Cold Email Deliverability 2026: The Complete SPF, DKIM & DMARC Guide
If your SPF, DKIM, and DMARC are misconfigured, it does not matter how good your copy is. Gmail, Outlook, and Yahoo will route you straight to spam — or block you at the edge.
Since Google and Yahoo's February 2024 bulk-sender rules, email authentication is no longer optional. It is the price of entry. This guide walks you through the three records that separate inbox placement from the spam folder.
Key Takeaways
- SPF lists which servers can send on your behalf. Use -all, not ~all.
- DKIM cryptographically signs every email. Use 2048-bit keys, never 1024-bit.
- DMARC tells receivers what to do when SPF or DKIM fail. Start at p=none, move to p=quarantine then p=reject.
- Since February 2024, Gmail and Yahoo require DMARC on any sender doing 5,000+ messages/day — cold email operators almost always cross this threshold.
The 30-Second Explanation
Think of email authentication like airport security. The mailbox provider (Gmail, Outlook) is the TSA agent. Your email is the passenger. SPF, DKIM, and DMARC are three ID checks that together prove you are who you say you are.
- SPF (Sender Policy Framework) — Proves the server sending your email is allowed to send on behalf of your domain.
- DKIM (DomainKeys Identified Mail) — Cryptographically signs every email so the receiver can verify it wasn't tampered with.
- DMARC (Domain-based Message Authentication) — Tells the receiver what to do if SPF or DKIM fail (reject, quarantine, or ignore).
Miss any one of these and modern filters will either block the message or drop it in spam. Set all three correctly and you are competing on content, not plumbing.
SPF: The "Authorized Senders" List
SPF is a single TXT record at the root of your domain. It lists the IP addresses and services that are allowed to send email using your domain name.
A typical cold email SPF record looks like this:
v=spf1 include:_spf.google.com include:sendgrid.net -all
The -all at the end is a "hard fail" — any server not in this list is explicitly unauthorized. For cold email, always use -all, never ~all (soft fail). Soft fail signals weakness to mailbox providers.
Common SPF Mistakes That Kill Deliverability
- Too many DNS lookups. SPF has a hard limit of 10 DNS lookups per check, and lookups inside nested includes count toward it. Exceed it and the record silently breaks. Use an SPF flattener if you are chaining providers.
- Multiple SPF records. Only one SPF TXT record is allowed per domain. Two records = automatic fail.
- Missing the sending provider. Every tool that sends on your behalf (Instantly, Smartlead, SendGrid, Google Workspace) needs its include.
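The three mistakes above, plus the -all rule, can be checked mechanically. The lint below is an added example, not code from this guide or from any provider; the example.test records and the `required` list are constructed, and includes that are absent from the sample data are counted as one lookup without being resolved.

```python
import re

# Terms that cost one DNS query each during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data (name -> TXT strings); nothing here is fetched from DNS.
SAMPLE_TXT = {
    "good.example.test": ["v=spf1 include:_spf.google.com include:sendgrid.net -all"],
    "dup.example.test": ["v=spf1 include:_spf.google.com -all",
                         "v=spf1 include:sendgrid.net -all"],
    "deep.example.test": ["v=spf1 include:esp1.example.test include:esp2.example.test "
                          "include:esp3.example.test mx ~all"],
}
for i in (1, 2, 3):  # each constructed provider record chains three more includes
    SAMPLE_TXT[f"esp{i}.example.test"] = [
        "v=spf1 " + " ".join(f"include:n{j}.esp{i}.example.test" for j in range(3)) + " -all"]

def spf_records(domain, txt):
    return [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]

def parse_terms(record):
    """Yield (name, target) per term, e.g. ('include', 'sendgrid.net') or ('all', None)."""
    for term in record.lower().split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=](\S+))?", term)
        if m:
            yield m.group(1), m.group(2)

def count_lookups(domain, txt, seen=None):
    """Count DNS-querying terms, following include/redirect into known records."""
    seen = set() if seen is None else seen
    recs = spf_records(domain, txt)
    if domain in seen or len(recs) != 1:  # 'seen' guards against include loops
        return 0
    seen.add(domain)
    total = 0
    for name, target in parse_terms(recs[0]):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and target:
                total += count_lookups(target, txt, seen)
    return total

def lint_spf(domain, txt, required=()):
    recs = spf_records(domain, txt)
    if len(recs) != 1:
        return [f"expected exactly one SPF record, found {len(recs)}"]
    findings, terms = [], recs[0].lower().split()
    if terms[-1] != "-all":
        findings.append(f"record ends with {terms[-1]!r}, not '-all'")
    if (n := count_lookups(domain, txt)) > 10:
        findings.append(f"{n} DNS lookups exceeds the limit of 10")
    included = {t for name, t in parse_terms(recs[0]) if name == "include"}
    return findings + [f"missing include:{r}" for r in required if r not in included]
```

To run it against a live domain, replace `SAMPLE_TXT` with the TXT answers returned by your resolver for the domain and each include target.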
DKIM: The Tamper-Proof Seal
DKIM adds a cryptographic signature to every outgoing email. The receiver fetches your public key from DNS and verifies the signature matches. If anything in the email was altered in transit, the signature breaks.
For Google Workspace, you generate a 2048-bit DKIM key in the admin console, then publish it as a TXT record at google._domainkey.yourdomain.com. For Microsoft 365, you enable DKIM in Defender and publish two CNAME records.
Use 2048-bit keys, never 1024-bit. Google's 2023 guidance explicitly called out 1024-bit DKIM as inadequate. Some legacy setups still default to 1024 — upgrade immediately.
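To confirm that a published key actually meets the 2048-bit rule, decode the p= tag of the DKIM TXT record and measure the RSA modulus. This is an added example, not Google's or Microsoft's tooling; the records it is exercised on come from the hypothetical helper `constructed_record`, which wraps a placeholder modulus in valid DER and does not produce a usable key.

```python
import base64

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length

def dkim_rsa_bits(txt_record):
    """Return the RSA modulus size in bits for a DKIM key record, or None if not RSA."""
    pairs = (part.split("=", 1) for part in txt_record.split(";") if "=" in part)
    tags = {k.strip(): v.strip() for k, v in pairs}
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        return None                       # revoked key (empty p=) or another key type
    der = base64.b64decode("".join(tags["p"].split()))
    _, spki, _ = read_tlv(der, 0)         # outer SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = read_tlv(der, spki)   # AlgorithmIdentifier, skipped
    _, bits, _ = read_tlv(der, alg_end)   # BIT STRING wrapping RSAPublicKey
    _, key, _ = read_tlv(der, bits + 1)   # +1 skips the unused-bits byte
    _, start, end = read_tlv(der, key)    # first INTEGER is the modulus
    return int.from_bytes(der[start:end], "big").bit_length()

def key_is_adequate(txt_record, minimum=2048):
    size = dkim_rsa_bits(txt_record)
    return size is not None and size >= minimum

def tlv(tag, body):
    """DER-encode one element (used only to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        head = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_record(bits):
    """Constructed sample: valid structure, placeholder modulus, not a real key."""
    modulus = (1 << (bits - 1)) | 1
    ints = tlv(0x02, b"\x00" + modulus.to_bytes(bits // 8, "big")) + tlv(0x02, b"\x01\x00\x01")
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + tlv(0x30, ints)))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```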
DMARC: The Policy That Ties It All Together
DMARC is the instruction manual. It tells the receiving server: "If SPF and DKIM fail for my domain, here is what you should do." It also sends you reports on who is sending email claiming to be you.
A starter DMARC record looks like this:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100
The three policy levels:
| Policy | What Happens | When to Use |
|---|---|---|
| p=none | Monitor only. Reports are sent but nothing is blocked. | Weeks 1–2 of a new domain. Gather data. |
| p=quarantine | Suspicious mail goes to spam. | Once SPF + DKIM are passing 99%+ of the time. |
| p=reject | Failing mail is bounced before delivery. | Mature, monitored domains only. |
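The reports sent to the rua address are XML, and the pass rates in them are what justify each step up the table. The following is an added example, not part of the original guide: the report is constructed in the RFC 7489 aggregate layout, and reading "passing 99%+" as both the SPF and the DKIM rate clearing the threshold is an assumption.

```python
import xml.etree.ElementTree as ET

def record_xml(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row></record>")

# Constructed report, trimmed to the fields used below.
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.test</domain><p>none</p></policy_published>"
    + record_xml("192.0.2.10", 980, "pass", "pass")   # main sending platform
    + record_xml("192.0.2.11", 15, "pass", "fail")    # tool missing from the SPF record
    + record_xml("203.0.113.5", 5, "fail", "fail")    # unknown sender using the domain
    + "</feedback>")

LADDER = ["none", "quarantine", "reject"]

def summarize(report_xml):
    """Return (pass rates for spf/dkim/dmarc, {source_ip: messages failing DMARC})."""
    # Reports arrive from third parties: cap their size and use a hardened XML
    # parser in production before reaching this step.
    root = ET.fromstring(report_xml)
    total, passed, failing = 0, {"spf": 0, "dkim": 0, "dmarc": 0}, {}
    for row in root.iter("row"):
        count = int(row.findtext("count", "0"))
        spf = row.findtext("policy_evaluated/spf") == "pass"
        dkim = row.findtext("policy_evaluated/dkim") == "pass"
        total += count
        passed["spf"] += count if spf else 0
        passed["dkim"] += count if dkim else 0
        if spf or dkim:                    # DMARC passes when either aligned check passes
            passed["dmarc"] += count
        else:
            ip = row.findtext("source_ip")
            failing[ip] = failing.get(ip, 0) + count
    rates = {k: (v / total if total else 0.0) for k, v in passed.items()}
    return rates, failing

def recommend_policy(report_xml, threshold=0.99):
    """Advance one step on the ladder only if SPF and DKIM both clear the threshold."""
    rates, _ = summarize(report_xml)
    current = ET.fromstring(report_xml).findtext("policy_published/p", "none")
    step = LADDER.index(current) if current in LADDER else 0
    if min(rates["spf"], rates["dkim"]) >= threshold:
        step = min(step + 1, len(LADDER) - 1)
    return LADDER[step]
```

On the sample, SPF passes for 98% of messages, so the recommendation stays at p=none until the source at 192.0.2.11 is added to the SPF record.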
The 2024 Bulk Sender Requirement
As of February 2024, Gmail and Yahoo require any sender who pushes more than 5,000 messages per day to a single provider to publish a DMARC policy (minimum p=none). Cold email operators routinely cross this threshold across combined mailboxes — so treat DMARC as mandatory, not optional.
How to Verify Your Setup in 5 Minutes
- Send a test email to check-auth@verifier.port25.com and read the auto-reply.
- Use MXToolbox Deliverability to scan your domain.
- For ongoing monitoring, route DMARC reports to a parser like Postmark's free DMARC monitoring.
- Run our free DNS Health Checker to validate all three records in one pass.
Why This Is Hard to Get Right at Scale
Setting up SPF, DKIM, and DMARC on one domain is an afternoon's work. Setting it up correctly on 7–30 secondary domains, each with its own Google Workspace tenant, each with its own DKIM key, each with harmonized DMARC policy — that is a different problem. One typo in one record breaks that domain's deliverability for weeks.
This is the plumbing we build for you. Every TenX client receives all three records, pre-verified on every domain, with alignment audited before the first send. If you are tired of fighting DNS, we can hand you a bulletproof setup in 14 days.
Once authentication is clean, the next question is what "good" looks like. See the 2026 cold email benchmarks for realistic open/reply/meeting rates by industry.