
SPF, DKIM & DMARC - Complete Setup Guide

If you purchase your domains through Prospi, many of these records are configured automatically, saving you time and reducing the risk of misconfiguration.

Why DNS Authentication Matters

SPF, DKIM, and DMARC are email authentication protocols that prove to receiving mail servers that your emails are legitimate and not spoofed. Without them properly configured, your cold emails will almost certainly land in spam - or be rejected entirely.

Setting these up correctly is the single most important technical step for cold email deliverability.

SPF (Sender Policy Framework)

What It Does

SPF tells receiving mail servers which servers are authorized to send email on behalf of your domain. When Gmail receives an email from @yourdomain.com, it checks your SPF record to verify the sending server is allowed.

How to Set It Up

  1. Log in to your domain registrar or DNS provider (e.g., GoDaddy, Namecheap, Cloudflare).

  2. Navigate to DNS settings for your domain.

  3. Add a new TXT record with the following values:

    • Host/Name: @ (or leave blank, depending on your provider)

    • Type: TXT

    • Value: v=spf1 include:_spf.google.com ~all (for Google Workspace - adjust the include based on your email provider)

  4. If you use multiple sending services, include all of them in a single SPF record: v=spf1 include:_spf.google.com include:sendgrid.net ~all

  5. Save the record and allow up to 48 hours for DNS propagation.

Common Mistakes

  • Multiple SPF records - You can only have ONE SPF TXT record per domain. If you need multiple includes, combine them into a single record.

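  • Using -all too early - Start with ~all (softfail) while testing. Switch to -all (fail, the strict setting) once you have confirmed everything works.

  • Exceeding the 10-lookup limit - SPF allows a maximum of 10 DNS lookups per check, and lookups made inside nested includes count toward that total. Too many includes will break your record: receivers treat it as a permanent error instead of evaluating it.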
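The three mistakes above can be checked mechanically before a record goes live. The following is an added example, not Prospi's tooling: it lints SPF records held in a constructed dictionary (`ZONE`, with made-up `.test` names and documentation IP ranges) instead of querying live DNS, and the function names are illustrative.

```python
# Constructed TXT data standing in for live DNS answers; every name is made up.
ZONE = {
    "example.test": ["v=spf1 include:_spf.mail.test include:bulk.test mx ~all",
                     "site-verification=constructed"],
    "_spf.mail.test": ["v=spf1 include:a.mail.test include:b.mail.test ~all"],
    "a.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "b.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "bulk.test": ["v=spf1 a mx ip4:203.0.113.0/24 ~all"],
    "heavy.test": ["v=spf1 include:example.test include:_spf.mail.test "
                   "include:bulk.test ~all"],
    "dup.test": ["v=spf1 include:_spf.mail.test ~all", "v=spf1 include:bulk.test ~all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS query

def spf_records(domain, zone=ZONE):
    """Return only the TXT strings that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case DNS lookups to evaluate a domain's SPF, following includes."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:
        return 0  # include loop, or no single record to follow
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[9:], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        if name.split("/")[0] in LOOKUP_TERMS:  # split drops a CIDR suffix (a/24)
            total += 1
            if name == "include":
                total += count_lookups(target, zone, path + (domain,))
    return total

def lint_spf(domain, zone=ZONE):
    """Report the three mistakes from the list above for one domain."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return {"lookups": None, "findings":
                [f"expected exactly 1 SPF record, found {len(records)}"]}
    findings = []
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10")
    if "-all" not in records[0].split():
        findings.append("not yet on -all; switch once testing is confirmed")
    return {"lookups": lookups, "findings": findings}
```

In the sample data, `heavy.test` lists only three includes yet costs 14 lookups once the nested records are followed, which is how a short-looking record ends up over the limit.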

DKIM (DomainKeys Identified Mail)

What It Does

DKIM adds a digital signature to every email you send. The receiving server uses a public key (published in your DNS) to verify the signature, confirming the email was not altered in transit and truly came from your domain.

How to Set It Up

  1. Your email provider (Google Workspace, Outlook, etc.) will generate a DKIM key pair for you.

  2. For Google Workspace:

    • Go to Admin Console → Apps → Google Workspace → Gmail → Authenticate email.

    • Click Generate New Record. Select your domain and a DKIM key bit length (2048-bit recommended).

    • Google will provide a TXT record value.

  3. Add the DKIM record to your DNS:

    • Host/Name: google._domainkey (or the selector your provider specifies)

    • Type: TXT

    • Value: The long string provided by your email provider

  4. Go back to your email provider and click Start Authentication (or equivalent).

  5. Allow up to 48 hours for propagation.

Common Mistakes

  • Not starting authentication - Adding the DNS record is not enough; you must also enable DKIM in your email provider's admin panel.

  • Incorrect selector - Make sure the host/name matches exactly what your provider specifies.

  • Truncated records - Some DNS providers have character limits for TXT records. If your DKIM value is cut off, split it into two quoted strings or use a provider that supports longer records.
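The truncated-record mistake comes from the DNS limit of 255 bytes per TXT string, which a 2048-bit DKIM key exceeds. This added example (not from the original guide or any provider) splits a record into quoted strings, rejoins them as a verifier would, and detects a cut-off key; the key is a constructed placeholder and the function names are illustrative.

```python
import base64
import binascii
import re

MAX_STRING = 255  # a single DNS TXT character-string holds at most 255 bytes

# Constructed stand-in: 294 arbitrary bytes, the DER size of a 2048-bit RSA public
# key, so the record has a realistic length. It is not a usable key.
FAKE_KEY = base64.b64encode(bytes(i % 256 for i in range(294))).decode()
RECORD = "v=DKIM1; k=rsa; p=" + FAKE_KEY

def split_txt(value, size=MAX_STRING):
    """Render a long TXT value as consecutive quoted strings for a DNS panel."""
    return " ".join(f'"{value[i:i + size]}"' for i in range(0, len(value), size))

def join_txt(presentation):
    """Rebuild the value as a verifier sees it: strings concatenated, no separator."""
    return "".join(re.findall(r'"([^"]*)"', presentation))

def check_dkim(value):
    """Parse tag=value pairs and confirm the p= key is intact base64."""
    tags = dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)
    key = "".join(tags.get("p", "").split())  # folding whitespace is allowed in p=
    if tags.get("v", "DKIM1") != "DKIM1" or not key:
        return {"ok": False, "reason": "bad v= tag or missing p= tag"}
    try:
        der = base64.b64decode(key, validate=True)
    except binascii.Error:
        return {"ok": False, "reason": "p= is not valid base64 (truncated?)"}
    return {"ok": True, "key_bytes": len(der)}
```

Comparing `key_bytes` for the published record against the value your provider generated catches a truncation that happens to land on a valid base64 boundary.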

DMARC (Domain-based Message Authentication, Reporting & Conformance)

What It Does

DMARC ties SPF and DKIM together and tells receiving servers what to do when an email does not pass authentication. It also provides reporting so you can monitor who is sending email from your domain.

How to Set It Up

  1. Add a new TXT record to your DNS:

    • Host/Name: _dmarc

    • Type: TXT

    • Value: v=DMARC1; p=none; rua=mailto:[email protected]

  2. Start with p=none (monitor only) to collect data without affecting delivery.

  3. After 2–4 weeks of clean reports, upgrade to p=quarantine and eventually p=reject for maximum protection.

DMARC Policy Levels

  • p=none - Monitor only. No action taken on non-passing emails. Best for initial setup.

  • p=quarantine - Non-passing emails are sent to spam. Good intermediate step.

  • p=reject - Non-passing emails are blocked entirely. Maximum protection, use once you are confident.

How to Verify Your Setup

After configuring all three records, verify they are working correctly:

  1. Prospi - Visit Prospi and use their SPF, DKIM, and DMARC lookup tools. Enter your domain and check for any notifications.

  2. Google Admin Toolbox - Use toolbox.googleapps.com/apps/checkmx/ to verify your Google Workspace DNS setup.

  3. Send a test email - Send an email to a Gmail account, open it, click the three dots → "Show Original." Look for spf=pass, dkim=pass, and dmarc=pass.

  4. mail-tester.com - Send an email to the address shown on their site and get a deliverability score with specific recommendations.
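The "Show Original" check in step 3 can be scripted against a saved test message. This is an added example, not part of the original guide: the message in `RAW` is constructed, `mx.example.net` stands in for the receiving server's identifier (Gmail stamps `mx.google.com`), and the function names are illustrative. Only the header written by the receiving server is read, because any other Authentication-Results header may have been supplied by the sending side.

```python
import email
import re

# Constructed headers in the shape "Show original" displays; not a real message.
RAW = """\
Delivered-To: recipient@example.net
Authentication-Results: mx.example.net;
       dkim=pass header.i=@example.test header.s=google header.b=AbCdEfGh;
       spf=softfail (example.net: domain of transitioning sender@example.test
       does not designate 192.0.2.10 as permitted sender)
       smtp.mailfrom=sender@example.test;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.test
Authentication-Results: mail.sender.test; spf=pass smtp.mailfrom=sender@example.test
From: Sender <sender@example.test>
Subject: deliverability test

body
"""

def auth_results(raw, trusted_id):
    """Collect spf/dkim/dmarc verdicts from headers stamped by trusted_id only."""
    verdicts = {}
    msg = email.message_from_string(raw)
    for header in msg.get_all("Authentication-Results", []):
        # Unfold the header onto one line, then drop parenthesised comments.
        text = re.sub(r"\([^()]*\)", "", " ".join(header.split()))
        authserv_id, _, rest = text.partition(";")
        if authserv_id.strip().lower() != trusted_id.lower():
            continue  # written by some other host, so not evidence of delivery checks
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()):
            verdicts.setdefault(method, []).append(result)
    return verdicts

def not_passing(verdicts):
    """Methods from the checklist above that lack a pass verdict."""
    return [m for m in ("spf", "dkim", "dmarc") if "pass" not in verdicts.get(m, [])]
```

For the sample message, `not_passing(auth_results(RAW, "mx.example.net"))` returns `["spf"]`: DMARC still passes on the DKIM result, but the SPF record does not yet cover the sending server.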

Quick Reference Checklist

| Record | Type | Host | Example Value |
|--------|------|------|---------------|
| SPF | TXT | @ | v=spf1 include:_spf.google.com ~all |
| DKIM | TXT | google._domainkey | (provided by email provider) |
| DMARC | TXT | _dmarc | v=DMARC1; p=none; rua=mailto:[email protected] |
