How to Setup SPF, DKIM, and DMARC for Cold Email (Deliverability Guide)
The Direct Answer
A complete technical guide to setting up SPF, DKIM, and DMARC DNS records to prevent your cold emails from landing in spam folders.
How to Setup SPF, DKIM, and DMARC for Cold Email (Deliverability Guide)
Since major email providers (especially Google and Yahoo) updated their compliance guidelines, cold email deliverability has become a highly technical game. If you are sending B2B outreach campaigns to US targets and haven't verified your DNS records, your messages are likely heading straight to the spam folder.
To ensure your emails land in the primary inbox, you must set up and verify three critical DNS records: SPF, DKIM, and DMARC.
1. SPF (Sender Policy Framework)
SPF is a TXT record added to your domain registrar (GoDaddy, Namecheap, Google Domains) that lists the specific IP addresses and mail servers authorized to send emails on behalf of your domain.
Without an SPF record, receiving mail servers cannot verify if an incoming email actually came from you or a hacker spoofing your address.
Example SPF Record for Google Workspace:
v=spf1 include:_spf.google.com ~all
v=spf1: Identifies the record as SPF.include:_spf.google.com: Authorizes Google's mail servers.~all: Instructs servers to flag emails that do not match the rule as "soft fail" (suspicious but not immediately blocked).
2. DKIM (DomainKeys Identified Mail)
DKIM acts as a digital signature for your emails. It adds a cryptographic key to your domain's DNS. When you send an email, the receiving server uses this public key to verify that the message content was not tampered with during transit.
How to set up DKIM:
- Log into your email admin console (e.g., Google Admin Console or Microsoft 365).
- Generate a new DKIM TXT record.
- Add the generated host name (usually
google._domainkeyor similar) and value to your DNS registrar. - Go back to your email admin console and click Start Authentication.
3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC is the policy layer that sits on top of SPF and DKIM. It tells receiving servers exactly what to do if an email fails SPF or DKIM checks.
Recommended DMARC Record for Cold Email Domains:
Add a TXT record with host name _dmarc.yourdomain.com and the following value:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
p=none: Instructs servers to deliver the email even if authentication fails, but log the incident (ideal for testing new setup).rua=mailto:...: Specifies where receiving servers should send daily reports about authentication success/failure.
How to Check Your Deliverability Setup Instantly
Manually testing DNS records using command-line commands like dig is slow and error-prone. To check if your settings are correct, use our free public tool:
👉 Test Your Domain with Blue1.ai's Deliverability Checker
Simply enter your domain name, and our engine will verify:
- SPF Presence & Syntax Validity
- DMARC Conformance & Reporting configuration
- Active MX Records (Mail Exchanger)
- DKIM status validation
By keeping your SPF, DKIM, and DMARC authenticated, you protect your sender reputation and ensure your outreach campaigns consistently reach the inbox.
FAQ
What happens if I don't have DMARC configured?
Major providers like Gmail and Yahoo reject emails from domains without SPF, DKIM, and DMARC authentication, causing high bounce rates and domain blacklisting.
How can I check if my DNS records are correct?
You can use the free public Deliverability Checker tool on Blue1.ai to scan your domain's SPF, DKIM, and DMARC records instantly.
What should my DMARC policy be?
For new cold email domains, start with a policy of 'p=none'. This allows you to monitor reports without blocking emails while you verify setup.