf= — Email address to receive forensic (per-email) reports
- pct= — Percentage of messages the policy applies to (100 = all)
- sp= — Subdomain policy (defaults to the p= value if omitted)
- adkim= — DKIM alignment (r=relaxed, s=strict)
- aspf= — SPF alignment (r=relaxed, s=strict)
Start with p=none and collect aggregate reports for 2 weeks before moving to p=quarantine. DMARC reports show you exactly which emails are failing authentication and why — before you start rejecting legitimate emails.
DMARC Alignment: The Requirement Most People Miss
DMARC doesn't just require SPF or DKIM to pass; it requires alignment. The domain in the email's "From" header must align with the domain verified by SPF or DKIM, and at least one of the two checks must both pass and align for DMARC to pass.
Example of alignment failure:
- Email "From:" user@yourcompany.com
- SPF passes for mail.yourcompany.com (not aligned under strict alignment, aspf=s)
- DKIM signed by subprocessor.com (not aligned)
- DMARC fails despite SPF and DKIM both passing
Fix: Ensure your email is sent From: the same domain that your SPF and DKIM authenticate.
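The following added example (not code from the original article) parses a _dmarc TXT record with the tag defaults described above and evaluates the alignment rule on the message from the example. It also shows the difference between strict and the default relaxed mode: with aspf=s the message fails exactly as described, while with the default aspf=r the subdomain mail.yourcompany.com shares its organizational domain with yourcompany.com, so SPF aligns and DMARC passes. The organizational-domain lookup is simplified to "last two labels" (real validators use the Public Suffix List); all domain names are constructed.

```python
DMARC_DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}

def parse_dmarc(record: str) -> dict:
    """Split a _dmarc TXT record into tags and apply the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("p= must be none, quarantine or reject")
    policy = {**DMARC_DEFAULTS, **tags}
    if policy["sp"] is None:            # sp= falls back to p= when omitted
        policy["sp"] = policy["p"]
    return policy

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (a real validator
    consults the Public Suffix List, so co.uk-style names need more care)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   policy_domain=None):
    """Return (dmarc_pass, disposition). spf_domain is the envelope MAIL FROM domain and
    dkim_domain the d= tag of the signature; either one passing AND aligning is enough."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # sp= applies when the record was found at the organizational domain for a subdomain From
    subdomain = policy_domain is not None and policy_domain.lower() != from_domain.lower()
    return False, policy["sp"] if subdomain else policy["p"]
```

The pct= tag is parsed but not applied; receivers use it to sample how many failing messages get the disposition, so a staged rollout should still rely on p=none reports first.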
Complete DNS Configuration Checklist
Before any cold email campaign, verify all three records for every sending domain:
SPF Checklist:
- TXT record exists at root domain (yourdomain.com)
- Record starts with v=spf1
- Includes the sending provider (Google or M365 or both)
- Ends with ~all or -all
- Under 10 DNS lookups total
- No duplicate SPF records (only one TXT record with v=spf1)
DKIM Checklist:
- DKIM key generated in email provider admin console
- TXT/CNAME record added at correct hostname (selector._domainkey.yourdomain.com)
- DNS propagation confirmed (72 hours max)
- Authentication started/enabled in email provider console
- 2048-bit key used (not 1024-bit)
DMARC Checklist:
- TXT record at _dmarc.yourdomain.com
- v=DMARC1 tag present
- Policy set (p=none minimum; p=quarantine recommended)
- rua= aggregate report address configured
- Check with p=none first; then escalate to p=quarantine after 2 weeks of clean reports
Verify with these tools:
Google & Yahoo Bulk Sender Requirements (2024 Mandate)
As of February 2024, Google and Yahoo require bulk senders (sending ≥5,000 emails/day to Gmail/Yahoo) to:
- SPF: Pass SPF authentication
- DKIM: Pass DKIM authentication with 1024-bit key minimum (2048-bit recommended)
- DMARC: Have a DMARC policy of at least p=none
- One-click unsubscribe: List-Unsubscribe header in email
- ≤0.10% spam rate: Keep Google Postmaster Tools spam rate below 0.10%
Even if you send fewer than 5,000 emails/day, these requirements are best practice and will become effectively universal.
The Auto-DNS Alternative
For agencies or teams managing 10+ domains, manually configuring DNS for every domain is error-prone and time-consuming.
Auto-DNS platforms automatically configure SPF, DKIM, and DMARC on every provisioned domain — correctly, aligned, with the right policies — within minutes of domain registration.
This eliminates:
- Human error in DNS entry
- Forgot-to-configure domains
- Mismatched selectors
- Wrong alignment settings
- The 30-minute-per-domain configuration overhead
At 5 domains, manual DNS is manageable. At 50 domains, it's a 25-hour job. At 150 domains, it requires a dedicated person.
Key Takeaways
- SPF, DKIM, and DMARC are all mandatory for cold email deliverability — missing any one of them reduces inbox placement by 30–50%
- SPF authorizes sending IPs; use include:_spf.google.com for Google Workspace and include:spf.protection.outlook.com for M365
- DKIM adds a cryptographic signature; always use 2048-bit keys; configured in email provider admin, not manually
- DMARC sets the policy for authentication failures; start with p=none, collect reports for 2 weeks, then escalate to p=quarantine
- DMARC alignment requires the "From" domain to match the SPF/DKIM authenticated domain
- Google and Yahoo now require DMARC for bulk senders (≥5,000 emails/day)
- Verify all three records with MXToolbox before any campaign
For the complete infrastructure stack guide, see Cold Email Infrastructure Tools. For how to avoid DNS errors at scale, see How to Set Up a Scalable Cold Email Infrastructure.
coldBirds automatically configures SPF, DKIM, and DMARC on every domain you provision — correct, aligned, and verified. No manual DNS entry, no configuration errors.