SPF DKIM DMARC setup for cold email. The complete guide that actually makes sense

dns_simplified · 2026-04-01 · 2,650 views

Every guide on SPF, DKIM, and DMARC is either written for sysadmins who already know this stuff or so vague it is useless. This is the plain English version. What each record does, how to set them up, and why they matter for cold email deliverability.

SPF (Sender Policy Framework): The guest list.

SPF tells receiving email servers which servers are allowed to send email on behalf of your domain. Think of it as a bouncer with a guest list. When your email arrives at Gmail or Outlook, the receiving server checks your domain's SPF record to see if the sending server is on the list. If it is, the email passes SPF. If it is not, the email fails SPF and is more likely to land in spam or get rejected.

How to set it up: Add a TXT record to your domain's DNS.

For Google Workspace, the record looks like this:

    v=spf1 include:_spf.google.com ~all

For Microsoft 365, it looks like:

    v=spf1 include:spf.protection.outlook.com ~all

If you send from both Google and Microsoft, combine them:

    v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

The most common mistake: having multiple SPF records on the same domain. You can only have one SPF TXT record per domain. If you need to authorize multiple sending services, include them all in one record. Two separate SPF records will cause authentication failures.
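A check for the duplicate-record mistake described above, added here as an example and not part of the original guide. It takes the TXT strings published on a domain (the list below is constructed), reports problems, and folds several SPF records into one; the function names and the extra checks for `+all` and the 10-lookup limit from RFC 7208 are this example's own.

```python
import re

# Added example; every TXT string in SAMPLE_TXT is constructed.
SPF_TAG = "v=spf1"
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # one DNS lookup each

def term_name(term):
    """Mechanism or modifier name without qualifier, argument or CIDR suffix."""
    return re.split(r"[:=/]", term.lower().lstrip("+?~-"), maxsplit=1)[0]

def spf_records(txt_records):
    """Return the SPF records among a domain's TXT strings, split into terms."""
    split = [txt.split() for txt in txt_records]
    return [terms for terms in split if terms and terms[0].lower() == SPF_TAG]

def audit_spf(txt_records):
    """Return a list of problems; an empty list means one usable record."""
    records = spf_records(txt_records)
    if not records:
        return ["no SPF record published"]
    problems = []
    if len(records) > 1:
        problems.append(f"{len(records)} SPF records published, expected 1")
    for terms in records:
        record = " ".join(terms)
        if any(t.lower() in ("all", "+all") for t in terms[1:]):
            problems.append(f"'+all' authorizes every sender: {record}")
        lookups = sum(term_name(t) in LOOKUP_TERMS for t in terms[1:])
        if lookups > 10:  # RFC 7208 limit; nested includes count too, so this is a floor
            problems.append(f"{lookups} lookup terms, limit is 10: {record}")
    return problems

def merge_spf(txt_records, all_term="~all"):
    """Fold every SPF record into one, keeping each mechanism once, in order."""
    mechanisms = []
    for terms in spf_records(txt_records):
        for term in terms[1:]:
            if term_name(term) != "all" and term not in mechanisms:
                mechanisms.append(term)
    return " ".join([SPF_TAG, *mechanisms, all_term])

SAMPLE_TXT = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:spf.protection.outlook.com ~all",
    "google-site-verification=constructed-placeholder",
]

if __name__ == "__main__":
    print(audit_spf(SAMPLE_TXT), merge_spf(SAMPLE_TXT))
```

Feed it the TXT answers you get back for your own domain; the merged string replaces all existing SPF records, it is not added next to them.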

DKIM (DomainKeys Identified Mail): The wax seal.

DKIM adds a cryptographic signature to every email you send. The receiving server checks this signature against a public key stored in your DNS to verify the email was not tampered with during transit. Think of it as a wax seal on a letter. If the seal is intact, the recipient knows the message is authentic and unchanged.

How to set it up: Your email provider generates the DKIM keys. For Google Workspace, go to Admin Console, then Apps, then Google Workspace, then Gmail, then Authenticate Email. Google gives you a TXT record to add to your DNS. For Microsoft 365, DKIM is configured through the Exchange admin center or Microsoft 365 Defender portal. They provide two CNAME records to add to your DNS.

The good news: if you use PuzzleInbox or any properly configured Google Workspace or Microsoft 365 provider, DKIM is set up for you. You should not need to touch this yourself. Just verify it is passing by running a test through MXToolbox or the PuzzleInbox DNS checker.

DMARC (Domain-based Message Authentication, Reporting and Conformance): The policy.

DMARC tells receiving servers what to do when SPF or DKIM fails. It is the policy layer that sits on top of SPF and DKIM. Without DMARC, a receiving server that sees a failed SPF check has to decide on its own what to do. With DMARC, you tell it explicitly: monitor (p=none), quarantine (p=quarantine), or reject (p=reject).

How to set it up: Add a TXT record to your DNS at _dmarc.yourdomain.com. Start with a monitoring policy:

    v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com

This tells receiving servers to send you reports about authentication results without taking any action on failed emails. Let this run for 2 to 4 weeks. Review the reports to make sure legitimate emails are passing both SPF and DKIM.

Once you are confident everything is aligned, upgrade to:

    v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com

This tells receiving servers to send failed emails to spam instead of the inbox. For maximum protection, you can eventually move to p=reject, which tells servers to block failed emails entirely. But for cold email sending domains, p=quarantine is usually the right level. Reject can cause legitimate emails to be blocked if there are any alignment issues you have not caught.
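The report review during the p=none period, as an added example that is not part of the original guide. It summarizes one DMARC aggregate (rua) report per sending IP and lists which of your own senders still fail a check; the report XML and the OWN_SENDERS addresses are constructed, and the report is assumed to be already decompressed into a string.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report, trimmed to the elements this summary reads.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.10</source_ip><count>30</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.25</source_ip><count>40</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>4</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""
OWN_SENDERS = {"192.0.2.10", "192.0.2.25"}  # assumed: IPs you know send your mail


def summarize(report_xml):
    """Per source IP: total messages and how many failed DKIM or SPF."""
    # Reports come from third parties; refuse DTDs and entities instead of expanding them.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("unexpected DTD or entity declaration in report")
    totals = defaultdict(lambda: {"messages": 0, "dkim_fail": 0, "spf_fail": 0})
    for row in ET.fromstring(report_xml).iter("row"):
        entry = totals[row.findtext("source_ip", "unknown")]
        count = int(row.findtext("count", "0"))
        entry["messages"] += count
        if row.findtext("policy_evaluated/dkim") != "pass":
            entry["dkim_fail"] += count
        if row.findtext("policy_evaluated/spf") != "pass":
            entry["spf_fail"] += count
    return dict(totals)


def blockers(summary, own_senders):
    """Your own senders that still fail a check; fix these before leaving p=none."""
    return sorted(ip for ip in own_senders
                  if summary.get(ip, {}).get("dkim_fail") or summary.get(ip, {}).get("spf_fail"))


def unknown_sources(summary, own_senders):
    """Sources you did not authorize: a forgotten tool, a forwarder, or spoofing."""
    return sorted(set(summary) - set(own_senders))
```

An empty `blockers` list across the 2 to 4 weeks of reports is the signal that legitimate mail is passing both checks.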

Step-by-step for Google Workspace:

1. Log into your domain registrar (Namecheap, Cloudflare, GoDaddy, etc.) and go to DNS settings.
2. Add SPF: TXT record with value v=spf1 include:_spf.google.com ~all
3. Set up DKIM in Google Admin Console (Apps, Google Workspace, Gmail, Authenticate Email). Copy the TXT record and add it to your DNS.
4. Add DMARC: TXT record at _dmarc.yourdomain.com with value v=DMARC1; p=none; rua=mailto:your-email@yourdomain.com
5. Wait 24 to 48 hours for DNS propagation.
6. Verify all three are passing using MXToolbox or the PuzzleInbox DNS checker.

Step-by-step for Microsoft 365:

1. Add SPF: TXT record with value v=spf1 include:spf.protection.outlook.com ~all
2. Set up DKIM in Microsoft 365 Defender portal. Add the two CNAME records Microsoft provides to your DNS.
3. Enable DKIM signing in the Microsoft 365 admin portal.
4. Add DMARC: same as above, TXT record at _dmarc.yourdomain.com.
5. Wait 24 to 48 hours.
6. Verify with MXToolbox.

The shortcut: use PuzzleInbox. All of this is done for you when you buy inboxes from PuzzleInbox. SPF, DKIM, DMARC, and MX records are configured and verified before your inboxes are delivered. You do not need to touch DNS settings, wait for propagation, or debug authentication failures. The inboxes arrive ready to send with all authentication passing. If you prefer to manage DNS yourself, that is fine. But if DNS configuration sounds like a headache (it is for most people), let PuzzleInbox handle it.
