
SPF, DKIM, and DMARC for Cold Email: The Non-Technical Setup Guide

SPF, DKIM, and DMARC are mandatory for cold email deliverability. Miss any one and Gmail or Outlook will route your emails to spam. Here's exactly how to set them up.

SPF, DKIM, and DMARC are three DNS records that prove to receiving mail servers that your emails are legitimate. Without them, Gmail, Outlook, and every major inbox provider will either send your emails to spam or reject them entirely. Since February 2024, Google and Yahoo have made DMARC a hard requirement for anyone sending more than 5,000 emails per day — but even if you're sending 50 emails a day, you need all three correctly configured.

This guide explains what each record does, shows you the exact DNS records to create, and tells you how to verify everything is working before you send a single campaign.

What SPF, DKIM, and DMARC Each Do

Before configuring anything, it helps to understand what each record actually checks:

  • SPF (Sender Policy Framework) answers: "Is this email coming from a server I've authorised to send on my behalf?" You publish a list of approved sending servers in DNS. If an email claims to be from your domain but originates from an unlisted server, SPF fails.
  • DKIM (DomainKeys Identified Mail) answers: "Was this email actually sent by the domain owner, and has it been tampered with in transit?" A cryptographic signature is added to every outgoing email, verified using a public key published in DNS. If the email was altered after sending, DKIM fails.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) answers: "What should receiving servers do when SPF or DKIM fail?" DMARC defines the policy (ignore, quarantine, or reject) and receives reports about what's failing and from where.

All three work together. DMARC requires at least one of SPF or DKIM to pass and be aligned with the From: domain. A passing SPF or DKIM result that isn't aligned with the From: domain doesn't count toward DMARC: alignment matters.

Step 1: Set Up SPF

SPF is a TXT record added to the DNS zone of your sending domain. If you send email from your own mail server, Gmail, and a cold email tool like YOG.io, all three need to be listed in a single SPF record.

The SPF record format

v=spf1 [mechanisms] [all]

A complete example for a domain that sends via Google Workspace and a cold email platform:

v=spf1 include:_spf.google.com include:sendingplatform.com ~all

The mechanisms explained:

  • include:_spf.google.com — allows Google's mail servers to send on your behalf
  • include:sendingplatform.com — allows your cold email tool's servers
  • ip4:203.0.113.1 — allows a specific IP address (use this if you have a dedicated server)
  • ~all — softfail: emails from unlisted servers are marked suspicious but not rejected
  • -all — hardfail: emails from unlisted servers are rejected (use this once DMARC is in place)

SPF rule: One record per domain, maximum 10 DNS lookups

A domain may publish only one SPF record (one TXT record starting with v=spf1). If you have two, they conflict and SPF fails, so combine everything into a single record. SPF also limits you to 10 DNS lookups per evaluation: each include: statement counts (as do a, mx, ptr, exists and redirect), and lookups triggered inside the records you include count toward the same limit. If you exceed 10, SPF fails even with correctly listed servers.

How to add the SPF record

Go to your domain registrar or DNS provider (Cloudflare, GoDaddy, Route 53, Namecheap) and add a TXT record:

  • Type: TXT
  • Name/Host: @ (root of your domain)
  • Value: your SPF record string
  • TTL: 3600 (1 hour) or as low as your provider allows

Verify SPF

Use MXToolbox SPF Lookup: enter your domain and it will show whether your SPF record is valid, list all authorised senders, and flag any errors like duplicate records or lookup limit breaches.
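To check the two SPF rules above offline before publishing, here is an added example (not part of the original guide) that lints a list of TXT records: it flags duplicate v=spf1 records, counts the lookup-costing mechanisms in the record, and reports which all qualifier is in use. The zone data is constructed and sendingplatform.com is the guide's placeholder.

```python
"""Offline SPF record lint for the two failure modes the guide calls out.

Added example, not code from the original post; the zone data below is
constructed and sendingplatform.com is the guide's placeholder. Only terms
in the record itself are counted: real validators also resolve each
include: recursively, and those nested lookups count toward the same 10.
"""
import re
# Mechanisms and modifiers that cost a DNS lookup under RFC 7208.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
ALL_NAMES = {"": "pass", "+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}

def spf_records(txt_records: list[str]) -> list[str]:
    """Keep only the TXT records that are SPF records (v=spf1 ...)."""
    return [r for r in txt_records if r.lower().startswith("v=spf1")]

def count_lookups(record: str) -> int:
    """Count lookup-costing terms in one record (top level only)."""
    count = 0
    for term in record.split()[1:]:
        # Strip the qualifier, then take the name before any ':', '/' or '='.
        name = re.split(r"[:/=]", term.lstrip("+-~?"), 1)[0].lower()
        count += name in LOOKUP_TERMS
    return count

def lint_spf(txt_records: list[str]) -> dict:
    """Report record count, lookup count, the all qualifier and any problems."""
    records = spf_records(txt_records)
    report = {"records": len(records), "lookups": 0, "all": "missing", "problems": []}
    if not records:
        report["problems"].append("no SPF record published")
        return report
    if len(records) > 1:
        report["problems"].append("multiple SPF records: merge into one")
    record = records[0]
    report["lookups"] = count_lookups(record)
    if report["lookups"] > MAX_LOOKUPS:
        report["problems"].append(f"{report['lookups']} DNS lookups exceeds {MAX_LOOKUPS}")
    m = re.search(r"(?:^|\s)([+\-~?]?)all$", record.strip())
    if m:
        report["all"] = f"{m.group(1)}all ({ALL_NAMES[m.group(1)]})"
    return report

# Constructed zones: healthy, two SPF records, and one over the lookup limit.
GOOD_ZONE = ["v=spf1 include:_spf.google.com include:sendingplatform.com ~all",
             "google-site-verification=abc123"]
BAD_ZONE = GOOD_ZONE + ["v=spf1 ip4:203.0.113.1 -all"]
TOO_MANY = ["v=spf1 " + " ".join(f"include:p{i}.example.net" for i in range(11)) + " -all"]
```

Running lint_spf over each zone shows the healthy record at 2 lookups with ~all, the second zone flagged for duplicate records, and the third flagged at 11 lookups.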

Step 2: Set Up DKIM

DKIM requires two parts: a private key (stored on your mail server or email sending platform) and a public key (published in your DNS). The sending platform generates the key pair — you publish the public key in DNS.

How to get your DKIM key

For Google Workspace: Go to Admin console → Apps → Google Workspace → Gmail → Authenticate email → Generate new record. Google will show you a DNS record to add.

For Microsoft 365 / Outlook: Go to Microsoft 365 Defender portal → Email & collaboration → Policies & rules → Threat policies → Email authentication → DKIM. Select your domain and enable DKIM. Microsoft will provide two CNAME records to add to DNS.

For custom SMTP platforms (SendGrid, Mailgun, Postmark, AWS SES): Each has a DKIM setup section in their dashboard. They generate the key pair and give you a TXT or CNAME record to add.

The DKIM DNS record format

selector._domainkey.yourdomain.com  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3..."

The selector is a label (often google, mail, s1, 20230601) that identifies which key to use. Platforms assign selectors — you'll see it in the record name they give you. You can have multiple DKIM selectors active simultaneously (one per sending platform), which is the correct approach when using multiple senders.

Key strength

Use 2048-bit RSA keys minimum. 1024-bit keys are deprecated and some receivers will treat 1024-bit DKIM as a failure. Most modern platforms default to 2048-bit — verify before publishing.

Verify DKIM

MXToolbox DKIM Lookup: enter your domain and the selector (e.g., google) and it will confirm the key is valid and matches the published record.

Step 3: Set Up DMARC

DMARC is a single TXT record at _dmarc.yourdomain.com. Set it up after SPF and DKIM are verified — DMARC needs them to be passing first.

The correct progression: none → quarantine → reject

Never start DMARC with p=reject. Start with p=none (reporting mode), collect reports for 2–4 weeks, fix any gaps, then move to p=quarantine, then p=reject.

Week 1-4 (reporting mode):

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

Month 2 (quarantine):

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]

Start with pct=25 (applies to 25% of failing emails), increase to 100% over a few weeks.

Month 3+ (reject — the goal):

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]

DMARC parameters explained

  • p= — policy: none, quarantine, or reject
  • rua= — aggregate report destination (you'll receive daily XML reports from each ISP showing pass/fail counts)
  • ruf= — forensic report destination (individual email-level reports on failures; not all ISPs send these)
  • pct= — percentage of emails subject to the policy (default: 100)
  • adkim= — DKIM alignment: r (relaxed, allows subdomains) or s (strict, exact domain match)
  • aspf= — SPF alignment: r (relaxed) or s (strict)
  • fo= — forensic options: 1 = report on any authentication failure

Alignment matters: DMARC checks that the domain in the From: header matches the domain that passed SPF or DKIM. Relaxed alignment allows subdomains to match. If you send from outreach.yourdomain.com, the SPF or DKIM must align with yourdomain.com under relaxed mode — or exactly match under strict mode.

Reading DMARC reports

The rua reports arrive as XML-formatted email attachments. They're not human-readable raw, but free tools like Postmark's DMARC analyser, dmarcian.com, or EasyDMARC parse them into readable summaries. Check reports weekly in the first month — they'll show you exactly which sources are failing authentication.
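As an added example (not from the original post), here is the core of what those parsers do: turn one decompressed rua XML attachment into a per-source pass/fail summary and the share of mail that failed. The report is constructed in the RFC 7489 aggregate format, the source IPs are documentation addresses, and yourdomain.com is the guide's placeholder.

```python
"""Summarise a DMARC aggregate (rua) report: which sources fail, and how much.

Added example, not code from the original post. The XML is a constructed,
shortened report in the RFC 7489 aggregate format (reports arrive as zip or
gzip attachments; this takes the decompressed XML). yourdomain.com is the
guide's placeholder and the source IPs are documentation addresses.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
  </record>
</feedback>"""

def summarise(report_xml: str) -> dict:
    """Per-source results plus the share of mail that failed DMARC."""
    root = ET.fromstring(report_xml)
    sources, total, failing = [], 0, 0
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        # policy_evaluated already reflects alignment: DMARC passes if either passes.
        ok = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        sources.append({"ip": row.findtext("source_ip"), "count": count,
                        "dkim": pe.findtext("dkim"), "spf": pe.findtext("spf"),
                        "disposition": pe.findtext("disposition"),
                        "dmarc": "pass" if ok else "fail"})
        total += count
        failing += 0 if ok else count
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "total": total, "failing": failing,
            "fail_pct": round(100 * failing / total, 2) if total else 0.0,
            "failing_sources": [s["ip"] for s in sources if s["dmarc"] == "fail"]}
```

The failing_sources list is the thing to act on during the p=none weeks: each IP there is either a legitimate sender missing from SPF/DKIM or someone else using your domain.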

The Google & Yahoo 2024 Requirements (Now Enforced)

In February 2024, Google and Yahoo began enforcing stricter requirements for bulk senders (anyone sending 5,000+ emails/day to Gmail addresses):

  1. SPF or DKIM must be configured on the sending domain (both recommended)
  2. DMARC must be in place at p=none minimum
  3. Spam rate must stay below 0.10% in Google Postmaster Tools (above 0.30% leads to sending blocks)
  4. One-click unsubscribe header (List-Unsubscribe) must be present in all commercial email
  5. The From: address must align with the authenticated domain

Even if you send fewer than 5,000 emails per day, Google and Yahoo use DMARC as a trust signal. Domains with p=reject DMARC established over time get higher inbox placement scores.

Step 4: Verify Everything End-to-End

After setting up all three records, verify using two tools:

1. mail-tester.com: Send a test email to the address they generate. It returns a score (aim for 9/10 or above) with detailed breakdowns of which authentication checks passed or failed, whether your IP is on blacklists, and whether your email content has any issues.

2. MXToolbox Email Header Analyzer: Send an email to yourself, open the full headers in Gmail (click three dots → "Show original"), and paste the headers into MXToolbox. It will show SPF=pass, DKIM=pass, DMARC=pass with each domain that was checked.

What "pass" looks like in Gmail headers:

Authentication-Results: mx.google.com;
   dkim=pass [email protected];
   spf=pass smtp.mailfrom=yourdomain.com;
   dmarc=pass (p=QUARANTINE sp=QUARANTINE) header.from=yourdomain.com

If any shows "fail" or "neutral," fix that record before sending any campaign volume.
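To make the alignment rule concrete, here is an added example (not from the original post) that re-evaluates a constructed Gmail-style Authentication-Results header against a relaxed and a strict DMARC record: the same message, with SPF and DKIM authenticated on yourdomain.com and From: on outreach.yourdomain.com, passes under adkim=r/aspf=r and fails under adkim=s/aspf=s. yourdomain.com is the guide's placeholder, and relaxed alignment is simplified to a parent/subdomain match rather than a Public Suffix List lookup.

```python
"""Re-evaluate DMARC alignment from a Gmail-style Authentication-Results header.

Added example, not code from the original post. The header and both DMARC
records are constructed; yourdomain.com is the guide's placeholder. Relaxed
alignment is simplified to a parent/subdomain suffix match (real verifiers
compare organizational domains using the Public Suffix List).
"""
import re

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=quarantine; adkim=s' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def parse_auth_results(header: str) -> dict:
    """Map each method (spf/dkim/dmarc) to its result and its key=value props."""
    results = {}
    for clause in header.split(";")[1:]:          # [0] is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"(\w+\.\w+)=(\S+)", clause))
            results[m.group(1)] = {"result": m.group(2), **props}
    return results

def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """'s' requires an exact match; 'r' also accepts a parent/subdomain relation."""
    hf = header_from.lower().rstrip(".")
    ad = auth_domain.lower().lstrip("@").rstrip(".")
    return hf == ad or (mode == "r" and (hf.endswith("." + ad) or ad.endswith("." + hf)))

def dmarc_verdict(dmarc_record: str, header: str) -> dict:
    """Which identifiers align under this record, and the resulting disposition."""
    policy, ar = parse_dmarc(dmarc_record), parse_auth_results(header)
    header_from = ar.get("dmarc", {}).get("header.from", "")
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(
        header_from, spf.get("smtp.mailfrom", ""), policy.get("aspf", "r"))
    dkim_ok = dkim.get("result") == "pass" and aligned(
        header_from, dkim.get("header.i", ""), policy.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy.get("p", "none")}

# Constructed header: From: on a subdomain, SPF and DKIM authenticated on the parent.
SAMPLE_HEADER = """Authentication-Results: mx.google.com;
   dkim=pass header.i=@yourdomain.com header.s=google;
   spf=pass smtp.mailfrom=yourdomain.com;
   dmarc=pass (p=QUARANTINE sp=QUARANTINE) header.from=outreach.yourdomain.com"""
RELAXED = "v=DMARC1; p=quarantine; adkim=r; aspf=r"
STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"
```

The dmarc=pass in the header is the receiver's verdict under the record it saw; dmarc_verdict(STRICT, SAMPLE_HEADER) shows the same message would be quarantined if you tightened alignment to strict without moving the From: domain.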

Common Mistakes That Cause Failures

  • Multiple SPF records: Having two TXT records with v=spf1 on the same domain. Receiving servers can't tell which one to use, so your emails fail SPF. Merge into one record.
  • Exceeding 10 SPF DNS lookups: Using too many include: statements. Tools like kitterman.com/spf/validate.html show the lookup count.
  • DKIM key not propagated: DNS changes take up to 48 hours to propagate fully. Wait before testing.
  • DMARC alignment failure: Sending from a different subdomain than the one your SPF or DKIM covers, without relaxed alignment.
  • Skipping DMARC reports: Setting up DMARC without a rua address means you never know what's failing.
  • Setting p=reject immediately: If any legitimate email source isn't listed in SPF or DKIM yet, reject will break your email delivery entirely.

One Sending Domain Per Campaign (The Right Architecture)

For cold email, the best practice is to use a separate sending domain from your primary business domain — for example, yourdomain.com for inbound business email and outreach.yourdomain.com or yourdomain-outreach.com for campaigns. This protects your primary domain's reputation from the deliverability impact of cold outreach.

Each sending domain needs its own SPF, DKIM, and DMARC records. The same principles apply — separate domain, separate configuration, same validation process.

If you're running campaigns on a governed outbound platform like YOG.io, the warmup system, authentication verification, and deliverability monitoring are built in — but the DNS records still need to be configured on your domain. No platform can add DNS records on your behalf.

Summary Checklist

  1. ✅ One SPF TXT record at your domain root — lists all authorised senders
  2. ✅ DKIM public key published — one selector per sending platform
  3. ✅ DMARC TXT record at _dmarc.yourdomain.com — start with p=none
  4. ✅ Verified via mail-tester.com — score 9/10 or above
  5. ✅ Headers show SPF=pass, DKIM=pass, DMARC=pass
  6. ✅ DMARC aggregate reports directed to a monitored inbox
  7. ✅ Progression plan: none → quarantine → reject over 8–12 weeks

Once these are in place, you have the authentication foundation that every deliverability best practice builds on. Domain warmup, list hygiene, and engagement rates all matter — but without authentication, they can't help you. With it, you're starting from a position where inbox placement is actually achievable.

If you're running a cold email campaign and want to check your current deliverability score before sending, YOG.io's campaign analytics tracks open rates, bounce rates, and spam signals per domain — see what's available in the YOG.io pricing guide.
