If your cold emails are landing in spam, the problem almost certainly isn’t your copy — it’s your infrastructure. Email authentication records (MX, SPF, DKIM, and DMARC) are the DNS-level signals that tell receiving mail servers your domain is legitimate and your sending is authorized. Without them, even the best-written cold email gets filtered before anyone reads it. At COLDICP, proper email infrastructure setup is the foundation of every outbound system we build — it’s how we consistently achieve 98%+ inbox placement rates for clients. This guide walks through every record you need, how to set it up, and what to check before your first send.
Why Email Authentication Matters for Cold Outreach
Cold outreach operates in a high-scrutiny environment. You’re sending unsolicited email from a domain the recipient has never interacted with. Mail servers at Google, Microsoft, and other providers run authentication checks on every inbound message. If your domain fails those checks, your email either goes to spam or gets rejected entirely.
The four authentication layers — MX, SPF, DKIM, and DMARC — work together to prove three things:
- MX: Your domain can receive email (proving it’s a real, active domain)
- SPF: The server sending your email is authorized to send on behalf of your domain
- DKIM: Your email hasn’t been tampered with in transit (cryptographic signature)
- DMARC: What to do if SPF or DKIM fails — and who to notify
Skipping any of these is like cold calling from an unknown number with no caller ID. Carriers and recipients don’t trust it. See our guide on inbound vs outbound for more context on why infrastructure investment pays off in outbound-led growth.
What Is an MX Record and How to Set It Up
An MX (Mail Exchange) record tells the internet where to deliver email sent to your domain. Without an MX record, your domain looks like it can’t receive email — which is a major spam signal for outbound senders.
How to set it up:
- Log in to your domain registrar or DNS provider (GoDaddy, Cloudflare, Namecheap, etc.)
- Navigate to DNS settings for your sending domain
- Add MX records pointing to your email provider’s mail servers
Example (Google Workspace):
| Type | Name | Value | Priority |
|---|---|---|---|
| MX | @ | aspmx.l.google.com | 1 |
| MX | @ | alt1.aspmx.l.google.com | 5 |
| MX | @ | alt2.aspmx.l.google.com | 10 |
Your email provider will give you their specific MX values. Use the exact values they provide.
How to Set Up SPF
SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorized to send email from your domain. When a receiving server gets an email from you, it checks your SPF record to confirm the sending server is on the approved list.
How to set it up:
- Go to your DNS settings
- Create a new TXT record at the root of your domain (@)
- Add your SPF record as the value
Example SPF record (Google Workspace + Instantly):
v=spf1 include:_spf.google.com include:spf.instantlyai.com ~all
Key rules:
- You can only have one SPF TXT record per domain. Combine all senders into a single record.
- Use ~all (softfail) rather than -all (hardfail) during initial setup to avoid blocking legitimate mail while you test.
- Keep the record within SPF's limit of 10 DNS lookups (every include counts toward it) to avoid SPF PermError.
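The single-record rule and the 10-lookup limit can be checked before anything is published. The following is an added example, not code from this guide or from any vendor: it walks include/redirect chains the way RFC 7208 counts them, over a constructed `ZONE` dictionary that stands in for live DNS (all domain names and records in it are placeholders).

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data standing in for live DNS (all names are placeholders).
ZONE = {
    "ok.example": ["site-verification=constructed",
                   "v=spf1 include:_spf.esp-a.example include:spf.esp-b.example ~all"],
    "_spf.esp-a.example": ["v=spf1 include:_nb1.esp-a.example include:_nb2.esp-a.example ~all"],
    "_nb1.esp-a.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.esp-a.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "spf.esp-b.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_spf.crm.example": ["v=spf1 a:m1.crm.example a:m2.crm.example a:m3.crm.example "
                         "mx:crm.example exists:%{i}.bl.crm.example ~all"],
    "heavy.example": ["v=spf1 a mx include:_spf.esp-a.example include:spf.esp-b.example "
                      "include:_spf.crm.example ~all"],
    "dup.example": ["v=spf1 include:spf.esp-b.example ~all", "v=spf1 mx ~all"],
}

def spf_records(zone, domain):
    """TXT strings at `domain` that are SPF records (other TXT values are ignored)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, domain, path=()):
    """Count DNS-querying terms reachable from `domain`, following include/redirect."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    records = spf_records(zone, domain)
    if len(records) != 1:  # duplicates, or an include target with no record, fail evaluation
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(records)}")
    total = 0
    for term in records[0].split()[1:]:
        m = re.match(r"([A-Za-z][A-Za-z0-9]*)(?:[:=]([^/]+))?", term.lstrip("+-~?"))
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and unknown modifiers cost no lookup
        total += 1
        if m.group(1).lower() in ("include", "redirect") and m.group(2):
            total += count_lookups(zone, m.group(2), path + (domain,))
    return total

def check(zone, domain):
    """Return a one-line verdict for the SPF record published at `domain`."""
    try:
        n = count_lookups(zone, domain)
    except ValueError as exc:
        return f"PermError: {exc}"
    return f"PermError: {n} lookups (limit {LIMIT})" if n > LIMIT else f"ok: {n} lookups"

if __name__ == "__main__":
    for name in ("ok.example", "heavy.example", "dup.example"):
        print(name, "->", check(ZONE, name))
```

Nested includes are where the budget goes: `heavy.example` lists only five lookup terms itself, yet evaluates to twelve once its providers' own records are followed.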
How to Set Up DKIM
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing emails. The receiving server uses a public key stored in your DNS to verify that the email was actually sent by you and hasn’t been altered in transit.
How to set it up:
- Log in to your email sending platform (Google Workspace, Instantly, Smartlead, etc.)
- Navigate to the DKIM settings — your platform will generate a public/private key pair
- Copy the CNAME or TXT record the platform provides
- Add it to your DNS as a TXT record, typically at a subdomain like google._domainkey.yourdomain.com
- Return to your email platform and click Verify / Authenticate
Example DKIM DNS entry:
| Type | Name | Value |
|---|---|---|
| TXT | google._domainkey | v=DKIM1; k=rsa; p=MIGfMA0GCS… |
Each sending platform generates its own DKIM key. If you send from multiple platforms, set up a separate DKIM record for each.
How to Set Up DMARC
DMARC (Domain-based Message Authentication, Reporting & Conformance) tells receiving mail servers what to do when an email fails SPF or DKIM checks. It also sends you aggregate reports on authentication failures — which is useful for monitoring deliverability.
How to set it up:
- Add a TXT record to your DNS at _dmarc.yourdomain.com
- Start with a monitoring-only policy, then tighten it over time
Example DMARC record (start here):
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
DMARC policy options:
- p=none: Monitor only — no action taken on failures. Start here.
- p=quarantine: Failed emails go to spam. Use after confirming SPF/DKIM are working.
- p=reject: Failed emails are blocked entirely. Use only when you’re fully confident in your setup.
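The aggregate reports sent to the rua address are what tell you when it is safe to move from p=none to a stricter policy. The following is an added example, not code from this guide: it reads one report in the RFC 7489 XML layout and shows which sources a stricter policy would affect. The embedded `REPORT` is constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate (rua) report in the RFC 7489 layout; every value is sample data.
REPORT = """<feedback>
 <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>180</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Tally messages per source IP by DMARC outcome and by missing DKIM pass."""
    passed, failed, dkim_gaps = Counter(), Counter(), Counter()
    root = ET.fromstring(xml_text)
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        n = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        if "pass" in (dkim, spf):      # DMARC needs only one aligned pass
            passed[ip] += n
            if dkim != "pass":
                dkim_gaps[ip] += n     # passes on SPF alone; DKIM still needs fixing
        else:
            failed[ip] += n            # would be acted on under p=quarantine / p=reject
    return {"policy": root.findtext("policy_published/p"),
            "passed": dict(passed), "failed": dict(failed), "dkim_gaps": dict(dkim_gaps)}

def fail_rate(summary):
    """Share of reported messages that a stricter policy would act on."""
    bad = sum(summary["failed"].values())
    total = bad + sum(summary["passed"].values())
    return bad / total if total else 0.0

if __name__ == "__main__":
    s = summarize(REPORT)
    print(s, f"fail rate {fail_rate(s):.1%}")
```

Reports come from third-party mail servers, so for real files use a hardened XML parser such as defusedxml in place of the standard-library one.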
Setting Up Email Forwarding
For cold outreach, many teams use secondary domains (e.g., usecoldicp.com alongside coldicp.com) to protect their primary domain’s reputation. Setting up email forwarding from your sending domains to your main inbox ensures replies don’t get lost.
Most email providers (Google Workspace, Microsoft 365) offer forwarding rules in their admin settings. Alternatively, route forwarding through your CRM or inbox management tool to keep reply tracking intact.
Domain Warmup Protocol After Setup
Authentication records prove your domain is legitimate — but a brand new domain with zero sending history still looks suspicious to mail servers. Domain warmup gradually builds your sender reputation by starting with low send volumes and increasing over 4–6 weeks.
Standard warmup schedule:
- Week 1–2: 10–20 emails/day. Send only to engaged contacts or warm leads.
- Week 3–4: 50–100 emails/day. Monitor open rates and spam complaints closely.
- Week 5–6: 200–300 emails/day. If metrics are clean, you’re ready to scale.
- Full scale: 200–500 emails/domain/day maximum for cold outreach.
Use a dedicated warmup tool (Instantly’s warmup, Smartlead warmup, or Mailreach) alongside manual warmup sends for the first two weeks. Once your cold email copy is ready, a warmed domain means your first send actually lands.
5 Common Mistakes That Kill Deliverability
- One domain for everything: Never use your primary business domain for cold outreach. Set up 3–5 sending domains minimum and rotate volume across them.
- Missing DMARC: A DMARC record, even one set to p=none, has been required by Google and Yahoo for bulk senders since February 2024. Not having one gets your emails flagged.
- Overloading SPF includes: Each include: in your SPF record triggers a DNS lookup. Exceeding 10 lookups causes SPF PermError — your emails fail authentication even if your record looks correct.
- Sending cold to unverified lists: High bounce rates (above 2%) tank sender reputation fast. Verify every email address before sending.
- Skipping warmup on new domains: Going from zero to 500 emails/day on a new domain is the fastest way to get blacklisted. Warmup is not optional.
How to Verify Your Setup
Before sending a single cold email, verify every record is configured correctly:
- MXToolbox: Check MX, SPF, DKIM, and DMARC records. Run the Email Health report for a full audit.
- Mail-tester.com: Send a test email and get a deliverability score out of 10. Aim for 9+.
- Google Postmaster Tools: Monitor your domain reputation and spam rate with Google’s mail servers directly.
- GlockApps: Test inbox placement across multiple providers (Gmail, Outlook, Yahoo) simultaneously.
Conclusion
Email infrastructure is the unsexy foundation that determines whether everything else works. Get your MX, SPF, DKIM, and DMARC records right before you write a single cold email — and warm your domain properly before you hit scale. If you want COLDICP to build and maintain the infrastructure for you (including multi-domain architecture, continuous monitoring, and 98%+ inbox rates), apply for the GTM Pilot.
Frequently Asked Questions
Do I need separate domains for cold email?
Yes. Always use secondary sending domains for cold outreach — never your primary business domain. If a sending domain gets blacklisted, your main domain (and its reputation for transactional and marketing email) stays clean. Set up a minimum of 3–5 sending domains with slight variations of your brand name.
How long does it take for DNS records to propagate?
Most DNS changes propagate within 15–60 minutes, but full global propagation can take up to 48 hours. Use MXToolbox to check record visibility after changes. Don’t start sending until all records are confirmed active.
What’s the difference between SPF softfail (~all) and hardfail (-all)?
Softfail (~all) marks emails from unauthorized servers as suspicious but still delivers them. Hardfail (-all) rejects them outright. Start with softfail while you verify your setup, then move to hardfail once you’re confident all your legitimate sending sources are included in your SPF record.
