
How to set up DNS records for cold email

In this article we go over how to set up the DNS records your sending domains need (SPF, DKIM, and DMARC) so that your emails do not land in spam.

Written by Miro
Updated over 3 weeks ago

Overview

When sending emails from your own domain, having the correct DNS records is essential for deliverability. Without proper domain authentication, your emails are more likely to land in spam folders or be rejected entirely.

This guide covers the three key DNS records you need: SPF, DKIM, and DMARC.


Why DNS Records Matter

Email providers like Gmail, Outlook, and Yahoo use DNS records to verify that emails claiming to be from your domain are actually authorized. Think of these records as a way to prove your identity:

  • SPF tells email providers which servers are allowed to send email on behalf of your domain

  • DKIM adds a digital signature to your emails to prove they haven't been tampered with

  • DMARC tells email providers what to do with emails that fail SPF or DKIM checks

Without these records, your emails may be:

  • Marked as spam

  • Flagged with a warning

  • Rejected entirely


SPF (Sender Policy Framework)

SPF specifies which mail servers are authorized to send emails for your domain.

How to Set Up SPF

  1. Log in to your domain's DNS management (usually your domain registrar or hosting provider)

  2. Add a new TXT record with the following details:

  • Host/Name: @ (or leave blank, depending on your provider)

  • Value: v=spf1 include:_spf.google.com ~all (example for Google Workspace)

Example SPF Records

| Email Provider | SPF Record Value |
| --- | --- |
| Google Workspace | v=spf1 include:_spf.google.com ~all |
| Microsoft 365 | v=spf1 include:spf.protection.outlook.com ~all |
| Multiple providers | v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all |

Note: You can only have one SPF record per domain. If you use multiple email providers, combine them into a single record using multiple include: statements.


DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to your emails, allowing recipients to verify the email hasn't been altered in transit.

How to Set Up DKIM

DKIM setup varies by email provider. You'll typically need to:

  1. Generate a DKIM key in your email provider's admin console

  2. Add the provided TXT record to your DNS

Provider-Specific Instructions

Google Workspace:

  1. Go to Google Admin Console → Apps → Google Workspace → Gmail → Authenticate Email

  2. Click Generate New Record

  3. Add the TXT record to your DNS with the provided values

  4. Return to Google Admin and click Start Authentication

Microsoft 365:

  1. Go to Microsoft 365 Defender → Policies → Email Authentication Settings → DKIM

  2. Select your domain and enable DKIM signing

  3. Add the CNAME records provided to your DNS


DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC tells email providers what to do when an email fails SPF or DKIM checks, and provides reporting on authentication results.

How to Set Up DMARC

  1. Add a new TXT record to your DNS:

  • Host/Name: _dmarc

DMARC Policy Options

| Policy | What It Does |
| --- | --- |
| p=none | Monitor only: emails are delivered but you receive reports |
| p=quarantine | Failed emails go to spam |
| p=reject | Failed emails are rejected entirely |

Recommendation: Start with p=none to monitor your email authentication. Once you've verified everything is working correctly, gradually move to p=quarantine and eventually p=reject.


Verifying Your DNS Records

After adding your DNS records, verify they're set up correctly:

  1. Use an online checker: Tools like MXToolbox or Mail Tester can verify your SPF, DKIM, and DMARC records

  2. Send a test email: Send an email to a Gmail account and click "Show original" to see the authentication results

  3. Check the headers: Look for spf=pass, dkim=pass, and dmarc=pass

Note: DNS changes can take up to 48 hours to propagate, though most changes take effect within a few hours.


Quick Checklist

  • [ ] SPF record added with your email provider's servers

  • [ ] DKIM enabled and DNS record added

  • [ ] DMARC record added (start with p=none)

  • [ ] Verified all records using an online checker

  • [ ] Sent test email and confirmed authentication passes


Common Issues

"SPF record not found"

  • Make sure the TXT record is added at the root domain (@)

  • Check for typos in the record value

  • Wait for DNS propagation (up to 48 hours)

"DKIM signature not valid"

  • Ensure the DKIM record in your DNS matches what your email provider generated

  • Make sure DKIM signing is enabled in your email provider's admin console

"DMARC record not found"

  • The hostname must be _dmarc (with the underscore)

  • Make sure it's a TXT record, not another record type
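An offline pre-check for the "one SPF record per domain" rule and the "record not found" issues above, as an added example that is not part of the original article. The function names, the host-to-TXT dictionary format and the sample records are assumptions made for illustration; the sample DMARC value uses standard DMARC syntax and is not a value given in this article.

```python
# Added example: lint TXT records copied from a DNS panel (no DNS queries made).
STRICTNESS = "+?~-"  # SPF qualifiers, weakest to strictest
POLICIES = {"none", "quarantine", "reject"}

def merge_spf(records):
    """Combine several SPF records into one: each term once, strictest 'all'."""
    mechanisms, qualifier = [], None
    for record in records:
        for term in record.split()[1:]:          # skip the leading v=spf1
            if term.lstrip(STRICTNESS).lower() == "all":
                q = term[0] if term[0] in STRICTNESS else "+"  # bare "all" means +all
                qualifier = max(qualifier or q, q, key=STRICTNESS.index)
            elif term not in mechanisms:
                mechanisms.append(term)
    tail = [qualifier + "all"] if qualifier else []
    return " ".join(["v=spf1", *mechanisms, *tail])

def dmarc_policy(txt):
    """Return the p= policy of a DMARC record, or None if it is not a valid one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    pairs = (p.split("=", 1) for p in parts[1:] if "=" in p)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    return tags["p"] if tags.get("p") in POLICIES else None

def audit(zone):
    """zone maps a host label ('@', '_dmarc') to the TXT strings published there."""
    findings = []
    spf = [r for r in zone.get("@", []) if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("SPF record not found at @")
    elif len(spf) > 1:
        findings.append("more than one SPF record; publish only: " + merge_spf(spf))
    if not any(dmarc_policy(r) for r in zone.get("_dmarc", [])):
        # A DMARC record saved under the wrong host name is never looked up.
        misplaced = [h for h, recs in zone.items()
                     if h != "_dmarc" and any(dmarc_policy(r) for r in recs)]
        hint = f" (found under {misplaced[0]!r} instead)" if misplaced else ""
        findings.append("DMARC record not found at _dmarc" + hint)
    return findings

# Constructed sample: two SPF records at the root, DMARC saved without the underscore.
SAMPLE_ZONE = {
    "@": ["v=spf1 include:_spf.google.com ~all",
          "v=spf1 include:spf.protection.outlook.com ~all"],
    "dmarc": ["v=DMARC1; p=none"],
}

print("\n".join(audit(SAMPLE_ZONE)))
```

The check only inspects the strings you paste in; it does not replace the online checker or the test email described under Verifying Your DNS Records.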
