Live Direct Marketing
HomeBlogDeliverability

SPF, DKIM and DMARC for Cold Email Domains: Setup That Survives Scrutiny

July 7, 2026 · 11 min read · Guide: Deliverability

Since Google and Yahoo tightened bulk-sender requirements, missing or broken authentication is no longer a reputation penalty — it is a rejection reason. For a domain running B2B cold outreach the stakes are higher still: you send to strangers, so mailbox providers extend you zero benefit of the doubt. This guide walks through configuring SPF, DKIM and DMARC correctly, in the right order, with the alignment details that cold senders most often get wrong.

Key takeaways
  • SPF says which servers may send for your domain, DKIM cryptographically signs each message, DMARC ties both to the visible From address and tells receivers what to do on failure.
  • All three are now effectively mandatory: major providers require them for bulk senders, and corporate gateways score unauthenticated mail harshly.
  • Alignment is the detail most cold senders miss — SPF or DKIM must pass for the same domain the recipient sees in the From line.
  • Roll out DMARC in stages: monitor with p=none first, read the reports, then move to quarantine and reject once legitimate mail passes cleanly.
  • Use a dedicated sending domain for cold outreach with its own full authentication stack, so the primary company domain never carries the risk.

What each protocol actually does

SPF (Sender Policy Framework) is a DNS record listing the servers allowed to send mail on behalf of your domain. When your message arrives, the receiving server checks whether the connecting IP is on that list. It is the oldest and simplest of the three — and the weakest alone, because SPF checks the invisible envelope sender, not the From address a human sees.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message, generated with a private key on the sending server and verified against a public key published in your DNS. A valid signature proves the message really came from an authorized sender and was not altered in transit. Unlike SPF, DKIM survives forwarding, which matters in B2B where mail routinely passes through gateways and internal redirects.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer on top. It requires that SPF or DKIM not only pass, but pass for the domain shown in the From header — this is alignment — and it publishes your instruction for what receivers should do with failing mail: deliver anyway (none), send to spam (quarantine) or refuse (reject). DMARC also gives you reporting, which is how you see who is sending as your domain, legitimately or not.

For a cold sender the practical summary: SPF and DKIM get you scored as authenticated; DMARC alignment gets you scored as honest. Corporate mail gateways — your actual audience in B2B — check all three.

Setting up SPF without breaking it

Your SPF record is a single TXT record at the root of the sending domain. It enumerates sending sources with include: statements — your mail provider (Google Workspace, Microsoft 365) plus any sending platform — and ends with an all qualifier. Use ~all (softfail) during setup and testing; -all (hardfail) is fine once you are certain the record covers every legitimate source.

The classic SPF failure is the 10-DNS-lookup limit. Every include, a, mx and redirect mechanism costs lookups, and nested includes from providers count too. Exceed ten and SPF returns a permanent error — which under DMARC counts as a failure. Cold senders hit this when they bolt a sending platform, a CRM, a helpdesk and a marketing tool onto one domain. Audit the chain with any SPF checker, remove sources that no longer send, and remember: a dedicated cold-outreach domain usually needs exactly one or two includes.

One record only. Two TXT records both starting with v=spf1 make SPF permanently invalid — a surprisingly common state on domains where several tools each pasted their own record. Merge them into one.

Example

A clean SPF record for a dedicated cold-sending domain on Google Workspace: v=spf1 include:_spf.google.com ~all — one include, three lookups, nothing else. Resist adding tools to this domain that do not need to send from it.

DKIM: sign with your own domain, 2048-bit

DKIM setup runs through your mail or sending platform: it generates a key pair, you publish the public key as a TXT record at selector._domainkey.yourdomain, and the platform starts signing outgoing mail. Generate 2048-bit keys where offered — 1024-bit still validates but is being deprecated and looks dated to security-conscious gateways.

The trap for cold senders is the signing domain. Some platforms sign with their own domain by default, and the signature validates — but it validates for the platform's domain, not yours, so it does nothing for DMARC alignment. Always complete the custom-domain DKIM step so the d= field in the signature is your sending domain. If you cannot see your own domain in the DKIM-Signature header of a test message, alignment will fail regardless of how green the platform dashboard looks.

Verify by sending a message to a mailbox you control and reading the headers: Authentication-Results should show dkim=pass with d=yourdomain. Gmail's show original view presents this in a readable summary table. Do this once per sending source — every mailbox provider or platform in your stack signs independently.

DMARC: staged rollout, not a copy-paste record

Publish DMARC as a TXT record at _dmarc.yourdomain. Start with monitoring mode: v=DMARC1; p=none; rua=mailto:reports@yourdomain — this changes nothing about delivery yet, but receivers begin sending you aggregate reports listing every source that sends as your domain and whether it passes alignment.

Run p=none for two to four weeks and actually read the reports (raw XML is unreadable; any free DMARC report viewer makes it digestible). You are looking for two things: legitimate sources that fail alignment — usually a tool with unsigned or platform-signed DKIM — and unknown sources, which are either forgotten infrastructure or someone spoofing you. Fix the legitimate failures first.

Then tighten in steps: p=quarantine, optionally with pct= to apply it to a fraction of failing mail first, then p=reject once weeks of reports show clean alignment from everything real. For a dedicated cold-sending domain this progression can be quick — there are only one or two sources to verify — and ending at reject is the right destination: providers increasingly treat p=none as a formality and give full trust only to enforced policies.

Note the direction of causality: DMARC at reject does not boost deliverability by itself; it removes doubt. Combined with clean volume patterns, verified lists and content that earns replies, it tells corporate gateways that mail claiming to be you is provably you — which is the baseline for everything else you do in cold outreach to work.

Mistakes that keep cold senders in the spam folder

Most authentication problems in cold outreach are not exotic. The same short list accounts for nearly all failures we see on domains coming to us with delivery problems.

Order of operations for a new cold-sending domain

For a fresh dedicated domain, the sequence that avoids self-inflicted damage: register the domain and set up the mailbox provider; publish SPF with the provider's single include and ~all; enable DKIM with a 2048-bit key signed by your domain and verify d= in real headers; publish DMARC at p=none with a reporting address; begin domain warmup at low daily volume.

During the warmup weeks, watch the DMARC reports. By the time the domain is ready for real campaign volume — typically three to four weeks of gradually increasing, human-looking activity — you should have clean reports and can move to quarantine, then reject. Authentication and warmup finish together, which is convenient: both are prerequisites for the first real send, not optimizations after it.

In LDM, domain and mailbox onboarding runs this checklist automatically — DNS records are validated, DKIM alignment is verified against live headers rather than dashboard status, and campaigns cannot start on a domain that fails authentication checks. If you run your own stack, replicate that gate manually: five minutes with a DNS checker and one test message with visible headers, before any prospect sees your mail.

FAQ

Do I really need all three — SPF, DKIM and DMARC — for cold email?

Yes. Google and Yahoo require authentication from bulk senders, and corporate gateways score unauthenticated mail harshly. SPF alone fails on forwarding, DKIM alone leaves the From address unverified, and DMARC is what binds either to the domain the recipient actually sees. Treat the trio as one mandatory unit.

What DMARC policy should a cold-sending domain use?

End state: p=reject. Path: start at p=none with reporting, fix any alignment failures the reports reveal, pass through p=quarantine, and enforce reject once several weeks of reports are clean. On a dedicated sending domain with one or two sources, this whole progression can take under a month.

What is DMARC alignment in plain terms?

The domain that passes SPF or DKIM must match the domain in the visible From header. A platform can pass SPF for its own infrastructure domain while your From says yourcompany.com — technically authenticated, but not aligned, so DMARC fails. Custom-domain DKIM is usually the fix.

Should I authenticate my main company domain and send cold email from it?

Authenticate the main domain regardless — that protects normal correspondence from spoofing. But send cold outreach from a separate dedicated domain with its own authentication stack. If a campaign damages reputation, the blast radius stays contained and your invoices, support and internal mail keep delivering.

How do I check whether my authentication actually works?

Send a message to a mailbox you control and open the full headers. Authentication-Results should show spf=pass, dkim=pass with d= equal to your sending domain, and dmarc=pass. Dashboard checkmarks in a sending tool are not sufficient — they often report the platform's own authentication, not your domain's alignment.

Does moving DMARC to p=reject improve deliverability?

Indirectly. Enforcement does not add points by itself, but providers discount p=none as unenforced and treat reject as a strong honesty signal. More importantly, reject stops spoofers from burning your domain's reputation with mail you never sent — damage you would otherwise inherit invisibly.

Important: this is not bulk email and not spam. We run targeted outreach: every message goes to a specific representative of a specific company for a legitimate business reason, in small daily volumes, personalised to the recipient. Every email identifies the sender and includes one-click opt-out; unsubscribes and stop-lists apply to all future campaigns without exception. Companies that ask not to be contacted are excluded permanently.

Want to apply this to your outreach?

We will map it to your segment and product — before any work starts.

Talk to us