If your cold emails are landing in spam and you have not yet checked your email authentication records, stop everything and check those first. SPF, DKIM and DMARC are three DNS records that tell receiving mail servers that your emails are legitimate. Missing or misconfigured authentication records are responsible for the majority of cold email deliverability failures we diagnose at Koldconvert.
What SPF does
SPF (Sender Policy Framework) is a DNS record that lists which servers are authorised to send email on behalf of your domain. When Gmail receives an email claiming to be from you, it checks your domain's SPF record to verify that the sending server is on the approved list. If it is not, the email fails SPF authentication and is significantly more likely to be routed to spam.
Your SPF record looks like this in your DNS settings: v=spf1 include:_spf.google.com include:sendgrid.net ~all. The include: entries authorise specific sending services. The ~all at the end means "soft fail" for anything not listed (use -all for hard fail once you are confident your list is complete).
What DKIM does
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The receiving server uses a public key stored in your DNS to verify that the email was not tampered with in transit and that it genuinely came from your domain. An email without a valid DKIM signature cannot be verified as authentic.
Every email sending service (Instantly, Smartlead, Google Workspace, SendGrid) has instructions for adding its DKIM record to your DNS. It is usually a long TXT or CNAME record that you copy from the service's dashboard and add wherever your domain's DNS is managed (often your domain registrar). It looks complicated but takes about 3 minutes to set up.
What DMARC does
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy that ties SPF and DKIM together and tells receiving servers what to do when an email fails authentication. Without DMARC, a receiving server that finds an SPF or DKIM failure has no clear instruction. With DMARC, you can specify: do nothing (p=none), send to spam (p=quarantine), or reject entirely (p=reject).
DMARC also enables reporting. When you include a reporting address (rua=mailto:), you receive aggregate reports from receiving mail servers showing you which emails passed and failed authentication. This is invaluable for diagnosing deliverability problems.
The correct setup order
Step 1: Add an SPF record to your domain DNS. Include all services you send from.
Step 2: Add DKIM keys for every sending service you use. Google Workspace, Instantly, Smartlead and SendGrid all provide these in their setup docs.
Step 3: Add DMARC with p=none and a reporting address. Wait 2 to 4 weeks and review the reports.
Step 4: Move DMARC to p=quarantine once reports confirm clean authentication. Move to p=reject once you are certain no legitimate emails are failing.
What a complete record set looks like
SPF: v=spf1 include:_spf.google.com ~all
DKIM: A TXT or CNAME record provided by your sending platform, usually at google._domainkey.yourdomain.com or similar.
DMARC: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r
Authentication does not guarantee inbox placement. But the absence of it almost guarantees spam placement. Set it up on day one, before you send a single email.
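The following is an added example, not code from Koldconvert or any sending platform: an offline audit of the SPF and DMARC TXT strings shown above, which also reports the next DMARC policy in the staged rollout. The function names and sample records are constructed for illustration, and the 10-lookup cap and single-record rule come from RFC 7208 rather than from this article.

```python
import re

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per SPF evaluation.
LOOKUP = re.compile(r"^(?:(?:include|a|mx|ptr|exists)(?:[:/].*)?|redirect=.*)$")
NEXT_POLICY = {"none": "quarantine", "quarantine": "reject", "reject": None}

def audit_spf(txt_records):
    """Audit all TXT records at the domain; returns (all_qualifier, problems)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero or several SPF records both break evaluation
        return None, [f"expected exactly 1 SPF record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    bare = [t.lstrip("+-~?") for t in terms]
    problems = []
    lookups = sum(1 for t in bare if LOOKUP.match(t))
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    qualifier = None
    if "all" in bare:
        term = terms[bare.index("all")]
        qualifier = term[0] if term[0] in "+-~?" else "+"  # bare 'all' means +all
        if qualifier in "+?":
            problems.append(f"'{term}' does not restrict unlisted senders")
    elif not any(t.startswith("redirect=") for t in bare):
        problems.append("no 'all' mechanism: unlisted senders are not failed")
    return qualifier, problems

def audit_dmarc(txt):
    """Parse one _dmarc TXT record; returns (policy, next_policy, problems)."""
    parts = [p.partition("=") for p in txt.split(";") if p.strip()]
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    problems = []
    if list(tags.items())[:1] != [("v", "DMARC1")]:
        problems.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in NEXT_POLICY:
        problems.append(f"p={policy or '(missing)'} is not none/quarantine/reject")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        problems.append("no rua=mailto: address, so no aggregate reports arrive")
    return policy, NEXT_POLICY.get(policy), problems

# Constructed sample input, modelled on the records shown in this article.
SAMPLE_TXT = ["google-site-verification=constructed-placeholder",
              "v=spf1 include:_spf.google.com include:sendgrid.net ~all"]
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; adkim=r; aspf=r"

if __name__ == "__main__":
    print(audit_spf(SAMPLE_TXT), audit_dmarc(SAMPLE_DMARC))
```

Feed it the TXT strings exactly as your DNS provider displays them; it checks record syntax only and does not query DNS or verify DKIM keys.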
One thing most guides miss: sending domain warm-up
Authentication is necessary but not sufficient. A brand-new domain with perfect SPF, DKIM and DMARC still needs to be warmed up before high-volume sending. Start with 5 to 10 emails per day on a new domain, increase by 10 to 20 percent per day, and reach your target volume over 2 to 4 weeks. Google Postmaster Tools will show you your domain's sender reputation as it develops.
Frequently asked questions
Do I need DMARC if I already have SPF and DKIM?
Yes. Without DMARC, Gmail and Yahoo cannot enforce your authentication policies. DMARC is now mandatory for bulk senders to Gmail (over 5,000 per day) and is strongly recommended for all cold email senders.
What DMARC policy should I start with?
Start with p=none and a reporting address. After 2 to 4 weeks reviewing reports, move to p=quarantine. Then p=reject once you are confident.
How do I check if my authentication is set up correctly?
Use MXToolbox for SPF and DMARC checks. Use Mail-Tester for a full authentication score. Use Google Postmaster Tools for reputation monitoring at scale.