Deliverability

The 3 DNS records that determine whether your cold emails land in the inbox

dns_basics · 2026-04-08T00:00:00Z

SPF, DKIM, DMARC explained simply. SPF tells servers who can send for your domain. DKIM proves the email wasn't tampered with. DMARC tells servers what to

dns_basics · 2026-04-08 · 2,670 views

There are exactly 3 DNS records that determine whether your cold emails reach the inbox or land in spam. If you get these wrong, nothing else you do matters. Not your copy, not your sending schedule, not your warmup. These 3 records are the foundation.

1. SPF (Sender Policy Framework). This record tells receiving mail servers which servers are authorized to send email on behalf of your domain. Think of it as a bouncer at a club with a guest list. If the sending server isn't on the list, the email gets flagged or rejected. You set this as a TXT record in your DNS. It looks something like: v=spf1 include:_spf.google.com ~all. The ~all at the end means "soft fail anything not listed" which is what you want for cold email.

2. DKIM (DomainKeys Identified Mail). This adds a cryptographic signature to every email you send. The receiving server checks this signature against a public key published in your DNS to verify the email wasn't tampered with during transit. It's like a wax seal on a letter. If someone modifies the email after it's sent, the DKIM signature breaks and the receiving server knows something is wrong.

3. DMARC (Domain-based Message Authentication, Reporting and Conformance). This record tells receiving servers what to do when SPF or DKIM authentication fails. You have three options: p=none (just monitor, don't take action), p=quarantine (send to spam), or p=reject (block entirely). For cold email, start with p=quarantine. The p=none setting basically tells servers you don't care about authentication, which actually hurts your reputation.

The critical thing most people miss: alignment. Your SPF domain, DKIM signing domain, and From address domain all need to match. If they don't align, even if SPF and DKIM pass individually, DMARC will fail. This is why shared SMTP infrastructure causes so many deliverability problems.

Use the PuzzleInbox DNS checker or MXToolbox to verify all three records are correctly configured before launching any campaign. This takes 2 minutes and saves you from burning inboxes and domains. If you're using PuzzleInbox, all three records come pre-configured on every inbox, so you're covered from day one.