Cold Emailing
CEO and co-founder
SPF, DKIM & DMARC Explained: Authentication Setup for Cold Email Agencies
Updated December 20, 2025
TL;DR: SPF, DKIM, and DMARC are three DNS records that tell receiving servers your emails are legitimate. Get them wrong and your inbox placement tanks overnight, but get them right and you build the trust that keeps campaigns out of spam. The catch is that manually configuring these records across 50+ domains burns hours every month that should go toward closing deals. This guide walks you through exact setup steps for GoDaddy, Namecheap, and Cloudflare, covers the mistakes that kill deliverability, and shows you how to automate the entire process to reclaim your time for revenue-generating work.
Most agency founders obsess over cold email copy while ignoring the hours they lose manually configuring DNS records. When your infrastructure costs scale faster than your revenue and your time is buried in registrar panels, you're trading high-value sales time for low-value technical work.
Setting up SPF, DKIM, and DMARC correctly is a non-negotiable requirement for inbox placement. But manually configuring these records across dozens of domains creates a massive operational bottleneck. This guide breaks down exactly how to configure your authentication records, how to avoid the mistakes that cause deliverability to tank, and how to automate the entire process so you can focus on closing clients.
Why manual DNS configuration kills agency margins
The math is brutal. An agency managing 50 domains faces significant setup time per domain for initial DNS configuration. That adds up to hours of work before a single campaign email goes out, and this doesn't include troubleshooting when records break or propagation delays that can stretch 24-48 hours.
Here's what that time costs you:
Lost sales capacity: Every hour spent in GoDaddy's DNS panel is an hour not spent on client calls
Human error risk: A single typo in an SPF record can tank deliverability for an entire client campaign
Delayed revenue: New clients wait days to launch while DNS propagates and you validate records with Mail-Tester
Margin erosion: Google Workspace costs scale linearly at $7-8.40 per inbox. 50 inboxes cost $350-420/month. Scale to 100 inboxes and you're paying $700-840/month while your infrastructure spend climbs as a percentage of billings.
The infrastructure bottleneck is real. Understanding what these authentication protocols actually do helps you fix them faster when things break.
What SPF, DKIM, and DMARC actually do for deliverability
These three protocols work together to prove your emails are legitimate. Receiving servers (Gmail, Outlook, Yahoo) check all three before deciding whether your message lands in the inbox or spam folder. Think of them as a three-layer verification system that builds trust with every email you send.
SPF: Authorizing your sending IP
Sender Policy Framework (SPF) ensures the sending mail server is authorized to originate mail from your domain. It works like an event guard stationed in your lobby. You provide a guest list (authorized IP addresses), and the guard welcomes those on the list while everyone else gets turned away.
For Microsoft 365 infrastructure, your SPF record looks like this:
This tells receiving servers that Microsoft's mail servers are authorized to send on your behalf. The -all at the end instructs servers to reject any email from unauthorized sources.
DKIM: Signing your emails to prevent tampering
DKIM (DomainKeys Identified Mail) uses a digital signature to prove the message was sent by the domain owner and hasn't been modified in transit. Your email server signs outgoing messages with a private key, and receiving servers verify the signature using a public key published in your DNS records.
Think of DKIM as a tamper-proof seal on a package. If anyone alters the contents between your server and the recipient, the seal breaks and the verification fails. This protects both your reputation and your recipients from phishing attempts using your domain.
DMARC: Telling receivers what to do with failures
DMARC is the policy layer that ties SPF and DKIM together. It answers the question: what should happen to messages that fail authentication?
DMARC offers three policy options:
Monitor (p=none): Unqualified emails still reach the inbox while you collect data
Quarantine (p=quarantine): Failed emails go to spam/junk folders
Reject (p=reject): Failed emails get blocked entirely
Step-by-step SPF, DKIM, and DMARC setup for agencies
Manual setup requires logging into your registrar's DNS panel and adding specific TXT and CNAME records. The record values stay consistent for Microsoft 365 infrastructure, but each registrar's interface works differently. Below are exact steps for GoDaddy, Namecheap, and Cloudflare before we show you how to automate the entire process.
How to configure DNS records in GoDaddy
Following GoDaddy's DNS setup process:
For SPF (TXT Record):
Navigate to DNS Management for your domain
Click Add → TXT
Name: @ (this represents your root domain)
Value:
v=spf1 include:spf.protection.outlook.com -allTTL: Leave as Default
Click Save
For DMARC (TXT Record):
Click Add → TXT
Name: _dmarc
Value:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.comTTL: Leave as Default
Click Save
For DKIM (CNAME Records):
Click Add → CNAME
Name: selector1._domainkey
Value: Your DKIM target from Microsoft 365 admin
TTL: Leave as Default
For Microsoft 365 specifically, repeat for selector2._domainkey (Microsoft uses two selectors for automatic key rotation)
Watch our founder walk through this in under 2 minutes.
How to configure DNS records in Namecheap
In Namecheap's interface:
For SPF (TXT Record):
Go to Domain List → Manage → Advanced DNS
Under Host Records, click Add New Record
Type: TXT Record
Host: @
Value:
v=spf1 include:spf.protection.outlook.com -allTTL: Automatic
Click the checkmark to save
For DMARC (TXT Record):
Click Add New Record
Type: TXT Record
Host: _dmarc
Value:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.comTTL: Automatic
Click checkmark
For DKIM (CNAME Records):
Click Add New Record
Type: CNAME Record
Host: selector1._domainkey
Target: Your DKIM value from Microsoft 365
Repeat for selector2._domainkey if using Microsoft 365
For a complete setup walkthrough, see this step-by-step Inframail tutorial.
How to configure DNS records in Cloudflare
Cloudflare requires one critical setting change:
Important: Disable Cloudflare Email Routing if enabled, and set all Microsoft 365 CNAMEs to "DNS only" (gray cloud, not orange).
For SPF and DMARC:
Go to DNS → Records
Click Add Record
Type: TXT
Name: @ (for SPF) or _dmarc (for DMARC)
Content: Your SPF or DMARC value
Click Save
For DKIM:
Click Add Record
Type: CNAME
Name: selector1._domainkey
Target: Your DKIM value
Proxy status: DNS only (critical)
Click Save
The full infrastructure setup guide covers advanced Cloudflare configurations for cold email at scale.
Common authentication mistakes that tank inbox placement
Even with proper SPF, DKIM, and DMARC policies, email authentication can fall apart if DNS records contain syntax or formatting errors. These issues often remain unnoticed until email delivery problems arise.
1. Multiple SPF records: Each domain should have only one SPF record. If you have duplicates (common when migrating between providers), they must be merged into a single record. Having two SPF records causes authentication to fail entirely.
2. Syntax errors and missing spaces: Proper formatting is crucial. Each SPF mechanism must be separated by a space. Missing spaces between elements like include:mailservice.com and ip4:192.168.1.1 cause the record to fail.
3. SPF lookup limit exceeded: The 10 DNS lookup limit is a frequent stumbling block. If your SPF record triggers more than 10 DNS lookups, you encounter "SPF PermError: too many DNS lookups" and DMARC automatically fails authentication.
4. DMARC alignment failures: DMARC failures happen even when SPF and DKIM pass because of domain alignment issues. DMARC requires the domain in the "From" header to match the domains authenticated by SPF or DKIM. Using third-party sending services without proper alignment causes silent failures.
These mistakes explain why deliverability can drop significantly with zero warning. One misconfigured record across multiple client domains means emergency work and angry client calls.
Email authentication best practices for agencies
Beyond correct setup, maintaining deliverability requires ongoing monitoring and proactive management. Here's what separates agencies with consistent inbox placement from those fighting fires weekly:
1. Monitor DMARC reports regularly: Your DMARC record can include a reporting address (rua=mailto:dmarc@yourdomain.com) that receives authentication reports. These reports show you exactly which emails pass or fail authentication and from which IP addresses. Reviewing these weekly catches problems before clients notice.
2. Test before launching campaigns: Never launch a client campaign without validating DNS configuration first. Understanding healthy metrics helps you catch problems early. Target Mail-Tester scores of 9+/10 and inbox placement rates above 75%.
3. Use dedicated IPs to isolate reputation: Shared IP pools mean your sender reputation depends on other users' behavior. One bad actor spamming gets the whole range flagged. Dedicated IPs mean your behavior alone determines reputation. This video explains the dedicated vs shared IP differences for cold email deliverability.
4. Warm up inboxes properly after migration: Moving to new infrastructure requires proper warmup. Our warmup guide covers the exact ramp-up schedule to build sender reputation without triggering spam filters.
How to validate your DNS setup before launching campaigns
Before sending a single campaign email, validate that all records are configured correctly and propagated globally.
Mail-Tester.com: Send a test email to the address provided by Mail-Tester and receive a comprehensive score out of 10. This checks SPF, DKIM, DMARC, and other deliverability factors including content, blacklists, and formatting. Aim for 9+/10 before launching campaigns.
MXToolbox: Use MXToolbox's diagnostic tools to check individual records. The SPF Record Check acts as a validator that runs diagnostic tests against your record. It also checks if your IP or domain appears on any blacklists.
Google Admin Toolbox: Google's Check MX tool validates whether your domain has proper email authentication configured for Gmail deliverability. If you send emails to Gmail users, this tells you if Google trusts your domain setup.
Propagation timing: DNS updates typically take a few minutes but can stretch to 24-48 hours for global propagation. Most changes take effect quickly, but plan for delays when onboarding new clients.
Automating DNS setup to reclaim hours every month
Manual DNS configuration made sense when you had 5 domains. At 50-200 domains across multiple clients, it can become a time-consuming bottleneck that keeps you trapped doing technical work instead of sales activities.
We built the world's first automated email setup platform that handles SPF, DKIM, DMARC, email forwarding, and domain redirects in seconds. You buy new domains inside our platform or bring your own from GoDaddy or Namecheap, and DNS configuration happens automatically. No registrar panels. No copy-paste errors. No propagation anxiety.
Watch the 2-minute SPF, DKIM, DMARC setup to see the exact workflow.
Cost comparison: Inframail vs Google Workspace
Inboxes | Google Workspace (Annual) | Inframail Unlimited | Monthly Savings | Annual Savings |
|---|---|---|---|---|
50 | $350/month | $129/month | $221 | $2,652 |
100 | $700/month | $129/month | $571 | $6,852 |
200 | $1,400/month | $129/month | $1,271 | $15,252 |
These monthly savings protect your margins as you grow.
Calculate your exact savings with the TCO calculator
The pricing table shows headline comparisons, but your real infrastructure cost includes platform fees, domain costs, warmup tools, and your sending platform. Our full ROI calculator breaks down every line item:
Platform fee: $129/month (Unlimited) or $327/month (Agency Pack)
Domain costs: $9-17/year per domain (.com domains are $16.44/yr and .info domains are $9.44/yr) (purchased separately or transferred)
Warmup tools: Varies by provider ($15-50/month per inbox elsewhere)
Sending platform: Your Instantly or Smartlead subscription
Plug in your current client count, inbox count, and sending volume to see your monthly and annual savings. The calculator shows the exact break-even point where flat-rate pricing beats per-seat models.
What agency founders say about the switch
"I've been using Inframail for a couple of months and the experience has been really good. I can set-up inboxes in 5mins while saving money on Google Workspace subscriptions and benefit from great deliverability." - Verified user review of Inframail
"Inframail has been absolute gold in terms of delivering a great customer experience, and allowing me to spin up cold email infrastructure at scale for my clients as easily and fast as possible" - Verified user review of Inframail
Infrastructure that scales with you
Our platform includes dedicated IP infrastructure (1 IP on Unlimited Plan, 3 IPs on Agency Pack) built on Microsoft's cloud platform. This means your sending reputation stays isolated from other senders. We score 88% inbox rate via GMass testing (a deliverability measurement tool) and 9.5/10 on Mail-Tester across tested domains.
For agencies comparing options, our Mailforge alternative comparison breaks down feature differences and pricing models.
Sign up to Inframail and get started today.
Specific FAQs
How long does DNS propagation take after adding SPF, DKIM, and DMARC records?
Most DNS changes take effect within 1 hour, but global propagation can take up to 48 hours. Plan for 24-hour buffer before launching campaigns.
What Mail-Tester score should I target before sending cold emails?
Target 9+/10 on Mail-Tester. Lower scores may indicate configuration issues, content problems, or blacklist presence that need investigation.
How many DNS lookups can my SPF record have?
SPF records are limited to 10 DNS lookups. Exceeding this triggers PermError and causes DMARC to fail automatically.
What DMARC policy should cold email agencies start with?
Start with p=none (monitor mode) to collect data without risking deliverability. The timeline to move to p=quarantine varies based on your organization's complexity and can range from days to several weeks of clean reports.
How much does Inframail cost compared to Google Workspace for 100 inboxes?
We charge $129/month flat regardless of inbox count. Google Workspace at 100 inboxes costs $700/month (annual plan), a $571/month difference.
Can I migrate existing domains from GoDaddy or Namecheap to Inframail?
Yes. Transfer your domains or point nameservers to our platform and all DNS configuration (SPF, DKIM, DMARC) happens automatically in minutes.
Key terminology
DNS propagation: The time required for DNS record changes to spread across global nameservers. Typically 1-48 hours depending on TTL settings and provider.
Dedicated IP: An IP address used exclusively by one sender, isolating your sender reputation from other users. We provide 1 dedicated US IP on Unlimited Plan or 3 IPs on Agency Pack.
TXT record: A DNS record type containing text information. Used to publish SPF and DMARC policies that email servers read to authenticate messages.
Inbox placement rate: The percentage of emails that land in the primary inbox versus spam or promotions folders. Target 75%+ for cold email campaigns.
DKIM selector: A string that points to the specific DKIM key record in DNS (e.g., selector1._domainkey). Multiple selectors allow key rotation without downtime.
Social Proof
Inframail now has 38 5-star reviews on Trustpilot (https://www.trustpilot.com/review/inframail.io).
