Why you need all three
SPF, DKIM, and DMARC are email authentication protocols. Together, they answer three questions for the receiving mail server:
1. Is this server allowed to send email for this domain? (SPF)
2. Was this email tampered with in transit? (DKIM)
3. What should I do if authentication fails? (DMARC)
As of February 2024, Google and Yahoo require all three for anyone sending more than 5,000 emails per day. But even at lower volumes, missing any one of these records signals to inbox providers that your domain may not be legitimate — and they'll default to treating your emails as suspicious.
SPF: who's allowed to send
SPF (Sender Policy Framework) is a DNS TXT record that lists the mail servers authorized to send email on behalf of your domain.
For Google Workspace: v=spf1 include:_spf.google.com ~all
For Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all
For both (if you use both ESPs on the same domain): v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
Rules:
- Only one SPF record per domain. Multiple records = both get ignored.
- Use ~all (soft fail) during setup and warmup. Switch to -all (hard fail) once stable.
- Maximum 10 DNS lookups in a single SPF record. Most include: directives count as one lookup each.
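An added example, not from the original page, that applies these three rules offline to a constructed zone: it counts lookups including the ones nested inside include: targets, flags a second SPF record, and checks the all qualifier. The TXT contents shown for _spf.google.com and spf.protection.outlook.com are placeholders, not the real records.

```python
# Offline SPF check for the three rules above. ZONE is a constructed sample
# (name -> TXT strings); the include: target contents are placeholders.
MAX_LOOKUPS = 10
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all"],
    "_spf.google.com": ["v=spf1 include:_nb1.example.net include:_nb2.example.net ~all"],
    "_nb1.example.net": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.example.net": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    # The first mistake from the page: a second record added instead of merging.
    "broken.yourdomain.com": ["v=spf1 include:_spf.google.com ~all",
                              "v=spf1 include:spf.protection.outlook.com -all"],
}

def spf_records(txt_values):
    """Keep only the TXT strings that are SPF records."""
    return [t for t in txt_values if t.lower().startswith("v=spf1")]

def count_lookups(record, zone, depth=0):
    """Count DNS lookups, descending into include:/redirect= targets found in zone."""
    if depth > MAX_LOOKUPS:  # stop runaway include loops
        return MAX_LOOKUPS + 1
    total = 0
    for term in record.split()[1:]:
        t = term.lstrip("+-~?").lower()
        if t.startswith(("include:", "redirect=")):
            total += 1
            target = t[8:] if t.startswith("include:") else t[9:]
            for sub in spf_records(zone.get(target, [])):
                total += count_lookups(sub, zone, depth + 1)
        elif t.split(":")[0].split("/")[0] in ("a", "mx", "ptr", "exists"):
            total += 1  # these mechanisms also cost a lookup; ip4/ip6/all do not
    return total

def check_spf(domain, zone):
    """Return record count, lookup count, the final qualifier and a list of problems."""
    records = spf_records(zone.get(domain, []))
    result = {"records": len(records), "lookups": 0, "qualifier": None, "problems": []}
    if not records:
        result["problems"].append("no SPF record published")
        return result
    if len(records) > 1:
        result["problems"].append("multiple SPF records: receivers ignore all of them")
    result["qualifier"] = records[0].split()[-1].lower()
    if result["qualifier"] not in ("~all", "-all"):
        result["problems"].append("record should end with ~all (warmup) or -all (stable)")
    result["lookups"] = count_lookups(records[0], zone)
    if result["lookups"] > MAX_LOOKUPS:
        result["problems"].append(f"{result['lookups']} DNS lookups, limit is {MAX_LOOKUPS}")
    return result
```

Run check_spf against every sending domain and subdomain, since an apex record says nothing about outreach.yourdomain.com.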
DKIM: proving the email wasn't tampered with
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The receiving server checks the signature against a public key published in your DNS.
Setup for Google Workspace:
1. Admin Console → Apps → Google Workspace → Gmail → Authenticate Email
2. Click 'Generate New Record'
3. Copy the TXT record value
4. Add it to your DNS as a TXT record with the name google._domainkey
DKIM is the most commonly skipped record — because it's more technical than SPF — and it's the one that has the biggest individual impact on deliverability. Skip SPF and some emails get through. Skip DKIM and most emails look suspicious.
DMARC: what happens when things fail
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM. It tells inbox providers two things: (1) what to do when authentication fails, and (2) where to send reports about authentication results.
Start with monitoring only: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
After 2–4 weeks of clean reports, move to quarantine: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com
Once confident (usually month 2+), move to reject: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
The reports sent to your rua= address will show you who's sending email using your domain — including any unauthorized senders. This is also how you catch spoofing attempts.
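As an added example (not part of the original article), here is a parser for the aggregate XML reports that arrive at the rua= address, run over a constructed report: it groups message counts by source IP and lists the sources that never produce an aligned SPF or DKIM pass, which is how an unauthorized or forgotten sender shows up in the data. The receiver name, IPs and counts are made up.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate (rua) report in the RFC 7489 XML layout.
# IPs are documentation ranges; receiver name, counts and selector are made up.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><dkim><domain>yourdomain.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results><spf><domain>other.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize(report_xml):
    """Per source IP: messages that passed DMARC (SPF or DKIM aligned) vs failed."""
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p")
    by_ip = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        # policy_evaluated holds the aligned results. The second record above has a
        # raw SPF pass for other.example, but that is not aligned with header_from,
        # so it counts as a DMARC failure.
        aligned = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        by_ip[row.findtext("source_ip")]["pass" if aligned else "fail"] += int(row.findtext("count"))
    return policy, dict(by_ip)

def unauthorized_sources(report_xml):
    """Source IPs that never produced an aligned pass: either spoofing or a sending
    service that still needs SPF/DKIM before the policy moves past p=none."""
    _, by_ip = summarize(report_xml)
    return sorted(ip for ip, c in by_ip.items() if c["fail"] and not c["pass"])
```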
How to verify your setup
After configuring all three records, verify them before sending a single email:
1. MXToolbox (mxtoolbox.com/SuperTool.aspx) — checks SPF, DKIM, DMARC, and blacklist status
2. Mail Tester (mail-tester.com) — send a test email and get a deliverability score with specific issues flagged
3. Google Postmaster Tools — if you're sending to Gmail recipients, this shows your domain's reputation directly from Google's perspective
Run these checks on every sending domain, not just your primary. A single misconfigured domain in a pool of 10 can drag down the reputation of the others through IP association.
The four mistakes that silently kill deliverability
These are the errors we see most frequently when auditing customer setups:
- Multiple SPF records: adding a second SPF record instead of merging into one. Both get ignored by the receiving server. Your domain has zero SPF protection and you don't know it.
- DKIM not rotated after provider change: switched from one ESP to another but left the old DKIM key. Now DKIM validation fails on every email.
- DMARC set to reject too early: going straight to p=reject before verifying SPF and DKIM are clean. Legitimate emails get blocked.
- Subdomains not covered: SPF and DKIM configured on the apex domain but not on the subdomain you're actually sending from. If you send from outreach.yourdomain.com, that subdomain needs its own records.
Frequently asked questions
Do I need all three (SPF, DKIM, DMARC) for cold email?
Yes. As of 2024, Google and Yahoo require all three for bulk senders. Missing any one will cause deliverability issues — even if the other two are correctly configured.
What's the most commonly misconfigured record?
DKIM. It requires generating a key pair through your email provider and adding the public key as a DNS TXT record. Many teams set up SPF and DMARC but skip DKIM because it's more technical — and it's the one that matters most.
Should I set DMARC to reject?
Not immediately. Start with p=none (monitoring), move to p=quarantine after 2–4 weeks of clean reports, then p=reject once you're confident. Going straight to reject will block legitimate emails if anything is misconfigured.
Can I have multiple SPF records?
No. You can only have one SPF record per domain. If you use multiple sending services, combine them into one record using multiple 'include:' directives.