SPF, DKIM & DMARC Setup Guide for Cold Email (2026)

By Joey T · April 10, 2026 · 11 min read

You built a beautiful email sequence. You loaded 500 leads. You hit send. And... crickets. 15% open rate. Your emails are going straight to spam.

The problem isn't your copy. It's your DNS. If SPF, DKIM, and DMARC aren't configured correctly, email providers flag you before your prospect even sees your subject line.

Here's how to fix it — permanently.

What Are SPF, DKIM, and DMARC?

Think of them as three layers of email ID verification:

| Protocol | What It Does | Analogy |
| --- | --- | --- |
| SPF | Lists which servers can send email from your domain | A guest list at the door |
| DKIM | Adds a digital signature to prove the email wasn't tampered with | A wax seal on a letter |
| DMARC | Tells receiving servers what to do when SPF/DKIM fail | The bouncer's instructions |

All three work together. Missing one is like locking two doors but leaving the third wide open.

Step 1: Set Up SPF

SPF (Sender Policy Framework) tells the world which mail servers are authorized to send email on behalf of your domain.

How to Add an SPF Record

  1. Go to your DNS provider (Cloudflare, Namecheap, GoDaddy, etc.)
  2. Add a TXT record for your root domain
  3. The value depends on your email provider

Common SPF Records

Google Workspace:

v=spf1 include:_spf.google.com ~all

Google Workspace + Saleshandy:

v=spf1 include:_spf.google.com include:_spf.saleshandy.com ~all

Microsoft 365:

v=spf1 include:spf.protection.outlook.com ~all

⚠️ Common mistake: You can only have ONE SPF record per domain. If you need multiple providers, combine them into a single record with multiple include: statements. Two separate SPF TXT records = both get ignored (receivers treat the duplicate as a permanent error, permerror).

SPF Lookup Limit

SPF allows a maximum of 10 DNS lookups. Each include: counts as one (plus any nested lookups inside it). Google's include alone uses 4-5 lookups. If you exceed 10, your SPF silently fails: receivers return a permanent error (permerror) instead of a pass.

Check your count: Use MXToolbox SPF Checker to verify.
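
An added example (not from the original guide) that checks both SPF rules above offline: it rejects a domain that publishes two SPF records and counts lookups across nested include: terms. The ZONE data, the .test domain names and the function names are constructed for illustration.

```python
# Added example. ZONE is constructed sample data standing in for live DNS.
SPF_LOOKUP_LIMIT = 10
ZONE = {
    "example.test": ["v=spf1 include:_spf.mail.test include:_spf.tool.test mx ~all",
                     "site-verification=constructed"],
    "_spf.mail.test": ["v=spf1 include:_nb1.mail.test include:_nb2.mail.test ~all"],
    "_nb1.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.mail.test": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_spf.tool.test": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "dup.test": ["v=spf1 include:_spf.mail.test ~all",
                 "v=spf1 include:_spf.tool.test ~all"],
}

class SPFPermError(Exception):
    """Raised for conditions a receiver treats as a permanent SPF error."""

def spf_record(domain, zone):
    """Return the single SPF record for domain, or None if it has none."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) > 1:
        raise SPFPermError(f"{domain}: {len(found)} SPF records published")
    return found[0] if found else None

def count_lookups(domain, zone, chain=()):
    """Count the terms that trigger a DNS query, following include/redirect."""
    if domain in chain:
        raise SPFPermError(f"include loop at {domain}")
    total = 0
    for term in (spf_record(domain, zone) or "").split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, chain + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0]          # "a/24" and "mx/24" carry a CIDR suffix
        if name == "include":
            total += 1 + count_lookups(target, zone, chain + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1                     # ip4/ip6/all need no DNS query
    return total

def audit(domain, zone=ZONE):
    """Report the two failure modes: duplicate records and more than 10 lookups."""
    try:
        n = count_lookups(domain, zone)
    except SPFPermError as exc:
        return f"permerror: {exc}"
    return f"permerror: {n} lookups" if n > SPF_LOOKUP_LIMIT else f"ok: {n} lookups"

if __name__ == "__main__":
    for d in ("example.test", "dup.test"):
        print(d, "->", audit(d))
```

To audit a real domain, fill the dictionary with the TXT answers from the dig commands in the verification section.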

Step 2: Set Up DKIM

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The receiving server checks this signature against a public key in your DNS.

For Google Workspace

  1. Go to Google Admin Console → Apps → Google Workspace → Gmail → Authenticate Email
  2. Click Generate New Record
  3. Select your domain, keep the prefix as google
  4. Copy the DKIM value (a long string starting with v=DKIM1;)
  5. Add a TXT record in your DNS:
    • Name: google._domainkey
    • Value: the string Google gave you
  6. Wait 24-48 hours for DNS propagation
  7. Go back to Google Admin and click Start Authentication

For Saleshandy (or similar sending tools)

Most cold email tools provide their own DKIM records. Check your tool's documentation — they'll give you a CNAME or TXT record to add. For Saleshandy specifically:

  1. Go to Settings → Email Accounts → Select account → Authentication
  2. Copy the DKIM CNAME record
  3. Add it to your DNS

✅ Pro tip: Always set up DKIM for BOTH your email provider (Google/Microsoft) AND your sending tool (Saleshandy/Instantly/Lemlist). They use separate keys and both need to pass.

Step 3: Set Up DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together and tells receiving servers what to do when checks fail.

The DMARC Record

Add a TXT record named _dmarc in your DNS. The value depends on the rollout stage:

Start with Monitoring Mode

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100

This tells servers: "Don't reject anything yet, but send me reports about failures." Run this for 2-4 weeks to identify legitimate senders you might have missed in SPF.
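
What reading those reports looks like in practice, as an added example that is not part of the original guide: it totals the sources that failed both SPF and DKIM in an aggregate (rua) report and separates senders you recognise from unknown ones. The report XML, the IP addresses and the known_senders set are constructed assumptions, and the report is assumed to carry no XML namespace.

```python
# Added example. REPORT is a constructed DMARC aggregate (rua) report.
import xml.etree.ElementTree as ET
from collections import Counter

def _record(ip, count, dkim, spf):
    """Build one constructed <record> with the evaluated DKIM/SPF results."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>yourdomain.com</header_from>"
            f"</identifiers></record>")

REPORT = (
    "<feedback><policy_published><domain>yourdomain.com</domain>"
    "<p>none</p><pct>100</pct></policy_published>"
    + _record("192.0.2.10", 120, "pass", "pass")    # mailbox provider, all good
    + _record("192.0.2.11", 10, "fail", "pass")     # SPF alone satisfies DMARC
    + _record("203.0.113.25", 40, "fail", "fail")   # sending tool missing from DNS
    + _record("203.0.113.25", 5, "fail", "fail")    # same source, second row
    + _record("198.51.100.7", 3, "fail", "fail")    # not one of our senders
    + "</feedback>"
)

def failing_sources(xml_text):
    """Map source IP -> message count for rows where DMARC failed,
    meaning neither the DKIM nor the SPF result in policy_evaluated passed."""
    failures = Counter()
    for row in ET.fromstring(xml_text).iter("row"):
        evaluated = row.find("policy_evaluated")
        if evaluated is None:
            continue  # malformed row: nothing to judge
        results = {evaluated.findtext(k, "").strip().lower() for k in ("dkim", "spf")}
        if "pass" not in results:
            ip = row.findtext("source_ip", "").strip()
            failures[ip] += int(row.findtext("count", "0"))
    return dict(failures)

def triage(xml_text, known_senders):
    """Split failures into (your senders to fix, unknown sources)."""
    failures = failing_sources(xml_text)
    fix = {ip: n for ip, n in failures.items() if ip in known_senders}
    unknown = {ip: n for ip, n in failures.items() if ip not in known_senders}
    return fix, unknown

if __name__ == "__main__":
    fix, unknown = triage(REPORT, known_senders={"192.0.2.10", "203.0.113.25"})
    print("fix before p=quarantine:", fix)
    print("unknown sources:", unknown)
```

Aggregate reports arrive from third parties, so outside of a test like this parse them with a hardened XML parser such as defusedxml.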

Then Tighten to Quarantine

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

After confirming all legitimate email passes SPF/DKIM, switch to quarantine. Failed emails go to spam instead of inbox.

Finally: Reject

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100

The nuclear option. Failed emails get bounced entirely. Only do this once you're 100% confident your DNS is correct.

⚠️ For cold email domains: Start with p=none and stay there for at least 2 weeks. Going straight to p=reject on a new domain can cause deliverability issues while your warmup is still running.

The Complete DNS Checklist

| Record Type | Name | Value | TTL |
| --- | --- | --- | --- |
| TXT | @ | v=spf1 include:_spf.google.com include:_spf.saleshandy.com ~all | 3600 |
| TXT | google._domainkey | [Google DKIM value] | 3600 |
| CNAME | sh._domainkey | [Saleshandy DKIM value] | 3600 |
| TXT | _dmarc | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100 | 3600 |
| MX | @ | Google/Microsoft MX records | 3600 |

How to Verify Everything Works

Quick Test: Send to mail-tester.com

  1. Go to mail-tester.com
  2. Copy the test email address
  3. Send an email from your cold email account
  4. Check your score — aim for 9/10 or higher

DNS Verification Tools

Command-Line Verification

# Check SPF
dig TXT yourdomain.com | grep spf

# Check DKIM
dig TXT google._domainkey.yourdomain.com

# Check DMARC
dig TXT _dmarc.yourdomain.com

# Check MX
dig MX yourdomain.com

Common Mistakes That Kill Deliverability

  1. Multiple SPF records — Only one TXT record starting with v=spf1 per domain. Combine providers into one record.
  2. Forgetting the sending tool's SPF include — Google's SPF only covers Gmail. Your cold email tool sends from different servers.
  3. Not waiting for DKIM propagation — DKIM records can take up to 48 hours. Don't start sending before they're live.
  4. DMARC set to reject on Day 1 — Start with p=none, graduate to p=quarantine, then p=reject.
  5. Using your main domain for cold email — Always use a separate sending domain. If it gets burned, your main domain stays clean.
  6. Skipping custom tracking domain — Default tracking domains are shared and often blacklisted. Use a custom subdomain.

Sending Domain Strategy for Cold Email

Never send cold email from your primary business domain. Here's the right setup:

Cost: ~$12/year per domain. Cheap insurance against reputation damage.

Key Takeaways

Set this up once, correctly, and you'll never wonder why your emails are going to spam again.