SPF, DKIM & DMARC: The Complete Email Authentication Setup Guide
The three records that decide whether your cold email lands in the inbox or the spam folder — explained without the jargon, with copy-paste setup steps.
- SPF, DKIM, and DMARC are the three DNS records that prove your email is really from you — without all three, Google and Microsoft route you to spam by default.
- As of 2024, Google and Yahoo *require* all three for anyone sending volume. This is no longer optional.
- DMARC should start at `p=none` (monitor), then move to `p=quarantine` and finally `p=reject` once your reports are clean.
- Authentication gets you *eligible* for the inbox. Reputation and warmup get you *into* it.
You wrote a great cold email. The targeting was tight, the offer was relevant, the subject line earned the open. And it still landed in spam — so it was never even seen. Nine times out of ten, the culprit isn't your copy. It's that your sending domain can't prove it's really you.
Email providers assume every message is guilty until authenticated. SPF, DKIM, and DMARC are the three records that establish your innocence. Get them right and you become *eligible* for the inbox. Skip them and Google, Microsoft, and Yahoo quietly route you to spam — or reject you outright. Since February 2024, Gmail and Yahoo require all three from bulk senders. This guide walks through each one in plain language, with the exact steps to set them up.
These records make you eligible for the inbox — they don't guarantee placement. A perfectly authenticated domain with a bad sending reputation still lands in spam. Think of authentication as the ID check at the door, not the VIP pass.
SPF: who is allowed to send for you
SPF (Sender Policy Framework) is a public list of the servers permitted to send email from your domain. When a receiving server gets your message, it checks the sending IP against this list. If the IP isn't authorized, that's a red flag.
SPF lives as a single TXT record on your domain. A typical record for a domain sending through Google Workspace plus a sending platform looks like this:
```
v=spf1 include:_spf.google.com include:sendgrid.net ~all
```
- `v=spf1` — declares this as an SPF record.
- `include:` — authorizes a third party (your email provider, your outbound tool) to send on your behalf.
- `~all` — soft-fail: anything not listed is suspicious but not rejected. Use `~all`, not `-all`, while you're still adding senders.
SPF allows a maximum of 10 DNS lookups. Each `include:` can trigger several. Stack too many tools and SPF silently breaks — and you won't get an error, you'll just start landing in spam. Audit your includes and remove tools you no longer send through.
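One way to audit the lookup count described above, as an added example that is not part of the original guide. The `.example` domains and their records are constructed stand-ins for live DNS, and the count is the worst case in which every term gets evaluated.

```python
import re

# Constructed TXT data standing in for live DNS so this runs offline.
# Every name and record below is an illustrative assumption, not a real one.
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:esp.example "
                   "include:crm.example include:helpdesk.example mx ~all",
    "_spf.mail.example": "v=spf1 include:_nb1.mail.example "
                         "include:_nb2.mail.example include:_nb3.mail.example ~all",
    "_nb1.mail.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_nb2.mail.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_nb3.mail.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "crm.example": "v=spf1 include:relay.crm.example a ~all",
    "relay.crm.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "helpdesk.example": "v=spf1 include:mail.helpdesk.example ~all",
    "mail.helpdesk.example": "v=spf1 ip4:203.0.113.64/26 ~all",
}
# Terms that cost a DNS query during evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10


def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms in domain's SPF evaluation."""
    record = zone.get(domain, "")
    if domain in path or not record.lower().startswith("v=spf1"):
        return 0  # include loop, or no SPF record at this name
    total = 0
    for term in record.lower().split()[1:]:
        # Optional qualifier, then "name", "name:arg", "name=arg" or "name/cidr".
        m = re.match(r"[+\-~?]?([a-z0-9]+)[:=/]?(.*)", term)
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and exp do not count against the limit
        total += 1
        if m.group(1) in ("include", "redirect"):
            total += count_lookups(m.group(2), zone, path + (domain,))
    return total


def audit(domain, zone):
    """Return (lookups, within_limit) for the SPF record published at domain."""
    n = count_lookups(domain, zone)
    return n, n <= LIMIT


if __name__ == "__main__":
    print(audit("example.com", ZONE))  # the five-term record costs 11 lookups
```

The top-level record shows only four includes and one `mx`, yet the nested includes push it over the limit; dropping the unused `helpdesk.example` include brings it back to 9.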
DKIM: proof the message wasn't tampered with
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. Your server signs with a private key; the receiving server verifies with a public key published in your DNS. If the signature checks out, the receiver knows the message genuinely came from your domain and wasn't altered in transit.
You don't generate DKIM keys by hand — your email provider does. The setup is always the same three steps:
- Enable DKIM in your email platform (Google Workspace, Microsoft 365, or your sending tool).
- Copy the TXT (or CNAME) record it generates — its name will look like `selector._domainkey.yourdomain.com`.
- Paste it into your DNS, wait for propagation, and click 'Authenticate' / 'Verify' back in the platform.
If you send through more than one service, each one gets its own DKIM record with its own selector. They don't conflict.
DMARC: what to do when a message fails
SPF and DKIM check identity. DMARC (Domain-based Message Authentication, Reporting & Conformance) is the policy that tells receivers what to do when those checks fail — and asks them to send you reports so you can see who's sending mail in your name.
A starter DMARC record looks like this:
```
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1
```
The `p=` value is the policy, and you should ratchet it up in three stages — never start at `reject`:
| Stage | Policy | What it does | When to use it |
|---|---|---|---|
| 1. Monitor | p=none | Takes no action; just sends you reports | Week 1–2, while you confirm all legitimate senders pass |
| 2. Quarantine | p=quarantine | Sends failing mail to spam | Once reports are clean for ~2 weeks |
| 3. Enforce | p=reject | Blocks failing mail entirely | When you're confident — this is the goal |
Jumping straight to p=reject before your reports are clean will block your own legitimate email — including, ironically, your cold outreach. The staged rollout is the difference between protecting your domain and accidentally silencing it.
Your setup checklist
- Publish an SPF record with every service you send through (mind the 10-lookup limit).
- Enable DKIM in each sending platform and publish the keys.
- Publish a DMARC record at p=none and point reports to an inbox you check.
- Read your DMARC reports for two weeks; fix any legitimate sender that's failing.
- Move to p=quarantine, then p=reject.
- Only now start sending real volume — and warm up first (see the warmup guide below).
Authentication is the foundation, not the finish line. Once these three records are clean, your domain is *allowed* into the inbox. Whether it actually lands there comes down to reputation, volume ramp, and content — which is exactly what the rest of this series covers.
Frequently asked questions
Do I need all three of SPF, DKIM, and DMARC?
Yes. Since February 2024, Google and Yahoo require all three from bulk senders, and most receiving servers treat a missing record as a strong spam signal. Setting up only one or two leaves obvious gaps.
How long do DNS changes take to work?
Most providers propagate within a few minutes to a few hours, though TTL settings can push it to 24–48 hours. Verify with a checker tool before assuming a record is live.
Will SPF, DKIM, and DMARC stop my emails going to spam?
They make you eligible for the inbox but don't guarantee placement. You also need a warmed-up domain, a healthy sending reputation, and content that doesn't trip spam filters.
Keep reading
Why Your Cold Emails Go to Spam (and How to Fix It)
Eight reasons good cold emails end up in spam — and the specific fix for each. Most have nothing to do with your copy.
How to Warm Up a New Email Domain for Cold Outreach
A new domain has zero reputation — and inbox providers treat zero as suspicious. Here's the week-by-week warmup schedule that builds trust without burning the domain.