
The Founder's Cold Email Deliverability Cheatsheet: SPF, DKIM, DMARC Without the Jargon

By Mayur Kale · 20 May 2026 · 8 min read

A 60-second mental model of email deliverability for tech founders — what SPF, DKIM, and DMARC actually do, why they matter, and the exact records to set today.

Most cold-email "best practice" articles spend two pages defining DNS before getting to the point. Tech founders don't need the definition — they need to know what to set, on which domain, in what order, and what happens if they get it wrong.

So here's the 60-second mental model first, then the exact records.

The 60-second model

A receiving mail server (Gmail, Outlook, Apple Mail) has to decide three things about every incoming email:

  1. Is the sender who they say they are? → SPF answers this.

  2. Was the message tampered with on the way? → DKIM answers this.

  3. What should I do when one of the above fails? → DMARC tells the receiver your policy.

Without all three, modern filters quietly route your cold email to spam. Not with a bounce — silently, so you don't even know. This is why people obsess about deliverability before sending: catching the silent-route-to-spam is the hardest pipeline leak to debug.

Rule 1: never use your primary domain for cold outbound

Buy secondary domains. Send cold email from getbookedcalls.com, not bookedcalls.ai. If a domain's reputation gets damaged (spam complaints, blacklist hit), throw it away — don't damage the primary domain your customers receive transactional + product email from.

Typical setup for a founder: one primary, three or four sending domains. Mailbox per inbox, ~30–40 sends per inbox per day max. Rotate.

SPF — "is the sender who they say they are?"

SPF (Sender Policy Framework) is a DNS TXT record listing the servers allowed to send mail on behalf of your domain. When Google sees a message claiming to be from getbookedcalls.com, it looks up the SPF record and checks: is the sending server on the list?

What to set: A single TXT record at the root of each sending domain (@).

Replace the include: values with whichever sending service you actually use (Instantly, Lemlist, Smartlead, Google Workspace, Mailgun, etc. — each publishes its own SPF include string).

The -all at the end means "anything not in this list, hard-reject." Some guides say use ~all (soft-fail) — don't. -all is the right answer for cold-email sending domains.

Common gotcha: you can only have one SPF record per domain. If your provider sets one and you set another, they conflict and both fail. Merge into a single record.
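A check for the SPF points above (one record only, `-all` at the end, merging on conflict), added here as an example and not part of the original article. The `provider-a` / `provider-b` include hosts and the function names are constructed placeholders, and the 10-lookup limit it also checks comes from RFC 7208, not from this page.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lookup_count(terms):
    """Count terms that each trigger a DNS lookup; RFC 7208 allows at most 10.
    Lookups made inside each include also count, so this is a lower bound."""
    names = (re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0] for t in terms)
    return sum(name in LOOKUP_TERMS for name in names)

def lint_spf(txt_records):
    """Return problems found in the TXT records published at a domain's root."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly 1 SPF record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    problems = []
    if not terms or terms[-1].lstrip("+-~?") != "all":
        problems.append("record does not end with an 'all' mechanism")
    elif terms[-1] != "-all":
        problems.append(f"ends with {terms[-1]!r}, not '-all'")
    if lookup_count(terms) > 10:
        problems.append(f"{lookup_count(terms)} DNS lookups in this record alone; limit is 10")
    return problems

def merge_spf(txt_records):
    """Combine every SPF record into one: each term once, a single -all at the end."""
    merged = []
    for r in txt_records:
        if r.lower().split()[:1] != ["v=spf1"]:
            continue  # unrelated TXT records (site verification etc.) are left alone
        for t in r.split()[1:]:
            if t.lstrip("+-~?").lower() != "all" and t not in merged:
                merged.append(t)
    return " ".join(["v=spf1", *merged, "-all"])

# Constructed sample TXT record sets (placeholder hosts, not real provider strings).
GOOD = ["v=spf1 include:_spf.provider-a.example -all", "site-verification=constructed-token"]
CONFLICT = ["v=spf1 include:_spf.provider-a.example -all",
            "v=spf1 include:_spf.provider-b.example -all"]
SOFT = ["v=spf1 include:_spf.provider-a.example ~all"]

if __name__ == "__main__":
    for name, records in (("GOOD", GOOD), ("CONFLICT", CONFLICT), ("SOFT", SOFT)):
        print(name, lint_spf(records))
    print(merge_spf(CONFLICT))
```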

DKIM — "was the message tampered with?"

DKIM (DomainKeys Identified Mail) cryptographically signs every outgoing email with a private key. The matching public key lives in a DNS TXT record on your domain. The receiver fetches the public key, checks the signature, and confirms the message hasn't been altered.

What to set: Whatever your sending provider gives you. It'll look like a long TXT record at a selector subdomain (selector1._domainkey.getbookedcalls.com):

You won't author this yourself — your sending tool produces it. You paste it into your DNS exactly as given.

Common gotcha: the public key is long. Some DNS providers split it into multiple strings; some don't. Both work, but truncation breaks DKIM silently. After setting, test using dkimvalidator.com or mail-tester.com.
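A local check for the truncation gotcha above, added here as an example and not part of the original article: it joins the quoted strings of a DKIM TXT value, decodes `p=`, and compares the length the RSA key declares in its own header with the bytes actually present. The sample record is constructed from placeholder bytes and is not a real key; the function names are illustrative.

```python
import base64
import binascii
import re

def join_txt(rdata):
    """Join a TXT value published as several quoted strings into one string."""
    parts = re.findall(r'"([^"]*)"', rdata)
    return "".join(parts) if parts else rdata.strip()

def check_dkim_record(rdata):
    """Return a list of problems found in a DKIM selector TXT value (RSA keys)."""
    pairs = (t.partition("=") for t in join_txt(rdata).split(";"))
    tags = {k.strip(): v.strip() for k, _, v in pairs if k.strip()}
    if tags.get("k", "rsa") != "rsa":
        return []  # non-RSA keys are not DER-wrapped; this check does not apply
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:
        return ["p= is empty or missing"]
    try:
        der = base64.b64decode(p, validate=True)
    except binascii.Error:
        return ["p= is not valid base64 (cut off or mangled)"]
    # An RSA key is a DER SEQUENCE: tag 0x30, then the length of what follows.
    if len(der) < 4 or der[0] != 0x30:
        return ["p= does not decode to a DER structure"]
    if der[1] < 0x80:
        declared, header = der[1], 2
    else:
        n = der[1] & 0x7F
        declared, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    present = len(der) - header
    if present != declared:
        return [f"key declares {declared} bytes but {present} are present (truncated)"]
    return []

def sample_record():
    """Constructed sample: DER-shaped bytes the size of a 2048-bit key, not a real key."""
    der = b"\x30\x82\x01\x22" + bytes(290)
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(der).decode()
    # Publish as 255-character quoted strings, the way many DNS providers split long values.
    return " ".join(f'"{value[i:i + 255]}"' for i in range(0, len(value), 255))

if __name__ == "__main__":
    full = sample_record()
    first_string_only = full.split('" "')[0] + '"'  # what a truncating DNS panel would keep
    print(check_dkim_record(full))
    print(check_dkim_record(first_string_only))
```

Paste the value exactly as your DNS provider shows it; this only catches a damaged key, so the send-a-test-message check above is still needed to confirm signing works end to end.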

DMARC — "what's your policy?"

DMARC (Domain-based Message Authentication, Reporting & Conformance) is your published policy on what receivers should do when SPF or DKIM fails. It also gives you a reporting endpoint so you find out who's spoofing your domain.

What to set: A TXT record at _dmarc.getbookedcalls.com:

The key parts:

  • p=quarantine — send failing messages to spam (start here; move to p=reject after 30 days if reports look clean)

  • rua=mailto:... — daily aggregate reports come here; read them weekly

  • pct=100 — apply the policy to 100% of messages

  • aspf=s / adkim=s — strict alignment; your sending domain must match exactly

Why strict alignment matters: without it, attackers can spoof your domain by sending from a similar-looking one and SPF still passes.
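Two checks for the DMARC points above, added here as an example and not part of the original article: one compares a `_dmarc` TXT value with the listed settings, the other totals, per source IP, the messages in an aggregate (`rua`) report that passed neither SPF nor DKIM. The record, report address, IPs and function names are constructed; the report element names follow RFC 7489 Appendix C, and real reports arrive compressed and must be unpacked first.

```python
import xml.etree.ElementTree as ET

def lint_dmarc(record):
    """Compare a _dmarc TXT value with the settings listed above."""
    pairs = (t.partition("=") for t in record.split(";"))
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in pairs if k.strip()}
    problems = []
    if tags.get("v") != "dmarc1":
        problems.append("missing v=DMARC1")
    if tags.get("p") not in ("quarantine", "reject"):
        problems.append(f"p={tags.get('p')}: receivers are asked to take no action")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("no rua=mailto: address, so no aggregate reports")
    if tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']}: policy covers only part of the mail")
    # aspf and adkim default to r (relaxed) when the tag is absent
    problems += [f"{t} is not s (strict)" for t in ("aspf", "adkim") if tags.get(t, "r") != "s"]
    return problems

def failing_sources(report_xml):
    """Map source IP -> message count for rows where neither SPF nor DKIM passed."""
    fails = {}
    for row in ET.fromstring(report_xml).iter("row"):
        ev = row.find("policy_evaluated")
        if ev.findtext("dkim") != "pass" and ev.findtext("spf") != "pass":
            ip = row.findtext("source_ip")
            fails[ip] = fails.get(ip, 0) + int(row.findtext("count"))
    return fails

# Constructed samples: placeholder report address and documentation-range IPs.
RECOMMENDED = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@sending-domain.example; "
               "pct=100; aspf=s; adkim=s")
SAMPLE_REPORT = """<feedback>
 <record><row><source_ip>192.0.2.10</source_ip><count>38</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
  </policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.7</source_ip><count>5</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row></record>
</feedback>"""

if __name__ == "__main__":
    print(lint_dmarc(RECOMMENDED))
    print(lint_dmarc("v=DMARC1; p=none"))
    print(failing_sources(SAMPLE_REPORT))
```

An IP in the failing list that belongs to your own sending tool means a record is misconfigured; one you do not recognise is someone else sending as your domain.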

The right order to do this

  1. Buy the domain (Cloudflare, Namecheap, One.com)

  2. Set the MX records pointing to your sending provider (Google Workspace if using Gmail-based; otherwise per provider)

  3. Set SPF (TXT, root, single record)

  4. Set DKIM (TXT, selector subdomain, from sending provider)

  5. Set DMARC (TXT, _dmarc subdomain, start with p=quarantine)

  6. Wait 24–48 hours for DNS to propagate

  7. Test with mail-tester.com — aim for 10/10. If you don't, the score breakdown tells you exactly which record is wrong.

  8. Begin mailbox warm-up: 5 emails/day for week 1, 10 for week 2, 20 for week 3, 40 for week 4

  9. Begin real sending in week 5

Most cold-email programmes that fail at the deliverability layer skip steps 5–8. They don't fail with bounces — they fail silently into spam.

One more thing: BIMI is not for cold email

You'll see BIMI ("Brand Indicators for Message Identification") in deliverability articles. Ignore it for cold-outbound sending domains. It's for primary brand domains that send transactional + product email — the certificate cost and complexity aren't worth it for sending domains you'd happily throw away.
