Cold Email Domain Setup: The Complete DNS Configuration Guide
By Puzzle Inbox Team · Mar 18, 2026
Step-by-step instructions for setting up domains, SPF, DKIM, DMARC, and MX records for cold email — so your emails actually land in the inbox.
Why Your Domain Setup Determines Your Deliverability
Most people think cold email deliverability is about copy. Write better emails, land in the inbox. That's backwards. The most important deliverability factor is your technical infrastructure — specifically, how your domains and DNS records are configured.
I've diagnosed hundreds of deliverability issues for clients over the past three years. The majority of them — probably 70% — trace back to incorrect or missing DNS configuration. Not bad copy. Not spam trigger words. Missing or broken DNS records.
This guide covers everything you need to configure a cold email domain correctly from scratch. If you're already sending and landing in spam, check each section against your existing setup — there's a good chance something is misconfigured.
Step 1: Choose and Register Your Sending Domains
Never send cold email from your primary company domain. If your company is at yourcompany.com and you send from separate domains, your main domain's reputation stays safe when a cold email domain gets flagged or blocked. This is not optional advice.
How Many Domains Do You Need?
The math: each domain should have 2-3 inboxes. Each inbox should send 15-20 emails per day. So one domain with 3 inboxes = 45-60 emails per day. If you want to send 200 emails per day, you need 4-5 domains with 2-3 inboxes each.
For most outbound operations, I recommend starting with 3-5 sending domains. This gives you enough volume to test meaningfully and enough redundancy that if one domain gets a complaint spike, your whole operation doesn't go down.
Domain Naming Strategy
Your sending domains should look real and be plausibly connected to your brand. Good examples:
- getyourcompany.com
- tryyourcompany.com
- yourcompany.io
- yourcompanyhq.com
- withyourcompany.com
Avoid domains with hyphens, numbers, or nonsense strings. A domain like xkq-yourcompany-247.com looks like spam before you send a single email.
Buy from a reputable registrar — Namecheap, Google Domains (now Squarespace), or Cloudflare. .com is preferred. .io is acceptable. Avoid newer TLDs like .xyz or .info — they carry higher spam association.
Step 2: Set Up MX Records (Mail Exchange)
MX records tell the internet where to deliver email sent to your domain. Without MX records, your domain can't receive email — and many spam filters are suspicious of domains that can't receive email.
If you're using Google Workspace inboxes, your MX records point to Google's mail servers:
- Priority 1: ASPMX.L.GOOGLE.COM
- Priority 5: ALT1.ASPMX.L.GOOGLE.COM
- Priority 5: ALT2.ASPMX.L.GOOGLE.COM
- Priority 10: ALT3.ASPMX.L.GOOGLE.COM
- Priority 10: ALT4.ASPMX.L.GOOGLE.COM
If you're using Microsoft 365, your MX record will point to a yourdomain-com.mail.protection.outlook.com address that Microsoft provides when you set up the account.
Add MX records in your DNS provider's control panel. Changes typically propagate in 15 minutes to 2 hours, though full global propagation can take up to 48 hours.
Step 3: Configure SPF (Sender Policy Framework)
SPF is a DNS record that specifies which mail servers are authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from yourcompany.com, it checks the SPF record to see if the sending server is on the authorized list.
SPF for Google Workspace
Create a TXT record on your domain with this value:
v=spf1 include:_spf.google.com ~all
The include:_spf.google.com part authorizes Google's sending servers. The ~all at the end means "soft fail" — email from unauthorized servers is accepted but marked as suspicious. Some guides recommend -all (hard fail), but ~all is safer during initial setup.
SPF for Microsoft 365
v=spf1 include:spf.protection.outlook.com ~all
SPF for Custom SMTP
If you're using a custom SMTP service, you'll need to add their specific include statement. Your SMTP provider will give you the exact value.
SPF Rules to Follow
- Only one SPF record per domain. If you have multiple, merge them into a single record and delete the rest.
- Keep DNS lookups under 10. Each "include:" counts as a lookup. Exceeding 10 causes SPF to fail.
- Don't use "+all" — that means any server can send on behalf of your domain, which effectively disables SPF protection.
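The three rules above can be checked mechanically before a domain goes live. The following is an added example, not part of the original guide: it lints SPF TXT records for duplicate records, +all, and the 10-lookup limit, counting every lookup-costing term (include, a, mx, ptr, exists, redirect) and following nested includes, which goes a little beyond the include-only count in the text. The TXT data is a constructed table standing in for live DNS, and the esp*.example and relay*.example names are hypothetical.

```python
# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT answers standing in for live DNS (hypothetical zone data).
# Names missing from this table are counted as a lookup but not followed.
SAMPLE_TXT = {
    "tryyourcompany.com": ["v=spf1 include:_spf.google.com ~all",
                           "v=spf1 include:spf.protection.outlook.com ~all"],
    "getyourcompany.com": ["v=spf1 include:_spf.google.com +all"],
    "yourcompany.io": ["v=spf1 include:_spf.google.com ~all"],
    "withyourcompany.com": ["v=spf1 mx " + " ".join(
        f"include:esp{i}.example" for i in range(1, 6)) + " ~all"],
    **{f"esp{i}.example": [f"v=spf1 include:relay{i}.example ~all"]
       for i in range(1, 6)},
}


def spf_records(name, txt):
    """TXT strings for `name` that are SPF records."""
    return [r for r in txt.get(name, []) if r.lower().split()[:1] == ["v=spf1"]]


def count_lookups(name, txt, path=()):
    """Count lookup-costing terms, following include: and redirect= targets."""
    records = spf_records(name, txt)
    if name in path or not records:      # loop guard / nothing to evaluate
        return 0
    total = 0
    for term in records[0].split()[1:]:
        mech, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        mech = mech.split("/")[0].lower()            # "a/24" -> "a"
        if mech in LOOKUP_TERMS:
            total += 1
            if mech in ("include", "redirect"):
                total += count_lookups(target, txt, path + (name,))
    return total


def lint_spf(domain, txt):
    """Return (findings, lookup_count) for the three rules in this section."""
    records, findings = spf_records(domain, txt), []
    if len(records) != 1:
        findings.append(f"{len(records)} SPF records, need exactly 1")
    if any(t.lower() in ("all", "+all") for r in records for t in r.split()):
        findings.append("+all lets any server send as this domain")
    lookups = count_lookups(domain, txt)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups, limit is 10")
    return findings, lookups
```

To run it against a real domain, replace SAMPLE_TXT with a table built from the TXT answers your DNS provider or resolver returns for each name.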
Step 4: Configure DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every email you send. The signature is generated using a private key on your mail server and verified by the recipient's server using a public key stored in your DNS. If the signature is valid, it proves the email wasn't modified in transit and genuinely came from an authorized server.
DKIM for Google Workspace
- In Google Admin Console, go to Apps > Google Workspace > Gmail > Authenticate Email
- Select your sending domain
- Click "Generate New Record"
- Choose 2048-bit key length (stronger than 1024)
- Copy the TXT record name and value
- Add this TXT record in your DNS provider
- Wait for DNS propagation (up to 48 hours)
- Return to Google Admin and click "Start Authentication"
DKIM for Microsoft 365
- In Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat Policies > DKIM
- Select your domain
- Click "Enable"
- Microsoft will show you two CNAME records to add to your DNS
- Add both CNAME records to your DNS provider
- Wait for propagation, then enable DKIM in the portal
Verifying DKIM is Working
Send a test email to mail-tester.com or use MXToolbox's DKIM checker. You should see a pass result. If you see "DKIM: not found" or "invalid signature," the DNS hasn't propagated yet or there's a configuration error.
Step 5: Configure DMARC
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM. It tells receiving servers what to do when an email fails authentication, and where to send reports about authentication failures.
Starting DMARC Configuration
Add a TXT record for _dmarc.yourdomain.com with this value for a monitoring-only setup:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
The p=none means take no action on failing emails — just report. The rua address is where aggregate reports get sent. Use an email address you actually check, or a service like Postmark's DMARC Digests that parses the XML reports into readable summaries.
Tightening DMARC Over Time
After 2-4 weeks of monitoring, check your DMARC reports. Once you've confirmed legitimate email is passing authentication, you can tighten the policy:
- p=quarantine: Failing emails go to spam
- p=reject: Failing emails are rejected outright
For cold email sending domains, p=none is fine long-term. The main value of DMARC for senders is the reporting — it tells you if anyone is spoofing your domain.
Step 6: Set Up a Custom Tracking Domain
Most cold email sending tools track link clicks and email opens by routing through their own tracking servers. The problem: if the tracking domain is the same as your sending domain, and the tracking domain gets blocklisted, your sending domain is implicated.
The fix is to set up a custom tracking subdomain on a different domain. For example, if you're sending from tryyourcompany.com, set up tracking on a CNAME like track.yourcompanyapp.com or click.yourcompany.io.
In your sending tool (Instantly, Smartlead, etc.), go to the tracking settings and add your custom subdomain. The tool will give you the CNAME record to add to your DNS. Point it to their tracking server, and you're done.
Step 7: Configure Your Redirect Domain
When someone visits your sending domain (tryyourcompany.com), they should be redirected to your main website. A domain that returns a 404 or blank page looks suspicious to spam filters and confuses prospects who try to look you up.
Most DNS providers let you set up a redirect at the domain level. Point tryyourcompany.com to yourcompany.com with a 301 redirect. Takes 5 minutes and adds a meaningful legitimacy signal.
Step 8: Verify Everything with These Tools
Before you send a single email, verify your configuration:
- MXToolbox.com: Check MX, SPF, DKIM, and DMARC records. Free and comprehensive.
- Mail-tester.com: Send a test email and get a 10-point deliverability score. Aim for 9/10 or higher.
- Google Postmaster Tools: Register your sending domains to monitor domain reputation directly in Gmail's systems.
- GlockApps or InboxAlly: Paid tools that show you where your emails land across different email clients — inbox, spam, or promotions tab.
If mail-tester.com gives you anything below 8/10, don't start sending until you fix it. Common issues: missing DMARC record, SPF record with too many lookups, DKIM not yet propagated.
Common Configuration Mistakes
After reviewing hundreds of client setups, here are the mistakes I see most often:
- Multiple SPF records: Only one TXT record starting with "v=spf1" per domain. Merge them or delete duplicates.
- DKIM on the wrong subdomain: Make sure you're adding the DKIM record to the exact subdomain Google or Microsoft specifies. google._domainkey.yourdomain.com is different from _domainkey.yourdomain.com.
- No DMARC record at all: Many spam filters now treat the absence of DMARC as a negative signal. Add at minimum p=none.
- Sending before warmup is complete: New inboxes need 3-4 weeks of warmup before sending cold email at volume. Skipping warmup is the fastest way to destroy a new domain's reputation.
- Using the same tracking domain across all sending domains: If that tracking domain gets flagged, every campaign suffers. Use custom tracking subdomains per sending domain.
For providers that handle all this configuration for you, see our roundup of cold email infrastructure providers — some do full DNS setup and pre-warming as part of the service.