
SPF, DKIM, and DMARC for Cold Email: The Simple Fix Guide

Authentication errors are the most common and most fixable cause of cold email spam placement. Here's what each record does, how to check it, and exactly how to fix it.

Most cold email deliverability problems trace back to authentication. SPF, DKIM, and DMARC form the foundation of email trust — without them, providers have no technical reason to believe your email is legitimate. Here's what each one does and how to fix common problems.

What each record actually does

SPF (Sender Policy Framework)

SPF is a DNS record that lists which servers are authorized to send email for your domain. When a receiving server gets your email, it checks whether the sending server's IP is in your SPF record. If it's not, the email fails SPF — which is a strong spam signal.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every email you send. The receiving server looks up your public key in DNS and uses it to verify the signature. If the signature is valid, the email hasn't been tampered with and genuinely came from an authorized source. A broken DKIM signature is one of the most damaging authentication failures for cold email.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also gives you visibility through aggregate reports. Without DMARC, you don't know when your domain is being spoofed or when authentication is silently failing.

Diagnosing authentication problems

Use the SPF checker, DKIM checker, and DMARC lookup to verify each record. Then run a placement test — the test email's headers will show exactly what the receiving server saw for each auth check.

SPF: common errors and fixes

Missing SPF record

No SPF record means no authorization. Add one immediately. The records for the two most common ESPs:
Google Workspace: v=spf1 include:_spf.google.com ~all
M365: v=spf1 include:spf.protection.outlook.com -all

Multiple SPF records

A domain can only have one SPF record. If you publish two v=spf1 TXT records, receivers cannot tell which one applies and treat the check as a permanent error, so authentication fails. Merge them into a single record.

Too many DNS lookups

SPF has a 10 DNS lookup limit. Every include: counts toward it, including the ones nested inside your ESP's own record, so stacking several include: statements can push you over. If you're over the limit, use SPF flattening to reduce lookups.

Softfail vs hardfail

~all (softfail) means unauthorized senders are flagged but not rejected. -all (hardfail) means they're rejected. For most cold email setups, ~all is appropriate. +all (passall) is dangerous — it authorizes every server, which means SPF provides no protection.
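The three SPF problems above can all be caught from the record alone. The linter below is an added example, not the article's SPF checker or any vendor's code: it counts lookup-costing terms (include, a, mx, ptr, exists, redirect) recursively through nested includes, reports more than one v=spf1 record, and flags a passall record. DNS is replaced by a constructed in-memory table under fictional .example names so it runs offline; swapping in a real TXT resolver is the only change needed to point it at a live zone.

```python
"""Offline SPF linter: multiple records, the 10-lookup limit, and +all.
Added example; DNS is a constructed in-memory table, not a live resolver."""

# Constructed sample zone (every name under .example is fictional).
SAMPLE_TXT = {
    # one SPF record, but nested includes push it to 13 lookups
    "example.com": [
        "v=spf1 include:_spf.esp.example include:crm.example mx ~all",
        "google-site-verification=constructed-token",   # non-SPF TXT, ignored
    ],
    "_spf.esp.example": ["v=spf1 include:a.esp.example include:b.esp.example include:c.esp.example ~all"],
    "a.esp.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "b.esp.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "c.esp.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "crm.example": ["v=spf1 a mx include:_spf.crm.example ~all"],
    "_spf.crm.example": ["v=spf1 a:out.crm.example mx:mx.crm.example exists:%{i}.crm.example redirect=b.esp.example"],
    # two v=spf1 records: receivers return a permanent error
    "broken.example": ["v=spf1 include:a.esp.example ~all", "v=spf1 ip4:192.0.2.10 -all"],
    # passall: every server on the internet is "authorized"
    "open.example": ["v=spf1 +all"],
    "ok.example": ["v=spf1 include:a.esp.example ~all"],
}

# Terms that cost a DNS lookup (RFC 7208 section 4.6.4); ip4, ip6 and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_records(name, txt=SAMPLE_TXT):
    """All TXT records at `name` that start with v=spf1 (there should be exactly one)."""
    return [r for r in txt.get(name, []) if r.lower().startswith("v=spf1")]


def parse_term(term):
    """Split one SPF term into (mechanism, target); qualifier and CIDR suffix stripped."""
    term = term.lstrip("+-~?")
    for sep in (":", "="):               # include:x uses ':', redirect=x uses '='
        if sep in term:
            mech, target = term.split(sep, 1)
            return mech.split("/")[0].lower(), target
    return term.split("/")[0].lower(), None


def count_lookups(name, txt=SAMPLE_TXT, path=()):
    """DNS lookups reachable from `name`, following include: and redirect= recursively."""
    if name in path:
        return 0                         # loop guard; real resolvers return permerror here
    recs = spf_records(name, txt)
    if len(recs) != 1:
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        mech, target = parse_term(term)
        if mech in LOOKUP_TERMS:
            total += 1
        if mech in ("include", "redirect") and target:
            total += count_lookups(target, txt, path + (name,))
    return total


def lint_spf(domain, txt=SAMPLE_TXT):
    """Return a list of findings; an empty list means the record passes all three checks."""
    recs = spf_records(domain, txt)
    if not recs:
        return ["missing: no v=spf1 record published"]
    if len(recs) > 1:
        return [f"multiple: {len(recs)} v=spf1 records (receivers return permerror); merge them"]
    findings = []
    terms = [t.lower() for t in recs[0].split()[1:]]
    if "+all" in terms or "all" in terms:   # the default qualifier is +, so a bare "all" is passall too
        findings.append("passall: '+all' authorizes every server; use ~all or -all")
    lookups = count_lookups(domain, txt)
    if lookups > 10:
        findings.append(f"lookups: {lookups} DNS lookups exceed the limit of 10; flatten the includes")
    return findings


if __name__ == "__main__":
    for name in ("example.com", "broken.example", "open.example", "ok.example", "nospf.example"):
        print(name, lint_spf(name) or ["ok"])
```

Note that example.com's own record has only three terms yet costs 13 lookups: the count is dominated by what the ESP and CRM records pull in underneath, which is exactly why the limit is so easy to exceed without noticing.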

DKIM: common errors and fixes

DKIM not enabled with your ESP

Most ESPs require you to explicitly enable DKIM. In Google Workspace, go to Admin > Apps > Google Workspace > Gmail > Authenticate email. For M365, go to Microsoft 365 Defender > Email & Collaboration > Policies & Rules > DKIM.

Wrong selector

The selector is the prefix before ._domainkey.yourdomain.com, and it is taken from the s= tag of the DKIM-Signature header on each message. Google Workspace uses the selector google. M365 uses selector1 and selector2. Other SMTP tools use selectors of their own. Use the DKIM checker to auto-discover which selectors are present.

Key not published in DNS

You can activate DKIM in your ESP but forget to add the DNS record. The DKIM checker will tell you if the record exists and if the key is valid.

Short key length

1024-bit DKIM keys are considered weak. 2048-bit is the current standard. If your key is 1024-bit, rotate to a 2048-bit key through your ESP.
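The wrong-selector, unpublished-key and short-key problems above are all visible from one DNS query. The script below is an added example, not the article's DKIM checker or any ESP's code: it reads d= and s= from a DKIM-Signature header, builds the selector._domainkey.domain name a receiver would query, parses the v=DKIM1 record and reads the RSA modulus size out of the base64 p= value. It does not verify the signature itself (that needs the canonicalized message). The DNS table and the DKIM-Signature header are constructed, and the keys in it are placeholder moduli of the right size built with a tiny DER encoder, not real RSA keys.

```python
"""DKIM key-record check: selector lookup, presence, revocation and key length.
Added example; DNS is a constructed table, the sample keys are placeholders."""
import base64


# --- minimal DER helpers, used only to build constructed sample keys ---------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body            # keep the INTEGER positive
    return _der(0x02, body)


RSA_ALG = bytes.fromhex("06092a864886f70d0101010500")   # OID rsaEncryption + NULL params


def rsa_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo DER for an RSA key, the format published in a DKIM p= tag."""
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return _der(0x30, _der(0x30, RSA_ALG) + _der(0x03, b"\x00" + rsa_public_key))


def _tlv(buf, pos=0):
    """Read one DER element at buf[pos]; returns (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Key length in bits of an RSA SubjectPublicKeyInfo (the number ESPs quote)."""
    _, spki_body, _ = _tlv(spki)                   # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _tlv(spki_body)                    # skip AlgorithmIdentifier
    _, bit_string, _ = _tlv(spki_body, pos)        # BIT STRING wrapping RSAPublicKey
    _, rsa_key, _ = _tlv(bit_string[1:])           # [1:] skips the unused-bits byte
    _, modulus, _ = _tlv(rsa_key)                  # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()


# --- constructed DNS: selector._domainkey.domain -> TXT ----------------------
# The moduli are placeholders of the right size, not real RSA keys.
_KEY_2048 = base64.b64encode(rsa_spki((1 << 2047) | 1)).decode()
_KEY_1024 = base64.b64encode(rsa_spki((1 << 1023) | 1)).decode()
SAMPLE_TXT = {
    "mail2024._domainkey.example.com": f"v=DKIM1; k=rsa; p={_KEY_2048}",
    "selector1._domainkey.example.com": f"v=DKIM1; k=rsa; p={_KEY_1024}",
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",       # empty p= means the key is revoked
    # "google._domainkey.example.com" is deliberately absent: enabled in the ESP, never published
}


def parse_tags(value):
    """Parse a DKIM 'tag=value; tag=value' list; whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())   # folded headers and base64 may wrap
    return tags


def check_dkim(dkim_signature, txt=SAMPLE_TXT):
    """Given a message's DKIM-Signature header value, find and grade its key record."""
    sig = parse_tags(dkim_signature)
    name = f"{sig['s']}._domainkey.{sig['d']}"     # the name the receiver queries
    record = txt.get(name)
    if record is None:
        return {"name": name, "status": "missing"}
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return {"name": name, "status": "invalid"}
    if tags["p"] == "":
        return {"name": name, "status": "revoked"}
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return {"name": name, "status": "ok" if bits >= 2048 else "weak", "bits": bits}


# Constructed DKIM-Signature header as seen in a placement-test message
# (bh= and b= are placeholders; the signature itself is not verified here).
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024; "
             "h=from:to:subject:date; bh=BODYHASH; b=SIGNATURE")

if __name__ == "__main__":
    for selector in ("mail2024", "selector1", "old", "google"):
        print(check_dkim(SIGNATURE.replace("s=mail2024", f"s={selector}")))
```

The four selectors cover the four outcomes: a published 2048-bit key, a weak 1024-bit key to rotate, a revoked key, and a selector the ESP signs with that was never published in DNS.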

DMARC: setup and common mistakes

No DMARC record

A missing DMARC record means you're not getting any authentication reporting and you're not signaling a policy to receivers. Add at minimum: v=DMARC1; p=none; rua=mailto:your@email.com

Policy set too aggressively too early

Starting with p=reject before you've verified all your sending sources will block legitimate email. Start with p=none, monitor reports for 2–4 weeks, then move to p=quarantine and eventually p=reject.
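DMARC only passes when SPF or DKIM passes and the identifier it authenticated aligns with the From domain, which is why an ESP signing with its own domain can show dkim=pass in the headers and still fail DMARC. The evaluator below is an added example, not the article's DMARC lookup or any receiver's implementation: it parses a placement-test Authentication-Results header, reads the From domain's DMARC record, applies relaxed or strict alignment and returns the disposition the policy would produce. The records and headers are constructed; the organizational-domain function is a deliberate simplification (last two labels, where real receivers use the Public Suffix List) and pct= sampling is not modelled.

```python
"""DMARC evaluation from an Authentication-Results header and a DMARC record.
Added example; records, headers and the org-domain rule are constructed/simplified."""
import re

# Constructed DMARC records at _dmarc.<domain>.
DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r",
    "_dmarc.nopolicy.example": "v=DMARC1; p=none",      # no rua=: nobody ever sees a report
}

# Constructed Authentication-Results headers as a receiving server would add them.
# Case 1: both authenticated identifiers align with the From domain example.com.
AUTH_ALIGNED = ("mx.receiver.example; dkim=pass header.d=example.com header.s=mail2024; "
                "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.example.com")
# Case 2: the ESP signs with its own domain and uses its own bounce address, so
# SPF and DKIM both pass, yet neither aligns with example.com: DMARC fails.
AUTH_ESP_ONLY = ("mx.receiver.example; dkim=pass header.d=esp.example header.s=k1; "
                 "spf=pass smtp.mailfrom=bounce.esp.example")


def parse_tags(value):
    """Parse a 'tag=value; tag=value' DMARC record into a dict."""
    return {k.strip(): v.strip() for k, v in
            (p.split("=", 1) for p in value.split(";") if "=" in p)}


def parse_auth_results(header):
    """Authentication-Results -> {method: (result, {property: value})}; comments dropped."""
    results = {}
    for clause in header.split(";")[1:]:                 # [0] is the authserv-id
        words = re.sub(r"\([^)]*\)", "", clause).split()
        if not words:
            continue
        method, result = words[0].split("=", 1)
        props = dict(p.split("=", 1) for p in words[1:] if "=" in p)
        results[method.lower()] = (result.lower(), props)
    return results


def org_domain(name):
    """Organizational domain. Simplification: last two labels; real receivers use the
    Public Suffix List, which matters for names such as example.co.uk."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(identifier, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if not identifier:
        return False
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_evaluate(from_domain, auth_results, records=DMARC_RECORDS):
    """Apply the From domain's DMARC policy to the receiver's SPF and DKIM results."""
    # Receivers query the exact From domain first, then fall back to the org domain.
    record = records.get(f"_dmarc.{from_domain}") or records.get(f"_dmarc.{org_domain(from_domain)}")
    if record is None:
        return {"policy": None, "result": "none", "disposition": "none",
                "findings": ["no DMARC record: no reports and no policy signalled"]}
    tags = parse_tags(record)
    findings = []
    if "rua" not in tags:
        findings.append("no rua= tag: aggregate reports are not being collected")
    auth = parse_auth_results(auth_results)
    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    spf_ok = spf_result == "pass" and aligned(
        spf_props.get("smtp.mailfrom", ""), from_domain, tags.get("aspf", "r"))
    dkim_domain = dkim_props.get("header.d") or dkim_props.get("header.i", "").split("@")[-1]
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_result == "pass" and not spf_ok:
        findings.append("SPF passed but smtp.mailfrom is not aligned with the From domain")
    if dkim_result == "pass" and not dkim_ok:
        findings.append("DKIM passed but the signing domain (d=) is not aligned with the From domain")
    passed = spf_ok or dkim_ok                          # DMARC needs one aligned pass
    policy = tags.get("p", "none")
    return {"policy": policy, "result": "pass" if passed else "fail",
            "disposition": "none" if passed else policy,   # pct= sampling not modelled
            "findings": findings}


if __name__ == "__main__":
    print(dmarc_evaluate("example.com", AUTH_ALIGNED))
    print(dmarc_evaluate("example.com", AUTH_ESP_ONLY))
    print(dmarc_evaluate("mail.nopolicy.example", AUTH_ESP_ONLY))
```

Case 2 is the one to watch for before moving off p=none: every line of the Authentication-Results header says pass, but the disposition under p=quarantine is still quarantine because nothing aligned. That is the kind of sending source the 2 to 4 weeks of aggregate reports are meant to surface.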

The auth setup checklist

Authentication checklist

  • SPF record exists with correct include for your ESP
  • Only one SPF record on the domain
  • SPF has fewer than 10 DNS lookups
  • DKIM enabled in your ESP
  • DKIM DNS record published and valid
  • DKIM key is 2048-bit
  • DMARC record exists
  • DMARC rua tag points to a monitored email

Run the checks first

Before replacing anything, run a free inbox placement test. You might find the issue is DNS, not the domain — and save yourself a week of unnecessary work.

