
Configuring SPF & DKIM for Better Outreach

Last updated: March 10, 2026 | 6 min read

What Are SPF and DKIM?

SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are email authentication protocols that help receiving mail servers verify that an email was actually sent from an authorized source. Together, they form the foundation of email deliverability and are essential for any outbound sales or marketing operation.

SPF works by publishing a DNS record that lists all the IP addresses and mail servers authorized to send email on behalf of your domain. When a receiving server gets an email from your domain, it checks the SPF record to confirm that the sending server is on the approved list.

DKIM adds a cryptographic signature, carried in a DKIM-Signature header, to every outgoing email. The receiving server uses a public key (published in your DNS records) to verify the signature, confirming that the signed content was not altered in transit and that it genuinely came from your domain.

Why SPF and DKIM Matter for Outreach

Without properly configured SPF and DKIM records, your outbound emails are significantly more likely to land in spam folders or be rejected outright. Here is why they matter:

  • Inbox placement: Major email providers (Gmail, Outlook, Yahoo) use SPF and DKIM checks as key signals when deciding whether to deliver an email to the inbox or spam folder.
  • Domain reputation: Properly authenticated emails build positive sender reputation over time, which makes all future emails from your domain more likely to be delivered.
  • Spoofing protection: SPF and DKIM prevent bad actors from sending emails that impersonate your domain, protecting both your brand and your recipients.
  • DMARC compatibility: SPF and DKIM are prerequisites for DMARC (Domain-based Message Authentication, Reporting, and Conformance), which provides an additional layer of policy enforcement.

Setting Up SPF Records

To configure SPF, you need to add a TXT record to your domain's DNS settings. Here is the process:

  1. Log in to your domain registrar or DNS management console (e.g., Cloudflare, GoDaddy, Namecheap, Route 53).
  2. Navigate to the DNS records section for your domain.
  3. Create a new TXT record with the following values:
     Type:  TXT
     Host:  @  (or leave blank for root domain)
     Value: v=spf1 include:_spf.google.com include:sendgrid.net ~all

The include: directives specify which mail services are authorized to send on your behalf. Modify these to match your actual email sending infrastructure. Common includes are:

  • include:_spf.google.com -- Google Workspace
  • include:sendgrid.net -- SendGrid
  • include:mailgun.org -- Mailgun
  • include:amazonses.com -- Amazon SES

The ~all at the end is a soft fail mechanism that tells receiving servers to flag (but not reject) emails from unauthorized sources. For stricter enforcement, use -all (hard fail) once you have verified all legitimate senders are included.

Setting Up DKIM Records

DKIM configuration varies by email service provider. Most providers generate the DKIM key pair for you and provide the DNS record you need to publish. Here is the general process:

  1. In your email service provider's admin console, navigate to Authentication or Domain Settings.
  2. Locate the DKIM section and generate a new key pair if one does not already exist.
  3. Copy the provided CNAME or TXT record. It will look something like this:
     Type:  TXT
     Host:  google._domainkey  (selector varies by provider)
     Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhki...
  4. Add this record to your DNS settings.
  5. Return to your email provider and click "Verify" or "Authenticate" to confirm the record is live.

DNS propagation can take up to 48 hours, though most records go live within 15 to 30 minutes.

Testing Your Configuration

After publishing your SPF and DKIM records, verify them using these free tools:

  • Google Admin Toolbox (Check MX): Enter your domain to verify SPF, DKIM, and DMARC records.
  • MXToolbox: Provides detailed diagnostics for SPF record syntax, DNS propagation status, and DKIM selector validation.
  • Mail Tester (mail-tester.com): Send an email to the provided address and receive a deliverability score with actionable recommendations.
  • Send a test email to Gmail: Open the email in Gmail, click the three dots, and select "Show original." Check for "SPF: PASS" and "DKIM: PASS" in the headers.
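
The "Show original" check above can be scripted. The following is an added example, not part of the original guide: it parses the Authentication-Results header and goes one step beyond looking for "pass" by confirming that the pass was recorded for your own domain rather than for your sending provider's domain. The messages, domains, selectors and IP address are constructed placeholders, and passes_for is a hypothetical helper name.

```python
import re
from email import message_from_string

# Constructed messages; the domains, selectors and IP address are placeholders.
OWN_DOMAIN_MAIL = """\
Authentication-Results: mx.receiver.example;
       dkim=pass header.i=@example.com header.s=google header.b=AbCdEf12;
       spf=pass (domain of sales@example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=sales@example.com
From: Sales <sales@example.com>
Subject: test

body
"""
PROVIDER_SIGNED_MAIL = """\
Authentication-Results: mx.receiver.example;
       dkim=pass header.i=@esp-mail.example header.s=s1 header.b=ZyXwVu98;
       spf=pass smtp.mailfrom=bounce@esp-mail.example
From: Sales <sales@example.com>
Subject: test

body
"""


def auth_results(raw):
    """Yield (method, result, properties) for each Authentication-Results clause."""
    for header in message_from_string(raw).get_all("Authentication-Results", []):
        header = re.sub(r"\([^)]*\)", "", header)      # strip (comments)
        for clause in header.split(";")[1:]:           # [0] is the reporting server
            pairs = re.findall(r"([\w.-]+)=(\S+)", clause)
            if pairs:
                (method, result), props = pairs[0], dict(pairs[1:])
                yield method.lower(), result.lower(), props


def passes_for(raw, domain):
    """Per method: did it pass for an identifier under `domain`, not just pass?"""
    verdict = {"spf": False, "dkim": False}
    for method, result, props in auth_results(raw):
        if method not in verdict or result != "pass":
            continue
        ident = props.get("smtp.mailfrom", "") if method == "spf" else (
            props.get("header.d") or props.get("header.i", ""))
        ident = ident.rsplit("@", 1)[-1].lower()
        if ident == domain or ident.endswith("." + domain):
            verdict[method] = True
    return verdict
```

The second sample reports spf=pass and dkim=pass, yet neither result belongs to example.com, which is the situation DMARC alignment is designed to catch.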

Common Mistakes to Avoid

  • Multiple SPF records: A domain must have only one SPF TXT record. If you have multiple, merge them into a single record using additional include: directives.
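  • Exceeding the DNS lookup limit: SPF records are limited to 10 DNS lookups. Each include: mechanism and redirect= modifier counts as one lookup, as do the a, mx, ptr, and exists mechanisms, and lookups inside an included record count toward the same total. Use an SPF flattening tool if you exceed this limit.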
  • Forgetting third-party senders: If you use tools like Mailchimp, Intercom, or a cold email platform alongside your primary email, make sure their servers are included in your SPF record.
  • Using the wrong DKIM selector: Each email provider uses its own selector (e.g., google, s1, k1). Make sure the selector in your DNS record matches what your provider expects.
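
The first two mistakes in this list can be caught before a record is published. The following is an added example, not part of the original guide: a small linter that flags duplicate SPF records and counts DNS lookups across nested include: and redirect= targets. It reads from a constructed dictionary instead of live DNS, every domain name in it is hypothetical, and SPF macros are not handled.

```python
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per SPF evaluation
QUERYING = {"include", "a", "mx", "ptr", "exists"}

# Constructed TXT data standing in for DNS answers; all names are hypothetical.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail-a.example include:_spf.mail-b.example ~all",
                    "site-verification=constructed"],
    "_spf.mail-a.example": ["v=spf1 include:_n1.mail-a.example include:_n2.mail-a.example ~all"],
    "_n1.mail-a.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_n2.mail-a.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.mail-b.example": ["v=spf1 a mx ip4:203.0.113.0/24 ~all"],
    "dup.example": ["v=spf1 include:_spf.mail-a.example ~all",
                    "v=spf1 include:_spf.mail-b.example ~all"],
    "big.example": ["v=spf1 " + " ".join(f"include:_s{i}.vendor.example" for i in range(11)) + " ~all"],
}
ZONE.update({f"_s{i}.vendor.example": [f"v=spf1 ip4:192.0.2.{i} -all"] for i in range(11)})


def spf_records(domain, zone=ZONE):
    """Return only the TXT strings that are SPF records (version tag v=spf1)."""
    return [t for t in zone.get(domain.lower(), []) if t.lower().split(" ")[0] == "v=spf1"]


def count_lookups(domain, zone=ZONE, path=()):
    """Count DNS-querying terms, descending into include: and redirect= targets."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:  # loop, or nothing unambiguous to follow
        return 0
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?").lower()
        name = term.split(":", 1)[0].split("/", 1)[0]
        if name in QUERYING:
            total += 1
            if name == "include" and ":" in term:
                total += count_lookups(term.split(":", 1)[1], zone, path + (domain,))
        elif term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
    return total


def lint(domain, zone=ZONE):
    """Return findings for the two SPF mistakes: duplicate records, lookup limit."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return ["no SPF record" if not records else f"{len(records)} SPF records published"]
    n = count_lookups(domain, zone)
    return [f"{n} DNS lookups exceed the limit of {MAX_LOOKUPS}"] if n > MAX_LOOKUPS else []
```

The record for example.com names only two services but costs six lookups once nested includes and the a and mx mechanisms are counted, which is how a short-looking record ends up over the limit.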

Summary

Configuring SPF and DKIM is one of the highest-impact actions you can take to improve your outbound email deliverability. Set up both records in your DNS, test with free verification tools, and avoid common pitfalls like multiple SPF records or missing third-party senders. Once authenticated, your emails are more likely to reach inboxes, build domain reputation, and drive the results your outreach campaigns need.
