Email deliverability is a crucial part of effective cold email campaigns — if you know your emails are landing in your prospect’s primary inbox, you’ll start more conversations and have more opportunities to close new deals.

SPF, DKIM, and DMARC are the three most important email authentication methods that ensure good email deliverability. These email security measures protect both senders and recipients from the dangers of phishing, email spoofing, and spam. 

But how do they work, and how exactly are they related to deliverability? Let's find out:

  1. Why Do You Need to Use SPF and DKIM?

  2. What is Sender Policy Framework (SPF)?

  3. What is DomainKeys Identified Mail (DKIM)?

  4. What’s the Difference Between SPF and DKIM?

  5. How Does SPF Work for Email Authentication?

  6. How Do I Set Up an SPF Record?

  7. How Does DKIM Work for Email Authentication?

  8. How Do I Set Up a DKIM Record?

  9. What Will Happen if I Don’t Set Up My SPF and DKIM Records?

  10. How Does DMARC Work for Email Authentication?

  11. Warming Up Your Email Account to Ensure High Deliverability

Why Do You Need to Use SPF and DKIM?

In the early days of email, a lot of viruses, spam, and scams were sent via email using fake sender information. This does still happen today, but there are more mechanisms in place to help verify information about email senders. 

Two of these mechanisms are SPF and DKIM.

SPF and DKIM are methods of email authentication. As such, they allow email servers to identify who is sending emails and verify if they’re trustworthy or not. 

Setting these records up is crucial to email deliverability and ensures that your messages reach their intended recipients safely and securely. 

Starting February 1, 2024, two of the world’s biggest email providers — Google and Yahoo — will require all senders targeting Gmail and Yahoo accounts to set up SPF or DKIM email authentication for their domains.

What is Sender Policy Framework (SPF)?

Sender Policy Framework, or SPF, is a form of email authentication. SPF defines a validation process for a specific email that has been sent from a mail server. 

The goal of SPF is to detect forgery and prevent spam. Through the help of SPF protocols, a domain’s owner can pinpoint the exact mail servers the email senders are able to send the message from. 

Through this, SPF gives the email recipient information about the email sender’s legitimacy. When the recipient gets the email, their email provider (e.g., Gmail) verifies the SPF credentials through a domain lookup in the DNS records. If something is amiss, the receiving server will flag the message as spam, as it has effectively failed the SPF authentication check.

If you cold email without your SPF records in place, your recipients’ inboxes won’t let your email through, as they don’t trust you as a legitimate sender. Most spammers won’t take the time to add their SPF records, so it’s an effective email validation mechanism.

What is DomainKeys Identified Mail (DKIM)?

DomainKeys Identified Mail, or DKIM, is an email authentication protocol used to detect fake sender email addresses or spoofed ones. 

It works by linking an email back to its domain. An email sender can attach DKIM signatures, which are cryptographically signed headers added to the message that help the receiving inbox verify the source of the message.

This is important because a lot of phishing campaigns spoof emails from trusted domains. Think of the emails you’ve received posing as a bank, Google, or some other trusted domain. It still happens today, but DKIM acts as a potent safeguard against ill-intentioned scammers.

When it comes to cold emailing, your DKIM essentially tells your prospect’s inbox that you are who you say you are, and gives the email service provider (ESP) a good reason to let your email through. 

Gmail’s New Bulk Sender Requirements

Starting in February 2024, Google will require senders who send 5,000 or more emails per day to Gmail and Yahoo accounts to:

  • Authenticate outgoing email with SPF and DKIM

  • Avoid sending unsolicited email

  • Make it easy for recipients to unsubscribe

Learn more: Gmail Bulk Sender Guidelines

What’s the Difference Between SPF and DKIM?

DKIM and SPF seem similar if you’re new to them. So, what’s the difference?

Put simply, SPF allows senders to define exactly which IP addresses may send an email for that particular domain. Meanwhile, DKIM verifies the authenticity of an email by providing a digital signature and encryption key. 

They work hand-in-hand to prevent spam and detect forgery while sending and receiving emails.

How Does SPF Work for Email Authentication?

SPF works by specifying the mail servers authorized to send emails from your domain. If you have it in place, the receiving mail servers can verify that the incoming messages did come from you.

Without SPF records, the messages sent by your organization may be marked as spam, because your prospects’ and customers’ inboxes won’t be able to verify that it’s really you sending the email. Your emails will land in the spam folder or be completely blocked from landing in their inbox.

Once your SPF records are in place, you won’t need to do any ongoing management. You’ll need to make sure they’re in place for every domain you use for your email activity.

Here’s a basic overview of how SPF records work:

  1. Publishing an SPF record: Your domain’s administrator publishes an SPF record, which is the policy that defines which mail servers are allowed to send emails. The SPF record is stored under the domain’s overall DNS records.

  2. Checking IP against the list of authorized IPs: Each time an inbound server gets an incoming message, it searches DNS for the rules for the bounce or Return-Path domain. The inbound mail server checks the IP of the message sender against the list of authorized IPs defined in the SPF record.

  3. Taking action: The receiving server uses the rules indicated in the sender domain’s SPF record to determine what to do: Accept, reject, or flag the email as spam.

How Do I Set Up an SPF Record?

Setting up your SPF takes a few minutes and will ensure that your messages land in your prospects’ inboxes. It’s a vital step before sending any cold outreach. 

If you’re using a custom inbox, make sure to check with your email provider. They’ll be able to show you the best way to set up your SPF record.

If you’re using G Suite or Outlook, follow these steps:

How to Set up SPF for G Suite

Here are Google’s instructions for setting up your SPF records in G Suite.

It’s relatively easy to do.

To set up SPF records in G Suite, sign in to your domain host and navigate to the DNS management page. (Your domain host could be Google Domains, Namecheap, GoDaddy, or whichever service you use to manage your domain.)

Next, locate the DNS TXT records section and create a new TXT record. Enter "@" in the host field if it's required; otherwise, leave it blank. For the value, input "v=spf1 include:_spf.google.com ~all" to authorize G Suite servers to send emails on your behalf. Save the record.

This process may take up to 48 hours to propagate. Verify your SPF record through G Suite's admin console to ensure it's correctly configured, protecting your domain against email spoofing. 

How to Set up SPF for Outlook

To set up SPF records for your domain in Microsoft Outlook or Microsoft 365, access your domain's DNS settings through your hosting provider's control panel.

Locate the DNS management area and create a new TXT record. In the value field, enter your SPF details to specify the mail servers authorized to send emails on behalf of your domain. If all of your mail is being sent with Microsoft 365/Outlook, use the following SPF record: “v=spf1 include:spf.protection.outlook.com -all”.

You may enter other records if you’re using a dedicated Exchange Online account or an on-premises email system. For unique situations like these, check out Microsoft’s guide here.

Save the record and allow up to 48 hours for propagation.

If you’re unsure if your domain is ready to start using for your email activity, you can use tools like spamtester.ai to verify (more on this later in the guide).

To troubleshoot SPF issues, check out this guide from Microsoft. 

How To Set Up SPF With Other Email Providers

You might have an email account from your domain host that isn't one of the major providers. You should configure SPF if you want to use that account for sending, as well. The basic process is the same.

First, access your domain's DNS settings. Then search for your email provider's documentation on SPF records. You'll add a TXT record. It usually begins with "v=spf1", indicating the version and policy.

The record may specify "a", "mx", or "ip4" to define which hosts are allowed to send emails on your domain's behalf. It often has "include:serviceprovider.com" in the record. An ending qualifier like "-all" rejects all other hosts. Update your DNS records, and propagation will secure your email authenticity against spoofing.
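The lookup-and-match steps described above, as an added example (not code from any email provider): a minimal SPF evaluator that handles only the "ip4", "ip6", "include" and "all" terms. The domains, addresses and the result-to-action mapping are constructed assumptions, and a dictionary stands in for DNS.

```python
import ipaddress

# Constructed TXT records (documentation address ranges, not real domains).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.7 ~all",
    "soft.example": "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of the Return-Path domain for a connecting IP."""
    if depth > 10:                       # guard against include loops
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # the domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # a term without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # An include matches only when the included record returns "pass".
            matched = check_spf(ip, value, depth + 1) == "pass"
        else:
            continue                     # "a", "mx" etc. need live DNS; skipped here
        if matched:
            return QUALIFIERS[qualifier] # first matching term decides
    return "neutral"


def disposition(result):
    """Assumed receiver policy mapping SPF results to accept / reject / flag."""
    return {"fail": "reject", "softfail": "flag as spam"}.get(result, "accept")
```

The same unauthorized IP is rejected under "-all" but only flagged under "~all", which is the practical difference between the two ending qualifiers shown in the records above.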

How Does DKIM Work for Email Authentication?

DKIM was created for similar purposes as SPF: to prevent spammers from impersonating your domains and posing as a legitimate email sender from your brand.

DKIM is a kind of signature that you can add to your emails to allow receiving mail servers to check the email sender’s authenticity. The signature isn’t a typical email signature. It works with a cryptographic key pair, your private and public key:

  • Private key: This is available only to you and is unique to your domain. The private key is what you use to sign your outgoing messages.

  • Public key: This is something you have to add to your DNS (using DKIM) so that the receiving mail server can retrieve it and verify your signature.

Setting up DKIM on your DNS allows you to add a layer of security. For example, it’s like presenting an ID card (your public key) to get into your office, even if the security guard already knows that you work at the building. It’s a way to prove that it’s really you at the door. If you forgot your key, you may still get let in, but security won’t be certain.

How Do I Set Up a DKIM Record?

The first step is to generate a public key. To do this, you’ll have to log into your email provider’s admin console. The steps vary depending on your email provider. 

Setting Up DKIM for G Suite

For example, if you're using G Suite to send emails, here’s a detailed guide. 

DKIM signatures need to be manually turned on in your Google Admin console, because Google turns them off by default.

Once you have your public key, you can then take the generated TXT record to place into your DNS records. 

Here’s a simple overview of how DKIM is set up and tested:

Step 1: Publishing your cryptographic key

The key is published by the domain owner and is formatted as a TXT record in the domain’s DNS record.

Step 2: Attaching the unique DKIM

Every time a message is sent by an outgoing mail server (i.e., your outbound emails), this server attaches the DKIM signature to the message’s header.

Step 3: Detecting and decrypting the signature

Inbound mail servers (i.e., your prospects’ email servers) use the DKIM key to verify the signature of the message. If it matches the expected values, then the message is considered authentic and can get through.
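Part of what the inbound server does in Step 3, as an added example (not code from the original page): it parses the DKIM-Signature header, works out which DNS name holds the public key from Step 1, and checks the body hash in the "bh=" tag. The domain, selector and message are constructed, and the public-key check of the "b=" signature itself is not performed here.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()                       # trailing empty lines are ignored
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_tags(header_value: str) -> dict:
    """Split the 'tag=value; tag=value' list of a DKIM-Signature header."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_location(tags: dict) -> str:
    """DNS name of the TXT record that holds the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def body_matches(header_value: str, body: bytes) -> bool:
    """True when the body still hashes to the value the sender signed."""
    return parse_tags(header_value).get("bh") == body_hash(body)


# Constructed sample: the header a sending server for example.com might attach.
BODY = b"Hi Sam,\r\n\r\nQuick question about your Q3 plans.  \r\n\r\n"
HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024;\r\n"
    "\th=from:to:subject; bh=" + body_hash(BODY) + "; b=<signature omitted>"
)
```

A body edited in transit no longer matches "bh=", so verification fails before the signature is even checked; harmless changes such as extra trailing blank lines are absorbed by the canonicalization.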

Setting up DKIM for Outlook

In Outlook, the process works in a similar way.

You’ll need to create your DKIM keys in your Microsoft account. Then, once those are ready, you’ll be shown new CNAME records that you need to copy and paste into a new CNAME entry in your domain’s admin panel.

Once your DKIM signature is enabled, you’ll be ready to start sending your emails with the confidence that they’ll land in your prospect’s inbox.

Click here to read detailed, step-by-step instructions on Microsoft’s website. 

Setting Up DKIM Authentication for Other Email Providers

If you got a free or cheap email account from your domain provider like GoDaddy or Hostinger, you can set up DKIM there, as well. The basic process starts by generating a DKIM key pair using a tool provided by your domain host or a third-party service.

Once you have the public and private keys, you must add the DKIM record to your domain's DNS settings. This DNS entry will include your public key and should follow your host's specifications.

Configure your email server or service provider to use the private key to sign outgoing messages. This ensures that receiving servers can verify messages using the public key in your DNS. Remember to test the configuration to ensure it's working correctly. It's a good idea to look up instructions from your specific email provider, too.

What Will Happen if I Don’t Set Up My SPF and DKIM Records?

In any business scenario where you’re sending a lot of emails — whether it’s cold outreach to new potential clients, or nurturing campaigns to welcome customers and email subscribers to your list — you need to set up SPF and DKIM. 

If you don’t set up these records, over time, most of your emails will be flagged as spam, potentially even resulting in your domain getting completely blocked by email service providers. 

Needless to say, your emails won’t have the business impact you expected them to.

How to Check if Your SPF and DKIM Records are Set Up?

Once you’ve followed your inbox provider’s instructions to add your SPF and DKIM records, you’ll need to verify that they’re working.

Reviewing using QuickMail’s Deliverability Report

On QuickMail’s pro plan you’ll have access to advanced deliverability reports.

First, head to your inbox and make sure your deliverability testing is active.

Every week, QuickMail will automatically test to see how your inbox deliverability is performing.

If your SPF and DKIM pass the checks, you’re ready to start sending your emails.

If your SPF or DKIM records have issues, you’ll see it in the deliverability report so you can take action to update them.

If your emails are being sent to spam, you’ll be notified. 

Using Free Tools to Check Your Email Setup

There are also free tools like spamtester.ai and Check MX that will review your domain setup and let you know if any issues are present.

spamtester.ai will ask you to send a test email to their inboxes, and the service will scan your email for issues.

Then, it will generate a report analyzing all of your domain’s potential areas for improvement. If everything is set up correctly, you should see a green check and the “You’re properly authenticated” message, and two sections mentioning your SPF and DKIM.

If you’re missing any essential records, spamtester.ai will tell you which ones are missing so it’ll be easy for you to add them.

Check MX is a free tool from Google that offers a similar service. Run your domain through it, and wait for the results.

Here’s what your results will look like if your SPF and DKIM records are correctly set up in Check MX:

These tools make it fast and straightforward to review your email setup. If there’s an issue, you’ll be told exactly what it is and given instructions on how to fix it.

For a deliverability jumpstart, grab our guide: Cold Email Deliverability 101

How Does DMARC Work for Email Authentication?

You may have also seen DMARC being referenced on your email account. DMARC stands for Domain-based Message Authentication, Reporting & Conformance.

It’s another email authentication system that helps you protect your domain against spoofing.

From February 1, 2024, Google and Yahoo will require any senders who send more than 5,000 messages per day to Google/Yahoo accounts to implement DMARC email authentication for the sending domain.

DMARC requires you have your DKIM and SPF records set up before implementing it.

It works by telling email servers what to do if they receive an email from your domain that does not pass SPF or DKIM authentication: do nothing, quarantine the email, or reject it completely. In other words, you're letting other email servers know what to do with spoofed email messages claiming to come from your account. If your SPF and DKIM records on outgoing messages don’t match the records you defined in your admin console, DMARC will tell the receiving server to do what you’ve indicated.

For example, if your DMARC policy is set to ‘none’, then the receiving inbox will receive them normally (even if there’s a risk the email isn’t really from you). Quarantine tells the inbox to send emails to the spam folder. Reject tells the inbox to reject them.

Here’s how to set DMARC up on Gmail, and here’s how to add DMARC rules for Outlook accounts.

Warming Up Your Email Account to Ensure High Deliverability

Once your SPF, DKIM, and DMARC authentications are set up, you can begin sending emails and have a strong degree of confidence that they won’t land in spam filters.

But, if your domain is new, there’s still a risk that your recipients’ inboxes don’t completely trust you.

To help prove to ESPs that you’re a trustworthy sender, you should warm up your domain before launching any high-volume email campaigns using MailFlow, which has a native integration with QuickMail.

MailFlow is an email warmup tool that is ideal for anyone who wants to improve their deliverability.

To start with the Auto-Warmer, sign up for MailFlow and connect the inbox you’re going to use to send emails.

Then, head to the settings tab, and go to the Auto Warmer. Add the number of daily emails you want to send. A best practice for this is to start with a low volume on a new domain, and slowly work up from there. If you buy a new domain and immediately start sending hundreds of emails per day, ESPs will know something isn’t right.

Once you’ve set that up, the Auto Warmer will start automatically sending and replying to your emails for you, generating real positive engagement on them.

You’ll know exactly where your emails are landing — in the main inbox, spam, or other folders — thanks to the MailFlow Auto Warmer Report.

If you notice your emails are being sent to spam too often, you can review your DKIM and SPF records, and review your email campaigns for problems that could be causing the deliverability issues.

Wrapping Up

Setting up both SPF and DKIM records is a crucial step in ensuring your domain’s email deliverability stays high. 

And if you send high volumes of emails to Gmail and/or Yahoo accounts, you’ll need to set up DMARC authentication too.

It may seem complicated at first if you’re not a technical person, but the steps are easy to follow, and all email service providers will have detailed instructions on how to implement them.

The process won’t take long, and it’ll have a huge payoff as you’ll be sure that your email campaigns are landing in your recipients’ inboxes. Click here to start your free trial.