SPF, DKIM, and DMARC for Cold Email: What Actually Matters in 2026
A practical walkthrough of SPF, DKIM, and DMARC setup for cold email. What providers check, what trips up new domains, and what to skip.
A new sending domain with no SPF record will land in spam from day one. Gmail flags it. Outlook quarantines it. The campaign you spent two weeks targeting gets read by nobody.
This is preventable. SPF, DKIM, and DMARC are three DNS records — together they take about 20 minutes to set up correctly and decide whether your cold email reaches the inbox or the junk folder. Here is what actually matters in 2026.
SPF: tell the world who can send for you
SPF (Sender Policy Framework) is a TXT record on your domain that lists which IP addresses or services are authorized to send email as you. When Gmail receives mail claiming to be from your domain, it checks SPF. If the sending IP isn’t in your record, the message is flagged.
A working SPF for a typical cold email setup looks like:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:89.167.64.66 ~all
Three things to get right:
- Use ~all (soft fail), not -all (hard fail) at first. Hard fail is technically stronger, but if you forget one sending service, every message gets rejected. Move to -all after a month of clean sending.
- Watch the 10 DNS lookup limit. Every include: is one lookup. Stack too many and your SPF breaks silently. Tools like mxtoolbox.com will count them.
- One SPF record per domain. Multiple v=spf1 records on the same domain invalidate authentication. Merge them.
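The three checks above can be run offline before a record is published. The following is an added example, not code from the original article: the ZONE table is constructed sample data standing in for DNS, and every domain in it is a placeholder. It goes slightly beyond the text by counting lookups inside nested includes and for a, mx, ptr, exists and redirect, all of which RFC 7208 counts toward the limit of 10.

```python
# Added example: offline SPF lint. ZONE is constructed sample data standing in for DNS.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one DNS lookup

ZONE = {
    "outreach.example": ["v=spf1 include:_spf.mailer.example include:relay.example ip4:192.0.2.10 ~all"],
    "_spf.mailer.example": ["v=spf1 include:_a.mailer.example include:_b.mailer.example ~all"],
    "_a.mailer.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mailer.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "relay.example": ["v=spf1 a mx ~all"],
    "dup.example": ["v=spf1 include:relay.example ~all", "v=spf1 ip4:192.0.2.1 -all"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " ~all"],
}

def spf_records(domain, zone):
    """TXT strings published at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms, following include:/redirect= into nested records."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:
        return 0  # include loop, or nothing usable to follow
    total = 0
    for term in records[0].split()[1:]:
        name, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, path + (domain,))
    return total

def lint_spf(domain, zone=ZONE):
    """Report record count, total lookups, the all qualifier, and any issues found."""
    records = spf_records(domain, zone)
    report = {"records": len(records), "lookups": 0, "all": None, "issues": []}
    if len(records) != 1:
        report["issues"].append("no SPF record" if not records else "multiple v=spf1 records: merge them")
        return report
    report["lookups"] = count_lookups(domain, zone)
    if report["lookups"] > 10:
        report["issues"].append(f"{report['lookups']} DNS lookups, limit is 10")
    alls = [t for t in records[0].split() if t.lstrip("+-~?").lower() == "all"]
    report["all"] = alls[-1] if alls else None
    if not alls:
        report["issues"].append("no all mechanism")
    return report

if __name__ == "__main__":
    for d in ("outreach.example", "dup.example", "heavy.example"):
        print(d, lint_spf(d))
```

The outreach.example record shows only two include: terms, but the records they pull in bring the total to six lookups.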
DKIM: sign every message you send
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each outbound message. The recipient’s server fetches your public key from DNS, verifies the signature, and confirms the message wasn’t altered in transit.
The setup depends on your sending service. For self-hosted Postfix with OpenDKIM, you generate a 2048-bit key and publish the public part as a TXT record at selector._domainkey.yourdomain.com. For Google Workspace, you enable DKIM in admin settings and paste their TXT record.
What people get wrong: using the same DKIM key across all sending streams. If you send transactional from one service and cold outreach from another, give each its own selector. When one stream gets a deliverability hit, the other stays clean.
DMARC: tell receivers what to do when SPF or DKIM fails
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM. It tells receiving servers what to do with messages that fail authentication, and it sends you reports.
A reasonable starting record:
v=DMARC1; p=quarantine; rua=mailto:postmaster@yourdomain.com; aspf=r; adkim=r
Three decisions to make:
- Policy (p=): start at none to monitor, move to quarantine after two weeks of clean reports, escalate to reject only when you’re certain every legitimate sender is authenticated. Jumping straight to reject will block your own internal emails until you find every blind spot.
- Reports (rua=): point at a mailbox you actually check. Aggregate reports arrive as XML — ugly to read raw, but services like Postmark DMARC or dmarcian make it digestible.
- Alignment (aspf= and adkim=): r (relaxed) is fine. Strict alignment causes failures when you send through subdomains or third-party services with their own envelope sender.
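To show what the aggregate XML contains and how to read it before raising the policy, here is an added example that is not part of the original article. The report is a constructed sample in the RFC 7489 aggregate layout, trimmed to the fields the code reads and assumed to carry no XML namespace; the IPs and the known_senders set are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample following the RFC 7489 aggregate layout, trimmed to the fields read below.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>outreach.example</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>14</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.55</source_ip><count>9</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.55</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Per source IP: message count and how many failed DKIM, SPF, and DMARC overall."""
    # Reports come from third parties: cap the size and use a hardened parser on real ones.
    root = ET.fromstring(xml_text)
    sources = defaultdict(lambda: {"messages": 0, "dkim_fail": 0, "spf_fail": 0, "dmarc_fail": 0})
    for rec in root.iter("record"):
        n = int(rec.findtext("row/count", "0"))
        dkim_ok = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_ok = rec.findtext("row/policy_evaluated/spf") == "pass"
        s = sources[rec.findtext("row/source_ip")]
        s["messages"] += n
        s["dkim_fail"] += 0 if dkim_ok else n
        s["spf_fail"] += 0 if spf_ok else n
        s["dmarc_fail"] += 0 if (dkim_ok or spf_ok) else n  # DMARC needs one aligned pass
    return {"policy": root.findtext("policy_published/p"), "sources": dict(sources)}

def triage(xml_text, known_senders):
    """Sort source IPs into the three groups worth looking at before changing p=."""
    sources = summarize(xml_text)["sources"]
    return {
        # your own service failing both checks: fix before moving to p=quarantine
        "fix_first": sorted(ip for ip, s in sources.items() if s["dmarc_fail"] and ip in known_senders),
        # unknown IPs failing both checks: the mail quarantine is meant to catch
        "unknown_failing": sorted(ip for ip, s in sources.items() if s["dmarc_fail"] and ip not in known_senders),
        # passing DMARC on one mechanism only: one misconfiguration away from failing
        "one_mechanism_only": sorted(ip for ip, s in sources.items()
                                     if not s["dmarc_fail"] and (s["dkim_fail"] or s["spf_fail"])),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, known_senders={"192.0.2.10", "198.51.100.7"}))
```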
What trips up cold email setups specifically
The technical setup is the same as for any business email. What’s different is volume and pattern. Three things to watch:
- Don’t send from your main brand domain. Use a dedicated outreach domain (e.g., yourbrand-mail.com), warm it up for 4-6 weeks, and protect your main domain’s reputation.
- Match the From header to the authenticated domain. From: Mark <mark@outreach.afflab.lv> aligned with SPF/DKIM passes DMARC. From: Mark <mark@gmail.com> sent via your own SMTP doesn’t.
- Reverse DNS matters. Your sending IP should have a PTR record matching the hostname in the EHLO greeting. Without this, Gmail downgrades you regardless of SPF/DKIM.
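The From-header rule above, and the relaxed versus strict choice for aspf= and adkim=, come down to a domain comparison. The sketch below is an added example, not from the original article: PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List that real receivers use, and the bounce subdomain and DKIM d= values in the usage lines are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; a real check needs the full list.
PUBLIC_SUFFIXES = {"com", "lv", "example", "co.uk"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is unknown

def aligned(from_domain, auth_domain, mode="r"):
    """Strict (s) needs an exact match; relaxed (r) needs the same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(from_header, spf_domain, spf_pass, dkim_domain, dkim_pass, aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM both passes and aligns with the From domain."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    spf_ok = spf_pass and aligned(from_domain, spf_domain, aspf)      # envelope sender domain
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, adkim)  # d= in DKIM-Signature
    return {"from": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

if __name__ == "__main__":
    own = "Mark <mark@outreach.afflab.lv>"
    # Envelope sender on a bounce subdomain, DKIM signed by the parent domain (constructed values).
    print(dmarc_result(own, "bounce.outreach.afflab.lv", True, "afflab.lv", True))
    print(dmarc_result(own, "bounce.outreach.afflab.lv", True, "afflab.lv", True, aspf="s", adkim="s"))
    # Third-party From address sent through your own authenticated SMTP.
    print(dmarc_result("Mark <mark@gmail.com>", "outreach.afflab.lv", True, "outreach.afflab.lv", True))
```

The second call fails only because alignment is strict, and the third fails even though SPF and DKIM both pass, because neither authenticated domain matches the From domain.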
What to skip
You don’t need BIMI yet. You don’t need MTA-STS for cold outreach (it’s defensive, not offensive). And you don’t need to obsess about a perfect 10/10 mail-tester.com score — anything above 8 is fine in practice. The points lost are usually for things like “.vip” TLD penalties or missing PTR records on shared IPs that you can’t fix anyway.
A 20-minute checklist
- Publish SPF with ~all, include only services you actually use.
- Generate and publish DKIM with a unique selector for cold outreach.
- Publish DMARC at p=none with a working rua= mailbox.
- Verify with mxtoolbox.com or mail-tester.com.
- Wait 48 hours, check DMARC reports for unexpected failures.
- Move DMARC to p=quarantine.
That’s the whole thing. Most “deliverability problems” are unauthenticated mail, not algorithmic punishment. Fix the authentication first; everything else is downstream.