SPF, DKIM, and DMARC Explained: The Complete Email Authentication Setup Guide for Cold Email (2026)
Without SPF, DKIM, and DMARC, your cold emails land in spam no matter how good they are. Here's what each record does, exact setup steps, and how to verify everything works.
By Mostmailer Team · 2026-07-19
Quick answer: SPF, DKIM, and DMARC are three DNS records that prove your emails actually come from you. SPF lists which servers are allowed to send email for your domain, DKIM adds a cryptographic signature that proves the message wasn't altered, and DMARC tells receiving inboxes what to do when a message fails those checks. Since 2024, Gmail and Yahoo require authentication from bulk senders — without these records, cold email lands in spam or gets rejected outright, regardless of how good the content is. Setup takes about 30–60 minutes in your domain's DNS settings and is the single highest-leverage deliverability fix available.
Here's what each record does, how to set them up, and how to confirm they're working.
Why Authentication Decides Deliverability
Email was designed decades ago with no built-in way to verify a sender's identity — anyone could send mail claiming to be anyone. Spammers exploited this for years, so inbox providers built a verification layer on top: SPF, DKIM, and DMARC.
Today the situation is simple:
- Authenticated senders start with baseline trust and get judged on their actual behavior (engagement, complaints, volume patterns)
- Unauthenticated senders are treated as suspicious by default — best case spam folder, worst case rejected before delivery
Google and Yahoo formalized this in their bulk sender requirements: senders above certain volume thresholds must have SPF, DKIM, and DMARC configured, must keep spam complaint rates low, and must support one-click unsubscribe. For anyone doing cold outreach, these records aren't optional hygiene — they're the entry ticket.
SPF: Who Is Allowed to Send for Your Domain
What it is: A DNS TXT record listing every server authorized to send email on behalf of your domain. When your email arrives, the receiving server checks whether it came from a server on that list.
What it looks like:
v=spf1 include:_spf.google.com ~all
Breaking that down:
| Part | Meaning |
|---|---|
v=spf1 |
This is an SPF record |
include:_spf.google.com |
Google's servers may send for this domain (Google Workspace users) |
~all |
Anything not listed: treat with suspicion (softfail) |
Setup steps:
- Log in to your DNS provider (Cloudflare, Namecheap, GoDaddy — wherever your domain's DNS lives)
- Add a TXT record on your root domain (
@) - Value depends on your email provider — Google Workspace uses
v=spf1 include:_spf.google.com ~all; Microsoft 365 usesv=spf1 include:spf.protection.outlook.com ~all; other providers publish their own include string in their docs - If multiple services send email for you (e.g., your inbox provider plus a transactional service), combine them in one record:
v=spf1 include:_spf.google.com include:otherservice.com ~all
Critical rules:
- Only ONE SPF record per domain. Two separate SPF records is an automatic fail — merge them into one.
- Maximum 10 DNS lookups. Each
includecosts lookups; exceeding 10 breaks validation. Keep the record lean.
DKIM: Proof the Message Wasn't Tampered With
What it is: A cryptographic signature added to every outgoing email. Your sending server signs each message with a private key; the matching public key sits in your DNS. Receiving servers verify the signature — if it checks out, the message provably came from your domain and wasn't modified in transit.
Setup steps (Google Workspace example):
- Google Admin Console → Apps → Google Workspace → Gmail → Authenticate email
- Select your domain → Generate new record (2048-bit key)
- Google gives you a TXT record — host will look like
google._domainkey - Add that TXT record in your DNS provider
- Back in Admin Console → Start authentication
Other providers (Microsoft 365, Zoho, etc.) follow the same pattern: generate the key in the provider's admin panel, publish the TXT record they give you, then activate. The host name always contains ._domainkey.
Verification note: DKIM can take up to 24–48 hours to activate after the DNS record is published. If activation fails immediately, wait and retry before troubleshooting.
DMARC: The Policy That Ties It Together
What it is: A DNS record that tells receiving servers what to do when a message fails SPF and DKIM checks — and, crucially, requires that the "From" address actually aligns with the authenticated domain. Without DMARC, a spammer can pass SPF/DKIM on their own domain while displaying your domain in the From line. DMARC closes that hole.
What it looks like:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
| Part | Meaning |
|---|---|
v=DMARC1 |
This is a DMARC record |
p=none |
Policy: take no action on failures yet, just report |
rua=mailto:... |
Send aggregate reports to this address |
The three policy levels:
| Policy | Effect | When to use |
|---|---|---|
p=none |
Monitor only — failures still delivered | Start here; watch reports for 2–4 weeks |
p=quarantine |
Failures go to spam | After confirming legitimate mail passes |
p=reject |
Failures are refused entirely | Final state — strongest protection |
Setup steps:
- Add a TXT record with host
_dmarc - Start with:
v=DMARC1; p=none; rua=mailto:your-address@yourdomain.com - Let it run 2–4 weeks; review the reports (they show every source sending as your domain)
- Once you've confirmed all legitimate sending sources pass, tighten to
p=quarantine, thenp=reject
The mistake to avoid: jumping straight to p=reject before verifying every legitimate sender (your inbox provider, your outreach tool, your transactional email service) passes authentication. Do that and your own real email starts getting rejected.
How to Verify Everything Works
After setup, confirm all three records from the receiving side:
- Send a test email to a Gmail address you control
- Open the message → three-dot menu → Show original
- At the top, Gmail displays the verdict for each check:
SPF: PASS
DKIM: PASS
DMARC: PASS
All three showing PASS means authentication is done. Any FAIL points to exactly which record needs fixing. Free online checkers (search "SPF checker" / "DMARC checker") can also validate record syntax directly from DNS.
Common Mistakes That Break Authentication
- Two SPF records — merge into one; duplicates cause automatic failure
- Adding SPF/DKIM values as CNAME instead of TXT (unless your provider explicitly says CNAME) — wrong record type silently fails
- Forgetting the outreach tool — if a separate service sends your cold email, its servers must be in your SPF and its DKIM must be configured, or your cold email specifically fails while regular email passes
- Copy-paste artifacts — stray spaces or quote marks inside the record value break parsing
- Setting DMARC
p=rejecton day one — tighten gradually, after reviewing reports - Authenticating the main domain but sending from an unconfigured subdomain — each sending domain/subdomain needs its own records
Authentication + Warmup: The Complete Foundation
Authentication proves identity; it doesn't build reputation. A fully authenticated brand-new domain still has zero sending history, which is why authentication and inbox warmup work together — records first, then warmup builds trust on top of the verified identity, then cold outreach begins. Skipping either half undermines the other: warmup without authentication builds reputation on an unverifiable identity, and authentication without warmup is a verified identity with no track record.
This ordering is exactly how MostMailer structures onboarding: sending accounts are connected and verified first, the built-in warmup system then builds reputation on the authenticated identity with day-by-day progress tracking, and cold campaigns unlock only once the account is genuinely ready. Authentication is the one piece that lives in your DNS — set it up once correctly, and every campaign after that stands on it.
Frequently Asked Questions
Do I need all three records, or is SPF enough? All three. Gmail and Yahoo's bulk sender requirements expect SPF and DKIM both, with DMARC on top. SPF alone also breaks on forwarded email — DKIM survives forwarding, which is why they complement each other.
How long do DNS records take to propagate? Anywhere from a few minutes to 48 hours, depending on your DNS provider and TTL settings. Most changes are visible within an hour; DKIM activation specifically can take up to 48 hours.
Do I need separate records for every domain I send from? Yes. Each domain — and each subdomain used for sending — needs its own SPF, DKIM, and DMARC configuration. This is also why many cold email senders use separate domains for outreach: authentication (and reputation) stays isolated from the main company domain.
Will SPF/DKIM/DMARC alone keep me out of spam? No — they're necessary, not sufficient. Authentication gets you judged fairly; from there, warmup, list quality, content, and complaint rates determine where your email lands. Think of authentication as the ID check at the door, not the whole reputation.
What's the difference between ~all and -all in SPF? ~all (softfail) marks unlisted senders as suspicious; -all (hardfail) tells receivers to reject them outright. ~all is the safer default while confirming all legitimate senders are listed; -all is stricter once your record is complete and verified.
Should cold email be sent from my main company domain? Common practice is a separate but related domain (e.g., getyourbrand.com alongside yourbrand.com) with its own full authentication setup. This protects the main domain's reputation while outreach reputation is being built — though the separate domain then needs its own warmup from scratch.
Ready to put your authenticated domain to work? Create a free MostMailer account — connect your sending account, let the built-in warmup build on your setup, and launch your first campaign on a foundation that actually deliverers.