SPF, DKIM and DMARC: The Cold Email Setup Checklist

SPF, DKIM, and DMARC are three DNS-based email authentication standards that tell receiving mail servers whether an email claiming to come from your domain actually originated from a server you authorized. Without all three in place and passing, Gmail, Yahoo, and Outlook either reject your cold email outright or filter it to spam. Since early 2024, all three are effectively mandatory for any sender sending more than a few hundred emails per day. This checklist covers setup, verification, and the mistakes that break authentication silently after it has been working.

What Each Record Does (Plain Language)

• SPF (Sender Policy Framework): A DNS TXT record that lists the IP addresses and mail servers authorized to send email on behalf of your domain. When a receiving server gets an email from you, it checks your SPF record to verify the sending server is on the approved list.
• DKIM (DomainKeys Identified Mail): A cryptographic signature attached to every outgoing email. The receiving server fetches your public key from DNS and uses it to verify the signature, confirming the message was not modified in transit and came from a server with your private key.
• DMARC (Domain-based Message Authentication, Reporting, and Conformance): A policy published in DNS that tells receiving servers what to do when SPF or DKIM checks fail: nothing (monitor), quarantine (send to spam), or reject (block entirely). DMARC also enables reporting so you can see when someone is attempting to spoof your domain.

All three work together. DMARC requires at least one of SPF or DKIM to pass and to be aligned with your "From" domain. Having SPF and DKIM without DMARC means there is no policy enforcing what happens when they fail.

SPF Setup Checklist

1. Log into your DNS provider (Cloudflare, GoDaddy, Namecheap, Google Domains, etc.).
2. Add a TXT record at the root of your domain (@ or your domain name).
3. The record should look like: v=spf1 include:yourmailprovider.com ~all (replace yourmailprovider.com with the SPF include provided by your email sending tool).
4. If you send from multiple services (e.g., Google Workspace for regular email, plus Instantly or Smartlead for cold outreach), include all of them in one SPF record. You can only have one SPF record per domain.
5. Use ~all (softfail) during setup and testing. Move to -all (hard fail) once you are confident all legitimate sending sources are included.
6. Verify with: nslookup -type=TXT yourdomain.com or mxtoolbox.com/spf.

Common mistake: Adding a second SPF record instead of editing the existing one. Multiple SPF records on the same domain cause the check to fail. Merge all includes into a single record.

DKIM Setup Checklist

1. In your email sending platform (Google Workspace, Outlook/Microsoft 365, Smartlead, Instantly, or similar), find the DKIM setup section. It will generate a public/private key pair.
2. Copy the DNS TXT record it provides. It will look something like: host google._domainkey.yourdomain.com, value a long string starting with v=DKIM1; k=rsa; p=....
3. Add that TXT record to your DNS provider exactly as shown. The selector prefix (e.g., "google") must match what your sending platform uses.
4. If you have multiple sending platforms, each one gets its own DKIM key with a different selector prefix. Multiple DKIM records are fine.
5. Verify with: mxtoolbox.com/dkim or by sending a test email to mail-tester.com.

Common mistake: Copying the DKIM public key with line breaks or extra spaces from your provider's UI. DNS values must be unbroken strings. Most DNS providers handle this automatically, but double-check if verification fails.

DMARC Setup Checklist

1. Add a TXT record at _dmarc.yourdomain.com.
2. Start with a monitoring-only policy: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com. This tells receiving servers to take no action on failures but to send you aggregate reports.
3. Monitor the reports for two to four weeks. Tools like Dmarcian, Postmark's DMARC Digests, or EasyDMARC make these readable. You are looking for: which servers are sending email on your behalf, whether SPF and DKIM are passing, and whether anyone is spoofing your domain.
4. Once you confirm all legitimate sending sources are passing, move to p=quarantine: v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@yourdomain.com. The pct=25 means apply the quarantine policy to only 25% of failing messages initially.
5. Gradually increase pct to 100% and eventually move to p=reject for maximum protection.

Common mistake: Jumping straight to p=reject without monitoring first. If you have a sending source not yet in your SPF record or without DKIM configured, you will block your own legitimate email.

Verification: Confirm Everything Is Working

After Setup: What Can Break Authentication Silently

• Adding a new sending tool (e.g., a new sequencer or CRM with email sending) without adding its SPF include to your record.
• Switching DNS providers and forgetting to migrate all TXT records, including DKIM keys.
• Your sending platform rotating DKIM keys without notifying you (some do this automatically; verify your DKIM record is still current after platform updates).
• Domain migrations where the new domain provider does not copy TXT records from the old one.

Set a calendar reminder to run a full authentication check every quarter. It takes five minutes and catches silent failures before they cost you an entire campaign's deliverability.

For how authentication fits into the broader warm-up and deliverability picture, see the cold email warm-up guide and outbound sales automation.

PhewDo's outreach platform is designed to work alongside your authenticated sending infrastructure, handling multi-channel sequencing, safe send pacing, and a unified AI inbox for all replies. If you want to see how it fits into a properly configured cold email setup, start free at PhewDo.