SPF, DKIM, and DMARC are DNS records that prove your email is actually from your domain. Without them, modern email providers treat your messages as suspicious. Proper configuration is a 20-minute task that most teams do wrong or not at all.
SPF lists the servers authorized to send email on behalf of your domain. It is a TXT record on your domain that says "email from these IPs or hosts is legitimate."
v=spf1 include:_spf.google.com include:sendgrid.net ~all
This says: Google Workspace's servers and SendGrid's servers can send from this domain. Everything else is "soft-fail" (flag but don't reject).
Your sending tool (Instantly, Smartlead, whatever) will tell you what to include. Your email host (Google Workspace, Microsoft 365) will give you their include. Combine them in one record.
DKIM cryptographically signs every outgoing email with a key only your domain controls. Receiving servers verify the signature using a public key published in your DNS.
It provides two things: proof that the email really came from your domain, and proof it wasn't tampered with in transit.
The public key is published in a TXT record at a specific subdomain (typically selector._domainkey.yourdomain.com):
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB...[long key]...
Your sending tool generates the key and gives you the DNS record. You publish it. Most tools support this automatically for their sending domains.
DMARC tells receiving servers what to do with emails that fail SPF or DKIM checks. It also provides reporting so you can see who's sending as your domain.
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100
Month 1: publish DMARC with p=none and rua reporting. Watch who's sending as you.
Month 2-3: identify any legitimate senders failing SPF/DKIM. Fix.
Month 4+: move to p=quarantine, then p=reject once you're confident.
Many domains stay at p=none forever. For cold email sending domains, p=none is sufficient; the key benefit is authentication passing, not the policy enforcement.
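The SPF rule above (combine everything in one record) and the DMARC rollout stages can be checked offline before you publish. The following is an added example, not part of the original page: the function names are hypothetical, the sample records are constructed from the ones shown above, and it lints record strings you paste in rather than querying DNS.

```python
# Added example. Lints TXT record strings offline; all sample records are constructed.
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}  # each costs one DNS lookup

def term_name(term):
    """Strip the qualifier and any argument: '~all' -> 'all', 'include:x' -> 'include'."""
    for sep in (":", "/", "="):
        term = term.split(sep)[0]
    return term.lstrip("+-~?").lower()

def lint_spf(txt_records):
    """Return a list of problems in a domain's TXT records (empty list means clean)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records: evaluation returns permerror, merge into one"]
    terms = spf[0].split()[1:]
    names = [term_name(t) for t in terms]
    problems = []
    # Top-level count only; lookups inside each include also count toward the limit of 10.
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    all_terms = [t for t, n in zip(terms, names) if n == "all"]
    if not all_terms and "redirect" not in names:
        problems.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms and all_terms[-1][0].lower() in "+a":
        problems.append("'+all' authorizes every server on the internet")
    return problems

def dmarc_stage(record):
    """Map a DMARC record to a stage of the p=none -> quarantine -> reject rollout."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    if tags["p"] == "none":
        return "monitoring" if "rua" in tags else "monitoring without reports"
    partial = int(tags.get("pct", "100")) < 100
    return f"{tags['p']} ({'partial' if partial else 'full'} enforcement)"

if __name__ == "__main__":
    print(lint_spf(["v=spf1 include:_spf.google.com include:sendgrid.net ~all"]))
    print(lint_spf(["v=spf1 include:_spf.google.com ~all", "v=spf1 include:sendgrid.net ~all"]))
    print(dmarc_stage("v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100"))
```

The second call shows the most common mistake: publishing one SPF record per sending tool instead of merging the includes into a single record.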
DKIM is disabled by default. You must enable it explicitly in the admin console. Most workspaces don't.
SPF is configured automatically but DKIM requires explicit enablement per domain.
Each requires its own DNS setup. Your SPF includes them; they each publish DKIM on your domain via CNAME or TXT records.
These tools usually connect to mailboxes you own (via Google Workspace or Outlook). The DKIM and SPF you set up for the mailbox provider are what matter. The cold email tool just sends through your existing mailbox.
BIMI (Brand Indicators for Message Identification) displays your logo next to emails in supporting clients. It requires DMARC at p=quarantine or stricter plus a verified mark certificate. Nice-to-have, not relevant for most cold email.
Before sending anything, send a test email from the domain to mail-tester.com. Score should be 9+/10. If under, your configuration has problems. Fix before sending to real prospects.
Also check Google Postmaster Tools (postmaster.google.com) after you've sent some volume. It provides spam rate, domain reputation, IP reputation, and authentication pass rates for Gmail specifically.