Live Direct Marketing
HomeBlogDeliverability

Setting Up SPF, DKIM and DMARC on a New Cold Outreach Domain, Step by Step

July 7, 2026 · 11 min read · Guide: Deliverability

Since the major mailbox providers tightened their bulk-sender rules, an unauthenticated domain doesn't get filtered — it gets rejected. If you're standing up new sending domains for B2B cold outreach, SPF, DKIM and DMARC are no longer optional hygiene; they're the entry ticket. This guide walks through the setup in the order that avoids rework, shows how to verify each record actually works, and flags the handful of mistakes that quietly break deliverability weeks later.

Key takeaways
  • Gmail and Microsoft now effectively require SPF, DKIM and DMARC from any sender they don't already know — authentication failures mean rejection, not just spam-foldering.
  • Use a dedicated domain or subdomain for cold outreach so its reputation never touches your main company mail.
  • SPF says which servers may send for you, DKIM cryptographically signs each message, DMARC tells receivers what to do when both fail — you need all three, aligned.
  • Start DMARC at p=none with reports enabled, watch for a couple of weeks, then move to quarantine or reject once legitimate mail passes cleanly.
  • Verify with real test sends and header inspection, not just DNS lookups — a record can exist and still fail alignment.

Why authentication is the first thing filters check

Before a mailbox provider evaluates your subject line, your copy or your sending volume, it answers one question: is this message really from the domain it claims to be from? SPF, DKIM and DMARC are the three standards that answer it. SPF (Sender Policy Framework) publishes the list of servers allowed to send mail for your domain. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature that proves the message wasn't altered and was signed by a key your domain controls. DMARC ties the two together: it tells receivers what to do when a message fails, and — critically — requires that the domain the recipient sees in the From line matches the domain that passed SPF or DKIM. That match is called alignment, and it's where most half-done setups fall apart.

For cold senders the stakes are higher than for newsletter senders. A subscriber's mailbox already has history with a newsletter domain; your cold email arrives with zero prior relationship, so authentication is one of the few positive signals you can present on the first contact. An address-based B2B program lives or dies on those first impressions: you're sending a modest number of carefully targeted letters to named decision-makers, and every one of them has to clear the technical bar before a human ever sees it.

The provider requirements introduced in 2024 made this concrete: senders above fairly low volume thresholds must have SPF and DKIM passing, a DMARC record published, and aligned From domains. Below the thresholds the rules are softer on paper, but in practice filters treat unauthenticated mail from an unknown domain as presumptively suspicious. Assume the strict rules apply to you.

Step 0: choose the right domain before touching DNS

Never run cold outreach from your primary company domain. If a campaign misfires — a bad list, a complaint spike — you don't want your invoices, support replies and internal mail paying for it. The standard pattern is a separate domain that clearly belongs to your brand: if your site is acmeanalytics.com, something like acmeanalytics.io, tryacme.com or getacmeanalytics.com. Recipients should recognize you at a glance; lookalike domains that hide the connection erode trust and look like phishing.

A subdomain of your main domain (outreach.acmeanalytics.com) is technically workable but couples reputations more than most teams want for cold traffic — subdomain reputation bleeds into the organizational domain at some providers. Most experienced cold-email operations use separate purchased domains and accept the modest cost.

Buy the domain, set up mailboxes with a real provider (Google Workspace or Microsoft 365 are the common choices), and immediately create a redirect from the outreach domain's web root to your main site. A domain with no website behind it is a spam signal; a redirect to a legitimate company site resolves it. Then let the domain age while you do the DNS work — plan for two to four weeks between purchase and first cold sends, filled with warm-up traffic.

Step 1: SPF — publish who may send for you

SPF is a single TXT record at the root of your sending domain listing the systems authorized to send mail on its behalf. If you send only through Google Workspace, the record is v=spf1 include:_spf.google.com ~all. Sending through Microsoft 365 it's v=spf1 include:spf.protection.outlook.com ~all. If a sending platform relays your mail through its own servers, its documentation will give you an include to add.

Two rules keep SPF healthy. First, exactly one SPF record per domain — publishing two TXT records that both start with v=spf1 is an instant permanent error, and it's one of the most common misconfigurations in the wild. If you need multiple senders, combine them into one record with multiple include statements. Second, stay under the 10-DNS-lookup limit: every include, a, mx and redirect mechanism costs lookups, and includes nest. Blow past ten and receivers treat the record as failed. Cold outreach domains rarely hit this because they should have few senders anyway — if your outreach domain needs six includes, that's a sign too many systems share one reputation.

End the record with ~all (softfail) rather than -all while you're setting things up; you can tighten later. And note what SPF alone doesn't do: it validates the envelope sender (the Return-Path), which recipients never see, and it breaks on forwarding. That's why DKIM and DMARC exist.

Example

Combined SPF for a domain sending via Google Workspace plus a transactional relay: v=spf1 include:_spf.google.com include:sendgrid.net ~all — one record, both senders, four lookups.

Step 2: DKIM — sign every message

DKIM works with a key pair: your mail provider holds the private key and signs each outgoing message; you publish the public key in DNS so receivers can verify the signature. Setup is done in the provider's admin console, not by hand. In Google Workspace: Admin console → Apps → Google Workspace → Gmail → Authenticate email → generate a 2048-bit key, publish the TXT record it gives you at the specified selector (like google._domainkey.yourdomain.com), then click Start authentication. In Microsoft 365 the flow is similar through the Defender portal, publishing two CNAME records.

Always choose 2048-bit keys where offered — 1024-bit still validates but is considered weak. If a third-party sending tool sends mail on your behalf, it must sign with a DKIM key on your domain, not its own; a tool that can only sign with its shared domain will fail DMARC alignment for you. Any serious platform lets you add a custom DKIM domain — this is worth checking before you commit to a tool.

The most common DKIM failure isn't the record — it's forgetting to flip the switch. Publishing the key in DNS does nothing until you activate signing in the provider console. Send yourself a test message and check the headers: you want a DKIM-Signature header with d=yourdomain.com and dkim=pass in the Authentication-Results header at the receiving end.

Step 3: DMARC — set policy and turn on the reports

DMARC is a TXT record at _dmarc.yourdomain.com. It does three jobs: it requires alignment between the visible From domain and the domains that passed SPF or DKIM; it declares your policy for failures (none, quarantine or reject); and it asks receivers to send you aggregate reports about mail claiming to be from your domain. A sane starting record: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r.

Start at p=none. This enforces nothing but turns on the reporting — for one to two weeks you watch the aggregate reports (raw XML is unreadable; use any of the free or cheap DMARC report processors) and confirm every legitimate sending path passes with alignment. Once your own mail is passing cleanly, move to p=quarantine, then p=reject. For a fresh outreach domain with exactly one mail provider this progression can take two or three weeks; there's no reason a dedicated cold-email domain should sit at p=none for months.

Getting to quarantine or reject matters for two reasons. First, several large receivers treat a permissive DMARC policy as a weaker trust signal — you get credit for enforcement. Second, it actually protects you: a cold outreach domain that spammers can spoof will inherit their complaints. Alignment mode can stay relaxed (adkim=r; aspf=r) — strict mode adds little for a simple setup and breaks things when subdomains enter the picture.

Example

Progression on a new outreach domain: week 1–2 — v=DMARC1; p=none; rua=mailto:reports@yourdomain.com. Week 3 — p=quarantine; pct=100. Week 4+ once reports are clean — p=reject.

Step 4: verify with real sends, not just DNS checks

DNS lookup tools confirm your records exist; they can't confirm your mail passes. The real test is sending. Send a normal message from each mailbox on the new domain to a Gmail account you control, open it, and use Show original — Gmail displays a summary table with SPF, DKIM and DMARC results. You want three passes and matching domains. Repeat toward an Outlook.com address and read the Authentication-Results header there. Free multi-check tools that give you a one-time address to send to and return a graded report are also useful for catching secondary issues like missing reverse DNS on relay IPs.

Check alignment specifically. A message can show spf=pass and dkim=pass and still fail DMARC, because SPF passed on the sending tool's bounce domain and DKIM was signed by the tool's shared key — neither matching your From domain. The Authentication-Results header shows which domain each check evaluated; both, or at least one, must be your visible From domain.

Finally register the domain with Google Postmaster Tools and Microsoft SNDS. At cold-outreach volumes the dashboards will be sparse, but they're where you'll see reputation and spam-rate data if something goes wrong later, and enrolling costs nothing. From this point authentication is done — what remains is behaving well: gradual warm-up, verified lists, low volumes per mailbox, and copy written for one named person rather than a segment.

The mistakes that undo everything

A short catalogue from the field. Two SPF records on one domain — permanent error, everything fails; merge them. DKIM key published but signing never activated in the console — headers show dkim=none while you believe you're covered. Sending tool signs with its own domain — passes DKIM, fails DMARC alignment, and you only notice when reports arrive. DMARC left at p=none forever — no protection, weaker trust signal. Return-Path domain not aligned and SPF alignment failing silently while DKIM carries you — fragile, breaks the day DKIM has an issue. And the classic: authenticating perfectly, then burning the domain in week one with 500 cold sends a day off an unverified list. Authentication gets you judged fairly; it doesn't survive bad behavior.

One more that's specific to cold outreach at scale: cloning a dozen domains with identical DNS, identical copy and interleaved sending. Filters cluster infrastructure, and a network of thin lookalike domains reads as a spam operation regardless of how clean each record is. Fewer domains, properly aged, sending small volumes of genuinely individual mail to researched decision-makers outperform a domain farm on every metric that matters — replies included.

Also remember that authentication is a technical claim of identity, not a legal one. Under CAN-SPAM your From line and header information must be truthful, and under GDPR you need a defensible lawful basis for contacting each person. A perfectly authenticated message that misleads about who's sending it is still non-compliant. The point of the whole exercise is the opposite: making it verifiable that a real company is writing a real business letter.

A compressed checklist for every new sending domain

Here is the whole guide as a runbook. Day one: register a brand-adjacent domain, create mailboxes, redirect the web root to your main site. Day one to two: publish SPF (one record, ~all), generate and activate a 2048-bit DKIM key, publish DMARC at p=none with rua reporting. Day two: test sends to Gmail and Outlook, inspect Authentication-Results, confirm SPF, DKIM, DMARC all pass with alignment; enroll in Postmaster Tools. Weeks one to three: warm up gradually — replies and normal correspondence first, then small cold volumes; watch DMARC reports; escalate policy to quarantine, then reject. Ongoing: keep per-mailbox cold volume in the tens per day, verify every list before sending, monitor bounce and complaint rates, and re-run the header check whenever you add or change a sending tool.

Teams running address-based outreach through a platform like LDM get most of the monitoring for free — DNS checks, per-account sending limits, warm-up pacing and bounce handling are enforced in the product — but the DNS records live in your registrar and the responsibility for them stays with you. Ten careful minutes per record, once, buys you a domain that filters judge on behavior. That's the fairest deal in deliverability, and it's the foundation everything else in cold email stands on.

FAQ

Do I really need all three — SPF, DKIM and DMARC — for cold email?

Yes. The major mailbox providers' sender requirements expect all three from anyone they don't already trust, and DMARC only works when at least one of SPF or DKIM passes with an aligned domain. Setting up two of the three leaves a gap that shows up as rejections or spam placement precisely when you can least diagnose it.

Should cold outreach run on my main company domain if it's authenticated?

No. Authentication protects your identity, not your reputation. If a campaign generates complaints, the domain that sent it pays — and you don't want that to be the domain carrying your invoices and support mail. Use a separate, clearly brand-related domain dedicated to outreach.

How long should DMARC stay at p=none?

Long enough to confirm from aggregate reports that all your legitimate mail passes with alignment — typically one to two weeks for a fresh single-provider domain. Then move to quarantine and on to reject. Leaving a dedicated outreach domain at p=none indefinitely forfeits both protection and the trust credit enforcement earns.

My SPF and DKIM both pass but DMARC fails. How?

Alignment. DMARC requires that the domain shown in the From header matches the domain SPF or DKIM actually validated. If your sending tool passes SPF on its own bounce domain and signs DKIM with its own key, both checks pass — for the tool's domains, not yours. Fix it by adding a custom DKIM key on your domain and, ideally, a custom Return-Path.

Does authentication guarantee inbox placement?

No — it guarantees you're eligible to compete for it. Placement is then decided by reputation and engagement: warm-up history, complaint and bounce rates, volume patterns, and whether recipients reply to you. Authentication failing means rejection; authentication passing means the filter moves on to judging your behavior.

How many mailboxes and domains does a small B2B outreach program need?

Less than the growth-hacking playbooks suggest. One or two dedicated domains with two or three mailboxes each, sending tens of researched emails a day per mailbox, covers most address-based B2B programs. Domain farms with cloned DNS get clustered by filters and defeat the purpose — quality of targeting scales results better than quantity of infrastructure.

Important: this is not bulk email and not spam. We run targeted outreach: every message goes to a specific representative of a specific company for a legitimate business reason, in small daily volumes, personalised to the recipient. Every email identifies the sender and includes one-click opt-out; unsubscribes and stop-lists apply to all future campaigns without exception. Companies that ask not to be contacted are excluded permanently.

Want to apply this to your outreach?

We will map it to your segment and product — before any work starts.

Talk to us