# SPF, DKIM & DMARC: The Complete Cold Email Setup Guide for 2026

*Published: 02/12/2026*

Learn how to set up SPF, DKIM, and DMARC records correctly. Step-by-step guide with screenshots to improve cold email deliverability and avoid spam folders.


---

## Introduction
Your cold emails are landing in spam. Not because your copy is bad—because your email authentication is broken.

We've audited 500+ cold email infrastructures. The same mistakes show up every time: missing SPF records, broken DKIM signatures, and DMARC policies set incorrectly.

This guide shows you exactly how to set up SPF, DKIM, and DMARC the right way. No fluff. Just the steps that actually matter for cold email deliverability.

**What you'll learn:**

- What SPF, DKIM, and DMARC actually do (in plain English)

- Step-by-step setup for each record

- Common mistakes that destroy deliverability

- How to verify everything is working

Let's fix your inbox placement.

---

## Table of Contents

- Why Email Authentication Matters for Cold Email

- SPF: Who Can Send From Your Domain

- DKIM: Digital Signature for Your Emails

- DMARC: The Policy That Ties It Together

- Step-by-Step Setup Guide

- Common Mistakes (And How to Avoid Them)

- How to Verify Your Setup

- FAQ

---

## Why Email Authentication Matters for Cold Email
Email providers don't trust you by default. They trust DNS records.

When you send a cold email, Gmail and Outlook ask three questions:

- **SPF:** Is this sender authorized to use this domain?

- **DKIM:** Was this email tampered with in transit?

- **DMARC:** What should we do if SPF or DKIM fails?

If you can't answer all three correctly, your emails go to spam. Simple as that.

**The numbers:**

- Emails without proper authentication see 10-20% lower inbox placement

- Google's 2024 bulk sender requirements made authentication mandatory

- 98% of spam filters check these records before anything else

Your subject line doesn't matter if you never reach the inbox.

---

## SPF: Who Can Send From Your Domain
**SPF (Sender Policy Framework)** tells email providers which servers are allowed to send emails from your domain.

Think of it like a guest list. If the sending server isn't on the list, the email gets flagged.

### What an SPF Record Looks Like
`v=spf1 include:_spf.google.com include:sendgrid.net -all`

Breaking it down:

- `v=spf1` — This is an SPF record (version 1)

- `include:_spf.google.com` — Google Workspace can send from this domain

- `include:sendgrid.net` — SendGrid can send from this domain

- `-all` — Reject anything not on this list

### SPF Qualifiers Explained
| Qualifier | Meaning | Use Case |
|-----------|---------|----------|
| `+all` | Allow everything | Never use this |
| `-all` | Hard fail (reject) | Recommended for cold email |
| `~all` | Soft fail (mark suspicious) | Okay during testing |
| `?all` | Neutral | Pointless, avoid |

**For cold email, always use `-all`.** Soft fail (`~all`) is for companies still figuring out their sending infrastructure. You're not testing—you're sending at scale.

### The 10 DNS Lookup Limit
SPF has a hard limit: **10 DNS lookups maximum.**

Every `include:` statement counts as a lookup. Nested includes count too.

**What happens if you exceed 10?**

Your SPF record breaks. Completely. Email providers treat it as if you have no SPF at all.

**How to check your lookup count:**

Use [MXToolbox SPF Lookup](https://mxtoolbox.com/spf.aspx) — it shows your total lookups.

**How to fix it:**

- Flatten your SPF record (replace includes with IP addresses)

- Remove services you no longer use

- Use an SPF flattening service for complex setups
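
The lookup limit and the one-record rule can be checked offline before publishing a change. The following is an added example, not code from this guide: it audits SPF records held in a constructed in-memory zone (all domain names are placeholders) and, going slightly beyond the `include:` case described above, also counts the other terms that cost a DNS query (`a`, `mx`, `ptr`, `exists`, `redirect`).

```python
import re

# Constructed zone data standing in for live TXT lookups (all names are placeholders).
ZONE = {
    "example.test": ["v=spf1 include:_spf.mail.test include:bulk.test mx -all"],
    "_spf.mail.test": ["v=spf1 include:_a.mail.test include:_b.mail.test ~all"],
    "_a.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "bulk.test": ["v=spf1 a mx exists:%{i}.rbl.test include:_a.mail.test -all"],
    "over.test": ["v=spf1 include:example.test include:_b.mail.test -all"],
    "dup.test": ["v=spf1 include:_a.mail.test -all", "v=spf1 include:_b.mail.test -all"],
}
LOOKUP_LIMIT = 10  # the limit described in this section
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

def spf_records(domain, zone):
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count terms that cost a DNS query, following nested include/redirect targets."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:   # include loop, or no usable record
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        name, target = TERM.match(term).groups()
        if name in ("include", "redirect") and target:
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1
    return total

def audit(domain, zone=ZONE):
    """Return a list of findings; an empty list means the record passes these checks."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return [f"{len(records)} SPF records published; exactly one is required"]
    findings = []
    lookups = count_lookups(domain, zone)
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {LOOKUP_LIMIT}")
    last = records[0].lower().split()[-1]
    if last in ("+all", "all"):
        findings.append("ends in +all: any server is authorized")
    elif last in ("~all", "?all"):
        findings.append(f"ends in {last}: not a hard fail")
    return findings
```

Here `example.test` sits at 9 lookups, so adding a single further include (as `over.test` does) pushes the record over the limit.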

---

## DKIM: Digital Signature for Your Emails
**DKIM (DomainKeys Identified Mail)** adds a cryptographic signature to every email you send.

It proves two things:

- The email actually came from your domain

- Nobody modified it in transit

### How DKIM Works

- Your email server signs outgoing emails with a private key

- You publish the public key in your DNS

- Receiving servers verify the signature matches

If the signature is valid, the email passes DKIM. If it's invalid (or missing), it fails.

### What a DKIM Record Looks Like
`selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQ..."`

Breaking it down:

- `selector` — Identifies which key to use (you can have multiple)

- `_domainkey` — Standard DKIM identifier

- `v=DKIM1` — DKIM version

- `k=rsa` — Key type (RSA encryption)

- `p=...` — The actual public key

### DKIM Best Practices for Cold Email

- **Use 2048-bit keys** — 1024-bit is outdated and less secure

- **Rotate keys annually** — Old keys can be compromised

- **Set up DKIM for every sending service** — Each tool (Instantly, Smartlead, etc.) needs its own DKIM record

- **Use unique selectors** — Don't reuse selectors across services

**Common mistake:** Adding DKIM for Google Workspace but forgetting your cold email tool. Now half your emails fail DKIM.

---

## DMARC: The Policy That Ties It Together
**DMARC (Domain-based Message Authentication, Reporting & Conformance)** tells email providers what to do when SPF or DKIM fails.

It's the enforcement layer. Without DMARC, your SPF and DKIM records are suggestions. With DMARC, they're rules.

### What a DMARC Record Looks Like
`_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100"`

Breaking it down:

- `v=DMARC1` — DMARC version

- `p=reject` — Policy: reject emails that fail

- `rua=mailto:...` — Where to send aggregate reports

- `pct=100` — Apply policy to 100% of emails

### DMARC Policies Explained
| Policy | What It Does | When to Use |
|--------|--------------|-------------|
| `p=none` | Monitor only, don't enforce | First 2-4 weeks of setup |
| `p=quarantine` | Send failures to spam | After confirming setup works |
| `p=reject` | Block failures entirely | Once you're confident |

### The DMARC Progression
**Week 1-4:** Start with `p=none`

- Collect reports

- Identify any legitimate emails failing authentication

- Fix issues before enforcing

**Week 5-8:** Move to `p=quarantine`

- Failures go to spam instead of inbox

- Monitor for any problems

- Should see minimal false positives

**Week 9+:** Move to `p=reject`

- Full enforcement

- Unauthorized emails are blocked

- Maximum protection for your domain reputation

**Don't skip to `p=reject` immediately.** You'll block legitimate emails and damage your own campaigns.
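
The monitoring phase only helps if the `rua` reports are actually read. The following added example (not from this guide or from any reporting tool) triages one aggregate report and lists which source IPs would lose mail under `p=quarantine` or `p=reject`; the XML is a constructed sample trimmed to the fields used, and the IP addresses are documentation placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate (rua) report, trimmed to the fields read below.
# Real reports arrive by email from third parties: parse them with a hardened
# XML parser and treat every field as untrusted input.
REPORT = """<feedback>
 <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>15</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
</feedback>"""

def triage(report_xml):
    """Sum message counts per source IP, split by the DMARC-evaluated DKIM/SPF results."""
    root = ET.fromstring(report_xml)
    total, failing, partial = 0, Counter(), Counter()
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        total += count
        if dkim != "pass" and spf != "pass":
            failing[ip] += count    # fails DMARC: affected once the policy is enforced
        elif dkim != "pass" or spf != "pass":
            partial[ip] += count    # passes DMARC on a single mechanism only
    return {
        "policy": root.findtext("policy_published/p"),
        "total": total,
        "dmarc_fail": dict(failing),
        "one_mechanism_only": dict(partial),
    }

def fail_rate(summary):
    """Share of reported messages that fail DMARC outright."""
    failed = sum(summary["dmarc_fail"].values())
    return failed / summary["total"] if summary["total"] else 0.0
```

Sources listed under `dmarc_fail` are either a legitimate service that still needs SPF/DKIM set up or mail you did not send; sources under `one_mechanism_only` still pass but have no fallback if their remaining mechanism breaks.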

### DMARC Alignment
DMARC checks that your SPF and DKIM domains **align** with your From address.

Two alignment modes:

- **Strict (`aspf=s`, `adkim=s`):** Exact domain match required

- **Relaxed (`aspf=r`, `adkim=r`):** Subdomains okay

**For cold email, use relaxed alignment.** Strict alignment breaks if you send from `mail.yourdomain.com` but your From address is `yourdomain.com`.
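
Alignment is why a message can show SPF and DKIM both passing and still fail DMARC. This added example (not from the guide) evaluates the DMARC outcome for constructed results; `tool.test` is a placeholder for a sending service's own domain, and the organizational domain is approximated as the last two labels, an assumption that real evaluators replace with the Public Suffix List.

```python
def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List here).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf = (result, MAIL FROM domain); dkim = list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim) for r, d in dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed cases, all with From: someone@yourdomain.com
FROM = "yourdomain.com"

def sent_from_subdomain(mode):
    # SPF passes for the bounce domain mail.yourdomain.com, no DKIM signature.
    return dmarc_result(FROM, ("pass", "mail.yourdomain.com"), [], aspf=mode, adkim=mode)

def tool_with_default_signing():
    # The tool authenticates its own domain: both checks pass, neither aligns.
    return dmarc_result(FROM, ("pass", "bounce.tool.test"), [("pass", "tool.test")])

def tool_with_custom_dkim():
    # Same tool after publishing a DKIM key under yourdomain.com.
    return dmarc_result(FROM, ("pass", "bounce.tool.test"),
                        [("pass", "tool.test"), ("pass", "yourdomain.com")])
```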

---

## Step-by-Step Setup Guide

### Prerequisites

- Access to your domain's DNS settings

- Admin access to your email provider (Google Workspace, Microsoft 365, etc.)

- Admin access to your cold email tool (Instantly, Smartlead, etc.)

### Step 1: Set Up SPF

- Log into your DNS provider (GoDaddy, Cloudflare, Namecheap, etc.)

- Find DNS settings for your domain

- Look for an existing TXT record starting with `v=spf1`

- If none exists, create a new TXT record:

  - **Host/Name:** `@` (or leave blank)

  - **Type:** TXT

  - **Value:** `v=spf1 include:_spf.google.com -all`

- Add includes for each sending service:

  - Google Workspace: `include:_spf.google.com`

  - Microsoft 365: `include:spf.protection.outlook.com`

  - Instantly: `include:_spf.instantly.ai`

  - Smartlead: `include:_spf.smartlead.ai`

  - SendGrid: `include:sendgrid.net`

**Example combined SPF:**

`v=spf1 include:_spf.google.com include:_spf.instantly.ai -all`

### Step 2: Set Up DKIM
**For Google Workspace:**

- Go to Admin Console → Apps → Google Workspace → Gmail

- Click "Authenticate email"

- Select your domain

- Click "Generate new record"

- Choose 2048-bit key length

- Copy the TXT record value

- Add it to your DNS:

  - **Host/Name:** `google._domainkey`

  - **Type:** TXT

  - **Value:** [paste the key]

- Wait 24-48 hours for DNS propagation

- Return to Admin Console and click "Start authentication"

**For your cold email tool:**

Check their documentation for specific DKIM setup. Most provide:

- A selector name (e.g., `instantly`, `smartlead`)

- A DKIM key value to add to DNS

### Step 3: Set Up DMARC

- Add a new TXT record to your DNS:

  - **Host/Name:** `_dmarc`

  - **Type:** TXT

  - **Value:** `v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com`

- Replace `dmarc@yourdomain.com` with a real email address to receive reports

- Monitor reports for 2-4 weeks

- Once confident, update to `p=quarantine`:

  `v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100`

- After another 2-4 weeks with no issues, update to `p=reject`:

  `v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100`

---

## Common Mistakes That Destroy Deliverability

### Mistake 1: Multiple SPF Records
**Problem:** You can only have ONE SPF record per domain. Multiple records = both are invalid.

**Fix:** Combine all includes into a single SPF record.

❌ Wrong:

`v=spf1 include:_spf.google.com -all`

`v=spf1 include:sendgrid.net -all`

✅ Right:

`v=spf1 include:_spf.google.com include:sendgrid.net -all`

### Mistake 2: Exceeding 10 DNS Lookups
**Problem:** SPF breaks silently when you exceed 10 lookups.

**Fix:** Audit your includes. Remove unused services. Flatten if needed.

### Mistake 3: Forgetting DKIM for Your Cold Email Tool
**Problem:** Google Workspace DKIM doesn't cover emails sent through Instantly/Smartlead.

**Fix:** Set up separate DKIM records for each sending service.

### Mistake 4: Starting DMARC with p=reject
**Problem:** You'll block your own legitimate emails before finding issues.

**Fix:** Always start with `p=none`, monitor, then escalate.

### Mistake 5: Using Soft Fail (~all) Forever
**Problem:** Soft fail doesn't actually protect your domain reputation.

**Fix:** Move to hard fail (`-all`) once your setup is confirmed working.

### Mistake 6: Not Setting Up DMARC at All
**Problem:** Without DMARC, SPF and DKIM failures are just logged, not acted on.

**Fix:** Even `p=none` is better than nothing. Set it up.

---

## How to Verify Your Setup

### Free Tools to Check Your Records
**MXToolbox:** [mxtoolbox.com](https://mxtoolbox.com)

- SPF lookup: mxtoolbox.com/spf.aspx

- DKIM lookup: mxtoolbox.com/dkim.aspx

- DMARC lookup: mxtoolbox.com/dmarc.aspx

**Google Admin Toolbox:** [toolbox.googleapps.com/apps/checkmx](https://toolbox.googleapps.com/apps/checkmx)

- Comprehensive check for Google Workspace users

**Mail-tester:** [mail-tester.com](https://mail-tester.com)

- Send a test email, get a deliverability score

- Shows exactly what's passing/failing

### What "Passing" Looks Like
**SPF Check:**

- Status: Pass

- Record found: Yes

- Lookups: Under 10

- Mechanism: `-all`

**DKIM Check:**

- Status: Pass

- Key found: Yes

- Key size: 2048-bit

- Signature valid: Yes

**DMARC Check:**

- Status: Pass

- Policy: `reject` (or `quarantine`)

- Alignment: Passing

### Send a Test Email

- Send an email to a Gmail account you control

- Open the email

- Click the three dots → "Show original"

- Look for:

  - `SPF: PASS`

  - `DKIM: PASS`

  - `DMARC: PASS`

If any show FAIL, go back and fix it.

---

## Frequently Asked Questions

### How long does DNS propagation take?
Usually 15 minutes to 4 hours. Sometimes up to 48 hours. Check with multiple tools before assuming it's not working.

### Do I need all three (SPF, DKIM, DMARC)?
Yes. They work together. Missing any one weakens the others.

### Can I use the same SPF record for multiple domains?
No. Each domain needs its own SPF record tailored to its sending services.

### What if I'm using multiple cold email tools?
Add includes for all of them in your SPF record. Set up separate DKIM records for each.

### How often should I audit my records?
Quarterly, minimum. More often if you're adding new sending services or seeing deliverability drops.

### My emails still go to spam after setup. Why?
Authentication is necessary but not sufficient. You also need:

- Proper email warmup

- Good sender reputation

- Quality content (no spam triggers)

- Clean lists (low bounces)

Authentication gets you in the door. Everything else keeps you there.

---

## Next Steps
Email authentication is the foundation. Without it, nothing else matters.

But it's just the first step. Once your SPF, DKIM, and DMARC are set up correctly, you need to:

- Warm up your domains properly

- Build quality lists

- Write copy that converts

- Monitor deliverability continuously

**Need help with your cold email infrastructure?**

We've set up deliverability for 50+ B2B companies, sending millions of emails monthly. [Book a free audit](https://buzzlead.io/contact) and we'll review your current setup.

---

*Last updated: February 2026*


---

Source: https://buzzlead.io/blogs/spf-dkim-dmarc-complete-guide