Blog
Back to blog
How to Set Up SPF, DKIM and DMARC for Gmail Cold Email
cold emaildeliverabilitygmailSPFDKIMDMARCemail marketing
Introduction to Email Deliverability for Cold Outreach
When launching a cold email campaign through Gmail or Google Workspace, the primary objective is to ensure your message reaches the recipient's primary inbox. However, the path from your outbox to their eyes is fraught with technical hurdles. Modern email service providers (ESPs) employ sophisticated filtering algorithms designed to protect users from phishing, spoofing, and unsolicited spam.
To bypass these filters, you must prove that you are a legitimate sender. This is where the trifecta of email authentication comes into play: SPF, DKIM, and DMARC. These three protocols form the foundation of your sender reputation. Without them, even the most well-crafted, personalized outreach will likely languish in the spam folder, unseen and unread. Setting these up correctly is not just a technical recommendation; it is a mandatory requirement for anyone serious about professional cold email outreach.
Understanding the Basics: Why Authentication Matters
Email protocol (SMTP) was originally designed without robust security features. It is relatively easy for a malicious actor to 'spoof' an email address, making it appear as though a message is coming from a trusted domain. To combat this, the industry developed authentication standards that allow receiving servers to verify the identity of the sender.
For cold emailers using Gmail, authentication is critical because you are often sending a higher volume of messages to people who haven't interacted with you before. Gmail’s filters are particularly sensitive to these patterns. If your domain lacks proper records, Google’s algorithms may flag your account as a risk, leading to decreased deliverability or, in extreme cases, a permanent ban on your workspace.
SPF (Sender Policy Framework): Your Authorized Sender List
What is SPF?
SPF is a DNS record that specifies which mail servers are authorized to send email on behalf of your domain. Think of it as a guest list for a private event. When your email arrives at its destination, the receiving server checks the SPF record of the domain in the "From" address. If the IP address of the server that sent the email is on the list, the email passes the check.
How to Create an SPF Record for Gmail
If you are using Google Workspace, your SPF record needs to include Google’s mail servers. A typical SPF record is a single line of text added to your domain's TXT records.
For most Google Workspace users, the record looks like this:
v=spf1 include:_spf.google.com ~all
- v=spf1: Identifies the record as SPF.
- include:_spf.google.com: Tells the receiving server to trust Google's mail servers.
- ~all: This is a 'soft fail' tag. It suggests that if the mail comes from a server not listed, it should be accepted but flagged for closer inspection. A
-alltag (hard fail) is more strict but can lead to delivery issues if you use third-party tools that haven't been added to the record.
Common SPF Mistakes
One of the most frequent errors is having multiple SPF records. A domain should only have one SPF TXT record. If you use other services (like an email marketing platform or a CRM), you must merge them into a single line, such as:
v=spf1 include:_spf.google.com include:other-service.com ~all.
DKIM (DomainKeys Identified Mail): The Digital Signature
What is DKIM?
DKIM adds a cryptographic signature to your emails. This signature is linked to your domain and ensures that the content of the email has not been tampered with in transit. Unlike SPF, which validates the sender's server, DKIM validates the message itself.
When you send an email, your server uses a private key to generate a signature. The receiving server then looks up your public key in your DNS records to verify the signature. If they match, the integrity of the email is confirmed.
Setting Up DKIM in Google Workspace
Setting up DKIM for Gmail is a two-step process handled through the Google Admin Console:
- Generate the Key: Log into your Google Admin Console, navigate to Apps > Google Workspace > Gmail > Authenticate email. Select your domain and click 'Generate new record'. You will be given a TXT record name (usually starting with
google._domainkey) and a long string of characters (the public key). - Update DNS: Log into your domain registrar (like GoDaddy, Namecheap, or Cloudflare) and add a new TXT record with the details provided by Google.
- Start Authentication: Once the DNS has propagated, go back to the Google Admin Console and click 'Start Authentication'.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
What is DMARC?
DMARC is the 'supervisor' of SPF and DKIM. It tells receiving servers what to do if an email fails the SPF or DKIM checks. It also provides a feedback loop by sending reports back to the domain owner, detailing which emails are passing or failing authentication.
The Three DMARC Policies
When setting up DMARC, you define a policy (p) that dictates the action taken on failed emails:
- p=none: The 'monitoring' phase. No action is taken against failed emails, but you receive reports. This is the best place to start.
- p=quarantine: Emails that fail authentication are sent to the spam folder.
- p=reject: Emails that fail authentication are blocked entirely and never reach the recipient.
Constructing Your DMARC Record
A basic DMARC record for a new cold email domain should look like this:
v=DMARC1; p=none; rua=mailto:admin@yourdomain.com
This tells servers to do nothing to failed emails (p=none) but to send aggregate reports (rua) to your email address. Over time, as you confirm your authentication is solid, you should move toward p=quarantine or p=reject to protect your domain reputation.
The Technical Setup: Step-by-Step Walkthrough
Setting these records up can feel daunting, but following a structured approach ensures nothing is missed.
Step 1: Audit Your Current Records
Before adding anything new, use a DNS lookup tool to see what currently exists. Look for TXT records that start with v=spf1. If you find one, prepare to edit it rather than creating a second one.
Step 2: Configure SPF for Gmail
Log in to your DNS provider. Create a new TXT record. If your provider asks for a 'Host' or 'Name', use @. In the 'Value' or 'Content' field, enter v=spf1 include:_spf.google.com ~all. Save the changes.
Step 3: Generate and Add DKIM
Go to the Google Admin Console. Generate the DKIM TXT record as described earlier. Return to your DNS provider and add a second TXT record. The Host/Name will be something like google._domainkey. The value will be the long string provided by Google. Wait at least 48 hours for propagation before clicking 'Start Authentication' in the Admin Console.
Step 4: Implement DMARC
Add a third TXT record to your DNS. The Host/Name should be _dmarc. The value should start with v=DMARC1; p=none;. Including an email for reports is highly recommended so you can monitor for any issues.
Advanced Deliverability: Beyond Technical Records
While SPF, DKIM, and DMARC are the 'Big Three', they are only part of the deliverability equation. For cold outreach, your sender reputation is also influenced by your sending behavior and content quality.
Inbox Warm-up
You cannot register a new domain and immediately start sending hundreds of emails. This is a red flag for Google. You must 'warm up' your inbox by gradually increasing the volume of emails sent and received. This simulates natural human behavior and builds trust with ESPs.
Monitoring Reputation
Use tools like Google Postmaster Tools to track your domain reputation and spam rates. If you notice a dip in your reputation, it’s a sign that your content might be too 'salesy' or that you are targeting the wrong prospects who are marking your emails as spam.
Using Specialized Tools
If managing these technical nuances feels overwhelming, or if you want to scale your outreach safely, you might consider platforms like EmaReach. Stop Landing in Spam. Cold Emails That Reach the Inbox. EmaReach AI combines AI-written cold outreach with inbox warm-up and multi-account sending—so your emails land in the primary tab and get replies. This type of automation ensures that while you focus on the technical setup once, the software maintains your reputation through consistent, high-quality engagement.
Optimizing Content for the Primary Tab
Even with perfect technical records, your content can trigger spam filters. Avoid 'spammy' keywords like 'Free', 'Buy Now', 'Cash', or excessive use of exclamation marks. Focus on providing value and initiating a conversation. Personalization is the key to cold email success. Use the recipient's name, mention their company, and reference a specific pain point they might be facing.
Troubleshooting Common Authentication Issues
DNS Propagation Delays
DNS changes do not happen instantly. It can take anywhere from a few minutes to 48 hours for the new records to be recognized globally. If your authentication tests fail immediately after setup, wait a day and try again.
Alignment Failures
DMARC requires 'alignment'. This means the domain in the 'From' header must match the domain validated by SPF and/or DKIM. If you are sending mail from marketing@yourdomain.com but your SPF record is set up for mail.provider.com, you will face alignment issues. Ensure your 'Return-Path' and 'From' addresses are consistent.
Too Many DNS Lookups
SPF has a limit of 10 'lookups'. If your SPF record includes too many include: tags, it will fail. This happens when companies use too many third-party tools. Use an SPF flattener or consolidate your tools if you hit this limit.
The Importance of Custom Tracking Domains
Many cold email tools use shared tracking domains for open and click tracking. If another user on that shared domain sends spam, it can negatively impact your deliverability. Setting up a Custom Tracking Domain (a CNAME record in your DNS) ensures that your tracking links are associated with your own authenticated domain, further boosting your sender authority.
Conclusion
Mastering SPF, DKIM, and DMARC is the most impactful technical step you can take for your cold email strategy. By verifying your identity and protecting your domain, you tell Google and other email providers that you are a professional and trustworthy sender. While the setup requires a bit of technical maneuvering in your DNS records, the payoff is a significantly higher deliverability rate and, ultimately, more successful outreach campaigns. Once these foundations are in place, you can focus on what really matters: crafting compelling messages and building relationships with your prospects.
EmaReach AI
Ready to scale your cold email outreach?
Join thousands of teams using EmaReach AI for AI-powered campaigns, domain warmup, and 95%+ deliverability. Start free — no credit card required.
Related posts
Read articleCold Email Tactics That Top Salespeople Use on Gmail
Master the expert-level cold email strategies used by top sales professionals to bypass spam filters and land in the primary Gmail inbox. From technical domain setup and DMARC authentication to lowercase subject lines and the BAB copy framework, this guide covers the 1500+ word blueprint for high-conversion outreach.
Gmail Cold Email for App Developers: Get Beta Users Fast
Learn how to leverage Gmail cold email outreach to recruit high-quality beta users for your app. This guide covers lead generation, personalized templates, and deliverability strategies to help developers scale their user testing phase quickly and effectively.
