AutoMail
Deliverability

SPF, DKIM and DMARC Explained for Cold Email

SPF, DKIM and DMARC explained: what each record does, the difference between them, exactly what Google requires in 2026, and how to set all three up correctly.

By the AutoMail team

July 2026 · 10 min read

SPF, DKIM and DMARC are three DNS records that together prove your email is really from you. SPF lists which servers may send for your domain, DKIM cryptographically signs each message so tampering is detectable, and DMARC tells receiving servers what to do when a message fails those checks and where to send reports. Cold email that skips them does not reach the inbox.

Here is the part most articles on this topic get wrong. Google does not require all three from everyone. It requires SPF or DKIM from every sender, and SPF and DKIM plus DMARC only once you send 5,000 or more messages a day to Gmail accounts. Most cold email programs never cross that line. You should still set up all three, and the reason why is more interesting than the requirement.

What are SPF, DKIM and DMARC?

Record What it does Question it answers Record type
SPF Lists the IP addresses and services allowed to send email for your domain Is this server allowed to send for this domain? TXT
DKIM Adds a cryptographic signature to the message header, verified against a public key in DNS Was this message actually signed by this domain, and unaltered in transit? TXT
DMARC Sets the policy for failures and requests reports; enforces From: alignment The From: address says this domain. Does it match what SPF or DKIM authenticated? TXT

The relationship matters more than the definitions. SPF and DKIM each authenticate something, but neither one looks at the From: address your recipient actually sees. That is the gap DMARC closes, and it is why DMARC is not simply a third checkbox.

SPF: who is allowed to send

SPF is a TXT record listing authorized senders. A typical one looks like v=spf1 include:_spf.google.com include:sendgrid.net ~all, which means Google Workspace and SendGrid may send for this domain and anything else is suspect.

The trap is the lookup limit. SPF permits a maximum of 10 DNS lookups, and every include: can trigger more lookups inside itself. Exceed 10 and the record does not degrade gracefully, it returns a permanent error and SPF fails entirely. Teams hit this by stacking one service after another over the years, then wonder why authentication broke without anyone touching DNS.

The other subtlety: SPF validates the envelope sender, not the From: header your recipient reads. On its own, SPF does not stop anyone putting your domain in the visible From: field.

DKIM: proof the message is unaltered

DKIM signs outgoing mail with a private key. The matching public key sits in DNS at a selector you choose, so the receiver can verify the signature and know the message body and headers were not modified after signing.

Key length is a hard requirement, not a preference. Google states that sending to personal Gmail accounts requires a DKIM key of 1024 bits or longer, and recommends 2048. Use 2048. Some providers still default to 1024, and a few older setups are on 512, which will simply be rejected.

DMARC: the policy that ties it together

DMARC does two jobs. It enforces alignment, meaning the domain in the visible From: header must match the domain authenticated by SPF or DKIM, and it tells receivers what to do on failure via the policy tag.

Policy What receivers do on failure When to use it
p=none Nothing. Deliver as normal, but send you reports Weeks 1 to 4. Monitoring only, while you find what is failing
p=quarantine Route failures to spam Once reports are clean. The sensible steady state for most senders
p=reject Refuse failures at the SMTP level When you are confident every legitimate source is authenticated

Google's minimum is genuinely low: its documentation says your DMARC enforcement policy can be set to none. So a bare v=DMARC1; p=none; rua=mailto:[email protected] satisfies the requirement. It does not protect you from anything, but it does start the reports flowing, and the reports are how you find the sending source nobody remembered.

Do I need SPF, DKIM and DMARC for cold email?

Yes, all three, even though Google's bulk rules technically only demand all three above 5,000 messages a day to Gmail. Cold email is unsolicited, which means it is judged harder than mail people asked for. Authentication is the cheapest trust signal available and there is no reason to arrive at that judgment missing one.

The rules also are not only Google's. Yahoo aligned with Google in February 2024 and Microsoft followed with enforcement in 2025, and the direction of travel across all of them is one way. Failing authentication increasingly means rejection at the SMTP level rather than a trip to the spam folder, which at least has the virtue of being visible: you get a bounce instead of silence.

There is a second reason that has nothing to do with cold email. These records govern every message your domain sends, including the ones that pay you. The same authentication that decides whether outreach lands also decides whether your invoices arrive, which matters a great deal if you chase overdue invoices by email and cannot afford them sitting in a junk folder for three weeks.

What are the requirements for sending to Gmail in 2026?

Google splits its requirements into two tiers. Straight from its sender guidelines:

Requirement All senders 5,000+ messages/day to Gmail
SPF or DKIM Required Both required
DMARC Not required Required (p=none acceptable)
From: alignment with SPF or DKIM Not required Required
Valid forward and reverse DNS (PTR) Required Required
TLS for transmission Required Required
Spam rate in Postmaster Tools Below 0.30%, target 0.10% Below 0.30%, target 0.10%
One-click unsubscribe Not required Required for marketing and subscribed messages
RFC 5322 formatting, no Gmail From: impersonation Required Required

Two details worth pulling out. The spam rate is two numbers, not one: Google says keep it below 0.10% and separately says avoid ever reaching 0.30%. Treat 0.10% as the target and 0.30% as the edge of a cliff. At 0.30% you are looking at three complaints per thousand emails, which is a very thin margin.

And the one-click unsubscribe requirement is written for marketing and subscribed messages, which 1:1 cold email is arguably not. Put one in anyway. CAN-SPAM requires a working opt-out regardless, and the alternative to an unsubscribe link is a complaint, which is the thing that actually hurts you. We cover the legal side in is cold email legal.

How do I set up SPF, DKIM and DMARC?

  1. Publish SPF first. One TXT record at the root of the sending domain. One SPF record per domain, never two, and count your lookups against the limit of 10.
  2. Enable DKIM at your mail provider. Google Workspace and Microsoft 365 both generate the key and give you the TXT record. Choose 2048-bit. Turn on signing after the record resolves, not before.
  3. Add DMARC at p=none with a reporting address. Do not start at reject. You will discover a sending source you forgot about, and at reject you discover it by breaking it.
  4. Read the reports for two to four weeks. Aggregate reports arrive as XML. They will show every IP sending as your domain. Authenticate the legitimate ones.
  5. Move to p=quarantine, then consider p=reject. Only once reports show your legitimate mail passing consistently.
  6. Verify before you send. Send a message to a Gmail account, open Show original, and confirm SPF, DKIM and DMARC all show PASS. That takes a minute and settles it.

On a fresh cold email domain the whole job is about twenty minutes plus DNS propagation. Do it before warm-up rather than during: building reputation on an unauthenticated mailbox wastes the weeks you spend doing it. See how to warm up an email account for the order of operations, and cold email domain setup for the domain structure this sits on.

What is the difference between SPF, DKIM and DMARC?

SPF authorizes the server, DKIM authenticates the message, DMARC aligns them to the address the recipient actually sees and decides what happens on failure. They are sequential rather than alternative: SPF and DKIM each produce a verdict, and DMARC is the only one of the three that looks at the visible From: header.

The practical consequence is that SPF and DKIM can both pass while the message is still fraudulent. An attacker sends from a server with valid SPF for their own domain and signs with their own DKIM key, then puts your domain in the From: field. Both checks pass, for their domain. DMARC alignment is what catches the mismatch, which is why "we have SPF and DKIM, we are fine" is not true.

Common failures and what causes them

  • SPF permerror. More than 10 DNS lookups. Flatten the record or drop services you no longer use.
  • Two SPF records on one domain. Invalid, and it fails both. Merge into one.
  • DKIM passes in testing, fails in production. Usually a forwarding service or an email platform re-signing and breaking the original signature.
  • DMARC fails while SPF passes. Alignment. Your envelope sender is on a different domain from your From: address.
  • Everything passes but mail still lands in spam. Authentication is necessary, not sufficient. It proves who you are, not that anyone wants your email. That part is reputation, content and list quality.

That last point is the one to keep. Authentication gets you assessed rather than discarded. It does not get you into the inbox on its own, and a sender who treats it as the finish line ends up with perfectly authenticated mail in the spam folder.

How AutoMail handles this

AutoMail checks SPF, DKIM and DMARC on every mailbox you connect and tells you which records are missing or misconfigured before you send anything, rather than after a campaign underperforms. Every message goes out through a spam-score check, warm-up runs continuously on every plan, and one-click unsubscribe is in every email by default. The records still live in your DNS, because they should, but you do not have to guess whether they are right.

Last updated July 2026. Requirements sourced from Google's official Email sender guidelines.

See AutoMail book meetings

AutoMail personalizes every email, protects deliverability with inbox rotation and warm-up, auto follows up, pauses on reply and books meetings into your calendar and CRM. Flat monthly fee, not per-seat, permission-based by design.

Put your cold email on autopilot

AutoMail personalizes every email, protects deliverability with inbox rotation and warm-up, auto follows up, pauses on reply and books meetings into your calendar and CRM. Flat monthly fee, not per-seat, permission-based by design.

1-click unsubscribe in every email · Personalize, deliver, book · Flat per-workspace pricing

1-click unsubscribe in every email · suppression honored · CAN-SPAM and GDPR.