Cold Email Deliverability: SPF, DKIM & DMARC Explained (2026)
A practical guide to cold email deliverability — what SPF, DKIM, and DMARC do, how to set them up, and the sending practices that keep you out of spam.
The best cold email in the world is worthless if it lands in spam. Deliverability — whether your messages actually reach the inbox — is decided largely by technical setup most senders ignore. This guide explains the three authentication standards that matter (SPF, DKIM, DMARC), how to set them up, and the sending habits that keep you out of the spam folder.
Why deliverability matters
Open rates, reply rates, and ultimately revenue all depend on one thing first: your email reaching the inbox. A campaign with great copy and a 5% inbox rate fails; a mediocre one with 95% inbox placement succeeds. Deliverability is the multiplier on everything else you do, which is why it's worth getting the technical foundation right before you scale sending.
SPF, DKIM, and DMARC explained
| Standard | What it does | In plain English |
|---|---|---|
| SPF | Lists authorized sending servers for your domain | 'These servers are allowed to send as me' |
| DKIM | Cryptographically signs each message | 'This message really came from me, untampered' |
| DMARC | Tells receivers what to do if SPF/DKIM fail | 'If a message fails the checks, here's how to handle it' |
Mailbox providers (Gmail, Outlook) use these to decide whether to trust you. Missing or misconfigured authentication is the fastest way to the spam folder — and as of recent years, major providers effectively require them for bulk senders.
Setting them up
- 1SPF — add a TXT record to your domain's DNS listing the services allowed to send for you (your email provider gives you the value).
- 2DKIM — enable DKIM in your email provider and publish the public key as a DNS record so receivers can verify the signature.
- 3DMARC — add a DMARC TXT record (start with a 'none' policy to monitor, then tighten to quarantine/reject once you've confirmed SPF and DKIM pass).
- 4Verify — use a free authentication checker to confirm all three pass before sending volume.
Authentication is necessary but not sufficient. SPF/DKIM/DMARC get you eligible for the inbox — they don't guarantee it. Reputation, warmup, list quality, and content still decide placement.
Beyond authentication
- Warm up the domain before sending volume — see how to warm up an email domain
- Verify every address before sending — high bounce rates destroy reputation
- Ramp volume gradually rather than blasting from day one
- Keep content clean — avoid spam-trigger phrasing and too many links
- Use a separate sending domain to protect your primary domain
A deliverability checklist
Before any cold campaign: SPF, DKIM, and DMARC configured and passing; a warmed sending domain; a verified, clean list; gradual volume; and clean content. Get those right and your great copy actually gets read.
A clean, verified list is half of deliverability — bounces from bad data are a top reputation killer. Build a verified list from Google Maps with this email-extraction guide, and pair it with tested templates.
Ready to extract your first leads?
Start with 500 free contacts every month. No credit card required.