
Cold Email Deliverability: DMARC, SPF, DKIM Explained Simply

MAY 2026  ·  8 MIN READ  ·  LEADEAGLE.ONLINE

You can write the perfect cold email — right persona, right message, right timing — and it will still fail if it lands in spam. Deliverability is the foundation everything else sits on. And yet most SDRs and founders setting up their first outbound motion have no idea what SPF, DKIM, and DMARC actually do.

This guide explains all three in plain English, shows you what to set up, and tells you how to verify it's working before you send a single email.

The One-Sentence Version

SPF, DKIM, and DMARC are three DNS records that tell email providers "this email really did come from who it says it came from." Without them, your emails look suspicious to spam filters — because anyone could claim to send email from your domain.

SPF — Sender Policy Framework

// RECORD TYPE: TXT

What it does

SPF is a list of servers that are allowed to send email on behalf of your domain. It tells receiving email servers: "Only trust email from this domain if it comes from one of these IP addresses."

Without SPF, anyone can send email that appears to come from your domain. Spam filters flag this as suspicious.

What an SPF record looks like:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

This example tells email servers: "Mail from this domain may come from Google (Gmail) or SendGrid. Treat anything else with suspicion (~all)."

How to set it up: Log into your domain registrar (GoDaddy, Namecheap, Cloudflare, etc.), go to DNS settings, and add a TXT record. Your email sending tool (Google Workspace, SendGrid, Instantly, etc.) will give you the exact string to use.

DKIM — DomainKeys Identified Mail

// RECORD TYPE: TXT (CNAME)

What it does

DKIM adds a cryptographic signature to every email you send. The receiving server can verify this signature to confirm the email wasn't tampered with in transit and really did come from your domain.

Think of DKIM as a wax seal on a letter — it proves authenticity and shows if the contents were altered.

What a DKIM record looks like:

google._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."

The long string after "p=" is your public key — it's unique to your domain and generated by your email provider. You don't write this yourself; your provider generates it and gives you the record to paste into DNS.

How to set it up: In Google Workspace (Gmail for business), go to Admin → Apps → Gmail → Authenticate email → Generate key → copy the DNS record → paste into your domain's DNS.

DMARC — Domain-based Message Authentication

// RECORD TYPE: TXT

What it does

DMARC tells email servers what to do when an email fails SPF or DKIM checks. Do you want suspicious email quarantined (sent to spam), rejected entirely, or just monitored? DMARC also sends you reports about what's happening with your domain's email.

What a DMARC record looks like:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

Breaking it down: p=quarantine means "if the email fails, send it to spam." You can also use p=none (just monitor, don't act) to start safely, or p=reject (block entirely) once you're confident everything is set up correctly.

Start with p=none. This monitors without affecting delivery. After 2–4 weeks, check your DMARC reports, fix any issues, then move to p=quarantine. Never start with p=reject if you're still testing your setup.

The Sending Domain Rule — Most Important Thing in This Guide

Here's the single most important deliverability rule for cold email: never send cold outreach from your main company domain.

If your company is acme.com, do not send cold email from yourname@acme.com. Use a secondary domain — getacme.com, tryacme.io, useacme.co. Set up SPF, DKIM, and DMARC on that domain, warm it up, and send from there.

Why? Because cold email at volume will eventually generate spam complaints. If that happens to your main domain, you damage your entire company's email reputation — affecting customer emails, support emails, and everything else. A secondary domain keeps the risk isolated.

Email Warmup — Non-Negotiable Before Sending at Volume

A brand new domain has zero reputation. If you start sending 100 cold emails per day on day one, spam filters will flag it immediately. You need to warm up the domain first.

Warmup means sending a small number of emails per day that get opened, replied to, and marked as important — building a positive reputation history. Tools like Instantly, Lemwarm, and Mailreach automate this.

How to Verify Your Setup

After setting up all three records, use these free tools to verify:

Aim for a mail-tester score of 9/10 or above before starting any campaign.

If you skip this setup: your cold emails will hit spam for a significant portion of recipients. No subject line, no messaging angle, no follow-up sequence can fix a deliverability problem. Set this up first.
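An added example, not part of the original guide or of any tool it names: a Python lint for the SPF and DMARC strings shown above, meant to be run on the record text before it is pasted into DNS. The function names and the duplicate-record sample are constructed for illustration; the lookup limit and the single-record rule come from the SPF specification (RFC 7208).

```python
import re

# Terms that each cost a DNS lookup; RFC 7208 allows at most 10 per SPF check.
LOOKUP = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))", re.I)

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC style) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_spf(txt_records):
    """Lint every TXT record published at the domain name itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # none: no SPF at all; several: a permanent error
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    problems = []
    lookups = sum(1 for t in terms if LOOKUP.match(t))
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, limit is 10")
    if "all" in terms or "+all" in terms:
        problems.append("+all authorizes every server")
    elif not any(t.lstrip("-~?") == "all" or t.startswith("redirect=") for t in terms):
        problems.append("no terminating all mechanism")
    return problems

def lint_dmarc(record):
    """Lint the TXT record published at _dmarc.<domain>."""
    tags = parse_tags(record)
    problems = []
    if record.split(";")[0].replace(" ", "") != "v=DMARC1":
        problems.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) <= 100):
        problems.append("pct= must be an integer from 0 to 100")
    return problems

# Records as shown in this guide.
PAGE_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
PAGE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"
# Constructed mistake: a second sending tool added as a second SPF record.
DUPLICATE = [PAGE_SPF, "v=spf1 include:sendgrid.net ~all"]
```

Each function returns an empty list when the record passes; a second sending tool belongs inside the existing SPF record as another include, not in a second record.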
