
SPF, DKIM, and DMARC Setup for Cold Email: Step-by-Step Guide

If your SPF, DKIM, and DMARC records are not configured correctly, your cold emails will land in spam. It is that simple.

Since February 2024, Gmail and Yahoo have enforced strict email authentication requirements for bulk senders. Microsoft followed with similar enforcement for Outlook in May 2025. The result: emails without proper SPF, DKIM, and DMARC authentication get rejected outright — they do not even make it to the spam folder.

At imisofts, DNS authentication is the first technical step in every infrastructure build. We configure these records for every domain, every time, with zero exceptions. This guide walks through exactly how we do it.

Why email authentication matters for cold email

Email authentication serves two purposes. First, it tells receiving mail servers that your emails are legitimate — that they actually come from your domain and have not been spoofed or tampered with. Second, it protects your sender reputation by preventing others from sending emails pretending to be you.

For cold email specifically, authentication is the price of admission. Without it, your emails are treated as suspicious by default. With it, you clear the first and most important hurdle to inbox placement.

The authentication stack has three core protocols: SPF, DKIM, and DMARC. Each serves a different function, and all three need to work together.

SPF: Sender Policy Framework

SPF tells receiving mail servers which IP addresses and servers are authorized to send email on behalf of your domain.

To set up SPF, you add a TXT record to your domain's DNS settings. The record specifies your sending server IPs and any third-party services authorized to send email for you.

A typical SPF record for cold email looks like this:

v=spf1 ip4:YOUR.SERVER.IP.ADDRESS include:_spf.google.com ~all

The components break down as follows. "v=spf1" declares this is an SPF record. "ip4:YOUR.SERVER.IP.ADDRESS" authorizes your private server's IP to send email for this domain. "include:_spf.google.com" authorizes Google's servers if you also use Google services. "~all" soft-fails any server not listed, meaning unauthenticated emails get flagged but not rejected outright.

Pro tip from our operations: Use "~all" (soft fail) during initial setup and warmup. Once everything is verified and running smoothly, switch to "-all" (hard fail) to strictly reject unauthorized senders. This gives you a safety margin during the configuration phase.

The host name for the SPF TXT record should be @ (or your bare domain, depending on your DNS provider).

DKIM: DomainKeys Identified Mail

DKIM adds a cryptographic signature to every email sent from your domain. The receiving server checks this signature against a public key stored in your DNS to verify the email has not been altered in transit.

DKIM setup involves two steps. First, generate a DKIM key pair in your email platform or server. This creates a private key (used to sign outgoing emails) and a public key (published in your DNS for verification). Second, add the public key as a TXT record in your DNS.

The DKIM DNS record goes to a specific hostname format: selector._domainkey.yourdomain.com. The "selector" is a name you choose or that your email platform assigns — it identifies which key to use for verification.

The record value looks like this:

v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_STRING_HERE

The public key is a long string of characters generated during key pair creation. Your email platform or server will provide this value — you copy it directly into the DNS record.

After adding the DKIM record, enable DKIM signing on your email server so every outgoing email gets signed automatically.

DMARC: Domain-based Message Authentication, Reporting, and Conformance

DMARC ties SPF and DKIM together. It tells receiving servers what to do with emails that fail authentication, meaning neither SPF nor DKIM passes for a domain aligned with the visible From address, and provides a reporting mechanism so you can monitor authentication results.

Add a DMARC TXT record with the hostname _dmarc.yourdomain.com.

We recommend starting with a monitoring policy:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100

This tells receiving servers to send authentication reports to your specified email address without taking any action on failing emails. The "p=none" policy lets you monitor before enforcing.

After 2 to 4 weeks of monitoring, once you confirm that SPF and DKIM are passing consistently, tighten the policy:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100

This moves failing emails to the spam folder. Eventually, you can move to the strictest policy:

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100

This tells receiving servers to completely reject emails that fail authentication. This is the gold standard and sends the strongest trust signal to email providers.

What we have seen: Many cold email setups skip DMARC entirely or leave it at "p=none" forever. Moving to "p=quarantine" or "p=reject" actually improves deliverability because it signals to email providers that you take authentication seriously.
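
The reports requested by the rua tag arrive as XML, and reading them is how you confirm it is safe to move from p=none to p=quarantine. The sketch below is an added example, not imisofts' own tooling: it totals DMARC outcomes per source IP from one report. The sample report, its IP addresses and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of an aggregate (rua) report; real ones arrive as
# gzip/zip attachments from each receiver. IPs are documentation addresses.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>480</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>20</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
</feedback>"""

def summarize(report_xml):
    """Return {source_ip: Counter(pass=..., fail=...)} of DMARC outcomes."""
    # Reports come from third parties: use a hardened parser such as
    # defusedxml when handling real ones.
    totals = {}
    for row in ET.fromstring(report_xml).iter("row"):
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either aligned check passes, not only when both do.
        ok = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        outcome = "pass" if ok else "fail"
        ip = row.findtext("source_ip")
        totals.setdefault(ip, Counter())[outcome] += int(row.findtext("count"))
    return totals

def would_be_blocked(report_xml, own_ips):
    """Messages from your own servers that p=quarantine/reject would act on."""
    totals = summarize(report_xml)
    return sum(totals[ip]["fail"] for ip in own_ips if ip in totals)

def unknown_sources(report_xml, own_ips):
    """Source IPs sending as the domain that are not in your own list."""
    return sorted(set(summarize(report_xml)) - set(own_ips))
```

A zero from would_be_blocked across several weeks of reports is the signal to tighten the policy; anything returned by unknown_sources is either a forgotten third-party sender or someone else using your domain.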

MX records

MX records tell the internet where to deliver incoming mail for your domain. Even though cold email domains are primarily for outbound, receiving servers check MX records as part of their validation.

A domain without MX records looks suspicious — it suggests the domain was set up solely for sending, which is a spam signal. Configure MX records to point to your private server so the domain can both send and receive.

MX records use a specific format with a priority value and mail server hostname. Lower priority numbers indicate the preferred server:

Priority: 10, Value: mail.yourdomain.com

Tracking CNAME

The tracking CNAME record enables custom open and click tracking for your cold email campaigns. Without it, your emails use shared tracking domains from Instantly or SmartLead — which are used by thousands of senders and frequently flagged by spam filters.

Add a CNAME record that points a subdomain (like track.yourdomain.com) to your campaign platform's tracking server. The specific value depends on your platform — Instantly and SmartLead each have their own tracking server hostnames.

Custom tracking domains are one of the most overlooked elements of cold email infrastructure. We include them in every build because the deliverability impact is measurable.

Verification: how to confirm everything works

After configuring all DNS records, you need to verify that everything is working before starting warmup.

The simplest method is to send an email from one of your new inboxes to a personal Gmail account. In Gmail, open the email, click the three dots menu, and select "Show original." You will see a panel showing SPF, DKIM, and DMARC results. All three should show "PASS."

If any show "FAIL" or "SOFTFAIL," there is a DNS configuration error that needs to be corrected before proceeding.
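
The same check can be scripted from the raw text behind "Show original". This is an added example, not part of the original guide: it reads the Authentication-Results header written by the receiving server and lists any method that did not pass. The sample message, the selector name and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed "Show original" text: the receiver's header sits on top, and a
# header claiming results from another host follows it further down.
RAW = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=selector header.b=AbCd1234;
       spf=softfail (google.com: domain of transitioning sender@yourdomain.com does not designate 192.0.2.99 as permitted sender) smtp.mailfrom=sender@yourdomain.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yourdomain.com
Authentication-Results: relay.example.net; spf=pass; dkim=pass; dmarc=pass
From: sender@yourdomain.com
Subject: authentication test

test body
"""

def auth_results(raw_message, trusted_authserv_id):
    """Return {method: result} from the first header written by the trusted receiver."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^()]*\)", "", value)  # drop (comments)
        authserv_id, *clauses = [c.strip() for c in value.split(";")]
        # Anyone upstream can add this header, so only the receiver's own counts.
        if authserv_id.split()[:1] != [trusted_authserv_id]:
            continue
        results = {}
        for clause in clauses:
            match = re.match(r"(\w+)=(\w+)", clause)
            if match:  # keep the first result reported for each method
                results.setdefault(match.group(1).lower(), match.group(2).lower())
        return results
    return {}

def not_passing(results):
    """Methods that need a DNS fix before warmup: anything other than 'pass'."""
    return [m for m in ("spf", "dkim", "dmarc") if results.get(m) != "pass"]
```

On the sample, DMARC passes through DKIM alone while SPF soft-fails, which points at a sending IP missing from the SPF record.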

We also recommend checking your records with MXToolbox or similar DNS lookup tools. Enter your domain and verify that SPF, DKIM, and DMARC records are resolving correctly.

Allow 24 to 48 hours for DNS propagation after making changes. Some records propagate quickly, but others can take up to 48 hours to fully resolve.

Google Postmaster Tools setup

After DNS authentication is verified, we set up Google Postmaster Tools for every domain. This gives you direct visibility into how Gmail views your sender reputation.

Google Postmaster shows your domain reputation (high, medium, low, bad), spam rate (should stay below 0.3%), authentication results (SPF, DKIM, DMARC pass rates), and delivery errors.

Setting up Postmaster requires adding a TXT verification record to your DNS — one more record to add, but it gives you monitoring that is invaluable for catching issues before they become catastrophic.

The complete DNS record checklist

For every cold email domain, we configure these records:

One SPF TXT record at @ authorizing your sending server.
One DKIM TXT record at selector._domainkey with your public key.
One DMARC TXT record at _dmarc with your policy.
At least one MX record pointing to your mail server.
One CNAME record for custom email tracking.
One TXT record for Google Postmaster verification.

Six records per domain. For a client running 25 domains, that is 150 DNS records configured and verified. This is why most teams outsource infrastructure — the technical overhead is substantial but critical.
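
With this many records, a lint pass over the values before publishing catches the common mistakes. The following is an added example, not imisofts' own tooling: it checks SPF, DKIM and DMARC record strings copied from a DNS zone. The function names and the set of checks are choices made for this example; it does not query DNS and counts SPF lookup terms in the one record only.

```python
import base64
import re

# Terms that each cost a DNS query against SPF's limit of 10 (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into ordered pairs."""
    parts = [p.split("=", 1) for p in record.split(";") if "=" in p]
    return [(tag.strip().lower(), value.strip()) for tag, value in parts]

def lint_spf(txt_records):
    """Check all TXT records at the bare domain (@); include: targets are not followed."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # receivers treat zero or several SPF records as an error
        return [f"expected exactly 1 SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    names = [re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0] for t in terms]
    problems = []
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        problems.append("more than 10 DNS-lookup terms")
    if "all" not in names and "redirect" not in names:
        problems.append("no 'all' mechanism or redirect modifier")
    if "all" in terms or "+all" in terms:
        problems.append("'+all' authorizes every server to send as this domain")
    return problems

def lint_dkim(record):
    """Check the TXT value published at selector._domainkey."""
    tags = dict(parse_tags(record))
    problems = [] if tags.get("v", "DKIM1") == "DKIM1" else ["v= must be DKIM1"]
    try:
        key = base64.b64decode("".join(tags.get("p", "").split()), validate=True)
    except ValueError:
        return problems + ["p= is not valid base64 (placeholder left in?)"]
    if not key:
        problems.append("p= is empty, which marks the key as revoked")
    return problems

def lint_dmarc(record):
    """Check the TXT value published at _dmarc."""
    tags = parse_tags(record)
    values = dict(tags)
    ok = tags[:1] == [("v", "DMARC1")]
    problems = [] if ok else ["record must start with v=DMARC1"]
    if values.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if not values.get("rua", "").lower().startswith("mailto:"):
        problems.append("no rua=mailto: address, so no reports will arrive")
    return problems
```

Each function returns an empty list for a clean record, so the output for 25 domains can be reduced to the handful of records that need attention.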

Conclusion

SPF, DKIM, and DMARC setup is the non-negotiable foundation of cold email deliverability. Since Gmail, Yahoo, and Outlook began enforcing strict authentication in 2024 and 2025, improperly configured domains get rejected outright.

At imisofts, we configure the complete DNS authentication stack for every domain in every infrastructure package. If you want your records done right the first time, check out our packages at imisofts.com/cold-email-marketing#packages.

Frequently Asked Questions

Your emails will likely land in spam or get rejected entirely. Since 2024, Gmail and Yahoo reject non-compliant emails from bulk senders. Microsoft Outlook followed with similar enforcement in 2025.
Most records propagate within a few hours, but full propagation can take up to 48 hours. We recommend waiting 24-48 hours before starting warmup to ensure all records are fully resolved.
Start with p=none to monitor authentication results without blocking any emails. After 2-4 weeks of clean results, move to p=quarantine, and eventually p=reject for the strongest trust signal.
Send an email from your new inbox to a Gmail account, open the email, click the three dots menu, and select Show Original. You should see PASS next to SPF, DKIM, and DMARC.
