For SDRs and marketers diving into cold email campaigns, deliverability is often a top concern. Whether you're new to sending mass cold emails or an experienced sender struggling with low inbox placement, this guide will help you understand email authentication in detail.
This article covers everything you need to know about MX, SPF, DKIM, and DMARC setup.
Let’s get started.
MX, SPF, DKIM, and DMARC records are "email authentication" methods because they confirm the sender's identity and help determine whether an email comes from a reliable source or has been faked by spammers pretending to be someone else.
In simple words, these records build a trustworthy sender reputation. Think of it as an identity verification of your domain so that ESPs can let your email reach the recipients' primary inbox.
Directs email to your domain's mail servers.
MX records specify which servers handle incoming emails for your domain. These records don’t directly impact outbound email authentication but ensure that your emails are routed properly to recipients.
Prevents sender address forgery.
SPF records list all IP addresses authorized to send emails on behalf of your domain. When you send an email, the recipient’s server checks the SPF record to verify that the sending IP is legitimate.
A correct SPF setup helps keep your emails out of spam by showing you’re an authentic sender.
Confirms message authenticity and integrity.
DKIM attaches a unique digital signature to each outgoing email, verifying the email hasn’t been altered in transit. A private key on your server signs the message, and the matching public key published in your DNS lets the receiving server verify the signature.
A valid DKIM signature boosts your sender reputation and builds trust with ISPs.
Provides visibility and control over unauthenticated emails.
DMARC combines SPF and DKIM to specify actions if an email fails either check. With DMARC, you can choose to allow, quarantine, or reject unauthenticated emails. DMARC also provides reporting, helping you see if others are trying to spoof your domain.
Always complete the email authentication setup (MX, SPF, DKIM, and DMARC) after buying new domains and before warm-ups.
The benefits of email authentication—MX, SPF, DKIM, and DMARC records—include enhanced sender reputation, better deliverability rates, etc.
Here are the benefits in a bit more detail:
Email providers like Gmail and Outlook use authentication to decide if an email is trustworthy. With MX, SPF, DKIM, and DMARC records in place, your sender addresses have a much better chance of reaching the inbox instead of the spam folder, which means higher open rates.
Authentication signals to email providers that your domain is secure and verified. As email providers see this, they begin trusting your emails, making it easier for you to maintain a good sender reputation, which is essential for long-term cold emailing success.
Without authentication, spammers could forge emails to look like they’re from your domain, damaging your brand and reputation. With SPF, DKIM, and DMARC, you protect your domain from unauthorized senders, keeping your brand safe.
When your emails are authenticated and more likely to reach the inbox, recipients are more likely to see, open, and engage with them. Better deliverability and trust lead to higher response rates, making your campaigns more successful.
For specific instructions on setting up your MX Record in Google Workspace, click here and in Microsoft Office 365, click here.
For general instructions, follow this 5-step guide to set up MX records:
Log in to your domain registrar (e.g., GoDaddy, Namecheap, Cloudflare) and navigate to the DNS settings or DNS management section for your domain.
In the DNS management area, find the section to add or manage MX records.
Select the option to add a new record, choose "MX" as the record type, and specify the mail server address (e.g., `mail.yourdomain.com`).
Assign a priority to the MX record, with lower numbers indicating higher priority. Repeat for multiple records if needed.
Save your new MX record settings. It may take up to 48 hours for the changes to fully propagate across the internet.
This setup should allow emails to be routed to your mail server based on the MX records you've specified.
For specific instructions on setting up your SPF Record in Google Workspace, click here and in Microsoft Office 365, click here.
For other ESPs, follow this 5-step guide to set up an SPF record:
Log in to your DNS hosting provider (e.g., GoDaddy, Cloudflare, Namecheap).
Find the DNS management section where you can add or edit DNS records.
Look for an existing SPF record in your DNS settings. If it’s not there, you’ll need to add one.
Start the SPF record with `v=spf1` to indicate the SPF version.
Add your authorized sending IPs or include other domain names authorized to send on your behalf. For example:
End the record with an `all` directive, such as `-all` (strict) or `~all` (lenient).
Example SPF record:
`v=spf1 ip4:192.168.0.1 include:sendgrid.net ~all`
Save the record. The new SPF record may take a few minutes to propagate, though sometimes it can take up to 48 hours.
Use SPF record validation tools like MxToolBox or Google’s SPF check to confirm the record is correct and is properly identifying your sending servers.
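A small linter for the SPF steps above, added here as an illustration and not part of the original guide. The function names are hypothetical; the 10-lookup limit and the one-record-per-domain rule come from RFC 7208 and go beyond what the steps mention.

```python
import ipaddress

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query
MAX_LOOKUPS = 10  # RFC 7208 limit; going over makes receivers return permerror


def lint_spf(record: str) -> list[str]:
    """Return the problems found in one SPF TXT value (empty list means none)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, lookups, mechanisms, has_redirect = [], 0, [], False
    for term in terms[1:]:
        lowered = term.lower()
        if "=" in lowered and ":" not in lowered.split("=", 1)[0]:  # modifier
            has_redirect |= lowered.startswith("redirect=")
            lookups += lowered.startswith("redirect=")  # redirect also costs a lookup
            continue
        qualifier = lowered[0] if lowered[0] in "+-~?" else "+"
        name, _, value = lowered.lstrip("+-~?").partition(":")
        name = name.split("/", 1)[0]  # "a/24" and "mx/24" carry a CIDR suffix
        mechanisms.append(name)
        lookups += name in LOOKUP_MECHANISMS
        if name in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(value, strict=False).is_private:
                    problems.append(f"{term}: not a publicly routable sending address")
            except ValueError:
                problems.append(f"{term}: not a valid address or network")
        if name == "all" and qualifier in "+?":
            problems.append(f"{term}: does not restrict who may send as the domain")
    if "all" not in mechanisms and not has_redirect:
        problems.append("no all mechanism; end the record with -all or ~all")
    elif "all" in mechanisms and mechanisms[-1] != "all":
        problems.append("mechanisms after all are never evaluated")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-lookup terms, limit is {MAX_LOOKUPS}")
    return problems


def lint_domain(txt_values: list[str]) -> list[str]:
    """Lint all TXT values of a domain; more than one SPF record is a permerror."""
    spf = [v for v in txt_values if v.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    return lint_spf(spf[0])
```

Run against the example record above, `lint_spf` flags `ip4:192.168.0.1`: it is a private-range placeholder, and a real record must list the public IP your mail actually leaves from.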
For specific instructions on setting up your DKIM record in Google Workspace, click here and in Microsoft Office 365, click here.
For other ESPs, follow this 5-step guide to set up a DKIM record:
Start by generating a public-private key pair.
Many email service providers (ESPs) and platforms have built-in tools to generate DKIM keys for you. If not, you can use tools like OpenSSL to create one manually.
Log in to your DNS hosting provider (e.g., GoDaddy, Cloudflare, Namecheap). Navigate to the DNS management section where you can add or edit DNS records.
Add a new TXT record.
In the "Host" or "Name" field, add a prefix (often provided by your email provider) followed by `_domainkey`.
For example, `selector1._domainkey`. In the "Value" or "Text" field, paste your public key. This key should begin with `v=DKIM1; k=rsa;` followed by the actual key content.
Save the TXT record. DNS propagation for DKIM records can take a few minutes to a few hours.
Use testing tools like DKIMCore, Google’s Check MX tool, or MxToolbox to confirm that the DKIM record is set up correctly and active. These tools will verify that the record is properly configured and working.
Here’s a step-by-step guide for setting up a DMARC (Domain-based Message Authentication, Reporting, and Conformance) record on your server. DMARC helps protect your domain from unauthorized use, such as phishing emails, by aligning SPF and DKIM authentication.
None (`p=none`): Monitors email traffic without affecting delivery. Useful for testing.
Quarantine (`p=quarantine`): Sends suspicious emails to spam or junk.
Reject (`p=reject`): Blocks suspicious emails from reaching the recipient.
Choose the level that best fits your needs; testing with `none` is often recommended before setting stricter policies.
Access your DNS management console on your hosting provider’s site (e.g., GoDaddy, Cloudflare, Namecheap).
Navigate to the section where you can add or edit DNS records.
In the “Host” or “Name” field, enter `_dmarc.yourdomain.com` (replace “yourdomain.com” with your actual domain name).
In the “Value” or “Text” field, enter your DMARC policy.
The basic structure includes the version (`v=DMARC1`), policy (`p=policy`), and email address for reports (`rua=mailto:your-email@domain.com`).
Enter an email to receive regular summary reports on DMARC alignment.
For detailed reports on failed messages.
Customize reporting for specific DMARC failures (e.g., `fo=1` for failures to be reported).
Save the DMARC record. Allow some time for DNS propagation, which can range from a few minutes to 24 hours.
Use DMARC testing tools like DMARC Analyzer or MXToolbox to verify that your DMARC record is correctly configured and monitor its effectiveness.
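A checker for the DMARC record structure described above, added as an illustration and not taken from the original guide. The function names are hypothetical, the host is assumed to be given as a full name, and the `ruf` tag (the failure-report address that `fo` depends on, per RFC 7489) is not named in the steps.

```python
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT value into its tag=value pairs, keeping their order."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, sep, value = part.partition("=")
            if not sep:
                raise ValueError(f"malformed tag: {part.strip()!r}")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(host: str, record: str) -> list[str]:
    """Return findings for a DMARC record published at `host` (full name)."""
    findings = []
    if not host.lower().startswith("_dmarc."):
        findings.append("record must be published at _dmarc.<domain>")
    tags = parse_dmarc(record)
    # Receivers ignore the record unless v=DMARC1 is the very first tag.
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        return findings + ["first tag must be v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"p must be one of {', '.join(VALID_POLICIES)}")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:") or "@" not in uri:
                findings.append(f"{tag} entry {uri!r} is not a mailto: address")
    if "rua" not in tags:
        findings.append("no rua: you will receive no aggregate reports")
    if "fo" in tags and "ruf" not in tags:
        findings.append("fo has no effect without a ruf address")
    return findings
```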
Here’s how you can check if your MX, SPF, DKIM, and DMARC records are set up correctly:
Send a test email and examine the headers for:
Tools like MXToolbox or Google Apps Toolbox provide quick checks for your SPF, DKIM, and DMARC records.
Many email service providers have a “Domains” or “Settings” section where you can verify these records. Correctly set up records will usually display with green checkmarks or “verified” status.
You can use nslookup (short for "Name Server Lookup"). It’s a command-line tool used for querying Domain Name System (DNS) records. It helps network administrators and users retrieve various DNS details, such as IP addresses associated with a domain, the Mail Exchange (MX) records for email routing, or TXT records for SPF, DKIM, and DMARC authentication.
If records aren’t passing, adjustments to your DNS settings may be needed. Remember that while these records authenticate emails, proper server configurations are essential for the records to be effective in enforcing your domain policies.
These methods will confirm if your MX, SPF, DKIM, and DMARC records are properly set up and functioning.
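For the header check on a test email, the sketch below reads the `Authentication-Results` header that the receiving server adds. It is an added example, not part of the original guide; the sample message, host names and function name are constructed, and alignment is tested as an exact domain match, which is stricter than DMARC's default relaxed mode.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers; mx.receiver.example stands in for your inbox provider.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@yourdomain.com header.s=selector1;
 spf=pass (sender IP is authorized) smtp.mailfrom=bounce.mailer.example;
 dmarc=pass header.from=yourdomain.com
Authentication-Results: relay.other.example; spf=fail smtp.mailfrom=yourdomain.com
From: Sales <sdr@yourdomain.com>
Subject: test

body
"""

RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)((?:\s+[\w.]+=[^\s;]+)*)")
DOMAIN_PROPS = ("smtp.mailfrom", "header.d", "header.i", "header.from")


def auth_summary(raw: str, trusted_authserv: str) -> dict:
    """Collect spf/dkim/dmarc verdicts stamped by the receiver you trust."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    summary = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != trusted_authserv.lower():
            continue  # any hop can add this header; trust only your receiver's
        results = re.sub(r"\([^)]*\)", "", results)  # drop (comments)
        for method, result, props in RESULT.findall(results):
            pairs = (p.split("=", 1) for p in props.split())
            domains = [v.rpartition("@")[2].lower() for k, v in pairs if k in DOMAIN_PROPS]
            summary[method] = {"result": result.lower(),
                               "domain": domains[0] if domains else None,
                               "aligned": from_domain in domains}
    return summary
```

In the sample, SPF passes for the sending platform's bounce domain but is not aligned with the From domain, so the DMARC pass rests on the aligned DKIM signature.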
Once you’ve set up MX, SPF, DKIM, and DMARC, it’s time to warm up your email. Jumping straight into sending cold emails can hurt deliverability, even with these records in place.
Use a tool like Manyreach that comes with unlimited email warm-ups to warm up your email senders daily for 30 days. This builds a positive reputation for your domain and helps your emails hit inboxes, not spam.
Start slow, and let the warm-up process work its magic!