
Email Domain Setup: SPF, DKIM, DMARC Explained Simply

You spent two hours writing the perfect cold email. The subject line hooks. The body is tight. The offer is clear. You hit send on 500 contacts and check back the next morning.

Twelve opens. Zero replies. And a bounce rate that would make your stomach drop.

Before you blame the copy, check the foundation. SPF, DKIM, and DMARC are three DNS records that determine whether your email even has a chance of landing in the inbox. Most outreach teams ignore them until their entire sending infrastructure is flagged. By then, it is too late.

This is the plain-English guide to setting them up correctly the first time.

Why This Matters More in 2026 Than It Did Two Years Ago

In February 2024, Google and Yahoo updated their bulk sender requirements. If you send more than 5,000 emails per day to Gmail addresses, SPF and DKIM are now mandatory. DMARC with at least a p=none policy is required. Miss any of these and your email does not land. It disappears.

Even if you are sending smaller volumes, inbox providers are scoring every domain they see. A domain without these records looks like a spammer. A domain with them properly configured looks like a legitimate business. The difference is not subtle. It shows up directly in your open rates.

The good news: all three records are free to set up and take less than an hour if you know what you are doing.

SPF: Telling the World Who Is Allowed to Send From Your Domain

SPF stands for Sender Policy Framework. It is a DNS record that lists every server authorized to send email on behalf of your domain. When a receiving server gets an email claiming to come from yourdomain.com, it checks your SPF record to see if the sending server is on the approved list.

If it is not on the list, the email fails SPF authentication. Depending on the receiving server’s settings, it may go to spam or get dropped entirely.

What an SPF record looks like:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Breaking this down:

  • v=spf1 declares this is an SPF record
  • include: entries authorize specific sending services (Google Workspace, SendGrid, Instantly, etc.)
  • ~all means “soft fail” anything not on the list (recommended for most teams starting out)
  • -all means “hard fail” anything not on the list (more strict, use once you are confident in your setup)

How to add it: Go to your domain registrar (GoDaddy, Namecheap, Cloudflare, etc.) and add a TXT record to the root of your domain (@). The value is the SPF string above, modified to include every service you use to send email.

One critical rule: You can only have one SPF record per domain. If you have multiple, combine them into a single record. A receiver that finds two SPF records returns a permanent error instead of evaluating either one, which breaks SPF authentication entirely.
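The SPF rules above as a check you can run over a domain's TXT values. This is an added example, not part of the original guide: the function names are hypothetical, sending services are identified by their include: domain, and the merged record always ends in the ~all this guide recommends for a first setup.

```python
def spf_records(txt_records):
    """Keep only the TXT values whose first term is v=spf1."""
    return [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]

def parse_spf(record):
    """Return the ordered terms before `all`, the include: targets, and the `all` qualifier."""
    terms, qualifier = [], None
    for term in record.lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"   # bare `all` means +all
        else:
            terms.append(term)
    includes = [t[len("include:"):] for t in terms if t.startswith("include:")]
    return {"terms": terms, "includes": includes, "all": qualifier}

def merge_spf(records, final="~all"):
    """Combine several SPF records into one, keeping term order and dropping duplicates."""
    merged = []
    for rec in records:
        for term in parse_spf(rec)["terms"]:
            if term not in merged:
                merged.append(term)
    return " ".join(["v=spf1", *merged, final])

def lint_spf(txt_records, sending_services):
    """Return a list of problems; an empty list means every check passed."""
    found = spf_records(txt_records)
    if not found:
        return ["no SPF record published"]
    issues = []
    if len(found) > 1:
        issues.append(f"{len(found)} SPF records found, publish one: {merge_spf(found)}")
    authorized = {inc for rec in found for inc in parse_spf(rec)["includes"]}
    issues += [f"missing include:{s}" for s in sending_services if s not in authorized]
    if any(parse_spf(rec)["all"] not in ("~", "-") for rec in found):
        issues.append("record does not end in ~all or -all")
    return issues

# Constructed TXT answers for yourdomain.com: two SPF records plus an unrelated TXT value.
SAMPLE_TXT = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:sendgrid.net ~all",
    "site-verification=constructed-value",
]

if __name__ == "__main__":
    for issue in lint_spf(SAMPLE_TXT, ["_spf.google.com", "sendgrid.net"]):
        print(issue)
```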

DKIM: A Digital Signature on Every Email You Send

DKIM stands for DomainKeys Identified Mail. Where SPF says “this server is allowed to send,” DKIM says “this specific email was sent by us and has not been altered in transit.”

Your sending service generates a pair of cryptographic keys. The private key stays on their server and signs every email you send. The public key lives in your DNS as a TXT record. When a receiving server gets your email, it looks up your public key and uses it to verify the signature. If it matches, the email is authenticated.

What a DKIM record looks like:

selector._domainkey.yourdomain.com
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...

The “selector” is a label your sending service provides. Google Workspace uses “google.” Instantly, Smartlead, and similar tools will each give you their own selector and key value when you set up DKIM in their dashboard.

How to add it: Every sending platform has a DKIM setup section in their settings. They will give you the exact record name and value to add to your DNS. Follow their specific instructions, because the selector name matters. If you are using multiple sending services, each one gets its own DKIM record with its own selector. They coexist without conflict.

In 2026, the standard is 2048-bit DKIM keys. If your sending platform is still offering 1024-bit, it meets the minimum but 2048-bit provides stronger authentication. Use it if available.

DMARC: The Policy That Ties Everything Together

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It does three things:

  1. Tells receiving servers what to do when SPF or DKIM fails
  2. Requires that the “From” address domain matches the authenticated domain (alignment)
  3. Sends you reports on what is being sent from your domain, including unauthorized senders

What a DMARC record looks like:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

The three policy options:

  • p=none — Monitor mode. Emails still deliver, but you get reports. Start here.
  • p=quarantine — Failed emails go to spam. Use this after you have confirmed your SPF and DKIM are working correctly.
  • p=reject — Failed emails are dropped entirely. The most strict setting. Use this once you are certain only your authorized services are sending from this domain.

How to add it: Add a TXT record at _dmarc.yourdomain.com with the value above. Replace the email address with a real inbox you check. DMARC reports are XML files that tell you exactly what is hitting your domain and whether it is passing authentication.

If you want something readable, tools like Postmark’s DMARC digests or dmarcian will parse those XML reports into plain language.
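If you would rather read the reports yourself, the fields that matter are few. The following is an added example, not part of the original guide and not how the tools named above work internally: it totals an aggregate report per source IP and lists the sources whose mail failed DMARC, which is also the check the monthly report review in the common-mistakes list calls for. The report is constructed and trimmed to the fields used, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report, trimmed to the fields used below; IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>480</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>20</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def summarize(xml_text):
    """Map each source IP to its message total and the number that failed DMARC."""
    # Reports arrive from third parties, so refuse DTDs and entity declarations outright.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration in report")
    totals = {}
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        entry = totals.setdefault(ip, {"total": 0, "failed": 0})
        entry["total"] += count
        if "pass" not in (dkim, spf):        # DMARC fails only when neither aligned check passes
            entry["failed"] += count
    return totals

def failing_sources(xml_text):
    """Sources with DMARC failures, highest volume first."""
    failed = [(ip, t["failed"]) for ip, t in summarize(xml_text).items() if t["failed"]]
    return sorted(failed, key=lambda item: -item[1])

if __name__ == "__main__":
    for ip, count in failing_sources(SAMPLE_REPORT):
        print(f"{ip}: {count} messages failed DMARC")
```

A source that appears here is either a service you forgot to authorize or someone else sending as your domain; compare it against the services in your SPF record before tightening the policy.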

Setting Up Sending Domains the Right Way

A mistake many outreach teams make: they send cold email from their primary company domain.

Do not do this.

Your primary domain has your company’s reputation attached to it. If you burn it with aggressive cold outreach, your transactional emails, your newsletters, your sales follow-ups all take the hit. It is not worth the risk.

The standard setup for serious outreach teams:

  1. Register 2-5 sending domains that are variations of your main brand (yourbrand-outreach.com, tryyourbrand.com, yourbrandteam.com)
  2. Set up SPF, DKIM, and DMARC on each one
  3. Warm each domain for 3-4 weeks before sending cold volume
  4. Rotate across domains to spread sending load and protect deliverability

This approach keeps your main domain clean and gives you recovery options if one sending domain takes a hit.

For a full breakdown of the tools and infrastructure stack that supports this approach, the eNZeTi team has documented how they set up outreach infrastructure for law firms specifically.

Verifying Your Setup

After adding your records, DNS propagation can take anywhere from a few minutes to 48 hours. Once propagated, test everything before sending a single cold email.

Free tools to verify your setup:

  • MXToolbox (mxtoolbox.com) — Check SPF, DKIM, and DMARC records instantly
  • Mail-Tester (mail-tester.com) — Send a test email and get a score with a breakdown of what is passing and what is failing
  • Google Postmaster Tools — Track your domain reputation with Gmail directly. Free to set up, worth monitoring weekly.
  • GlockApps — Paid but detailed inbox placement testing across major providers

A healthy setup looks like this on Mail-Tester: SPF pass, DKIM pass, DMARC pass, no blacklists, score of 9 or above. If you are scoring below 8, something is misconfigured or your IP is on a blacklist.

Common Mistakes That Kill Deliverability

Multiple SPF records. One per domain. If you have two, combine them into one.

Not including all sending services in SPF. If you use Instantly to send cold email AND Google Workspace to send one-off emails, both need to be in your SPF record. Every service you send from needs authorization.

Forgetting subdomain DMARC. By default, DMARC applies to your root domain. If you send from subdomains (mail.yourdomain.com), add sp=reject or set up separate DMARC records for each subdomain you use.

Never checking DMARC reports. The reports exist to tell you if someone is spoofing your domain. Check them at least monthly. Unauthorized senders using your domain can damage your reputation without you knowing it.

Skipping warm-up after setup. Proper DNS authentication is step one. Step two is building sender reputation. A freshly set up domain with perfect DKIM and SPF still needs to warm up before handling high volume. Inbox providers look at history, not just authentication.

The Full Setup Checklist

Use this before your first send from any new domain:

  • SPF record added at root domain, includes every sending service
  • DKIM configured in each sending platform, TXT records added to DNS
  • DMARC record at _dmarc.yourdomain.com, start with p=none
  • MXToolbox verification passing for all three
  • Mail-Tester score at 9+
  • Google Postmaster Tools set up and monitoring domain reputation
  • Domain warm-up started (minimum 3 weeks before full cold volume)
  • Primary company domain not in the sending rotation

This is not optional infrastructure. This is the foundation. Every tactical decision you make about copy, sequences, timing, and personalization sits on top of this. If the foundation is broken, none of the tactics matter.

The firms and outreach teams that figure this out early run sustainable campaigns for years. The ones that skip it spend those same years fighting blacklists, warming new domains, and wondering why their open rates keep dropping.

Set it up once. Set it up right. Then focus on the campaigns that actually move the needle. For teams running outreach into professional services, eNZeTi connects that outreach directly to a conversion infrastructure that closes what you send.
