EmailX logo with white text and pixelated blue X
AI Arena Blog Book a demo Get started
Email

Email Deliverability: A Step-by-Step Guide to Setting Up SPF, DKIM, and DMARC

Learn how to set up SPF, DKIM, and DMARC to ensure your cold emails land in inboxes, not spam. Follow this step-by-step guide for Google Workspace, Outlook, and private emails to improve your outreach success with Emailx.

By Julien Paltrinieri

Published on 2025-06-11

Picture this: you spend 30 minutes brewing the perfect cup of coffee every morning—grinding the beans, measuring the water, waiting for it to steep—only to find that 3 out of 4 times, the machine jams, leaving you with nothing but a mess. That’s the reality of cold emailing without proper deliverability setup: you send 100 cold emails, but only 23.9% get opened—meaning 76 emails vanish into the void, often due to deliverability issues Gartner. Setting up SPF, DKIM, and DMARC correctly is key to ensuring your emails don’t get lost in the spam abyss.

Why SPF, DKIM, and DMARC Are Non-Negotiable for Cold Email Success

For businesses, every email counts. But if your emails are flagged as spam, your open rates—and your chances of landing a reply—plummet. A 2024 study by Higher Logic notes that authenticated emails (using SPF, DKIM, and DMARC) can double deliverability rates compared to non-authenticated ones Higher Logic. These protocols prove to email providers like Gmail, Outlook, and Yahoo that your emails are legitimate, not spam or phishing attempts.

  • SPF (Sender Policy Framework): Lists which servers are authorized to send emails for your domain, preventing spoofing.

  • DKIM (DomainKeys Identified Mail): Adds a digital signature to your emails, verifying they haven’t been tampered with.

  • DMARC (Domain-based Message Authentication, Reporting & Conformance): Aligns SPF and DKIM, telling servers what to do with emails that fail authentication (e.g., reject or quarantine).

Since February 2024, Google and Yahoo have mandated these protocols for bulk senders (over 5,000 emails daily), and Outlook followed suit in May 2025 for high-volume senders, per Microsoft’s Community Hub announcement. Even if you’re sending fewer emails, setting these up protects your domain reputation and ensures your emails reach inboxes—crucial for cold outreach success.

Does the Setup Process Change for Google Workspace, Outlook, or Private Emails?

The core process of setting up SPF, DKIM, and DMARC is similar across platforms, but there are key differences depending on whether you’re using Gmail (Google Workspace), Outlook (Microsoft 365), or a private email service (e.g., Namecheap’s Private Email).

  • Gmail (Google Workspace): Automates some steps, like providing an SPF record (include:_spf.google.com), but you must manually enable DKIM and set up DMARC. It’s user-friendly for startups.

  • Outlook (Microsoft 365): Requires manual setup for SPF, DKIM, and DMARC, with specific CNAME records for DKIM. Microsoft’s strict requirements for high-volume senders (over 5,000 emails daily) make this critical.

  • Private Emails (e.g., Namecheap, Self-Hosted): You’ll need to manually configure everything, often with more technical steps, especially if self-hosting. This gives you more control but requires more effort.

Below, I’ll walk you through a detailed setup guide that works for any scenario, with specific notes for each platform.

Step-by-Step Guide to Set Up SPF, DKIM, and DMARC

Here’s how to set up SPF, DKIM, and DMARC. Follow these steps to ensure your emails land in inboxes, not spam folders.

Step 1: Set Up SPF (Sender Policy Framework)

SPF authorizes which servers can send emails for your domain, reducing spoofing risks.

  1. Access Your DNS Management:

    • Log in to your domain registrar (e.g., Namecheap, GoDaddy) or DNS provider (e.g., Cloudflare). Find the DNS settings panel.

    • For Google Workspace: Google provides a default SPF record. For Outlook: You’ll need Microsoft’s SPF include. For private emails: You may need to identify your mail server’s IP.

  2. Create a TXT Record:

    • Name/Host: Use @ or leave it blank (depends on your provider).

    • Value:

      • Google Workspace: Use v=spf1 include:_spf.google.com ~all.

      • Outlook (Microsoft 365): Use v=spf1 include:spf.protection.outlook.com -all.

      • Private Email: If using Namecheap’s Private Email, check their docs for the include (e.g., include:relay.mailchannels.net). If self-hosting, use your server’s IP, like v=spf1 ip4:123.123.123.123 -all.

      • Note: Use ~all (soft fail) for testing, then switch to -all (hard fail) once you’re confident.

    • If you use multiple services (e.g., Emailx for sending campaigns), combine includes: v=spf1 include:_spf.google.com include:emailx.ai ~all.

  3. Save and Wait:

    • Save the record. DNS propagation can take 5 minutes to 48 hours.

    • For Outlook, ensure your sending IPs have valid PTR records (reverse DNS), as Microsoft requires this for high-volume senders.

  4. Verify:

    • Use Mail-Tester or Google Admin Toolbox to confirm your SPF is active.

Pro Tip: Don’t create multiple SPF records for one domain—it causes errors. Merge includes into a single record.

Step 2: Set Up DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to verify your emails’ integrity.

  1. Generate DKIM Keys:

    • Google Workspace:

      • Go to Google Admin Console > Apps > Google Workspace > Gmail > Authenticate Email.

      • Select your domain, click “Generate New Record,” and choose a selector (e.g., google).

      • Copy the TXT record value (e.g., v=DKIM1; k=rsa; p=MIGfMA0GCSq...).

    • Outlook (Microsoft 365):

      • In Microsoft 365 Defender, go to Policies & Rules > Threat Policies > DKIM.

      • Select your domain, enable DKIM, and note the two CNAME records (e.g., selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com).

    • Private Email:

      • For Namecheap Private Email, check their dashboard for DKIM setup instructions—they may provide a TXT record.

      • If self-hosting, use a tool like OpenDKIM to generate keys: sudo opendkim-genkey -d yourdomain.com -s default.

  2. Add the DKIM Record to DNS:

    • Create a TXT (or CNAME for Outlook) record in your DNS panel.

    • Google Workspace: Name: google._domainkey.yourdomain.com. Value: The TXT record from Google.

    • Outlook: Add the two CNAME records (e.g., Name: selector1._domainkey, Value: selector1-yourdomain-com._domainkey.yourtenant.onmicrosoft.com).

    • Private Email: Name: default._domainkey.yourdomain.com. Value: The public key (e.g., v=DKIM1; k=rsa; p=MIGfMA0GCSq...).

  3. Enable DKIM Signing:

    • Google Workspace: Return to the Admin Console, click “Start Authentication,” and save.

    • Outlook: DKIM signing starts automatically once CNAME records propagate.

    • Private Email: For managed services, they handle signing. For self-hosted, configure your mail server (e.g., Postfix) with the private key.

  4. Verify:

    • Wait up to 48 hours for propagation, then send a test email to check-auth@verifier.port25.com or use Mail-Tester. Look for “DKIM=pass” in the results.

Pro Tip: For managed services like Google Workspace, DKIM key rotation is automatic. If self-hosting, rotate keys every 6 months for security.

Step 3: Set Up DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC aligns SPF and DKIM, ensuring your emails are authenticated and providing reports on failures.

  1. Wait for SPF and DKIM:

    • Ensure SPF and DKIM are active for 48 hours before setting up DMARC, as Google and Microsoft recommend.

  2. Create a DMARC TXT Record:

    • In your DNS panel, add a TXT record.

    • Name: _dmarc.yourdomain.com.

    • Value: Start with a monitoring policy: v=DMARC1; p=none; rua=mailto:reports@yourdomain.com;.

      • p=none monitors without blocking.

      • rua=mailto:reports@yourdomain.com sends reports to your email.

  3. Save and Wait:

    • Save the record and allow 5 minutes to 48 hours for propagation.

  4. Analyze Reports:

    • Use tools like Dmarcian to review DMARC reports. I spotted unauthorized senders trying to spoof team@emailx.ai—tightening my SPF fixed that.

  5. Tighten Policy:

    • After 1 month of monitoring, if all legitimate emails pass, update to p=quarantine (e.g., v=DMARC1; p=quarantine; pct=20; rua=mailto:reports@yourdomain.com;). After 3 months, move to p=reject.

Pro Tip: For Outlook, ensure subdomains have their own SPF and DKIM records, as Microsoft notes DMARC inheritance can be disrupted without them.

Why This Matters for Your Cold Email Strategy

A case study from Smartlead.ai shows a similar trend: a startup using Google Workspace saw a 30% increase in inbox placement after implementing these protocols Smartlead.ai. For startups and freelancers, this means more prospects see your emails, giving frameworks like Counseling Sale a real chance to shine.

  • Google Workspace: Streamlined setup with built-in tools, ideal for startups scaling fast.

  • Outlook: Stricter requirements for high-volume senders, but critical for Microsoft-based prospects.

  • Private Emails: More manual work, but offers flexibility for custom setups.

Conclusion: Don’t Let Spam Filters Stop Your Growth

If you’re a startup founder or freelancer, you can’t afford to let spam filters derail your cold email efforts. Setting up SPF, DKIM, and DMARC ensures your emails reach inboxes, giving you a fighting chance to stand out with strategies like Emailx’s Counseling Sale framework. Here’s your checklist:

  • Set Up SPF: Authorize your servers.

  • Enable DKIM: Sign your emails.

  • Configure DMARC: Monitor and protect.

  • Test Everything: Aim for a 10/10 on Mail-Tester.

  • Warm Up Your Domain: Use tools like WarmupInbox to build trust.

The AI Sales Playbook Blog

Drop your email to never miss out on valuable sales outreach tips and tricks.

@2024 EmailX

Terms of Use Privacy Policy