
A 30-minute step-by-step setup for DKIM, SPF, and DMARC on your cold email domain in 2026 — the deliverability foundation no founder should skip.
DKIM, SPF, DMARC for cold email: the 30-minute setup (2026)
In 2026 a cold email domain without DKIM, SPF, and DMARC properly configured is functionally dead. Gmail and Outlook's classifier routes 60%+ of unconfigured-domain mail directly to spam. The setup takes 30 minutes once, then runs forever — and it's the foundation every other deliverability optimization sits on top of.
This is the step-by-step setup for solo founders and 2-person teams.
Key takeaways
SPF, DKIM, DMARC are 3 DNS records that authenticate your email. Without them, you're 5–10x more likely to land in spam.
Setup time: 30 minutes total once, including DNS propagation wait.
DMARC policy progression: start at p=none (monitoring), upgrade to p=quarantine after 30 days, optionally to p=reject at 90 days.
Tools: Google Postmaster Tools (free) + MXToolbox SuperTool (free) verify config + monitor reputation.
Pair with the 7-day LinkedIn account warmup and why cold email stopped working in 2026 for full deliverability.
What are DKIM, SPF, and DMARC?
Three DNS records that prove you own your email domain. SPF (Sender Policy Framework) tells receiving servers which IPs are authorized to send mail from your domain. DKIM (DomainKeys Identified Mail) cryptographically signs each email so recipients can verify it wasn't tampered with. DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receivers what to do if SPF or DKIM fail.
Without these, Gmail/Outlook's spam classifier defaults to suspicion. With them properly configured, your sender reputation can build cleanly.
Step 1: Set up SPF (10 minutes)
Add a TXT record to your domain's DNS pointing to your sending platform:
Google Workspace: v=spf1 include:_spf.google.com ~all
Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all
Smartlead: v=spf1 include:smtp.smartlead.ai ~all
Instantly: v=spf1 include:_spf.instantly.ai ~all
If you send from multiple platforms, combine includes: v=spf1 include:_spf.google.com include:_spf.instantly.ai ~all. The ~all (soft fail) is the default; -all (hard fail) is stricter and recommended once you've confirmed everything works.
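Combining includes matters because a domain may publish only one SPF record; two separate `v=spf1` TXT records make receivers return a permanent error. The following added example (not from the original post) merges the per-platform values listed above and lints the result offline; the function names are illustrative, and the lookup count covers only the record's own terms, not lookups inside nested includes.

```python
SPF_LOOKUP_LIMIT = 10  # RFC 7208: at most 10 DNS-querying terms per SPF evaluation
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr"}

def parse_spf(record):
    """Split one SPF TXT value into (terms, qualifier of the 'all' mechanism or None)."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    terms, all_q = [], None
    for t in parts[1:]:
        if t.lstrip("+-~?").lower() == "all":
            all_q = t[0] if t[0] in "+-~?" else "+"  # bare "all" means "+all"
        else:
            terms.append(t)
    return terms, all_q

def merge_spf(records, all_qualifier="~"):
    """Combine per-platform SPF values into the single record a domain may publish."""
    merged = []
    for record in records:
        for term in parse_spf(record)[0]:
            if term not in merged:
                merged.append(term)
    return " ".join(["v=spf1", *merged, all_qualifier + "all"])

def lint_spf(txt_values):
    """Return a list of findings for the TXT values published at the domain root."""
    spf = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records published: receivers return permerror, merge them"]
    terms, all_q = parse_spf(spf[0])
    names = [t.lstrip("+-~?").lower() for t in terms]
    redirect = any(n.startswith("redirect=") for n in names)
    # Counts this record's own terms only; each nested include adds lookups of its own.
    lookups = sum(n.split(":")[0].split("/")[0] in LOOKUP_TERMS for n in names) + redirect
    findings = []
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-querying terms exceeds the limit of {SPF_LOOKUP_LIMIT}")
    if all_q is None and not redirect:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_q in ("+", "?"):
        findings.append(f"'{all_q}all' does not restrict who can send as this domain")
    return findings

# Values from the post above; publishing them as two TXT records is the mistake to catch.
GOOGLE = "v=spf1 include:_spf.google.com ~all"
INSTANTLY = "v=spf1 include:_spf.instantly.ai ~all"
if __name__ == "__main__":
    print(lint_spf([GOOGLE, INSTANTLY]))
    print(merge_spf([GOOGLE, INSTANTLY]))
```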
Step 2: Set up DKIM (10 minutes)
Generate a DKIM key in your sending platform (Google Workspace Admin, Smartlead/Instantly settings) and add the resulting TXT record to your DNS. The record name is typically selector._domainkey.yourdomain.com and the value is a long public key string.
Most platforms provide one-click setup with copy-paste DNS values. Don't generate keys yourself — use the platform's generator.
Step 3: Set up DMARC (5 minutes)
Add a TXT record _dmarc.yourdomain.com with this value:
Start with p=none (monitoring only — no action taken on failed mail). After 30 days of clean DMARC reports, upgrade to p=quarantine (failed mail goes to spam). After 90 days of clean reports, optionally p=reject (failed mail bounced).
Forcing p=reject from day 1 is a mistake — if anything's misconfigured you'll bounce legitimate mail.
Step 4: Verify with MXToolbox + Google Postmaster (5 minutes)
Free tools to confirm everything works:
MXToolbox SuperTool — paste your domain, run SPF + DKIM + DMARC checks. Should all show green.
Google Postmaster Tools (postmaster.google.com) — add your domain to monitor sender reputation, spam rate, and authentication results over time.
Wait 24–48 hours after DNS changes for full propagation before relying on these checks.
| Record | Purpose | Where it lives | Verification |
|---|---|---|---|
| SPF | Authorize sending IPs | TXT @ root | MXToolbox |
| DKIM | Cryptographic signing | TXT _domainkey | MXToolbox |
| DMARC | Policy on auth failure | TXT _dmarc | MXToolbox + reports |
| Google Postmaster | Reputation monitoring | n/a | postmaster.google.com |
What about BIMI?
BIMI (Brand Indicators for Message Identification) shows your logo next to emails in Gmail. Optional bonus on top of DKIM + SPF + DMARC. Requires DMARC at p=quarantine or stricter, plus a verified Mark Certificate ($1,500–$2,500/year). Skip BIMI for solo founders — it's a 2027 nice-to-have.
Frequently asked questions
What if my domain registrar doesn't support DNS TXT records?
Move to one that does. Cloudflare DNS is free and excellent. Spending 30 minutes migrating DNS is far cheaper than running cold email on a registrar that limits TXT records.
Can I skip DMARC and just do SPF + DKIM?
In 2024+, no. Gmail/Yahoo's bulk-sender requirements (1,000+/day) explicitly require DMARC. Below that volume DMARC is still strongly recommended — missing it triples spam-folder placement.
How often should I review DMARC reports?
Weekly for the first 60 days. Monthly after. Look for legitimate sources sending mail without authentication — those are usually forgotten apps (e.g., your project management tool sending notifications) that need to be added to SPF.
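The weekly review described above can be scripted. This added example (not from the original post) reads a DMARC aggregate report and lists the source IPs whose mail failed DMARC, which is where forgotten senders show up; the sample report is constructed and trimmed, its IPs are documentation ranges, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed report in the RFC 7489 aggregate layout; IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>14</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.5</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
</feedback>"""

def parse_rows(report_xml):
    """Yield (source_ip, count, dmarc_pass) for each row of an aggregate report."""
    # Reports come from third parties by e-mail: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD or entity declaration in report, refusing to parse")
    for row in ET.fromstring(report_xml).iter("row"):
        dkim = row.findtext("policy_evaluated/dkim", "fail")
        spf = row.findtext("policy_evaluated/spf", "fail")
        # DMARC passes when either aligned check passes, so a failure means both failed.
        yield row.findtext("source_ip"), int(row.findtext("count", "0")), "pass" in (dkim, spf)

def failing_sources(report_xml):
    """Return {source_ip: message count} for mail that failed DMARC."""
    failures = Counter()
    for ip, count, ok in parse_rows(report_xml):
        if not ok:
            failures[ip] += count
    return dict(failures)

def fail_rate(report_xml):
    """Fraction of reported messages that failed DMARC (0.0 for an empty report)."""
    rows = list(parse_rows(report_xml))
    total = sum(count for _, count, _ in rows)
    return sum(c for _, c, ok in rows if not ok) / total if total else 0.0

if __name__ == "__main__":
    print(failing_sources(SAMPLE_REPORT))
    print(f"{fail_rate(SAMPLE_REPORT):.1%} of reported mail failed DMARC")
```

A source that appears here and belongs to you needs SPF or DKIM set up before the policy moves past p=none; for reports from real mailboxes, a hardened parser such as defusedxml is the safer choice than the string guard used in this sketch.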
The deliverability floor everyone needs
30 minutes. 3 DNS records. Done forever. Without these, every other cold email tactic is built on sand. With them, you have a clean foundation for sender reputation that compounds over months.
repco hands off cold email follow-up to your existing sending platform (Smartlead/Instantly) so the deliverability work is your responsibility — once. Find my buyers (Free) and let your warmed domain do the heavy lifting on follow-up.





