How to Set Up Email Authentication for Cold Outreach

Poor email deliverability is the silent killer of outreach campaigns — you can write a perfect email and it still ends up in spam if your sending domain is not properly authenticated. SPF, DKIM, and DMARC are the three authentication standards that tell receiving mail servers your emails are legitimate. Setting them up correctly is one of the highest-leverage actions you can take to improve campaign performance, and it takes less time than most people expect.

Before you start

  • Access to your domain registrar's DNS management panel (GoDaddy, Namecheap, Cloudflare, or similar)
  • A dedicated sending domain or subdomain separate from your main company domain
  • Admin access to your email sending platform (Google Workspace, Instantly, Lemlist, or similar)

Step-by-step guide

1. Set Up a Dedicated Sending Domain or Subdomain

Never send cold outreach from your primary company domain (company.com). If your cold email domain gets flagged or blacklisted, it takes your main domain's reputation with it. Register a separate but similar domain for outreach, or set up a subdomain: variants like getcompany.com, try-company.com, or outreach.company.com work well. This protects your main domain's reputation while still presenting a recognizable brand.

Register two or three sending domains from the start. Rotating sending across multiple domains distributes your sending volume, reduces the risk of any single domain getting flagged, and allows you to rest domains that are warming up.

2. Configure SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. Without it, receiving servers have no way to verify that your emails are genuinely from you. Add a TXT record to your domain DNS with the value: 'v=spf1 include:[your-email-provider] ~all'. Replace [your-email-provider] with the SPF include string provided by your email platform (e.g., include:_spf.google.com for Google Workspace).

Publish only one SPF record per domain. Multiple SPF TXT records on the same domain cause a 'permerror' that breaks authentication entirely. If you use multiple sending services, combine them into a single SPF record with multiple include statements.

3. Configure DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every email you send, allowing receiving servers to verify that the email content has not been tampered with in transit. Your email platform will generate a DKIM key pair and provide you with a CNAME or TXT record to add to your DNS. Add the record exactly as specified — DKIM records are case-sensitive and must match precisely. Allow up to 48 hours for DNS propagation.

After adding your DKIM record, send a test email to mail-tester.com or use your email platform's built-in DKIM verification tool to confirm the record is correctly published before starting your campaign.

4. Configure DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC tells receiving mail servers what to do with emails that fail authentication, meaning neither SPF nor DKIM passes for a domain that matches the visible From address: deliver them as normal, quarantine them, or reject them. Start with a monitoring-only policy: add a TXT record at _dmarc.yourdomain.com with the value 'v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com'. The 'p=none' policy collects reports without rejecting any mail, letting you monitor for authentication failures before tightening the policy.

After 30 days of monitoring DMARC reports, tighten your policy to 'p=quarantine' and eventually 'p=reject' to fully protect your domain from spoofing. Free tools like dmarcian or Google Postmaster Tools help you interpret DMARC reports.
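The SPF and DMARC rules from steps 2 and 4 can be checked before anything is published. The linter below is an added example, not part of the original guide or any platform's tooling; the function names and sample records are constructed for illustration, and it works on record strings you paste in rather than querying DNS.

```python
import re

# SPF terms that each cost one DNS query at the receiver (RFC 7208 allows 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """Check all TXT records published at one domain for SPF problems."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (permerror)"]
    terms = spf[0].lower().split()[1:]
    names = [re.split(r"[:/=]", t.lstrip("+-~?"))[0] for t in terms]
    problems = []
    # Top-level count only; lookups inside each include also count at the receiver.
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms (limit 10, permerror)")
    if "all" not in names and "redirect" not in names:
        problems.append("no 'all' term: unlisted servers are not marked as failing")
    elif "all" in terms or "+all" in terms:
        problems.append("+all authorizes every server to send as this domain")
    return problems

def lint_dmarc(record):
    """Check the TXT record published at _dmarc.<domain>."""
    if not re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", record):
        return ["not a DMARC record: must begin with v=DMARC1"]
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= tag")
    elif policy == "none":
        problems.append("p=none only monitors: failing mail is still delivered")
    if "rua" not in tags:
        problems.append("no rua= address: aggregate reports are not sent")
    return problems

# Constructed sample records (hypothetical domain, not real DNS data)
GOOD_SPF = ["v=spf1 include:_spf.google.com ~all", "some-other-verification=abc123"]
DUP_SPF = ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:spf.example.net ~all"]
MONITOR_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
ENFORCED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
```

An empty list means no problem was found; the p=none finding is expected during the monitoring period and should disappear once the policy is tightened.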

5. Verify All Three Records Are Active

Use a free authentication checker like MXToolbox, Mail Tester, or Google Admin Toolbox to verify that SPF, DKIM, and DMARC are all correctly configured on your sending domain. Send a test email from your sending platform and review the full email headers to confirm that all three authentication checks show 'pass'. Do not start your campaign until all three are verified.
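The header review in this step can be scripted. The following added example (not from the original guide) parses the Authentication-Results header of a test message and also checks that each pass was earned for your own sending domain rather than for the platform's; the messages and the mailer-platform.example domain are constructed, and relaxed alignment is approximated without the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Identity each check was evaluated against: d=/i= (DKIM), mailfrom (SPF), from (DMARC)
IDENTITY = re.compile(r"(?:header\.[di]|smtp\.mailfrom|header\.from)=(\S+)")

def aligned(domain, from_domain):
    """Relaxed alignment, approximated without the Public Suffix List."""
    return (domain == from_domain or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))

def auth_checks(raw_message):
    """Return [(method, result, domain, aligned)] from Authentication-Results."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    header = " ".join(msg.get("Authentication-Results", "").split())  # unfold
    checks = []
    for clause in header.split(";")[1:]:  # clause 0 names the reporting server
        method = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        ident = IDENTITY.search(clause)
        if method and ident:
            domain = ident.group(1).rpartition("@")[2].lower()
            checks.append((method.group(1), method.group(2), domain,
                           aligned(domain, from_domain)))
    return checks

def ready_to_send(raw_message):
    """True only if SPF, DKIM and DMARC each pass for an aligned domain."""
    passed = {m for m, result, _, ok in auth_checks(raw_message)
              if result == "pass" and ok}
    return passed == {"spf", "dkim", "dmarc"}

# Constructed test messages: one fully authenticated for the sending domain,
# one where only the platform's shared domain passes SPF and DKIM.
ALIGNED = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.i=@getcompany.com header.s=s1;\n"
    " spf=pass smtp.mailfrom=bounce@getcompany.com;\n"
    " dmarc=pass header.from=getcompany.com\n"
    "From: Sales <hello@getcompany.com>\n\nbody\n"
)
SHARED = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.d=mailer-platform.example header.s=k1;\n"
    " spf=pass smtp.mailfrom=bounces@mailer-platform.example;\n"
    " dmarc=fail header.from=getcompany.com\n"
    "From: Sales <hello@getcompany.com>\n\nbody\n"
)
```

The second message shows why 'spf=pass' and 'dkim=pass' alone are not enough: both passed for the platform's domain, so DMARC for the From domain still fails.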

6. Set Up Your Google Workspace or Sending Platform Correctly

If you are using Google Workspace on your sending domain, complete the DKIM setup in your Google Admin console under Apps > Google Workspace > Gmail > Authenticate Email. If you are using a dedicated cold email platform like Instantly, follow their domain authentication walkthrough which typically includes SPF, DKIM, and custom tracking domain setup. Custom tracking domains (for open and click tracking) also need to be configured to avoid deliverability issues with default shared tracking domains.

Enable custom tracking domains in your email platform rather than using the default shared tracking subdomain. Shared tracking domains accumulate spam complaints from all users on the platform and can drag down your deliverability even if your own sending practices are clean.

7. Warm Up Your Sending Domain Before Launching

A freshly authenticated domain has no sending history and will be treated with suspicion by mail filters. Run a 2-4 week warm-up period where you gradually increase daily sending volume — starting at 10-20 emails per day and increasing by 10-20% each week. Use an automated warm-up tool (Instantly, Lemlist, or Mailwarm all offer this) to send low-volume, high-engagement emails between seed accounts to build your domain's reputation before your first campaign.

During warm-up, keep your send volume well below your target campaign volume. Jumping from 20 emails per day to 500 overnight is a major deliverability red flag regardless of authentication status.

Common mistakes to avoid

Sending cold outreach from your primary company domain

Fix: Register a dedicated outreach domain that is similar to your main domain but separate. Protect your primary domain's reputation by reserving it for transactional and marketing emails sent to opted-in contacts.

Setting up SPF and skipping DKIM and DMARC

Fix: All three authentication records work together. SPF alone provides weak protection and some receiving servers require DKIM as well. DMARC without SPF and DKIM provides no enforcement. Implement all three before sending at any meaningful volume.

Starting a high-volume campaign on a new domain without a warm-up period

Fix: Even with perfect authentication, a new domain that suddenly sends 500 emails on day one will trigger spam filters. Complete a 2-4 week gradual warm-up before launching your first large campaign, and monitor your deliverability metrics throughout.

What are the key takeaways from this guide?

  • SPF, DKIM, and DMARC work as a system — implementing all three is necessary for strong deliverability, and skipping any one of them leaves meaningful gaps in your email authentication.
  • A dedicated sending domain protects your primary company domain from reputational damage while still allowing you to run aggressive outbound campaigns at scale.
  • Authentication is a prerequisite for deliverability, not a guarantee of it — after authentication, domain warm-up, list hygiene, and engagement rates are the primary factors that determine whether your emails land in inbox or spam.

Frequently asked questions

How long does it take for DNS records to propagate?

Most DNS changes propagate within 1-24 hours, though the official maximum TTL is 48 hours. You can check propagation progress using tools like WhatsMyDNS.net or MXToolbox, which show you whether your new records are visible from DNS servers around the world.

What is the difference between SPF and DKIM?

SPF verifies that the sending server is authorized to send on behalf of the domain — it checks the envelope sender. DKIM verifies that the email content has not been modified in transit using a cryptographic signature. Both checks are needed because they protect against different types of email spoofing and forgery.

Do I need email authentication even if I am sending through a reputable platform like Google or Instantly?

Yes. Sending through a reputable platform helps your emails avoid platform-level blocks, but without domain-level SPF, DKIM, and DMARC, your specific sending domain has no authentication. Most reputable platforms provide step-by-step instructions for adding the required DNS records — follow them before sending.

How do I know if my emails are landing in spam?

Use a service like Google Postmaster Tools (free, requires a Google sending domain), GlockApps, or MailTester.com to test your inbox placement rate. Monitor your bounce rate and spam complaint rate in your sending platform dashboard. A spam complaint rate above 0.3% and a bounce rate above 5% are warning signs that require immediate attention.

How many emails can I safely send per day from a warmed domain?

A fully warmed Google Workspace domain can typically handle 100-200 outbound cold emails per day per inbox without triggering spam filters. To send at higher volumes, use multiple sending inboxes across multiple warmed domains. Most cold email platforms like Instantly rotate sending across multiple inboxes automatically to keep per-inbox volume within safe limits.

Protect Your Deliverability Before Your Next Campaign

Set up authentication, warm your domain, and then let Outvid's AI personalize every email with a video that makes it worth receiving. Start your first campaign free.
