
Cold Email Domain Infrastructure Setup: Copy-Paste DNS Records for SPF, DKIM, DMARC

Austin Hughes

Updated on: Apr 20, 2026


The Technical Guide to Cold Email Domain Infrastructure (With Copy-Paste DNS Records)

TL;DR: Cold email success starts with domain infrastructure, not subject lines. Before you send a single prospecting email, you need dedicated sending subdomains and four correctly configured DNS records: SPF, DKIM, DMARC, and optionally BIMI. Teams that skip this step see inbox placement rates below 70%. Teams that get it right consistently achieve 90% or higher. This guide gives you the exact DNS records to copy, the warm-up schedule to follow, and the monitoring tools to keep reputation intact.

Proper cold email domain infrastructure means: sending only from dedicated subdomains (never your primary domain), publishing correct SPF, DKIM, DMARC, and optionally BIMI DNS records on each subdomain, warming every new mailbox for 3-4 weeks before full-volume sends, and monitoring reputation continuously with Google Postmaster Tools and Microsoft SNDS. Get these four layers right and inbox placement consistently exceeds 90%. Skip them and even the best-written cold emails land in spam.

Most sales teams treat this as an afterthought. They pick a sequencing tool, connect their company inbox, and wonder why reply rates are flat. The problem usually isn't the copy. Inbox providers evaluate the sending domain's reputation and authentication records before a single word of the message is read. Misconfigured DNS means messages get silently filtered regardless of how well-targeted the outreach is.

This guide walks through every layer of cold email domain infrastructure with copy-paste DNS record examples for Google Workspace and Microsoft 365, a week-by-week warm-up schedule, and a full monitoring stack. If you're looking at sequence strategy or personalization, see our guide on cold email best practices and the SDR research-to-send workflow. The domain foundation covered here is what makes that work actually reach inboxes.

Why Should You Never Send Cold Outbound From Your Primary Domain?

Cold email from your primary company domain puts the entire organization's email reputation at risk. Cold outbound by design generates higher bounce rates, occasional spam complaints, and unsubscribe signals. These signals are normal for cold outreach. But when they accumulate against yourcompany.com, they degrade deliverability for every other email that domain sends: product notifications, invoices, customer support responses, and executive correspondence.

A dedicated sending subdomain like outreach.yourcompany.com or send.yourcompany.com keeps those reputation signals isolated. If a subdomain gets flagged or blacklisted, you retire it and spin up a replacement. The primary domain stays clean. Microsoft's own documentation recommends using a subdomain for any email service not under your direct control, specifically to prevent issues from affecting the reputation of mail sent by users in your main email domain.

The practical rule: register 3-5 sending subdomains per active outbound program. Run 2-3 mailboxes per subdomain. Cap sends at 25-40 emails per mailbox daily once fully warmed. This structure gives you sustainable daily volume while keeping any single subdomain's risk exposure small.

How Do You Configure SPF for a Cold Email Sending Subdomain?

SPF (Sender Policy Framework) is a DNS TXT record that tells inbox providers which mail servers are authorized to send email for your domain. Without it, receiving servers cannot verify that your email actually came from you, and many will either reject or downgrade it.

Each subdomain needs exactly one SPF record. Multiple SPF records on the same hostname cause authentication failures. The record goes on the subdomain itself, not the root domain.

SPF record for a Google Workspace subdomain:

Type: TXT
Host: outreach.yourcompany.com
Value: v=spf1 include:_spf.google.com ~all
TTL: 3600

SPF record for a Microsoft 365 subdomain:

Type: TXT
Host: outreach.yourcompany.com
Value: v=spf1 include:spf.protection.outlook.com ~all
TTL: 3600

The ~all at the end means "softfail" — mail from unlisted servers gets accepted but flagged. This is the right starting setting. Only move to -all (hardfail) after you have confirmed via DMARC reports that all legitimate mail from the subdomain passes SPF alignment. SPF has a 10 DNS lookup limit; if your record includes many nested includes, use an SPF flattening tool to stay within bounds.
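The three SPF rules above (one record per hostname, the terminal all qualifier, the 10-lookup limit) can be checked mechanically. The following is an added example, not code from this guide or from any vendor; it runs against a constructed in-memory zone instead of live DNS, and the body shown for _spf.google.com and every example.net name are made-up stand-ins.

```python
import re

# Constructed sample zone (hostname -> TXT strings); stands in for live DNS answers.
# The body of _spf.google.com here is a made-up stand-in, not Google's real record.
ZONE = {
    "outreach.yourcompany.com": ["v=spf1 include:_spf.google.com ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.example.net ~all"],
    "_netblocks.example.net": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    # Two SPF records on one hostname: receivers return permerror.
    "send.yourcompany.com": ["v=spf1 include:_spf.google.com ~all",
                             "v=spf1 include:spf.protection.outlook.com ~all"],
    # Eleven includes: one over the 10-lookup limit.
    "bulk.yourcompany.com": ["v=spf1 " + " ".join(
        f"include:s{i}.example.net" for i in range(11)) + " ~all"],
}
ZONE.update({f"s{i}.example.net": ["v=spf1 ip4:198.51.100.%d -all" % i]
             for i in range(11)})

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208
ALL_QUALIFIER = {"+all": "pass", "all": "pass", "-all": "hardfail",
                 "~all": "softfail", "?all": "neutral"}

def spf_records(host, zone):
    """TXT strings at host that are SPF records (start with the v=spf1 tag)."""
    return [t for t in zone.get(host, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(host, zone, path=frozenset()):
    """Count DNS-querying terms reachable from host's record, following includes."""
    recs = spf_records(host, zone)
    if host in path or len(recs) != 1:   # include loop or unusable target
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[1]
            total += count_lookups(target.lower(), zone, path | {host})
    return total

def audit_spf(host, zone):
    """Apply the text's rules: one record per hostname, <= 10 lookups, all qualifier."""
    recs = spf_records(host, zone)
    if len(recs) != 1:
        return {"records": len(recs), "all": None, "lookups": None, "ok": False}
    policy = ALL_QUALIFIER.get(recs[0].split()[-1].lower())
    lookups = count_lookups(host, zone)
    return {"records": 1, "all": policy, "lookups": lookups,
            "ok": lookups <= 10 and policy in ("softfail", "hardfail")}

if __name__ == "__main__":
    for h in ("outreach.yourcompany.com", "send.yourcompany.com",
              "bulk.yourcompany.com"):
        print(h, audit_spf(h, ZONE))
```

To run the same checks against published records, replace the ZONE lookup in spf_records with TXT answers from your resolver of choice.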

How Do You Configure DKIM for Cold Email?

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each outgoing message. Receiving mail servers use the public key published in your DNS to verify that the email body and headers were not modified in transit and that the message genuinely originated from your domain.

For Google Workspace, DKIM is configured in the Admin Console (Apps > Google Workspace > Gmail > Authenticate email). Google generates the key pair and gives you the TXT record to publish. Always select 2048-bit key length, which is the standard in 2026. The published DNS record looks like this:

Type: TXT
Host: google._domainkey.outreach.yourcompany.com
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA[your-public-key]
TTL: 3600

For Microsoft 365, DKIM uses two CNAME records that point to Microsoft-hosted public keys. Generate the records in the Microsoft Defender portal under Email & Collaboration > Policies & Rules > Email Authentication Settings > DKIM tab. The CNAME format is:

Type: CNAME
Host: selector1._domainkey.outreach.yourcompany.com
Value: selector1-outreach-yourcompany-com._domainkey.[your-tenant].onmicrosoft.com

Type: CNAME
Host: selector2._domainkey.outreach.yourcompany.com
Value: selector2-outreach-yourcompany-com._domainkey.[your-tenant].onmicrosoft.com

Each subdomain you send from requires its own DKIM configuration. A DKIM record on yourcompany.com does not cover outreach.yourcompany.com. Allow up to 48 hours after publishing DNS records before enabling DMARC enforcement so authentication has time to propagate.

How Do You Configure DMARC for Cold Email?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is mandatory for bulk email senders and must be configured on every sending subdomain. Google has required it since February 2024 for senders of 5,000 or more messages per day to Gmail recipients. Microsoft followed with enforcement for Outlook.com as of May 2025. DMARC tells inbox providers what to do with a message when neither SPF nor DKIM produces a pass that aligns with the From domain, and it delivers aggregate reports showing exactly which servers are sending mail for your domain. Those reports are critical for catching misconfigured infrastructure before it damages reputation.

Starting DMARC record (monitoring mode):

Type: TXT
Host: _dmarc.outreach.yourcompany.com
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com; ruf=mailto:dmarc-failures@yourcompany.com; sp=none; adkim=r; aspf=r
TTL: 3600

Production DMARC record (after verifying all sources pass):

Type: TXT
Host: _dmarc.outreach.yourcompany.com
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourcompany.com; pct=100; adkim=r; aspf=r
TTL: 3600

The progression is: p=none (observe for 2-4 weeks) to p=quarantine (move failing mail to spam) to p=reject (block failing mail entirely). Do not jump straight to p=reject. Review DMARC aggregate reports first to confirm no legitimate sending sources are failing alignment. Relaxed alignment (adkim=r; aspf=r) is correct for most setups — it allows subdomain matches where the authenticated domain is a parent of the From address domain.
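Reviewing aggregate reports before leaving p=none comes down to two questions: what share of mail passed DMARC, and which source IPs account for the failures. The following is an added example, not part of the original guide; the report is a constructed sample trimmed to the fields the code reads, and the 98% threshold is the alignment target this guide lists under monitoring.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate (rua) report, trimmed to the fields read below.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>outreach.yourcompany.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>480</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.11</source_ip><count>15</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml, target_pct=98.0):
    """Per-source DMARC results from one aggregate report.

    A row passes DMARC when the aligned DKIM or the aligned SPF result in
    <policy_evaluated> is "pass". Reports arrive from third parties, so parse
    real ones with a hardened XML parser (e.g. defusedxml) rather than stdlib.
    """
    root = ET.fromstring(report_xml)
    totals = defaultdict(int)    # source_ip -> messages seen
    failing = defaultdict(int)   # source_ip -> messages failing DMARC
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        totals[ip] += count
        if not passed:
            failing[ip] += count
    total = sum(totals.values())
    aligned = total - sum(failing.values())
    rate = round(100.0 * aligned / total, 2) if total else 0.0
    return {
        "domain": root.findtext("policy_published/domain"),
        "total": total,
        "aligned": aligned,
        "rate_pct": rate,
        "failing_sources": dict(failing),   # review each before p=quarantine
        "meets_target": rate > target_pct,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

A passing rate alone is not the gate: every IP in failing_sources should be identified as either a legitimate sender to fix or an unauthorized source before the policy is tightened.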

Should You Configure BIMI for Cold Email Subdomains?

BIMI (Brand Indicators for Message Identification) is an optional DNS record that displays your company logo in the inbox avatar for Gmail, Yahoo Mail, Apple Mail, and other BIMI-enabled clients. It requires a DMARC policy of p=quarantine or p=reject and is not a deliverability requirement — but it is a trust signal that increases open rates and visual brand recognition.

BIMI requires your logo as a square SVG file in SVG Tiny PS format, hosted at a public HTTPS URL. For full logo display in Gmail, a Verified Mark Certificate (VMC) from DigiCert or Entrust is also required.

BIMI DNS record:

Type: TXT
Host: default._bimi.outreach.yourcompany.com
Value: v=BIMI1; l=https://yourcompany.com/logo-bimi.svg; a=https://yourcompany.com/vmc.pem
TTL: 3600

If you don't yet have a VMC, you can publish BIMI without the a= field. This works for Apple Mail and Yahoo but not Gmail. BIMI is worth setting up on your highest-volume sending subdomains once DMARC enforcement is in place — it adds no sending complexity and improves visibility.

What Is the Right Warm-Up Schedule for New Cold Email Domains?

A new mailbox with no sending history has no reputation. Inbox providers treat unknown senders with suspicion. Warm-up builds reputation by starting with low volume, generating positive engagement, and gradually increasing sends over 3-4 weeks before any cold outreach begins.

The recommended warm-up ramp per mailbox:

  • Week 1: 5 emails per day (internal or known contacts only)
  • Week 2: 10-12 emails per day (warm prospects, newsletter subscribers)
  • Week 3: 15-20 emails per day (begin limited cold sends)
  • Week 4+: 25 emails per day (full cold campaign)

Never send bulk cold outreach in week one. Inbox providers look at the ratio of sent volume to engagement. Low engagement on a brand-new mailbox at high volume triggers spam filters. Tools like Warmup Inbox, TrulyInbox, or built-in warming within your sequencing platform automate the engagement loop by exchanging warm-up emails with a network of other inboxes and marking them as not spam.

Teams rotating across 3-5 fully warmed sending domains maintain average inbox placement rates above 92%, compared to 68-74% for teams sending at similar volumes from a single domain. Source: Unify outbound infrastructure analysis.

That 20+ percentage point gap is almost entirely attributable to domain rotation and warm-up discipline — not copy quality or subject line testing. Domain architecture matters as much as authentication records.

For a deeper look at how domain health affects deliverability at scale, see Cold Email Domain Health: How to Scale Without Burning Your Reputation.

How Do You Monitor Cold Email Domain Reputation?

Configuring DNS records correctly is the foundation. Monitoring reputation on an ongoing basis is what keeps the infrastructure working after launch. Two primary tools cover the two largest inbox ecosystems.

Google Postmaster Tools (postmaster.google.com) provides Gmail-specific signals for your sending domains. Register each sending domain to access spam rate tracking, authentication compliance checks (SPF, DKIM, DMARC, TLS), and the Compliance Status dashboard. Keep spam rates below 0.1%. Rates above 0.3% trigger deliverability penalties in Gmail. Note: Google migrated to Postmaster Tools V2 in September 2025, retiring the four-tier High/Medium/Low/Bad domain reputation display. The current dashboard shows pass/fail compliance status and spam rate trends.

Microsoft SNDS (Sender Network Data Service, sendersupport.olc.protection.outlook.com) gives visibility into Outlook.com and Hotmail deliverability. It covers consumer Outlook inboxes, not Microsoft 365 enterprise accounts. SNDS color codes your sending IP: Green (low complaint rate, good deliverability), Yellow (moderate issues), Red (high complaints or blacklisted). Authentication requirements for SNDS access were updated in November 2025.

A complete monitoring stack also includes MXToolbox for blacklist lookups across major RBLs, and GlockApps or Mail-Tester for periodic seed list testing to measure actual inbox vs. spam folder placement rates. Check MXToolbox once per week per sending domain. Run seed tests once per month during steady-state operations, or whenever reply rates drop unexpectedly.

Key thresholds to track across all sending domains:

  • Inbox placement rate: target above 90% (Unify benchmark for healthy domains)
  • Spam complaint rate: keep below 0.1%, never exceed 0.3%
  • Hard bounce rate: keep below 2%
  • DMARC alignment rate: target above 98%

How Does Domain Infrastructure Connect to Signal-Based Outbound?

Proper domain infrastructure solves the floor problem: it stops deliverability from being the reason campaigns fail. But infrastructure alone doesn't drive pipeline. What accelerates results is combining clean infrastructure with intent-driven targeting.

When you send only to accounts showing active buying signals — job postings, technology changes, funding events, website visits — your contact-to-meeting rate climbs significantly. Unify customers sending signal-triggered outreach to high-intent accounts see open rates around 80% and reply rates near 5%, compared to roughly 30% and under 1% for cold outbound sent to static, unqualified lists. The infrastructure keeps emails reaching inboxes. The signal layer makes those emails worth opening.

Signal-based outreach also naturally caps your daily send volume to the addressable in-market audience at any given time. This alignment between targeting precision and sending volume is exactly what inbox providers reward: high engagement relative to send volume, low complaint rates, and consistent behavioral patterns over time. It's why infrastructure health and signal-based targeting are best understood together, not separately.

Unify has powered nearly $100M in pipeline via email outreach, with customers like Campfire doubling qualified outbound pipeline in five months and Pylon achieving 4.2x ROI from orchestrated automated outbound. The common thread in those results is a sending infrastructure built on authenticated, warmed domains paired with outreach timed to intent signals.

To understand how signal selection connects to sequence design, see Building a Signal-Driven Sales Playbook and our overview of Cold Email in 2026: Domains, Deliverability, and Sequences.

Cold Email Domain Infrastructure Checklist

  • Register 3-5 dedicated sending subdomains (e.g., outreach.yourcompany.com, send.yourcompany.com)
  • Configure SPF TXT record on each subdomain (one record per hostname, max 10 DNS lookups)
  • Configure DKIM with 2048-bit key on each subdomain
  • Configure DMARC starting at p=none with aggregate reporting address
  • Escalate DMARC to p=quarantine after 2-4 weeks of clean aggregate reports
  • Optionally publish BIMI record once p=quarantine or p=reject is in place
  • Warm each new mailbox over 3-4 weeks before full cold send volume
  • Cap cold sends at 25-40 emails per mailbox per day
  • Run 2-3 mailboxes per sending domain
  • Register all sending domains with Google Postmaster Tools
  • Monitor Microsoft SNDS for Outlook/Hotmail signals
  • Check MXToolbox blacklist status weekly per domain
  • Run seed list placement tests monthly
  • Keep spam complaint rate below 0.1%, bounce rate below 2%

Frequently Asked Questions

How do I set up proper domain infrastructure for cold email sending?

Start by registering 2-3 dedicated sending subdomains — never use your primary company domain for cold outbound. Then configure four DNS records on each subdomain: an SPF TXT record, a DKIM TXT or CNAME record, a DMARC TXT record, and optionally a BIMI TXT record. Warm each new mailbox for 3-4 weeks before sending at full volume, keeping daily sends at or below 25-40 emails per inbox. Register each sending domain in Google Postmaster Tools and Microsoft SNDS for ongoing reputation monitoring.

What is the correct SPF record format for cold email?

An SPF TXT record for a Google Workspace sending subdomain looks like: v=spf1 include:_spf.google.com ~all. For Microsoft 365, use: v=spf1 include:spf.protection.outlook.com ~all. Each subdomain needs exactly one SPF record. The ~all (softfail) is correct for most setups; only move to -all (hardfail) after confirming all legitimate sending sources pass authentication via DMARC reports.

Why should I use subdomains instead of my main domain for cold email?

Cold email campaigns generate higher bounce rates and occasional spam complaints. If you send from your primary domain (yourcompany.com), those reputation signals damage your corporate email deliverability for every other type of email you send. A dedicated subdomain like outreach.yourcompany.com keeps complaint and bounce risk isolated. If a subdomain gets blacklisted, you can retire it without affecting the reputation of your main domain or marketing email.

What DMARC policy should I start with for cold email?

Start with p=none to observe authentication results without rejecting any mail. After reviewing DMARC aggregate reports for two to four weeks and confirming all legitimate mail passes SPF and DKIM alignment, escalate to p=quarantine, then p=reject. Moving straight to p=reject before all sending sources are aligned will cause legitimate emails to be blocked by receiving servers.

How many domains and mailboxes do I need for cold email at scale?

The standard recommendation is 3-5 sending domains with 2-3 mailboxes per domain. Each mailbox should cap at 25-40 emails per day once fully warmed. To estimate domains needed, divide your total daily send target by (mailboxes per domain multiplied by your per-mailbox daily limit). Unify's platform handles domain rotation and per-mailbox throttling automatically, so teams using signal-based targeting stay well within safe volume bounds while maximizing pipeline output.

About the Author

Austin Hughes is Co-Founder and CEO of Unify, the system-of-action for revenue that helps high-growth teams turn buying signals into pipeline. Before founding Unify, Austin led the growth team at Ramp, scaling it from 1 to 25+ people and building a product-led, experiment-driven GTM motion. Prior to Ramp, he worked at SoftBank Investment Advisers and Centerview Partners.
