How to Set Up SPF, DKIM, and DMARC for Cold Email Outreach (Step-by-Step)
Getting your DNS records wrong is the fastest way to kill your cold email deliverability before you send a single message. SPF, DKIM, and DMARC are not optional extras — they are the foundational authentication layer that tells Gmail, Outlook, and every other major email provider that your emails are legitimate.
This guide walks through exactly how to configure each record, step by step, using Google Workspace as the primary example. The same principles apply to Microsoft 365 and other providers — the specific record values differ, but the logic is identical.
What Each Record Does and Why It Matters
Before setting up the records, it helps to understand what each one actually does. These aren't interchangeable — each solves a different part of the email authentication problem.
SPF (Sender Policy Framework)
SPF is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from you@yourdomain.com, it looks up your domain's SPF record to verify the sending server's IP address is on the approved list.
Without SPF, anyone can send email "from" your domain. With SPF, unauthorized senders fail the check and their emails are marked suspicious or rejected.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every email you send. The sending server signs each message with a private key, and publishes the corresponding public key in a DNS TXT record. Receiving servers use the public key to verify the signature — confirming the email wasn't modified in transit and genuinely came from your domain.
DKIM protects against email tampering and strengthens your domain's identity. It's a direct signal that boosts inbox placement rates.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC builds on SPF and DKIM by telling receiving servers what to do when authentication fails. It also adds an alignment requirement — the "From" domain must match the domain in the SPF or DKIM record.
DMARC has three policy levels: p=none (monitor only), p=quarantine (send to spam), and p=reject (block entirely). For cold email, start with p=none.
Step 1: Set Up SPF for Google Workspace
Log into your domain registrar (GoDaddy, Namecheap, Cloudflare, etc.) and navigate to DNS settings.
Add a new TXT record with these values:
- Type: TXT
- Name/Host: @ (or leave blank — this means the root domain)
- Value: v=spf1 include:_spf.google.com ~all
- TTL: 3600 (1 hour) or your registrar's default
If you're using Microsoft 365 instead of Google Workspace, the value is:
v=spf1 include:spf.protection.outlook.com ~all
Important SPF rules:
- You can only have one SPF record per domain. If you have multiple sending services (e.g., Google + Mailgun), combine them in one record: v=spf1 include:_spf.google.com include:mailgun.org ~all
- SPF has a 10 DNS lookup limit. Each include: statement counts as one lookup. Exceeding 10 breaks SPF.
- Use ~all (softfail) rather than -all (hardfail) for cold email. Hardfail can cause legitimate mail to be rejected if your setup has any gaps.
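The two rules above (one record per domain, at most 10 DNS lookups) can be checked before publishing. The following is an added example, not part of the original guide: it goes one step further than the rule as stated by also counting lookups nested inside included records, which RFC 7208 counts toward the same limit. The ZONE contents and the function names are constructed for illustration and are not real provider records.

```python
# Added example: offline SPF lint. ZONE is constructed sample data, not live DNS.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # RFC 7208 section 4.6.4

ZONE = {  # domain -> TXT strings (constructed; real providers publish other values)
    "yourdomain.com": ["v=spf1 include:_spf.google.com include:mailgun.org ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.example ~all"],
    "_netblocks.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "mailgun.org": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "twospf.example": ["v=spf1 include:_spf.google.com ~all",
                       "v=spf1 include:mailgun.org ~all"],
}

def spf_records(zone, domain):
    """Return the TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, domain, path=()):
    """Count DNS-querying terms, following include: and redirect= recursively."""
    recs = spf_records(zone, domain)
    if domain in path or len(recs) != 1:   # loop, or nothing usable to follow
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        term = term.lstrip("+-~?")         # drop the qualifier
        name, _, target = term.partition("=" if term.startswith("redirect=") else ":")
        if name == "redirect" or name.split("/")[0] in LOOKUP_TERMS:
            total += 1                     # this term costs one lookup itself
        if name in ("include", "redirect") and target:
            total += count_lookups(zone, target, path + (domain,))
    return total

def lint_spf(zone, domain):
    """Return a list of problems; an empty list means the record looks sane."""
    recs = spf_records(zone, domain)
    if not recs:
        return ["no SPF record"]
    if len(recs) > 1:
        return ["%d SPF records published; receivers treat this as an error" % len(recs)]
    problems = []
    n = count_lookups(zone, domain)
    if n > 10:
        problems.append("%d DNS lookups; the limit is 10" % n)
    if "redirect=" not in recs[0] and recs[0].split()[-1].lstrip("+-~?") != "all":
        problems.append("record does not end in an all mechanism")
    return problems
```

To lint a live domain, fill the zone dictionary from real TXT lookups for the domain and every include: target it references.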
Step 2: Set Up DKIM for Google Workspace
DKIM setup in Google Workspace requires generating a key in the Admin Console and then publishing the public key in DNS.
In Google Admin Console:
- Go to Apps > Google Workspace > Gmail
- Click "Authenticate email"
- Select your domain from the dropdown
- Click "Generate new record"
- Choose DKIM key length: select 2048-bit (more secure than 1024-bit)
- The selector prefix defaults to google — leave this as-is
- Copy the generated TXT record value
In your DNS settings:
- Type: TXT
- Name/Host: google._domainkey
- Value: The long string Google generated (starts with v=DKIM1; k=rsa; p=...)
- TTL: 3600
After publishing the DNS record (allow 15–60 minutes for propagation), return to Google Admin Console and click "Start authentication." Google will verify the record and activate DKIM signing.
For Microsoft 365: Navigate to Security > Email & collaboration > Policies & rules > Threat policies > DKIM. Select your domain and enable signing. Microsoft generates the CNAME records for you to publish in DNS.
Step 3: Set Up DMARC
DMARC requires both SPF and DKIM to be working correctly first — DMARC alignment checks depend on both passing. Don't set up DMARC until you've verified SPF and DKIM are functioning.
Starter DMARC record (monitoring only):
- Type: TXT
- Name/Host: _dmarc
- Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1
- TTL: 3600
Replace dmarc@yourdomain.com with an actual email address you monitor — you'll receive aggregate reports (rua) and failure reports (ruf) to this address.
DMARC policy progression:
- Start: p=none — monitor and collect reports, no action on failures
- After 30 days with clean reports: p=quarantine — failed auth goes to spam
- After 60 days with clean reports: p=reject — failed auth is blocked entirely
For cold email, staying at p=none is fine. The primary benefit for deliverability is having a DMARC record present at all — even a monitoring-only policy signals to receiving servers that you care about authentication.
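How a receiver combines the DMARC record with SPF and DKIM results, as an added example that is not part of the original guide. It parses the record, applies the alignment requirement described earlier, and returns the outcome under each policy level. The esp.example domains and function names are constructed, and org_domain is a simplification (real receivers use the Public Suffix List).

```python
# Added example: DMARC evaluation sketch. All domains below are constructed.
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; reject malformed records."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for pair in pairs:
        key, _, value = pair.partition("=")
        tags[key.strip().lower()] = value.strip()
    if not pairs or pairs[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    return tags

def org_domain(domain):
    """ASSUMPTION: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf, dkim):
    """spf and dkim are (passed, domain) pairs: the envelope-sender domain
    for SPF and the signature's d= domain for DKIM."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:          # one aligned pass is enough for DMARC
        return "pass"
    return "fail, policy=" + tags["p"]

# The starter record from this step (ruf omitted for brevity).
RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1"
```

A message whose SPF and DKIM both pass, but only for the sending tool's own domain, still fails DMARC because neither result aligns with the From domain.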
Step 4: Set Up Custom Tracking Domain (Critical)
Every cold email tool uses a tracking domain to log opens (tracking pixel) and clicks (link redirection). By default, most tools use their own shared tracking domain — and those shared domains are often on blacklists due to abuse by other users.
Set up a custom tracking domain for each sending domain. This is a CNAME record pointing to your ESP's tracking infrastructure:
- Type: CNAME
- Name/Host: track (this creates track.yourdomain.com)
- Value: Your ESP's tracking endpoint (e.g., tracking.instantly.ai for Instantly)
After adding the CNAME, go to your ESP settings and set track.yourdomain.com as your custom tracking domain. All open and click tracking will now route through your domain rather than a shared one.
Step 5: Verify Everything Is Working
After publishing all records and waiting for DNS propagation (typically 15 minutes to a few hours), verify each record is resolving correctly.
Use these tools:
- MXToolbox.com — SPF Lookup, DKIM Lookup (enter your selector: google), DMARC Lookup
- Mail-tester.com — send a test email to the address they provide. Score of 9–10/10 means your authentication is clean.
- Google Postmaster Tools — sign up at postmaster.google.com and verify your domain. Monitor domain reputation and authentication pass rates.
A fully configured domain should show:
- SPF: PASS
- DKIM: PASS (using the google selector)
- DMARC: Record found, policy configured
- Mail-tester score: 9–10/10
Common Mistakes to Avoid
These are the most frequent errors when setting up DNS for cold email:
- Multiple SPF records — You can only have one. Merge all include: statements into a single TXT record.
- Forgetting to activate DKIM in Google Admin — Publishing the DNS record alone is not enough. You must click "Start authentication" in the Admin Console.
- Using the wrong host for DKIM — The Name/Host field must be google._domainkey, not just _domainkey.
- Setting DMARC before SPF/DKIM are confirmed working — DMARC can cause legitimate email to fail if SPF or DKIM has errors.
- Skipping the custom tracking domain — Using your ESP's default tracking domain is a significant deliverability risk.
For a complete walkthrough of the full cold email infrastructure — including domain purchasing strategy and warm-up schedules — see our cold email deliverability checklist and our email domain warm-up guide.
