SPF, DKIM, DMARC for Cold Email - Plain-English Setup

A no-jargon guide to SPF, DKIM, DMARC for cold email - what each record does, how to set them up, and why they decide your inbox placement.

If your cold emails are landing in spam, the first thing to check isn't your copy - it's your authentication. SPF, DKIM, and DMARC are the three DNS records that tell mailbox providers your messages are really from you. Get them wrong and even perfect copy ends up in the junk folder.

This guide walks through what each record actually does, how to set them up without a networking degree, and how they fit into a healthy cold email program. No jargon you don't need, no acronym soup left unexplained.

What are SPF, DKIM, and DMARC in plain English?

They're three text records you add to your sending domain's DNS that prove your emails are legitimate. SPF says which servers are allowed to send for your domain, DKIM cryptographically signs each message so any tampering in transit can be detected, and DMARC tells receivers what to do when the first two fail.

Think of it like sending a package. SPF is the approved list of couriers. DKIM is the tamper-proof seal on the box. DMARC is the instruction note that says "if the courier isn't on the list or the seal is broken, return to sender (or bin it)."

Mailbox providers like Google and Yahoo now expect bulk senders to have all three configured correctly. Skip them and you're not just risking spam placement - you may get rejected outright.

If SPF, DKIM, and DMARC aren't set, you're not doing cold email - you're doing cold guessing.

Do I really need all three for cold email?

Yes. For cold email specifically, you need all three on every sending domain, and they need to align. Cold outreach is exactly the kind of "new sender, no prior relationship" traffic that filters scrutinize hardest, so missing authentication is an instant red flag.

Here's why each one matters for outbound:

  • SPF stops your domain from being an easy spoof target and confirms your sending platform is authorized.
  • DKIM survives forwarding and proves the body wasn't altered in transit - filters weigh it heavily.
  • DMARC ties it together and, critically, gives you reporting so you can see who's sending as you.

If you only set one, set DKIM. But "only one" is the wrong answer for cold email. The cost of all three is a few DNS records; the cost of skipping them is your whole campaign. We dig deeper into this in why cold emails go to spam.

How do I set up SPF for cold email?

SPF is a single TXT record on your sending domain that lists the servers allowed to send mail for you. You publish it once per domain and it covers every mailbox on that domain.

A basic SPF record looks like this:

v=spf1 include:_spf.google.com ~all

The include: part points to your email provider (here, Google Workspace). The ~all at the end means "soft fail anything not listed" - a sane default. A few rules that trip people up:

  • You can only have one SPF record per domain. Multiple records break it. If you use several services, combine their include: statements into one line.
  • SPF has a 10 DNS lookup limit. Every include: counts. Stack too many tools and SPF silently fails.
  • SPF checks the envelope sender (the return-path), not the visible "From" address. This matters for DMARC alignment later.

Once published, give DNS a little time to propagate, then verify with any free SPF checker before you send anything.
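The one-record rule and the 10-lookup limit can be checked mechanically. The sketch below is an added example, not part of the original guide: it walks include: and redirect= chains and counts the terms that cost a DNS lookup. It assumes a constructed in-memory zone (all names under .example are made up) in place of live DNS, and it does not model the separate per-mx and void-lookup limits.

```python
# Added example. ZONE is a constructed stand-in for DNS (name -> TXT records);
# every name and record in it is made up, so nothing here touches the network.
ZONE = {
    "getyourcompany.example": ["v=spf1 include:_spf.mail.example include:_spf.crm.example ~all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 a mx exists:%{i}.rbl.example ~all"],
    "two-records.example": ["v=spf1 include:_a.mail.example ~all", "v=spf1 mx ~all"],
}
# Terms that cost a DNS lookup (RFC 7208, section 4.6.4); ip4, ip6 and all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

def spf_records(name, zone):
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(name, zone, path=()):
    """Count lookup-costing terms reachable from name, following include/redirect."""
    if name in path:
        raise ValueError(f"{name}: include loop")
    records = spf_records(name, zone)
    if len(records) != 1:
        raise ValueError(f"{name}: expected 1 SPF record, found {len(records)}")
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            mech, arg = "redirect", term.split("=", 1)[1]
        else:
            mech, _, arg = term.partition(":")
            mech = mech.split("/")[0]          # "a/24" and "mx/24" carry a CIDR suffix
        if mech in LOOKUP_TERMS:
            total += 1
        if mech in ("include", "redirect"):
            total += count_lookups(arg, zone, path + (name,))
    return total

def audit(name, zone=ZONE):
    try:
        n = count_lookups(name, zone)
    except ValueError as err:
        return None, str(err)
    return n, "ok" if n <= LOOKUP_LIMIT else "over the 10-lookup limit (permerror)"

if __name__ == "__main__":
    for domain in ("getyourcompany.example", "two-records.example"):
        print(domain, audit(domain))
```

The first domain looks like two includes but already costs seven lookups once the nested records are followed, which is how a few extra tools push a domain over the limit.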

What about DKIM - is it harder?

DKIM is a key pair: your sending platform holds a private key and signs outgoing mail with it, and you publish the matching public key as a DNS record. It's slightly more involved than SPF but still a copy-paste job once your provider generates the record.

The flow is almost always:

  1. Turn on DKIM in your email platform's admin panel.
  2. The platform gives you a selector and a public key (a TXT or CNAME record).
  3. Paste that record into your DNS.
  4. Go back to the platform and click "authenticate" or "verify."

The one mistake to avoid: enabling DKIM in the platform but never publishing the DNS side, or vice versa. Both halves have to exist. After setup, send yourself a test message and check the headers - you want to see dkim=pass.

DKIM is the strongest signal of the three because it's cryptographic and survives forwarding, which SPF doesn't. It's non-negotiable for serious outbound.

How do I configure DMARC without breaking my email?

Start DMARC in monitoring mode (p=none), watch the reports, then tighten the policy once you confirm legitimate mail is passing. This lets you collect data without accidentally blocking your own messages.

A safe starting record looks like this:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

  • p=none means "don't reject or quarantine yet, just report."
  • rua= is where aggregate reports get sent so you can see what's authenticating.

After a week or two of clean reports, move to p=quarantine and eventually p=reject for the strongest protection. For cold email, you generally don't need to rush to p=reject on your sending domain, but you absolutely should not stay at p=none forever - that's the configuration spammers leave in place.

The key concept is alignment: DMARC passes when the domain in your visible "From" matches the domain validated by SPF or DKIM. You can have SPF and DKIM technically passing yet still fail DMARC if the domains don't line up. Most platform setups handle this automatically, but it's the thing to check when DMARC shows red despite the other two being green.
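The alignment check can be reproduced from the Authentication-Results header of a test message. The following is an added example, not code from the original guide: both header values are constructed, the .example domains are made up, and taking the last two labels as the organizational domain is a simplifying assumption (receivers use the Public Suffix List).

```python
import re

# Constructed Authentication-Results values, as a receiver might stamp a test message.
OWN_DOMAIN = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce.getyourcompany.example; "
              "dkim=pass header.d=getyourcompany.example header.s=sel1")
SHARED_TOOL = ("mx.receiver.example; spf=pass smtp.mailfrom=bounces.sendtool.example; "
               "dkim=pass header.d=sendtool.example header.s=shared")

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # Receivers use the Public Suffix List, which this shortcut gets wrong for
    # suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """mode "r" is relaxed (same organizational domain), "s" is strict (exact match)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def parse_auth_results(value):
    """Return [(method, result, domain)] for the spf and dkim clauses."""
    found = []
    for clause in value.split(";")[1:]:          # element 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        prop = "smtp.mailfrom" if m.group(1) == "spf" else "header.d"
        d = re.search(re.escape(prop) + r"=(?:[^\s@]+@)?([\w.-]+)", clause)
        found.append((m.group(1), m.group(2), d.group(1) if d else ""))
    return found

def dmarc_verdict(from_domain, auth_results, aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM passed AND its domain aligns with From."""
    detail = {}
    for method, result, domain in parse_auth_results(auth_results):
        mode = aspf if method == "spf" else adkim
        ok = result == "pass" and domain != "" and aligned(from_domain, domain, mode)
        detail[method] = detail.get(method, False) or ok
    return ("pass" if any(detail.values()) else "fail"), detail

if __name__ == "__main__":
    for header in (OWN_DOMAIN, SHARED_TOOL):
        print(dmarc_verdict("getyourcompany.example", header))
```

The second header is the "green SPF, green DKIM, red DMARC" case: both checks pass, but for the sending tool's domain rather than the one in From.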

Should I authenticate my main domain or a separate one?

Use separate domains for cold email, not your primary company domain - and authenticate each one fully. Cold outreach carries reputation risk, and you never want a deliverability problem to follow you back to the address your customers and invoices use.

The pattern that works:

  • Keep yourcompany.com for normal business mail.
  • Register lookalike sending domains (e.g. getyourcompany.com, tryyourcompany.com) for outbound.
  • Set up SPF, DKIM, and DMARC on every sending domain individually.
  • Point them all at your real site so they don't look abandoned.

How many domains and mailboxes you need isn't a fixed formula - it's sized to your sending goals and your list size. We keep volume sane with a per-mailbox cap of around 25 emails per day, which is the single biggest lever on deliverability. More on the math in why 25 emails per mailbox.

Authentication is set - why am I still in spam?

Because SPF, DKIM, and DMARC get you in the door, not into the inbox. They're the price of entry. After authentication, inbox placement depends on warmup, sending volume, list quality, and content - the human side of deliverability.

Here's the honest order of operations after your records pass:

  1. Warmup - new domains and mailboxes need 3-4 weeks of gradual, natural-looking activity before real campaigns. We never skip this; here's why we never rush warmup.
  2. Volume discipline - stay under ~25/day per mailbox and scale by adding mailboxes, not by hammering one.
  3. List hygiene - verified addresses keep bounce rates under 1%. High bounces tank reputation fast.
  4. Content - no spammy phrases, balanced text, real personalization, working unsubscribe.
  5. Monitoring - watch placement daily and adjust before a small dip becomes a blacklist.

This is exactly the stack we run as managed cold email infrastructure - authentication, warmup, and daily deliverability monitoring handled for you, not handed off. On our own campaigns it keeps inbox placement around 98.7%, reply rates near 4.5%, and bounce rate around 0.8% across 1,500+ mailboxes under management.

A quick SPF / DKIM / DMARC setup checklist

Run through this for every sending domain before your first campaign goes out:

  • [ ] One SPF TXT record published, under the 10-lookup limit, ending in ~all.
  • [ ] DKIM enabled in the platform and the public key live in DNS.
  • [ ] A test email shows spf=pass and dkim=pass in the headers.
  • [ ] DMARC record published, starting at p=none with a working rua= address.
  • [ ] DMARC alignment confirmed (From domain matches SPF or DKIM domain).
  • [ ] Sending domain is separate from your primary business domain.
  • [ ] Records verified after DNS propagation, not just immediately after pasting.

Tick all seven and your authentication is genuinely done. Then the real deliverability work - warmup, volume, hygiene - begins.

Where this fits in a full outbound system

Authentication is foundational but it's one layer. The campaigns that actually book meetings combine clean infrastructure with the right cadence and a destination worth clicking to. A strong email + LinkedIn cadence lifts reply rates, and sending people to a high-converting landing page turns those replies into pipeline. If you'd rather run channels together, see our mixed outreach approach.

You can do SPF, DKIM, and DMARC yourself - this guide gives you everything you need. But if you'd rather have authentication, warmup, and daily monitoring handled by a team that does this every day across 1,500+ mailboxes, get in touch. We'll size the setup to your goals and operate it for you - never a self-managed handover.


Want this handled for you? Moongie runs managed cold email infrastructure, mixed email + LinkedIn outreach and high-converting landing pages. Book a free 30-minute strategy call - or win our playbook in the Inbox Run game.
