Cold Email Domain Setup Checklist 2026: SPF, DKIM, DMARC & Warm-Up

Sumit Nautiyal
May 6, 2026
Last updated: May 6, 2026

Most cold email deliverability problems are not sequencing problems or copy problems. They are infrastructure problems. A single misconfigured DNS record, a domain sent without warm-up, or a missing DMARC policy can route your entire outbound motion to spam before a single prospect reads your message.

This is the exact checklist DevCommX uses when setting up cold email infrastructure for clients, the same infrastructure that powers AI-powered SDR systems and signal-based outbound campaigns. Follow every step before sending a single cold email.

Why Domain Setup Is the Foundation of Cold Email Success

Before diving into the checklist, it's worth understanding why infrastructure matters more than most sales teams realise.

Email providers like Gmail and Outlook have become increasingly sophisticated at identifying low-quality senders. In 2024, Google tightened its bulk sender requirements, mandating one-click unsubscribe links and enforcing stricter spam thresholds. In 2026, these filters are even more nuanced: they assess your DNS configuration, sending history, domain age, engagement signals, and complaint rates simultaneously.

Even a perfectly crafted, hyper-personalised cold email will land in spam if the domain sending it hasn't been properly configured and warmed. Conversely, a solid infrastructure gives even average copy a fighting chance of reaching the inbox.

The good news: domain setup is a one-time investment. Do it right once, and it becomes a durable competitive advantage.

Phase 1: Domain Purchase and Structuring

Step 1: Buy Sending Domains Separate from Your Main Domain

Never send cold email from your primary domain (yourcompany.com). If it gets blacklisted (and aggressive outbound will eventually cause issues), you will damage your primary domain's reputation, affecting all company email, including internal communications and transactional messages.

Buy secondary sending domains that mirror your brand:

  • yourcompany.io
  • getyourcompany.com
  • tryyourcompany.com
  • yourcompanyhq.com

Each sending domain should support 2–3 sending mailboxes maximum. For 100 emails per day per mailbox, 3 domains with 3 mailboxes each gives you 900 emails per day of total sending capacity. This distributed approach also means that if one domain takes a reputation hit, your entire outbound operation doesn't go down.

When choosing alternative TLDs and prefixes, prioritise names that still look professional and credible to a prospect seeing the sender address for the first time. Domains like "tryyourcompany.com" or "getyourcompany.com" are common enough that most savvy B2B buyers won't flag them, but anything that looks spammy or promotional in the domain name itself will hurt open rates before deliverability is even a factor.

Step 2: Choose the Right Registrar

Use Google Domains (now Squarespace Domains), Namecheap, or Cloudflare Registrar. Avoid obscure registrars: some spam filters flag emails from domains registered at less reputable registrars, and their control panels are often harder to navigate for DNS configuration.

Cloudflare Registrar is a particularly strong choice in 2026 because it offers at-cost domain pricing (no markup), an excellent DNS management interface, and fast propagation times, all of which are useful during the setup phase.

Step 3: Account for Domain Age

New domains need 14–21 days of warm-up before sending cold email at scale. This isn't just about warming the mailboxes; it's about establishing a sending history for a domain that email providers have never seen before. A brand-new domain sending hundreds of emails immediately is a classic spam signal.

Plan your campaign start dates accordingly. If you need to launch a campaign on the 1st of the month, purchase your domains at least three weeks before and begin the warm-up process on day one.

Phase 2: DNS Authentication Records

This is the technical foundation. Every record must be correct. A single error here and Gmail and Outlook will route your emails to spam or reject them outright. Take your time with this phase and verify each record after setting it.

Step 4: Configure SPF (Sender Policy Framework)

SPF tells receiving mail servers which IP addresses are authorised to send email on behalf of your domain. When a receiving server gets an email claiming to be from yourdomain.io, it checks the SPF record to verify the sending server is on the approved list.

Example SPF record for Google Workspace sending:

v=spf1 include:_spf.google.com ~all

Key rules to follow:

Only one SPF record per domain. Multiple SPF records cause SPF to fail entirely: receiving servers don't know which one to trust and treat the configuration as broken.

Use ~all (softfail) when starting. This tells receiving servers to accept the email but mark it as potentially suspicious. Once you've confirmed all your legitimate sending sources are included, switch to -all (hardfail), which rejects emails from unauthorised sources entirely.

Merge multiple senders into one record. If you're using Google Workspace for sending but also routing through a platform like Smartlead or Instantly, combine them in a single record. For example, with a second sender whose SPF include is sendgrid.net: v=spf1 include:_spf.google.com include:sendgrid.net ~all. Use the include value your own sending platform documents. Adding a second SPF record instead of merging is one of the most common configuration mistakes.

Verify your SPF record is live using MXToolbox's SPF checker at mxtoolbox.com/spf.aspx.
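The one-record and merge rules above can be checked offline against the TXT strings a domain publishes. The following is an added example, not part of the original checklist or any vendor tool: the function names and finding codes are hypothetical, the sample record set is constructed, and the 10-DNS-lookup check reflects the limit in RFC 7208.

```python
"""Lint and merge SPF TXT records for one domain (added example)."""
import re

ALL_TERMS = {"+all", "all", "?all", "~all", "-all"}
LOOKUP_NAMES = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_only(txt_records):
    """Keep the TXT strings whose first term is the SPF version tag."""
    return [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]


def costs_lookup(term):
    """True for terms that make the receiver perform a DNS query."""
    name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
    return name in LOOKUP_NAMES


def lint_spf(txt_records):
    """Return finding codes for the TXT record set published at a domain."""
    spf = spf_only(txt_records)
    if not spf:
        return ["no-spf-record"]
    findings = []
    if len(spf) > 1:
        # Two v=spf1 records make SPF evaluation return a permanent error.
        findings.append("multiple-spf-records")
    for rec in spf:
        terms = [t.lower() for t in rec.split()[1:]]
        alls = [t for t in terms if t in ALL_TERMS]
        if not alls and not any(t.startswith("redirect=") for t in terms):
            findings.append("no-all-term")
        if any(t in ("+all", "all") for t in alls):
            findings.append("all-authorises-any-sender")
        # Counts this record's own terms only; nested includes add more.
        if sum(costs_lookup(t) for t in terms) > 10:
            findings.append("over-10-dns-lookups")
    return findings


def merge_spf(txt_records, final="~all"):
    """Fold every SPF record into one, keeping each mechanism once, in order."""
    seen, merged = set(), []
    for rec in spf_only(txt_records):
        for term in rec.split()[1:]:
            key = term.lower()
            if key in ALL_TERMS or key in seen:
                continue
            seen.add(key)
            merged.append(term)
    return " ".join(["v=spf1", *merged, final])


# Constructed TXT record set showing the two-record mistake.
BROKEN = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:sendgrid.net ~all",
    "google-site-verification=CONSTRUCTED-PLACEHOLDER",
]

if __name__ == "__main__":
    print(lint_spf(BROKEN))
    fixed = merge_spf(BROKEN)
    print(fixed, lint_spf([fixed]))
```

Feed it the strings returned by a TXT lookup on each sending domain, and pass final="-all" to merge_spf once every legitimate sender is confirmed.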

Step 5: Configure DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to your outgoing emails. The signature is generated using a private key held by your email provider and verified by receiving servers using a public key published in your DNS. This proves the email was not tampered with in transit and genuinely came from an authorised sender.

Setting up DKIM in Google Workspace:

  1. Go to Google Admin Console → Apps → Google Workspace → Gmail → Authenticate email
  2. Generate a DKIM key (use 2048-bit minimum; 1024-bit is considered insecure in 2026)
  3. Copy the TXT record provided and add it to your domain's DNS
  4. Return to the Admin Console and enable DKIM signing
  5. Allow 24–48 hours for DNS propagation before verifying

Verify the record is live with: dig TXT google._domainkey.yourdomain.com

You can also use MXToolbox's DKIM checker at mxtoolbox.com/dkim.aspx to confirm the record is returning correctly and the key is valid.

DKIM is critical. Emails lacking DKIM signatures are significantly more likely to be flagged by spam filters, and without it, your DMARC policy cannot reach its full enforcement potential.

Step 6: Configure DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC ties SPF and DKIM together by telling receiving mail servers what to do when either check fails. It also provides a reporting mechanism so you can monitor authentication failures across all email sent from your domain, including spoofed emails you didn't send yourself.

Start with a monitoring policy:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

The p=none policy means receiving servers take no action on failing emails; they just send reports to your designated address. Run this for 30 days to understand your authentication baseline before moving to enforcement.

After 30 days of clean reports, move to quarantine:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

This routes failing emails to spam folders rather than rejecting them outright.

Eventually move to reject for maximum protection:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; pct=100

The reject policy is the gold standard. It blocks failing emails entirely and signals to receiving servers that your domain takes authentication seriously, which positively influences your domain reputation score.

Note: If you don't have a dedicated inbox for DMARC reports, use a tool like Postmark's DMARC Digests or Dmarcian to parse the reports into readable summaries.
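One way to read the aggregate (rua) reports collected during the p=none period, shown as an added example that is not part of the original checklist: it totals, per sending IP, how much mail would have failed DMARC had the policy been enforced. The report below is constructed, uses documentation IP ranges, and omits the optional fields real reports carry; the function names are hypothetical.

```python
"""Summarise a DMARC aggregate (rua) report before tightening the policy."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate report layout.
SAMPLE_REPORT = """
<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>480</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>
"""


def summarise(report_xml):
    """Return {source_ip: {"pass": n, "fail": n}} for one aggregate report."""
    # Reports arrive from outside parties; in production, parse them with a
    # hardened XML parser (for example defusedxml) rather than the stdlib one.
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count", "0"))
        # policy_evaluated holds the aligned results; a message passes DMARC
        # when at least one of the two is "pass".
        ok = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        totals[row.findtext("source_ip")]["pass" if ok else "fail"] += count
    return dict(totals)


def enforcement_impact(report_xml):
    """Report what p=quarantine; pct=100 would have done to this mail."""
    per_ip = summarise(report_xml)
    failing = {ip: v["fail"] for ip, v in per_ip.items() if v["fail"]}
    return {
        "messages": sum(v["pass"] + v["fail"] for v in per_ip.values()),
        "would_quarantine": sum(failing.values()),
        "failing_sources": sorted(failing, key=failing.get, reverse=True),
    }


if __name__ == "__main__":
    print(enforcement_impact(SAMPLE_REPORT))
```

Any IP in failing_sources that belongs to one of your own sending platforms needs its SPF or DKIM fixed before you move to quarantine; IPs you do not recognise are the mail the policy is meant to stop.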

Step 7: Configure MX Records

Ensure your MX records point to your email provider (Google Workspace or Microsoft 365). Without valid MX records, replies won't be received. This matters more than it sounds: a domain that can send but not receive email is a strong spam signal. Spam filters check MX records, and missing or misconfigured ones can cause your outgoing emails to be treated with higher suspicion.

If you're using Google Workspace, your MX records should look like this:

| Priority | Mail Server |
| --- | --- |
| 1 | ASPMX.L.GOOGLE.COM |
| 5 | ALT1.ASPMX.L.GOOGLE.COM |
| 5 | ALT2.ASPMX.L.GOOGLE.COM |
| 10 | ALT3.ASPMX.L.GOOGLE.COM |
| 10 | ALT4.ASPMX.L.GOOGLE.COM |

Step 8: Verify Everything with Google Postmaster Tools

After configuring all records, set up Google Postmaster Tools at postmaster.google.com. Add each sending domain and verify ownership via a DNS TXT record.

Postmaster Tools gives you visibility into:

  • Domain Reputation: High, Medium, Low, or Bad. You need High before scaling.
  • IP Reputation: The reputation of the IPs your emails are sent from.
  • Spam Rate: The percentage of your emails Gmail users mark as spam.
  • Delivery Errors: Authentication failures, rate limiting, and other issues.

If your domain reputation shows Low or Medium, complete your warm-up period before increasing send volume. Do not try to push through: sending at scale with a damaged reputation accelerates the damage.

Phase 3: Email Warm-Up

Step 9: Create Sending Mailboxes

For each sending domain, create 2–3 mailboxes with professional naming:

  • firstname@yourdomain.io (e.g., amrit@devcommx.io)
  • firstname.lastname@yourdomain.io
  • firstname@getyourcompany.com

Avoid generic names like info@, sales@, or hello@. These addresses have consistently lower deliverability than named sender addresses because they're associated with bulk, impersonal communication. A real name in the From field also builds more trust with recipients, improving open rates.

Step 10: Build Out Complete Mailbox Profiles

Every sending mailbox needs a complete identity:

  • A profile photo of a real person (not a logo or avatar)
  • A full name (First Last)
  • A job title and company name in the email signature
  • A LinkedIn URL in the signature
  • A phone number (optional but adds trust)

This may feel like a small detail, but it contributes to the overall legitimacy signal your emails project. Spam filters look at email metadata holistically, and a complete sender profile is one of dozens of small trust signals that accumulate across your outreach.

Step 11: Connect to a Warm-Up Tool and Keep It Running

Never skip warm-up. Connect every new mailbox to a warm-up tool for 14–21 days before sending any cold email. Warm-up tools simulate real email activity by automatically sending and replying to emails between a network of trusted mailboxes, gradually building your sending reputation.

Recommended warm-up tools in 2026:

| Tool | Price | Notes |
| --- | --- | --- |
| Mailreach | $25/mailbox/month | Best reputation network, Google-safe |
| Smartlead (built-in) | Included in plan | Good if using Smartlead for sending |
| Instantly (built-in) | Included in plan | Good if using Instantly for sending |
| Lemwarm | $29/mailbox/month | Lemlist's warm-up tool, solid network |

Warm-up ramp schedule:

Critically, keep warm-up running permanently alongside cold email sending. It maintains your sender reputation and compensates for any spam complaints you receive. Turning off warm-up once you're sending at scale is a common mistake that leads to gradual reputation decay.

Phase 4: Sending Infrastructure Setup

Step 12: Choose Your Sending Platform

| Platform | Price | Best For |
| --- | --- | --- |
| Smartlead | $59–$174/month | High-volume outbound, Clay integration |
| Instantly | $37–$97/month | Ease of use, solid deliverability |
| Lemlist | $39–$159/month | LinkedIn + email multichannel |
| Reply.io | $49–$89/month | Full sales engagement platform |

For teams using Clay for data enrichment, Smartlead is the most common pairing due to its native Clay integration and webhook support. If you're running a lighter outbound operation and want a simpler interface, Instantly is an excellent choice.

Step 13: Configure Unsubscribe Handling

Every sequence needs a one-click unsubscribe link. Gmail's 2024 bulk sender requirements made this mandatory, and violating it drives up spam complaint rates fast. All major sending platforms include this automatically; do not turn it off or attempt to work around it.

Beyond compliance, unsubscribes are actually healthy for your domain. Someone who unsubscribes is far less likely to mark you as spam, which protects your sender reputation. Make it easy for disinterested recipients to opt out.

Step 14: Set Sending Limits Per Mailbox

Maximum recommended cold email limits per mailbox per day:

  • Google Workspace: 40–50 cold emails/day
  • Microsoft 365/Outlook: 50–60 cold emails/day
  • Hard cap: Never exceed 80 cold emails per mailbox per day, regardless of provider

Spread volume across all mailboxes. For 300 cold emails per day, use 6+ mailboxes across 2–3 domains. This distributes risk and keeps you well within the safe sending thresholds for each individual mailbox.

Phase 5: Monitoring and Maintenance

Step 15: Monitor Spam Complaint Rates Weekly

Your spam rate should stay below 0.1%, which is 1 complaint per 1,000 emails sent. Above 0.3% and Gmail will begin throttling your delivery. Above 1% and you risk domain blacklisting, which requires delisting requests and extended repair periods.

Monitor via Google Postmaster Tools. Note that Postmaster Tools only shows data for Gmail recipients, but Gmail accounts for 60% or more of most B2B prospect inboxes, making it a reliable leading indicator of your overall deliverability health.

High spam complaint rates are almost always a targeting or relevance problem. If your open rates are acceptable but complaint rates are rising, examine your list quality and sequence messaging.

Step 16: Run Monthly Blacklist Checks

Use MXToolbox Blacklist Check (mxtoolbox.com/blacklists.aspx) on all sending domains monthly. If you appear on a blacklist, stop sending immediately from that domain and investigate the cause before requesting delisting. Common causes include a spike in spam complaints, sending to a spam trap, or an unusually high bounce rate.

Delisting requests vary in speed. SPAMHAUS delisting can take 24–48 hours; others are faster. But the more important step is diagnosing and fixing the root cause; otherwise the same domain will be relisted.

Step 17: Rotate Domains Every 6–12 Months

Even with perfect practices, high-volume sending domains accumulate reputation damage over time. Plan to retire and replace sending domains annually for sustained deliverability at scale. When retiring a domain, wind down volume gradually rather than cutting off abruptly, and maintain the DNS records for 90 days after the last email is sent.

Common Cold Email Domain Setup Mistakes

| Mistake | Consequence |
| --- | --- |
| Sending from primary domain | Main domain blacklisted, all company email affected |
| Skipping warm-up | Immediate spam folder placement, domain flagged |
| Multiple SPF records on one domain | SPF failure, emails rejected or flagged |
| No DMARC record | Domain spoofing risk, lower trust score |
| Exceeding 50 emails/day per mailbox | Provider rate limiting, domain reputation damage |
| Generic sender names (sales@, info@) | Lower open rates, higher spam placement |
| Not monitoring Postmaster Tools | Missing early warning signs of reputation damage |
| Turning off warm-up once sending starts | Gradual reputation decay over weeks |

How This Fits Into Your Full GTM Stack

Cold email infrastructure is one layer of a full GTM engineering stack. The setup described here is the foundation that your email deliverability strategy sits on top of. Once infrastructure is live and warmed up, connect it to Clay for enrichment-driven personalisation and signal-based prospecting.

A well-configured infrastructure doesn't just improve deliverability. It enables higher-quality, more targeted campaigns because you have the headroom to send carefully targeted, low-volume sequences to high-value segments without worrying about hitting your limits.

If you need a GTM engineer to set up and manage this infrastructure, consider reaching out to a specialist or reviewing hiring guides for GTM engineers who understand the intersection of sales process and technical infrastructure.

Conclusion

Cold email infrastructure is not glamorous, but it is the difference between a scalable outbound motion and one that constantly fights fires. Invest the time upfront to configure SPF, DKIM, and DMARC correctly, warm every mailbox properly, and monitor your reputation consistently. The returns compound: a high-reputation domain that has been maintained for six months is dramatically more valuable than a freshly spun-up domain, and that advantage grows over time.

Follow this checklist before sending your first cold email from any new domain, and revisit it quarterly to ensure your sending infrastructure is still in good shape.

Frequently Asked Questions

Q: Can I use my main domain for cold email if I'm only sending a small number of emails?

A: It's not recommended, even at low volume. The risk isn't just blacklisting; it's reputation damage that accumulates slowly and is hard to reverse. A secondary sending domain costs a few dollars per year and completely insulates your primary domain. It's one of the cheapest risk mitigation steps in outbound sales.

Q: How long does DNS propagation take after setting up SPF, DKIM, and DMARC?

A: Most DNS changes propagate within a few hours, but the standard window is 24–48 hours. Always verify your records using MXToolbox or a dig command after 48 hours rather than immediately after making the change. DKIM in particular needs to be enabled in your mail provider's settings after the DNS record is live.

Q: What's the difference between SPF softfail (~all) and hardfail (-all)?

A: Softfail (~all) tells receiving servers to accept emails from unauthorised senders but mark them as potentially suspicious. Hardfail (-all) tells receiving servers to reject them outright. Start with softfail while you're confirming all your sending sources are correctly included, then move to hardfail once your configuration is stable.

Q: Do I need DMARC if I already have SPF and DKIM?

A: Yes. SPF and DKIM independently verify parts of the sending process, but DMARC is what ties them together and tells receiving servers what to do when either check fails. Without DMARC, your domain is also vulnerable to spoofing: someone else can send email that appears to come from your domain, and there's no policy in place to block it.

Q: How many sending domains do I need?

A: As a baseline, plan for one domain per 2–3 sending mailboxes, and one mailbox per 40–50 cold emails per day. For a team sending 500 cold emails per day, that's roughly 10–12 mailboxes across 4–6 domains. Scale the number of domains with your volume targets.

Q: What happens if I skip the warm-up period?

A: A new domain or mailbox that immediately starts sending high volumes of cold email will almost certainly land in spam from day one. Email providers treat unrecognised senders as high-risk by default. The warm-up period establishes a positive sending history that signals you are a legitimate sender.

Q: My emails are landing in spam despite correct DNS setup. What should I check?

A: First verify your DNS records are actually live (not just saved in your provider's panel) using MXToolbox. Then check Google Postmaster Tools for any domain or IP reputation signals. Review your email content for spam trigger words. Check your bounce rate: high bounces indicate list quality issues that damage reputation. Finally, verify your warm-up is still running and your daily send limits are within recommended ranges.

Q: Is it safe to use the same warm-up network as my competitors?

A: Reputable warm-up tools run large, diverse networks specifically to prevent this from being an issue. The warm-up emails are internal to the network and don't affect your campaign targeting. The main thing to avoid is cheap or low-quality warm-up tools that use small, low-quality networks; these can actually hurt rather than help your reputation.

Sumit Nautiyal

Sumit Nautiyal is a Revenue Operations strategist, GTM architect, and B2B growth systems expert who has partnered with 300+ companies across 4 continents to close the gap between revenue potential and revenue reality. With 150+ GTM and RevOps implementations.
