How to Set Up SPF, DKIM, and DMARC for Cold Email

For informational purposes only. See our terms. · Published May 18, 2026

Question
Yasmin
Demand Gen Manager

How to set up SPF, DKIM, and DMARC for cold email

My cold emails keep landing in spam no matter what I do. I've optimized my subject lines, cleaned my list, and even switched sending domains — but my SDRs are still reporting that messages aren't reaching prospects. I know it's probably something with DNS records, but the whole SPF/DKIM/DMARC thing feels like a maze. How do I actually set this up correctly without breaking everything?

If your SDRs are watching emails vanish into spam folders, the culprit is almost always the same thing: your DNS authentication records are missing, misconfigured, or misaligned. Three records — SPF, DKIM, and DMARC — determine whether receiving servers trust your mail or bin it. You can fix all three in under an hour. Here's exactly how.

Step 1: Create Your SPF Record

SPF (Sender Policy Framework) tells receiving mail servers which IP addresses and services are authorized to send email on behalf of your domain. If an email arrives from a server not listed in your SPF record, the receiving server knows it's unauthorized.

Every SPF record must start with v=spf1 and end with an -all (hard fail) or ~all (soft fail) directive. For cold email, -all is the recommended default — it signals that anything not explicitly listed is unauthorized.

The 10-lookup limit: Per the SPF specification (RFC 7208), your SPF record is limited to 10 DNS lookups total. Each include:, a:, mx:, and redirect= directive counts toward that limit, including nested lookups inside any include: you reference. Exceed 10 and SPF returns a permerror, authentication fails silently, and your emails go to spam. Use ip4: and ip6: mechanisms where possible; they don't count against the lookup limit.

When to use: Every cold email sending domain needs an SPF record. No exceptions. It's your first authentication layer.

Step 2: Set Up DKIM Signing

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The receiving server uses a public key you publish in DNS to verify the signature — if the message was altered in transit, the signature won't match and DKIM fails.

You don't generate these keys manually. Your email provider (Microsoft 365, Google Workspace, or your sending platform) creates the key pair. You publish the public key as a TXT record at selector._domainkey.yourdomain.com and enable signing in your platform settings. Use 2048-bit keys when your provider supports them.

When to use: Required for bulk senders on both Gmail and Outlook. Google has required SPF, DKIM, and DMARC for senders of 5,000+ emails per day since February 1, 2024. Microsoft enforces the same for high-volume senders (5,000+ emails/day to Outlook.com consumer addresses) as of May 5, 2025. Without DKIM in place at that volume, your mail gets routed to Junk or rejected outright.

Step 3: Configure DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together. It tells receiving servers what to do when an email fails both checks — and critically, it gives you visibility into what's passing and what isn't before you lock anything down.

Start with p=none. Never jump straight to enforcement. Publish a monitoring policy first with a reporting address (rua=mailto:[email protected]) so you can see all your sending sources. Once you've confirmed everything passes alignment, move to p=quarantine, then p=reject.

When to use: Required for compliance with Microsoft's 2025 bulk sender rules (announced April 2025, enforcement from May 5, 2025). Gmail also enforces DMARC for anyone sending 5,000+ emails per day — a p=none policy is acceptable to start.

The One Common Mistake You're Almost Certainly Making

The single most common DNS authentication error is having multiple SPF records on the same domain. Only one SPF TXT record is permitted per domain — having two causes a permerror that silently breaks authentication. According to MailDeck's audit of 1,000+ onboarded cold email domains (note: MailDeck is a cold email infrastructure vendor), multiple SPF records accounted for 23% of setup failures. Check your DNS right now with MXToolbox's SPF Lookup to confirm you only have one.
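Both SPF permerror causes described on this page (more than 10 lookups, and more than one SPF record) can be checked mechanically. The following is an added example, not code from the original page; it runs against a constructed in-memory zone instead of live DNS, every domain in it is a placeholder, and it also counts ptr and exists, which RFC 7208 includes in the limit.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

# Constructed TXT data standing in for live DNS; every name is a placeholder.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.mailer.example include:_spf.crm.example mx -all"],
    "_spf.mailer.example": ["v=spf1 include:a.mailer.example include:b.mailer.example ~all"],
    "a.mailer.example": ["v=spf1 ip4:192.0.2.0/24 a:out.mailer.example ~all"],
    "b.mailer.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 exists:%{i}.crm.example ip6:2001:db8::/32 ~all"],
    "big.example": ["v=spf1 include:yourdomain.com a mx include:_spf.mailer.example -all"],
    "dup.example": ["v=spf1 include:b.mailer.example -all", "v=spf1 ip4:203.0.113.5 -all"],
}

def spf_records(domain, zone):
    """TXT records at `domain` whose first token is v=spf1."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count lookup-consuming terms, following include: and redirect= recursively."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    records = spf_records(domain, zone)
    if len(records) != 1:
        raise ValueError(f"{domain} has {len(records)} SPF records, exactly one is required")
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[1]
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):  # ip4, ip6 and all cost nothing
            total += 1
    return total

def audit(domain, zone=ZONE):
    """Summarize SPF record health for `domain` as (status, detail)."""
    try:
        used = count_lookups(domain, zone)
    except ValueError as exc:
        return ("permerror", str(exc))
    if used > LOOKUP_LIMIT:
        return ("permerror", f"{used} lookups, limit is {LOOKUP_LIMIT}")
    return ("ok", f"{used} of {LOOKUP_LIMIT} lookups used")

if __name__ == "__main__":
    for d in ("yourdomain.com", "big.example", "dup.example"):
        print(d, audit(d))
```

The top-level record for yourdomain.com shows only three lookup terms, yet the nested includes bring it to seven, which is how a record that looks short ends up over the limit.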

The Broader Picture

Cloudflare Radar Q1 2026 data — covering global email traffic broadly, not cold email specifically — shows that 14.54% of all emails still fail SPF authentication, as reported by TechnologyChecker.io. Even with rising DMARC adoption, more than 1 in 7 emails across the ecosystem is failing the most basic authentication check. For cold email senders where every delivered message counts, getting these records right isn't optional.

Verify your full setup with a DMARC checker before you launch your next campaign. Fixing these records is a one-time investment that protects your domain health for every sequence that follows.

Related questions
What's the minimum I need for cold email deliverability?
You need all three: SPF, DKIM, and DMARC. Gmail requires all three for senders of 5,000+ emails per day (since February 2024), and Outlook enforces the same for high-volume senders as of May 2025 — missing any one of them puts your deliverability at serious risk.
How long does it take for DNS records to propagate?
Most DNS changes propagate within 24–48 hours, though some providers reflect changes in as little as 15 minutes. Use a DNS checker like MXToolbox to verify your records are live before launching a campaign.
Can I set up DMARC enforcement (p=reject) right away?
No — start with p=none and a reporting address so you can see which sending sources are passing authentication. Moving to quarantine or reject before you've confirmed alignment across all your senders will cause your legitimate emails to get rejected.
Why does my SPF record fail even though I set it up correctly?
The most likely culprit is either multiple SPF TXT records on the same domain (only one is allowed) or exceeding the 10 DNS lookup limit defined in the SPF standard (RFC 7208) — both cause a permerror that silently breaks authentication.