SPF, DKIM, and DMARC Setup Guide for Cold Email
SPF, DKIM, and DMARC are the three DNS authentication protocols that determine whether your cold emails reach the inbox. In 2026, configuring all three correctly is mandatory — not optional. Email providers reject or spam-flag messages that fail authentication checks.
This guide provides step-by-step setup instructions for both Google Workspace and Microsoft 365.
Why All Three Matter
- SPF (Sender Policy Framework) — Declares which servers are allowed to send email from your domain
- DKIM (DomainKeys Identified Mail) — Adds a digital signature proving the email was not altered in transit
- DMARC (Domain-based Message Authentication, Reporting & Conformance) — Tells receivers what to do when SPF or DKIM fails
Without SPF: servers cannot verify you authorized the email. Without DKIM: servers cannot verify the email was not tampered with. Without DMARC: servers have no policy guidance for handling failures.
SPF Setup
For Google Workspace Add this TXT record to your domain's DNS: - **Type:** TXT - **Host:** `@` - **Value:** `v=spf1 include:_spf.google.com ~all` - **TTL:** 3600
For Microsoft 365 - **Type:** TXT - **Host:** `@` - **Value:** `v=spf1 include:spf.protection.outlook.com ~all` - **TTL:** 3600
SPF Best Practices - Only one SPF record per domain (combine with `include:` if multiple services) - Use `~all` (softfail) rather than `-all` (hardfail) for cold email - Keep total DNS lookups under 10 (SPF has a 10-lookup limit)
DKIM Setup
For Google Workspace 1. Go to Google Admin → Apps → Google Workspace → Gmail → Authenticate email 2. Select your domain 3. Click "Generate New Record" — choose 2048-bit 4. Copy the TXT record value 5. Add it to your DNS as a TXT record with the host Google provides (usually `google._domainkey`) 6. Go back to Google Admin and click "Start Authentication"
For Microsoft 365 1. Go to Microsoft 365 Defender → Email & collaboration → Policies → DKIM 2. Select your domain 3. Click "Create DKIM keys" 4. Add the two CNAME records Microsoft provides to your DNS 5. Toggle DKIM signing to "Enabled"
DKIM can take 15-60 minutes to propagate. Be patient.
DMARC Setup
DMARC builds on SPF and DKIM. Set it up after both are working.
Step 1: Start with Monitoring Mode Add this TXT record: - **Type:** TXT - **Host:** `_dmarc` - **Value:** `v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100`
This tells receivers to send you reports about authentication failures without taking action. Monitor for 1-2 weeks.
Step 2: Move to Quarantine Once you confirm SPF and DKIM are passing consistently: - **Value:** `v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100`
This tells receivers to send failed emails to spam.
Step 3 (Optional): Move to Reject For maximum protection: - **Value:** `v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100`
Only use `reject` when you are certain all legitimate sending sources are authenticated.
Verifying Your Setup
After configuring all three records, verify:
- Mail-Tester — Send a test email and check your score. Aim for 9/10 or higher.
- GlockApps — Test inbox placement across Gmail, Outlook, and Yahoo.
- Google Admin Toolbox — Check MX records at toolbox.googleapps.com/apps/checkmx
Common issues: - SPF record not found → Check you added it to the correct domain - DKIM not signing → Wait 48 hours for propagation, then re-check - DMARC alignment failure → Ensure the From domain matches SPF and DKIM domains
DNS Propagation Times
DNS changes do not take effect instantly: - SPF: Usually 15-60 minutes - DKIM: 15 minutes to 48 hours - DMARC: 15-60 minutes
Do not start sending or warmup until all records are propagated and verified.
After DNS Setup: Next Steps
- Start email warmup with Instantly, Warmbox, or MailReach
- Wait 14 days before sending campaigns
- Verify your prospect list with ZeroBounce
- Choose a sending platform and launch
See our complete infrastructure guide for the full setup walkthrough.