01/22/2026
SPF, DKIM & DMARC: The Complete Cold Email Setup Guide for 2026
Your cold emails are landing in spam. Not because your copy is bad—because your email authentication is broken.
We've audited 500+ cold email infrastructures. The same mistakes show up every time: missing SPF records, broken DKIM signatures, and DMARC policies set incorrectly.
This guide shows you exactly how to set up SPF, DKIM, and DMARC the right way. No fluff. Just the steps that actually matter for cold email deliverability.
What you'll learn:
What SPF, DKIM, and DMARC actually do (in plain English)
Step-by-step setup for each record
Common mistakes that destroy deliverability
How to verify everything is working
Let's fix your inbox placement.
Why Email Authentication Matters for Cold Email
Email providers don't trust you by default. They trust DNS records.
When you send a cold email, Gmail and Outlook ask three questions:
SPF: Is this sender authorized to use this domain?
DKIM: Was this email tampered with in transit?
DMARC: What should we do if SPF or DKIM fails?
If you can't answer all three correctly, your emails go to spam. Simple as that.
The numbers:
Emails without proper authentication see 10-20% lower inbox placement
Google's 2024 bulk sender requirements made authentication mandatory
98% of spam filters check these records before anything else
Your subject line doesn't matter if you never reach the inbox.
SPF: Who Can Send From Your Domain
SPF (Sender Policy Framework) tells email providers which servers are allowed to send emails from your domain.
Think of it like a guest list. If the sending server isn't on the list, the email gets flagged.
What an SPF Record Looks Like
v=spf1 include:_spf.google.com include:sendgrid.net -all
Breaking it down:
v=spf1 — This is an SPF record (version 1)
include:_spf.google.com — Google Workspace can send from this domain
include:sendgrid.net — SendGrid can send from this domain
-all — Reject anything not on this list
SPF Qualifiers Explained
| Qualifier | Meaning | Use Case |
|---|---|---|
| +all | Allow everything | Never use this |
| -all | Hard fail (reject) | Recommended for cold email |
| ~all | Soft fail (mark suspicious) | Okay during testing |
| ?all | Neutral | Pointless, avoid |
For cold email, always use -all. Soft fail (~all) is for companies still figuring out their sending infrastructure. You're not testing—you're sending at scale.
The 10 DNS Lookup Limit
SPF has a hard limit: 10 DNS lookups maximum.
Every include: statement counts as a lookup. Nested includes count too.
What happens if you exceed 10? Your SPF record breaks. Completely. Email providers treat it as if you have no SPF at all.
How to check your lookup count: Use MXToolbox SPF Lookup (mxtoolbox.com/spf.aspx) — it shows your total lookups.
How to fix it:
Flatten your SPF record (replace includes with IP addresses)
Remove services you no longer use
Use an SPF flattening service for complex setups
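To see how nested includes add up before you publish, the added example below (not part of the original guide) counts lookups over a constructed in-memory zone instead of live DNS. It counts every term RFC 7208 charges against the limit (include, a, mx, ptr, exists and redirect), not only include:. All domain names in ZONE are made up.

```python
import re

# Constructed zone standing in for live DNS TXT answers; every name is made up.
ZONE = {
    "ok.test": ["v=spf1 include:_spf.mail.test include:_spf.tool.test mx -all"],
    "bloated.test": ["v=spf1 a mx include:_spf.mail.test include:_spf.tool.test "
                     "include:_spf.crm.test -all"],
    "dup.test": ["v=spf1 include:_n1.mail.test -all", "v=spf1 ip4:203.0.113.5 -all"],
    "_spf.mail.test": ["v=spf1 include:_n1.mail.test include:_n2.mail.test ~all"],
    "_spf.tool.test": ["v=spf1 a:out.tool.test exists:%{i}.bl.tool.test ~all"],
    "_spf.crm.test": ["v=spf1 include:_n1.mail.test include:_n2.mail.test "
                      "redirect=_spf.tool.test"],
    "_n1.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_n2.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
}

class SPFError(Exception):
    """Record problem that stops evaluation: duplicate, missing target or loop."""

def spf_record(domain, zone):
    """Return the single SPF TXT record for a domain; zero or several is an error."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise SPFError(f"{domain}: expected 1 SPF record, found {len(found)}")
    return found[0]

def count_lookups(domain, zone, path=()):
    """Worst-case count of the DNS-querying terms, following nested records."""
    if domain in path:
        raise SPFError("include loop: " + " -> ".join(path + (domain,)))
    total = 0
    for term in spf_record(domain, zone).split()[1:]:
        name, *arg = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)
        if name in ("include", "redirect") and arg:
            total += 1 + count_lookups(arg[0], zone, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1  # ip4, ip6 and all need no query, so they are free
    return total

def audit(domain, zone=ZONE, limit=10):
    """Summarise a domain as 'ok (n lookups)' or 'broken (reason)'."""
    try:
        n = count_lookups(domain, zone)
    except SPFError as exc:
        return f"broken ({exc})"
    return f"ok ({n} lookups)" if n <= limit else f"broken ({n} lookups, limit {limit})"

if __name__ == "__main__":
    for d in ("ok.test", "bloated.test", "dup.test"):
        print(d, "->", audit(d))
```

In the sample zone, bloated.test lists only three includes plus a and mx at the top level, yet reaches 14 lookups once the nested records are followed.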
DKIM: Digital Signature for Your Emails
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send.
It proves two things:
The email actually came from your domain
Nobody modified it in transit
How DKIM Works
Your email server signs outgoing emails with a private key
You publish the public key in your DNS
Receiving servers verify the signature matches
If the signature is valid, the email passes DKIM. If it's invalid (or missing), it fails.
What a DKIM Record Looks Like
selector._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQ..."
Breaking it down:
selector — Identifies which key to use (you can have multiple)
_domainkey — Standard DKIM identifier
v=DKIM1 — DKIM version
k=rsa — Key type (RSA)
p=... — The actual public key
DKIM Best Practices for Cold Email
Use 2048-bit keys — 1024-bit is outdated and less secure
Rotate keys annually — Old keys can be compromised
Set up DKIM for every sending service — Each tool (Instantly, Smartlead, etc.) needs its own DKIM record
Use unique selectors — Don't reuse selectors across services
Common mistake: Adding DKIM for Google Workspace but forgetting your cold email tool. Now half your emails fail DKIM.
DMARC: The Policy That Ties It Together
DMARC (Domain-based Message Authentication, Reporting & Conformance) tells email providers what to do when SPF or DKIM fails.
It's the enforcement layer. Without DMARC, your SPF and DKIM records are suggestions. With DMARC, they're rules.
What a DMARC Record Looks Like
_dmarc.yourdomain.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100"
Breaking it down:
v=DMARC1 — DMARC version
p=reject — Policy: reject emails that fail
rua=mailto:... — Where to send aggregate reports
pct=100 — Apply policy to 100% of emails
DMARC Policies Explained
| Policy | What It Does | When to Use |
|---|---|---|
| p=none | Monitor only, don't enforce | First 2-4 weeks of setup |
| p=quarantine | Send failures to spam | After confirming setup works |
| p=reject | Block failures entirely | Once you're confident |
The DMARC Progression
Week 1-4: Start with p=none
Collect reports
Identify any legitimate emails failing authentication
Fix issues before enforcing
Week 5-8: Move to p=quarantine
Failures go to spam instead of inbox
Monitor for any problems
Should see minimal false positives
Week 9+: Move to p=reject
Full enforcement
Unauthorized emails are blocked
Maximum protection for your domain reputation
Don't skip to p=reject immediately. You'll block legitimate emails and damage your own campaigns.
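During the p=none weeks, the reports sent to your rua address are XML files. The added example below (not part of the original guide) triages one constructed report in the RFC 7489 aggregate layout and lists which source IPs failed DMARC; the IP addresses and the known_senders argument are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report (RFC 7489 layout), trimmed to the fields used here.
REPORT = """<feedback>
 <policy_published><domain>example.test</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.test</header_from></identifiers></record>
 <record><row><source_ip>192.0.2.44</source_ip><count>15</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.test</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.test</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.9</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.test</header_from></identifiers></record>
</feedback>"""

def triage(report_xml):
    """Return (total messages, Counter of source IP -> messages failing DMARC)."""
    # Reports come from third parties; on a real mailbox parse them with a
    # hardened XML parser such as defusedxml instead of the stdlib one.
    total, failing = 0, Counter()
    for row in ET.fromstring(report_xml).iter("row"):
        count = int(row.findtext("count", "0"))
        total += count
        evaluated = (row.findtext("policy_evaluated/dkim"),
                     row.findtext("policy_evaluated/spf"))
        if "pass" not in evaluated:  # DMARC fails only when both aligned checks fail
            failing[row.findtext("source_ip")] += count
    return total, failing

def ready_to_enforce(report_xml, known_senders):
    """True when no IP you recognise as your own sender is among the failures."""
    _, failing = triage(report_xml)
    return not (set(failing) & set(known_senders))

if __name__ == "__main__":
    total, failing = triage(REPORT)
    print(total, dict(failing))
    # 198.51.100.7 plays the role of a sending tool that was never given DKIM.
    print(ready_to_enforce(REPORT, {"192.0.2.10", "198.51.100.7"}))
```

A failing IP that belongs to one of your own sending services is the signal to fix SPF or DKIM for that service before moving past p=none.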
Step-by-Step Setup Guide
Prerequisites
Access to your domain's DNS settings
Admin access to your email provider (Google Workspace, Microsoft 365, etc.)
Admin access to your cold email tool (Instantly, Smartlead, etc.)
Step 1: Set Up SPF
Log into your DNS provider (GoDaddy, Cloudflare, Namecheap, etc.)
Find DNS settings for your domain
Look for an existing TXT record starting with v=spf1
If none exists, create a new TXT record:
Host/Name: @ (or leave blank)
Type: TXT
Value: v=spf1 include:_spf.google.com -all
Add includes for each sending service:
Google Workspace: include:_spf.google.com
Microsoft 365: include:spf.protection.outlook.com
Instantly: include:_spf.instantly.ai
Smartlead: include:_spf.smartlead.ai
SendGrid: include:sendgrid.net
Example combined SPF:
v=spf1 include:_spf.google.com include:_spf.instantly.ai -all
Step 2: Set Up DKIM
For Google Workspace:
Go to Admin Console → Apps → Google Workspace → Gmail
Click "Authenticate email"
Select your domain
Click "Generate new record"
Choose 2048-bit key length
Copy the TXT record value
Add it to your DNS:
Host/Name: google._domainkey
Type: TXT
Value: (paste the key)
Wait 24-48 hours for DNS propagation
Return to Admin Console and click "Start authentication"
For your cold email tool: Check their documentation for specific DKIM setup. Most provide:
A selector name (e.g., instantly, smartlead)
A DKIM key value to add to DNS
Step 3: Set Up DMARC
Add a new TXT record to your DNS:
Host/Name: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Replace dmarc@yourdomain.com with a real email address to receive reports
Monitor reports for 2-4 weeks
Once confident, update to p=quarantine
After another 2-4 weeks with no issues, update to p=reject
Common Mistakes That Destroy Deliverability
Mistake 1: Multiple SPF Records
Problem: You can only have ONE SPF record per domain. Multiple records = both are invalid.
Fix: Combine all includes into a single SPF record.
❌ Wrong:
v=spf1 include:_spf.google.com -all
v=spf1 include:sendgrid.net -all
✅ Right:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Mistake 2: Exceeding 10 DNS Lookups
Problem: SPF breaks silently when you exceed 10 lookups.
Fix: Audit your includes. Remove unused services. Flatten if needed.
Mistake 3: Forgetting DKIM for Your Cold Email Tool
Problem: Google Workspace DKIM doesn't cover emails sent through Instantly/Smartlead.
Fix: Set up separate DKIM records for each sending service.
Mistake 4: Starting DMARC with p=reject
Problem: You'll block your own legitimate emails before finding issues.
Fix: Always start with p=none, monitor, then escalate.
Mistake 5: Using Soft Fail (~all) Forever
Problem: Soft fail doesn't actually protect your domain reputation.
Fix: Move to hard fail (-all) once your setup is confirmed working.
Mistake 6: Not Setting Up DMARC at All
Problem: Without DMARC, SPF and DKIM failures are just logged, not acted on.
Fix: Even p=none is better than nothing. Set it up.
How to Verify Your Setup
Free Tools to Check Your Records
MXToolbox: mxtoolbox.com
SPF lookup: mxtoolbox.com/spf.aspx
DKIM lookup: mxtoolbox.com/dkim.aspx
DMARC lookup: mxtoolbox.com/dmarc.aspx
Google Admin Toolbox: toolbox.googleapps.com/apps/checkmx
Comprehensive check for Google Workspace users
Mail-tester: mail-tester.com
Send a test email, get a deliverability score
Shows exactly what's passing/failing
What "Passing" Looks Like
SPF Check:
Status: Pass
Record found: Yes
Lookups: Under 10
Mechanism: -all
DKIM Check:
Status: Pass
Key found: Yes
Key size: 2048-bit
Signature valid: Yes
DMARC Check:
Status: Pass
Policy: reject (or quarantine)
Alignment: Passing
Send a Test Email
Send an email to a Gmail account you control
Open the email
Click the three dots → "Show original"
Look for:
SPF: PASS
DKIM: PASS
DMARC: PASS
If any show FAIL, go back and fix it.
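The results shown in "Show original" come from the Authentication-Results header, so the same check can be scripted across many test messages. The added example below (not part of the original guide) parses two constructed messages and reports which checks did not pass; TRUSTED is an assumed name for your receiving provider's server, and only headers written by that server are believed.

```python
import re
from email import message_from_string

TRUSTED = "mx.receiver.test"  # assumed authserv-id of your own receiving provider

# Constructed headers in the shape "Show original" exposes; all values are made up.
SENT_VIA_WORKSPACE = """\
Authentication-Results: mx.receiver.test;
       dkim=pass header.i=@example.test header.s=google;
       spf=pass (domain of me@example.test designates 192.0.2.10 as permitted sender) smtp.mailfrom=me@example.test;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.test
From: me@example.test

hello
"""
# Same domain sent through a tool with no DKIM record: SPF passes only for the
# tool's own bounce domain, and an upstream relay has added a header of its own.
SENT_VIA_TOOL = """\
Authentication-Results: mx.receiver.test;
       dkim=none;
       spf=pass (domain of bounce@tool.test designates 198.51.100.7 as permitted sender) smtp.mailfrom=bounce@tool.test;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.test
Authentication-Results: relay.tool.test; dkim=pass header.i=@example.test
From: me@example.test

hello
"""

def auth_results(raw_message, trusted=TRUSTED):
    """Return {method: [result, ...]} from headers written by the trusted server."""
    results = {}
    for header in message_from_string(raw_message).get_all("Authentication-Results", []):
        parts = re.sub(r"\([^()]*\)", " ", header).split(";")  # drop (comments)
        if parts[0].split()[:1] != [trusted]:
            continue  # anyone upstream can insert this header; ignore theirs
        for part in parts[1:]:
            m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
            if m:
                results.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return results

def failing(raw_message, trusted=TRUSTED):
    """List the checks with no 'pass' (a message may carry several DKIM results)."""
    got = auth_results(raw_message, trusted)
    return [m for m in ("spf", "dkim", "dmarc") if "pass" not in got.get(m, [])]

if __name__ == "__main__":
    print(failing(SENT_VIA_WORKSPACE), failing(SENT_VIA_TOOL))
```

The second message shows why SPF: PASS alone is not enough: SPF passed for the tool's bounce domain, not the From domain, so with no DKIM signature DMARC still fails.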
Frequently Asked Questions
How long does DNS propagation take? Usually 15 minutes to 4 hours. Sometimes up to 48 hours. Check with multiple tools before assuming it's not working.
Do I need all three (SPF, DKIM, DMARC)? Yes. They work together. Missing any one weakens the others.
Can I use the same SPF record for multiple domains? No. Each domain needs its own SPF record tailored to its sending services.
What if I'm using multiple cold email tools? Add includes for all of them in your SPF record. Set up separate DKIM records for each.
How often should I audit my records? Quarterly, minimum. More often if you're adding new sending services or seeing deliverability drops.
My emails still go to spam after setup. Why? Authentication is necessary but not sufficient. You also need:
Proper email warmup
Good sender reputation
Quality content (no spam triggers)
Clean lists (low bounces)
Authentication gets you in the door. Everything else keeps you there.
Next Steps
Email authentication is the foundation. Without it, nothing else matters.
But it's just the first step. Once your SPF, DKIM, and DMARC are set up correctly, you need to:
Warm up your domains properly
Build quality lists
Write copy that converts
Monitor deliverability continuously
Need help with your cold email infrastructure?
We've set up deliverability for 50+ B2B companies, sending millions of emails monthly. Book a free audit and we'll review your current setup.