SPF, DKIM, and DMARC: How to Set Them Up for Cold Email
SPF, DKIM, and DMARC are the three email authentication protocols that determine whether ISPs trust your emails enough to deliver them to the inbox. Getting them right isn't optional for cold email in 2026 — Google now requires all three for bulk senders. Here's what each one does and exactly how to set them up.
What Each Protocol Does
SPF (Sender Policy Framework): SPF is a DNS record that lists which mail servers are authorized to send email on behalf of your domain. When an ISP receives an email claiming to be from your domain, it checks your SPF record to verify that the sending server is on your approved list.
Related guide: cold email deliverability tool
DKIM (DomainKeys Identified Mail): DKIM adds a cryptographic signature to every outgoing email. The receiving server uses a public key in your DNS to verify the signature — confirming the email wasn't tampered with in transit and genuinely came from your domain.
DMARC (Domain-based Message Authentication, Reporting and Conformance): DMARC tells receiving mail servers what to do when an email fails SPF or DKIM checks — either do nothing (p=none), quarantine it (p=quarantine), or reject it (p=reject). It also enables reporting so you can see who is sending email claiming to be from your domain.
Why All Three Matter
Each protocol alone is insufficient. SPF can be bypassed by spoofing the visible From address. DKIM alone doesn't tell ISPs what to do with failures. DMARC without SPF and DKIM has nothing to enforce. You need all three.
Related guide: cold email deliverability tool
How to Set Up SPF
Log into your domain registrar's DNS management (GoDaddy, Namecheap, Cloudflare, etc.).
Add a TXT record: Type: TXT Host/Name: @ (or your domain) Value: v=spf1 include:[your-email-provider] ~all
For Google Workspace: v=spf1 include:_spf.google.com ~all For Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all For SalesOutreach: add include:salesoutreach.io to your existing SPF record
Related guide: how to improve email outreach platform
Important: You can only have one SPF record per domain. If you already have one, edit the existing record to add the new include rather than creating a second record.
How to Set Up DKIM
DKIM is generated by your email sending platform, not written manually.
For Google Workspace: Go to Admin Console → Apps → Gmail → Authenticate Email → Generate new record. Copy the DKIM key and add it as a TXT record in your DNS.
For SalesOutreach: The platform generates your DKIM keys in Settings → Email Authentication. Follow the provided instructions to add the two TXT records to your DNS.
Related guide: sales engagement platform guide by SalesOutreach
DKIM propagation takes 24-48 hours. Verify it's working at mxtoolbox.com/dkim.aspx.
How to Set Up DMARC
Add a TXT record to your DNS: Type: TXT Host/Name: _dmarc Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Start with p=none (monitor only) — this sends you reports without blocking any emails while you verify your SPF and DKIM are working correctly.
After 2-4 weeks of reviewing reports and confirming legitimate emails are passing authentication, upgrade to p=quarantine, then eventually p=reject.
Verifying Your Setup
Use these free tools to verify everything is configured correctly:
MXToolbox DMARC Checker: mxtoolbox.com/dmarc Google Admin Toolbox: toolbox.googleapps.com Mail-tester: mail-tester.com (send yourself a test email to get a full authentication score)
Your goal is a clean bill of health on all three. Any misconfiguration — especially in DKIM key format — will cause authentication failures and deliverability problems.
Common Setup Mistakes
Multiple SPF records: Only one allowed per domain. Combine all includes into one record. DKIM key copy errors: The key must be copied exactly, including any underscores or equals signs. A single character error invalidates the signature. Starting DMARC at p=reject: Start at p=none and work up gradually. Going straight to p=reject before verifying your authentication is working correctly will block legitimate emails. Forgetting sending subdomains: If you send from sales.yourdomain.com as well as yourdomain.com, both need their own SPF and DKIM configurations.