SPF, DKIM, and DMARC: the cold-email checklist Google actually checks in 2026
The three records every cold sender needs, what each one does, what Google and Microsoft penalise when they are wrong.
Rejwan Nirob·Apr 8, 2026·7 min readThere is no such thing as a cold-email program with weak DNS that survives 2026. Google enforces SPF and DKIM alignment for any sender exceeding 5,000 emails per day, and Microsoft is converging on the same posture. If you are running outbound at agency scale and your DMARC report is silent, that is not a good sign - that is the silence of a domain nobody is reading.
What each record actually does
SPF declares which IPs are allowed to send on your behalf. DKIM cryptographically signs each message so the receiving server can prove it was not modified in transit. DMARC tells the receiving server what to do when SPF and DKIM disagree with the visible From address - accept, quarantine, or reject.
On their own, none of the three is sufficient. SPF without DKIM gets spoofed. DKIM without DMARC has no enforcement. DMARC without alignment is theatre. The trio works because each one closes a different attack surface.
What Google checks before it lets you in
- SPF passes for the sending IP (publish exactly one TXT record, not two)
- DKIM signature validates against the published 2048-bit key
- DMARC alignment is strict or relaxed, and explicitly published
- PTR record on the sending IP resolves back to a hostname under your domain
- TLS 1.2+ is offered on the connection
The most common mistake
Two SPF records. We see it constantly - one record for Google Workspace, one record for a marketing tool, both published as separate TXT entries. SPF spec allows one. Two records means SPF fails entirely, and your cold campaign starts every send half a step behind.
Inboxlee handles this by merging includes into a single record at provisioning time. If you bring an existing domain, the wizard flags conflicting SPF before you connect a mailbox.
Every domain Inboxlee provisions ships with SPF, DKIM 2048-bit, DMARC quarantine, and MX configured on day one. Background polling confirms propagation before the mailbox is marked live.
Provision a domainFrequently asked
Do I need SPF, DKIM, and DMARC all three for cold email?
Yes. SPF declares which servers can send for your domain, DKIM cryptographically signs each message, and DMARC tells receivers what to do when the first two disagree with the visible From address. Missing any one and Gmail/Outlook drop your placement immediately.
What DMARC policy should I use for cold email - none, quarantine, or reject?
Start with p=quarantine. p=none gives you reporting but no enforcement and providers treat it as soft. p=reject is the strictest but can silently drop legitimate mail if anything is misconfigured. Quarantine is the safe default and what Inboxlee provisions automatically.
Why do two SPF records break my deliverability?
SPF spec allows exactly one TXT record per domain. If you publish two (e.g. one for Workspace and one for a marketing tool), SPF fails entirely and your cold sends start every message half a step behind. Inboxlee merges all includes into one record at provisioning time.
Does Google really enforce SPF and DKIM for cold senders in 2026?
Yes. Google enforces SPF and DKIM alignment for any sender exceeding 5,000 emails per day, and Microsoft is converging on the same posture. Even below 5K/day, missing or weak auth correlates with measurable placement decline.