Live Direct Marketing
HomeBlogDeliverability

SPF for a Domain That Sends B2B Cold Outreach, Not Newsletters

July 7, 2026 · 11 min read · Guide: Deliverability

A cold email to a named decision-maker fails for one of two reasons before the recipient ever reads a word: it never reaches the inbox, or it lands in spam next to newsletter blasts it has nothing in common with. SPF is the DNS record that tells a receiving mail server which servers are allowed to say 'this domain sent this message' — and for a domain running targeted B2B outreach, getting it wrong is one of the fastest ways to guarantee the second outcome. Here is what the record actually does, how to set it up correctly, and where its protection stops.

Key takeaways
  • SPF is a DNS TXT record authorizing which mail servers may send as your domain; receivers check it against the envelope-from (return-path) domain, not the visible From: header.
  • A domain can carry only one SPF record — two separate TXT records starting with v=spf1 make SPF invalid for the whole domain, not just for the second tool.
  • The mechanism chain (include, a, mx, exists, redirect) is capped at 10 DNS lookups; exceeding it fails SPF even for a correctly configured, legitimate sender.
  • SPF alone doesn't authenticate what the recipient sees in the From: field — DKIM and DMARC alignment are what actually connect an SPF pass to sender trust.
  • Use ~all (softfail) while validating a new setup and move to -all (hardfail) only once every legitimate sending source has been confirmed to pass.

Why a Missing SPF Record Sinks B2B Cold Outreach

Before a receiving mail server shows a message to anyone, it asks a question: is the server that just connected to deliver this mail actually authorized to send on behalf of the domain named in the envelope? SPF is the answer file. Without it, there's nothing to check against, so the filter falls back on reputation signals alone — and reputation is thin for any domain or mailbox that hasn't been sending at volume for months.

Cold outreach amplifies this risk in a way newsletter sending doesn't. A targeted B2B campaign to named companies is inherently low-volume, spread thin across dozens of different receiving domains, often from mailboxes that are only weeks old. Every one of those receiving servers is evaluating an unfamiliar sending pattern with no history to lean on. If SPF is missing or broken, that's one more unknown stacked on top of several — and for spam filters, it's frequently the deciding one.

The symptom practitioners recognize: a campaign gets a normal reply rate from Gmail-hosted recipients but goes nearly silent at Microsoft 365 domains, or vice versa. That asymmetry is the fingerprint of an authentication problem specific to how one provider scores unauthenticated mail, and SPF is the first thing worth checking when it shows up.

How SPF Actually Works: the Envelope-From Check

Mechanically, SPF (Sender Policy Framework) is a single TXT record published at the root of the sending domain, starting with the string v=spf1 and followed by a list of mechanisms that name authorized senders, ending in a catch-all rule for everything else.

The domain SPF checks is not the one a recipient sees in their inbox. During the SMTP handshake, the sending server issues a MAIL FROM command carrying the envelope-from (also called the return-path) address — that's the domain SPF validates, separately from the visible From: header a person reads. For most cold-outreach setups the two match, but any relay, ESP, or bounce-handling tool that rewrites the return-path can quietly break that assumption if it isn't accounted for.

The common mechanisms: ip4: and ip6: authorize a specific server by address; a authorizes the domain's own A record; mx authorizes its mail servers; include: delegates to another domain's SPF record, which is how you fold in a provider like Google Workspace or Microsoft 365 without listing their infrastructure by hand. Each mechanism carries a qualifier — + for pass (the default, usually omitted), ~ for softfail, - for hardfail, ? for neutral — and the record closes with an all mechanism that decides what happens to anything not explicitly listed.

Example

v=spf1 include:_spf.google.com ip4:203.0.113.45 ~all — this authorizes anything Google Workspace's own SPF record permits (the mailboxes actually sending the outreach), plus one specific dedicated server at 203.0.113.45 (for example, a transactional relay handling opt-out confirmations), and softfails everything else, meaning unauthorized senders are flagged but not automatically rejected.

Setting Up SPF for a Domain Sending B2B Outreach

Start by inventorying every system that sends mail as the domain, not just the obvious one. That means the mailbox provider actually doing the sending (Google Workspace, Microsoft 365, or a self-hosted server), any transactional relay handling bounces or opt-out confirmations, and any additional tool — a warm-up service, a CRM's outbound module — that puts the domain in a From: or return-path address. Missing one of these is the single most common cause of a setup that tests clean and then breaks once the campaign actually runs across every channel it uses.

The 10-Lookup Limit and Why SPF Alone Isn't Enough

SPF's specification caps evaluation at 10 DNS lookups, and include, a, mx, exists, and redirect mechanisms all count toward that limit — including lookups nested inside an included record. A domain routing outreach through a mailbox provider, a relay, and a warm-up tool stacks that chain faster than it looks: a single Google Workspace include can itself spend more than one lookup, and every additional provider adds more. Cross the limit and SPF returns a permerror, which most receivers treat as an outright fail — for every sender listed in the record, correctly configured or not.

Even a passing SPF check only proves the return-path domain was authorized; it says nothing about the domain a recipient actually sees in From:, and nothing survives a message being forwarded through another mail system, which routinely breaks SPF entirely. DKIM covers what SPF can't: it attaches a cryptographic signature to the message body and headers, verified against a public key published in DNS, proving the message wasn't altered in transit and that the signing domain is authentic — and unlike SPF, a DKIM signature travels with the message through most forwards. DMARC then ties the two together, requiring that SPF or DKIM (or both) align with the visible From: domain, and publishes a policy — none, quarantine, or reject — telling receivers what to do when that alignment fails.

For a domain running B2B cold outreach, the practical order is: get SPF right first, because it's the cheapest to set up and the most common gap. But don't stop there. DKIM should sign every mailbox actually sending outreach, and even a DMARC record set to monitor-only (p=none) lets you see whether SPF and DKIM alignment is genuinely working before any provider starts enforcing a stricter policy against the domain.

Common SPF Mistakes That Quietly Break Deliverability

Most SPF problems aren't exotic — they're small inventory gaps that accumulate as a sending setup evolves. The pattern practitioners see most often is a domain that worked fine for months, then someone adds a tool or switches a relay and deliverability drops with no obvious cause.

SPF Checklist Before a New Domain Starts Sending Outreach

Before any addressed B2B campaign goes out from a new sending domain or subdomain, verify authentication end to end rather than assuming a mailbox provider handled it automatically on account creation. This is a five-minute DNS lookup and a test send, and it catches the majority of the deliverability problems that otherwise surface only after a campaign has already gone quiet.

FAQ

What is SPF and how does it protect B2B cold outreach?

SPF is a DNS TXT record that lists which mail servers are authorized to send email as your domain. Receiving mail servers check it before delivery, so a correctly published SPF record reduces the chance that legitimate cold outreach is treated as unauthenticated and filtered before a recipient ever sees it.

What's the difference between ~all and -all in an SPF record?

~all is a softfail — mail from unlisted sources is flagged as suspicious but usually still delivered, often to spam. -all is a hardfail, instructing receivers to reject unauthorized mail outright. Use ~all while confirming every legitimate sending source passes, then move to -all once the setup is proven.

Can I publish two SPF records for redundancy?

No. A domain can have only one SPF record; publishing two separate TXT records that both start with v=spf1 makes SPF invalid for the entire domain and typically returns a permerror, which most receivers treat as a fail for every sender listed.

Does passing SPF mean my cold email won't go to spam?

No — SPF only confirms the return-path domain was authorized to send. It doesn't authenticate the visible From: address the recipient sees, and it doesn't survive most forwarding. DKIM signing and a DMARC record with proper alignment are what close that gap alongside SPF.

What is the SPF 10-lookup limit and why does it matter?

SPF evaluation is capped at 10 DNS lookups, and mechanisms like include, a, mx, exists, and redirect all count toward it, including lookups nested inside included records. Stacking too many providers in one record exceeds the limit and causes SPF to fail entirely, even for correctly authorized senders.

Does SPF check the sender name a recipient sees in their inbox?

No. SPF checks the envelope-from (return-path) domain used during the SMTP handshake, not the visible From: header a recipient reads. A message can pass SPF while the visible sender domain is different — which is exactly why DMARC alignment, not SPF alone, is needed to protect the address people actually see.

Important: this is not bulk email and not spam. We run targeted outreach: every message goes to a specific representative of a specific company for a legitimate business reason, in small daily volumes, personalised to the recipient. Every email identifies the sender and includes one-click opt-out; unsubscribes and stop-lists apply to all future campaigns without exception. Companies that ask not to be contacted are excluded permanently.

Want to apply this to your outreach?

We will map it to your segment and product — before any work starts.

Talk to us