SPF, DKIM and DMARC Setup for Cold Email
Updated June 17, 2026
SPF, DKIM, and DMARC are three DNS records that authenticate your email. SPF lists the servers allowed to send for your domain, DKIM cryptographically signs each message, and DMARC ties them together and tells receivers what to do with mail that fails. Since February 2024, Gmail and Yahoo require all three from bulk senders — missing any one routes you to spam.
Email authentication is the part of deliverability that is pure mechanics: three records, set once per domain, that prove your mail is genuinely from you. Get them exactly right and they disappear into the background. Get one of them subtly wrong and your campaigns land in spam with no obvious explanation.
These three records — SPF, DKIM, and DMARC — moved from best practice to hard requirement in early 2024 when Gmail, Yahoo, and later Microsoft made them mandatory for bulk senders. Missing or misconfigured authentication is the most common single cause of cold email failing, and also the most completely fixable.
What each record actually does
SPF (Sender Policy Framework) is a TXT record listing the mail servers authorized to send on your domain's behalf. When a receiver gets your email, it checks whether the sending server appears in your SPF record. If it does not, that is an authentication failure.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message using a private key, and publishes the matching public key in DNS. The receiver verifies the signature, which proves the message was genuinely signed by your domain and was not altered in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer: it tells receivers what to do when SPF or DKIM fails, and sends you reports on who is sending mail as your domain.
| Record | DNS type | What it proves | Set how often |
|---|---|---|---|
| SPF | TXT | Which servers may send for you | Once per domain |
| DKIM | TXT (or CNAME) | The message was signed and unaltered | Once per sending source |
| DMARC | TXT | What to do on failure, plus reporting | Once per domain |
The three authentication records compared
Setting them up correctly
SPF goes in as a single TXT record at the root of your domain, beginning with v=spf1 and ending in an all mechanism — typically ~all (soft fail) while testing. A critical and common mistake: you may have only one SPF record per domain, and evaluating it may trigger at most ten DNS lookups, counting the lookups inside every include. Two SPF records, or too many includes, break SPF silently.
DKIM is usually provided by your sending platform as a record to paste into DNS — often a CNAME that points at the provider's key, or a TXT record containing the public key. DMARC goes in as a TXT record at _dmarc.yourdomain.com, starting with v=DMARC1 and a policy (p=none to monitor, p=quarantine or p=reject to enforce). Start at p=none with reporting, read the reports, then tighten.
Verifying and common failure modes
After adding the records, wait an hour or two for DNS to propagate, then verify with a free authentication checker or by sending a test to a Gmail account and viewing the original message headers — you want to see PASS for SPF, DKIM, and DMARC. Do not assume; a malformed SPF record fails quietly and you will only see it in spam-folder placement.
The frequent failures are: two SPF records on one domain (only one is allowed), SPF exceeding the ten-lookup limit, a DKIM record pasted with extra spaces or line breaks, and a DMARC record left at p=none forever without the SPF/DKIM alignment that p=none was meant to help you verify. Each of these passes a casual glance and fails a real check.
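The SPF and DMARC failure modes listed above can be checked mechanically. The following is an added example, not code from the original page: it counts SPF records, follows include: and redirect= to total the DNS lookups, and flags a p=none DMARC record with no rua address. The function names and the .test zone data are constructed for illustration; in practice the TXT strings would come from a DNS query.

```python
import re

# Terms that cost a DNS lookup (RFC 7208): include, a, mx, ptr, exists, redirect.
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(?:(?:include:|redirect=)(\S+)|exists:|(?:a|mx|ptr)(?:[:/]|$))", re.I)

def spf_records(txts):  # TXT strings whose version tag is exactly v=spf1
    return [t for t in txts if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(domain, zone, path=()):  # follows include:/redirect=, no macros
    if domain in path:  # include loop guard
        return 0
    total = 0
    for rec in spf_records(zone.get(domain, []))[:1]:
        for term in rec.split()[1:]:
            m = LOOKUP_TERM.match(term)
            if m:  # group(1) is the include:/redirect= target, else None
                total += 1 + (count_lookups(m.group(1).lower(), zone, path + (domain,))
                              if m.group(1) else 0)
    return total

def check_spf(domain, zone):
    recs = spf_records(zone.get(domain, []))
    problems = [] if len(recs) == 1 else [f"{len(recs)} SPF records (exactly one allowed)"]
    n = count_lookups(domain, zone)
    if n > 10:
        problems.append(f"{n} DNS lookups (limit is 10)")
    return problems

def check_dmarc(domain, zone):
    recs = [t for t in zone.get("_dmarc." + domain, []) if t.startswith("v=DMARC1")]
    if len(recs) != 1:
        return [f"{len(recs)} DMARC records at _dmarc.{domain}"]
    tags = dict(p.strip().split("=", 1) for p in recs[0].split(";") if "=" in p)
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return ["missing or invalid p= policy"]
    if tags["p"] == "none" and "rua" not in tags:
        return ["p=none without rua: monitoring with no reports"]
    return []

# Constructed sample zone (not real DNS data): name -> TXT strings.
ZONE = {
    "good.test": ["v=spf1 include:_spf.esp.test ~all"],
    "_spf.esp.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.good.test": ["v=DMARC1; p=none; rua=mailto:dmarc@good.test"],
    "two.test": ["v=spf1 include:_spf.esp.test ~all", "v=spf1 mx ~all"],
    "deep.test": ["v=spf1 " + " ".join(f"include:n{i}.esp.test" for i in range(6)) + " ~all"],
    **{f"n{i}.esp.test": ["v=spf1 a mx ~all"] for i in range(6)},
    "_dmarc.deep.test": ["v=DMARC1; p=none"],
}
```

The deep.test record has only six includes at the top level, which is why it passes a casual glance; the nested a and mx mechanisms are what push the total past ten.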
Frequently asked
Do I really need all three records?
Yes. Since the February 2024 bulk-sender rules, Gmail and Yahoo require SPF, DKIM, and DMARC together. SPF and DKIM alone no longer clear the bar — DMARC is mandatory, and missing it routes bulk mail to spam regardless of how clean everything else is.
What DMARC policy should I use for cold email?
Start at p=none with an rua reporting address so you can read the aggregate reports and confirm SPF and DKIM are aligned. Once you see consistent passes, move to p=quarantine. The policy protects your domain from spoofing; it does not throttle your own legitimate sends.
Why does my SPF record fail when it looks correct?
The two usual causes are having more than one SPF record on the domain — only one is permitted — or exceeding the ten-DNS-lookup limit through too many includes. Both fail silently. Flatten your includes or consolidate into a single record and recheck.
How long do these records take to work?
DNS changes typically propagate within an hour or two of being added at your host, sometimes faster. They only need to be set once per domain, but they have to be exactly right — verify with a checker or by reading the headers of a test message rather than assuming.
The takeaway
SPF, DKIM, and DMARC are three DNS records that authenticate every cold email you send, and since 2024 all three are required by the major inbox providers. SPF authorizes your servers, DKIM signs your messages, and DMARC sets the failure policy and reporting. Set them once per domain, verify them with a real check rather than a glance, and they quietly underpin everything above them.