Key Takeaway
SPF, DKIM, and DMARC are the three DNS authentication protocols that prove your emails are legitimate. Without them, your cold emails will land in spam. Set them up before warming up your inboxes with WarmySender for maximum deliverability.
If you have ever set up a cold email account and been told to “configure your DNS records,” you have encountered SPF, DKIM, and DMARC. These three protocols are the authentication layer that proves to Gmail, Outlook, and Yahoo that you are who you say you are — and that your emails have not been tampered with in transit.
In 2026, these records are not optional. Google and Yahoo both require SPF, DKIM, and DMARC for anyone sending bulk email. Skip them and your emails go straight to spam, no questions asked.
The Simple Version
Think of email authentication like ID verification at a building entrance:
| Protocol | Real-World Analogy | What It Does |
|---|---|---|
| SPF | Guest list at the door | Lists which servers are authorized to send email from your domain |
| DKIM | Tamper-proof seal on a letter | Adds a digital signature that proves the email was not modified in transit |
| DMARC | Security policy: what to do with fakes | Tells inbox providers how to handle emails that fail SPF or DKIM checks |
SPF (Sender Policy Framework) — The Guest List
SPF is a DNS record that tells inbox providers which mail servers are allowed to send emails on behalf of your domain. When Gmail receives an email from your domain, it checks the SPF record to see if the sending server is on the approved list.
How to set it up:
Add a TXT record to your domain’s DNS with the following value:
v=spf1 include:_spf.google.com ~allFor Microsoft 365:
v=spf1 include:spf.protection.outlook.com ~allFor both:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~allThe ~all at the end means “soft fail” — emails from unlisted servers will be marked suspicious but not outright rejected. This is the recommended starting point. You can tighten to -all (hard fail) once you are confident all legitimate sending sources are listed.
Common SPF mistakes:
- Having multiple SPF records (only one is allowed per domain — combine them)
- Forgetting to include third-party senders (your email marketing tool, CRM, etc.)
- Exceeding the 10 DNS lookup limit (each
include:counts as one lookup)
DKIM (DomainKeys Identified Mail) — The Tamper-Proof Seal
DKIM adds a cryptographic signature to every email you send. The receiving server uses your public DKIM key (published in DNS) to verify that the email content has not been altered since it left your server.
How to set it up:
DKIM keys are generated by your email provider. The process varies:
Google Workspace: Go to Admin Console > Apps > Google Workspace > Gmail > Authenticate Email. Generate a DKIM key, then add the provided TXT record to your DNS.
Microsoft 365: Go to Microsoft 365 Defender > Email & Collaboration > Policies > DKIM. Enable DKIM signing and add the required CNAME records to your DNS.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) — The Security Policy
DMARC builds on SPF and DKIM by telling inbox providers what to do when an email fails authentication. It also provides reporting, so you can see who is sending emails using your domain (including unauthorized senders).
DMARC policies:
| Policy | DNS Value | What Happens to Failing Emails | When to Use |
|---|---|---|---|
| None (monitor) | p=none | Delivered normally, but reports are generated | Start here — monitor first |
| Quarantine | p=quarantine | Sent to spam/junk folder | After 2-4 weeks of monitoring |
| Reject | p=reject | Blocked entirely | When fully confident in setup |
Recommended starting DMARC record:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; pct=100The rua address receives aggregate reports (daily summaries of all email sent from your domain). The ruf address receives forensic reports (details on individual failures). Start with p=none to monitor without affecting delivery, then gradually tighten.
How All Three Work Together
When Gmail receives an email from your domain, here is what happens:
Step 1 — SPF check: Is the sending server on the approved list? If yes, SPF passes.
Step 2 — DKIM check: Does the DKIM signature match the public key in DNS? If yes, DKIM passes.
Step 3 — DMARC check: Did at least one of SPF or DKIM pass AND align with the From domain? If yes, DMARC passes.
Step 4 — Policy enforcement: If DMARC fails, apply the policy (none, quarantine, or reject).
Verifying Your Setup
After configuring all three records, verify them using these free tools:
- MXToolbox: Check SPF, DKIM, and DMARC records individually
- Mail Tester (mail-tester.com): Send a test email and get a deliverability score
- Google Postmaster Tools: Monitor your domain reputation with Gmail specifically
- dmarcian: Analyze DMARC reports and track authentication results over time
After DNS: The Next Step Is Warmup
Configuring SPF, DKIM, and DMARC is the foundation, but it is not enough on its own. These records prove your emails are authentic — they do not prove you are a trusted sender. That is what email warmup does.
Once your DNS records are verified, connect your inboxes to WarmySender and start the warmup process. The combination of proper authentication plus automated warmup gives you the highest possible inbox placement rate.
The Authentication + Warmup Formula
DNS authentication (SPF, DKIM, DMARC) proves your emails are legitimate. Email warmup proves you are a trusted sender. Together, they give inbox providers every reason to deliver your emails to the inbox. WarmySender handles the warmup side automatically, while also including email verification and campaign tools in one platform.
DNS records set up? The next step is warmup.
Start warming your inboxes with WarmySender and watch your inbox placement rate climb.