TL;DR: Buy 2 to 3 secondary domains, publish SPF, DKIM, and DMARC on each, run 3 to 5 mailboxes per domain capped near 30 to 50 sends per day, and warm every mailbox over roughly 21 days before scaling. Built for Sales, Growth, and RevOps teams launching cold or warm outbound, this setup keeps bounce rates under 3% and spam complaints under Google's 0.30% line, or you can automate the entire stack.
The cold email domain setup checklist
To set up proper domain infrastructure for cold email sending, work through these six steps in order. Each step builds on the one before it, and skipping any of them puts your sender reputation at risk.
- Buy 2 to 3 secondary sending domains that are close variants of your brand, and forward them to your main website.
- Connect each domain to a mailbox provider (Google Workspace or Microsoft 365) and create 3 to 5 mailboxes per domain.
- Publish SPF, DKIM, and DMARC DNS records on every sending domain. Google requires all three for bulk senders.
- Do the mailbox-count math by dividing your daily send target by a safe ceiling of 30 to 50 emails per mailbox per day.
- Warm every new mailbox over roughly 21 days, starting at 5 to 10 sends per day and ramping to its ceiling.
- Verify every address before send and monitor bounce rate, spam complaints, and open rates to keep reputation healthy.
The rest of this guide explains the why behind each step, then shows how to automate the whole sequence. If you are pressure-testing infrastructure before a launch, the outbound pilot guide on domains, mailboxes, and success criteria pairs well with this checklist.
Key facts and benchmarks at a glance
Every quantitative claim in this guide is centralized below with its source and date. Exact values vary by provider and program, as noted in the methodology section.
Methodology and limitations
This guide combines published provider requirements, sender best practices, and Unify customer outcomes. Read the limitations before treating any number as a fixed rule.
- Provider requirements (SPF, DKIM, DMARC, spam-rate thresholds) come from Google's Email Sender Guidelines and Microsoft's email authentication documentation, both current as of 2026.
- Volume and warm-up numbers are industry best-practice ranges, not hard limits. Exact DNS values, per-mailbox ceilings, and required volumes vary by mailbox provider, domain age, and the quality of your list.
- Warm-up timelines and bounce-prevention figures are sourced from the Unify Managed Email Deliverability product page and named Unify customer case studies (Innovate Energy Group, Justworks, Spellbook). Each is attributed in-line to that specific source.
- What this guide does not cover: message copy and reply rates, list sourcing, or per-country legal advice. Treat the EU and regulated-industry notes as starting points, not legal counsel.
- Where to dial down: regulated industries (finance, healthcare) and GDPR-sensitive regions should send lower volumes with tighter relevance and confirm legal basis first.
Why buy separate sending domains instead of using your main domain?
Use separate secondary domains so that any reputation damage from cold sending never reaches your primary brand domain. Your main domain carries your website, billing, and employee email, and you cannot afford to have it flagged.
A secondary sending domain is a close variant of your brand, such as getbrand.com or try-brand.com, registered specifically for outbound and forwarded to your main site. Buyers still see a recognizable name, but your core domain stays insulated.
Spread volume across 2 to 3 secondary domains rather than one. If a single cold-sending domain gets flagged, you pause it and keep sending from the others while it recovers, with zero impact on the domain your business actually runs on.
How do you configure SPF, DKIM, and DMARC?
Configure SPF, DKIM, and DMARC by publishing one DNS record for each on every sending domain. Google requires all three for bulk senders, and Microsoft describes them as interdependent building blocks where "anything less than all of the email authentication methods results in substandard protection."
Each record plays a distinct, non-overlapping role. The standardized breakdown below uses the same fields for all three so you can configure them in one pass.
SPF (Sender Policy Framework)
- What it is: A TXT DNS record that lists which servers are authorized to send mail for your domain's MAIL FROM address.
- Why it matters: Receiving servers reject or flag mail from sources you have not authorized, which blocks basic spoofing.
- Where it lives: A TXT record on the root of the sending domain, for example v=spf1 include:_spf.google.com ~all.
- Common failure: Each domain and subdomain needs its own SPF record; subdomains do not inherit the parent's.
DKIM (DomainKeys Identified Mail)
- What it is: A cryptographic signature, published as a DNS record, that signs key parts of each message so receivers can confirm it was not altered in transit.
- Why it matters: DKIM survives forwarding that breaks SPF, so it validates messages SPF alone would fail.
- Where it lives: A TXT or CNAME record at a provider-specific selector, enabled inside your mailbox provider's admin console.
- Common failure: Leaving DKIM unsigned means messages rely on SPF alone and fail composite authentication more often.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
- What it is: A TXT record at _dmarc.yourdomain.com that tells receivers what to do when SPF or DKIM fails and where to send authentication reports.
- Why it matters: DMARC enforces alignment between your visible From address and the authenticated domain, closing the gap SPF and DKIM leave open.
- Where it lives: A _dmarc TXT record, for example v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com to start in monitoring mode.
- Common failure: Jumping straight to p=reject before monitoring can silently drop legitimate mail.
Beyond the big three, Google also expects a valid reverse DNS (PTR) record, TLS for transmission, RFC 5322 message formatting, and one-click unsubscribe for bulk mail. Once records resolve, verifying every address is the next safeguard; see how to verify B2B email addresses before sending.
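To check the SPF and DMARC records described above across several sending domains, a small linter can flag the common failures before any mail goes out. This is an added example, not code from Google, Microsoft, or Unify; the .example domains and the TXT strings in ZONE are constructed sample data, and the checks for duplicate SPF records and the 10-lookup limit come from the SPF specification (RFC 7208) rather than from this guide.

```python
import re

# SPF terms that cost the receiver a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txts):
    """Return problems found in the SPF record among one name's TXT strings."""
    spf = [t for t in txts if re.match(r"(?i)v=spf1( |$)", t)]
    if not spf:
        return ["no SPF record at this name (nothing is inherited from a parent)"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as permerror"]
    terms = spf[0].split()[1:]
    # Mechanism/modifier name without its qualifier (+ - ~ ?) or argument.
    names = [re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms]
    problems = []
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        problems.append("more than 10 DNS-lookup terms: permerror")
    if "all" not in names and "redirect" not in names:
        problems.append("no 'all' or redirect: unlisted senders get neutral")
    if any(t.lower() in ("all", "+all") for t in terms):
        problems.append("'+all' authorizes every server to send as this domain")
    return problems

def parse_tags(record):
    """Split 'k=v; k=v' into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_dmarc(txts):
    """Return problems found in the TXT strings published at _dmarc.<domain>."""
    recs = [t for t in txts if t.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["expected exactly one DMARC record, found %d" % len(recs)]
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    problems = []
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= tag")
    if "rua" not in tags:
        if policy in ("quarantine", "reject"):
            problems.append("p=%s with no rua=: enforcement without reports" % policy)
        else:
            problems.append("no rua=: no aggregate reports to monitor")
    return problems

def lint_zone(zone, names):
    """Lint SPF at each name and DMARC at _dmarc.<name>."""
    return {n: lint_spf(zone.get(n, [])) + lint_dmarc(zone.get("_dmarc." + n, []))
            for n in names}

# Constructed sample zone data (TXT strings keyed by DNS name), not real records.
ZONE = {
    "getbrand.example": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.getbrand.example": ["v=DMARC1; p=none; rua=mailto:dmarc@getbrand.example"],
    "try-brand.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 +all"],
    "_dmarc.try-brand.example": ["v=DMARC1; p=reject"],
    "mail.getbrand.example": [],  # subdomain: the parent's SPF does not apply here
}

if __name__ == "__main__":
    for name, found in lint_zone(ZONE, ["getbrand.example", "try-brand.example"]).items():
        print(name, found or "ok")
    print("mail.getbrand.example", lint_spf(ZONE["mail.getbrand.example"]))
```

In practice the ZONE dictionary would be filled from live TXT lookups for each sending domain; the lint functions do not change.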
How many mailboxes and domains do you actually need?
Calculate mailbox count by dividing your daily send target by a safe per-mailbox ceiling of 30 to 50 emails per day after warm-up. Distributing volume across many low-volume mailboxes protects reputation far better than pushing high volume through a few.
The math is straightforward once you fix the ceiling. The table below uses 40 sends per mailbox per day as a mid-range planning number and 3 to 5 mailboxes per domain.
Always plan capacity above your target so no single mailbox runs at its ceiling. Headroom absorbs warm-up periods, mailbox pauses, and seasonal spikes without forcing risky overuse.
How long does domain and mailbox warm-up take?
Warm-up takes roughly 21 days, or up to three weeks, for each new mailbox before it can send at full volume. Warming means gradually increasing send volume so mailbox providers see consistent, engaged sending and build trust in the new sender.
Sample 21-day mailbox warm-up schedule (per mailbox)

| Period | Sends per mailbox per day | Goal |
| --- | --- | --- |
| Days 1 to 7 | 5 to 10 | Establish a baseline and positive engagement |
| Days 8 to 14 | 15 to 25 | Build consistent volume and reputation |
| Days 15 to 21 | 30 to 50 | Reach steady-state ceiling |
Avoid warm-up services that inflate engagement with artificial reply pools. Per the Unify Innovate Energy Group case study, the team's previous warming services used artificial engagement pools that damaged domain reputation and pushed messages into spam. For the broader distinction between cold blasting and engaged sending, see what warm outbound is.
How do you protect sender reputation and prevent bounces?
Protect sender reputation by verifying every address before send, keeping bounce rates under 3%, and holding spam complaints under Google's 0.30% line in Postmaster Tools. Invalid addresses drive most early bounces, and bounces are the fastest way to wreck a new domain.
Sender reputation is the trust score mailbox providers assign your domain and IP based on bounce rates, spam complaints, and engagement. Once it drops, every email you send is more likely to land in spam, regardless of how good your authentication is.
Pre-send validation is the highest-leverage control because it stops the damage before it happens. For the mechanics of checking each address at send time, see send-time email validation.
What good cold email domain infrastructure looks like (vendor-neutral)
Good cold email domain infrastructure meets a short list of objective criteria, regardless of who builds it. Use these to evaluate your own setup or any tool, before considering any specific vendor.
- Isolation: Cold sending runs on secondary domains, never the primary brand domain.
- Authentication: SPF, DKIM, and DMARC are published and passing on every sending domain.
- Distribution: Volume is spread across multiple mailboxes and domains, each under a safe per-mailbox ceiling.
- Warm-up: Every new mailbox ramps gradually over about three weeks before running at volume.
- Pre-send validation: Every address is verified before send to keep bounces low.
- Monitoring: Bounce rate, spam complaints, and engagement are tracked continuously, with alerts on degradation.
How Unify covers this
Unify's Managed Email Deliverability handles the entire checklist above so teams do not configure DNS or babysit warm-up by hand. Per the Unify deliverability product page, it registers domains and sets DNS automatically, warms mailboxes over a 21-day period, rotates sending volume across multiple healthy domains, and validates every email before send to "prevent 75% of bounces before they're sent," with Domain Health Reporting for ongoing monitoring.
The proof points are attributed to named customers, not a blended benchmark. Per the Unify Justworks case study, Managed Deliverability prevented more than 10% of bounces in outbound enrollments. Per the Unify Spellbook case study, the team reached 70 to 80% open rates with Unify versus 19 to 25% previously. Per the Unify Innovate Energy Group case study, the team maintained deliverability through Google and Microsoft sender updates and generated $15M in pipeline in one month. Unify is a warm-outbound platform that pairs managed deliverability with signals and research; it is not an AI SDR and does not place autonomous cold calls.
Decision framework: should you build it or automate it?
Choose between manual setup and managed deliverability based on your team size, volume, and tolerance for DNS work. Use the if/then rules below to map your situation to a recommendation.
- If you send under 50 emails/day from one domain → configure SPF, DKIM, and DMARC manually; the overhead is low.
- If you are scaling past ~500 sends/day across multiple domains → automate, because manual warm-up and rotation become full-time work.
- If you have no one who owns DNS → use managed deliverability so records are set and monitored for you.
- If you already had a domain flagged or blacklisted → automate pre-send validation and volume rotation to stop repeat damage.
- If deliverability is mission-critical to pipeline → choose a managed option with Domain Health Reporting and bounce prevention.
- If you are running a short, low-volume pilot → manual setup is fine; revisit automation when you scale.
- If you operate in a regulated or GDPR-sensitive region → prioritize tooling that lets you control volume and verify lists tightly.
Worked example: launching a 1,000-per-day program
Here is one realistic, anonymized end-to-end trace of a Growth team standing up a 1,000-send-per-day cold email program from zero. The numbers follow the planning ranges in this guide.
- Target: 1,000 sends/day to a B2B list in the United States.
- Domains: Bought 7 secondary domains (close brand variants), each forwarded to the main site.
- Mailboxes: Created 5 mailboxes per domain for 35 total, planning at ~30 sends each after warm-up.
- Authentication: Published SPF, DKIM, and DMARC (started p=none for monitoring) on all 7 domains plus PTR and TLS.
- Warm-up: Ran the 21-day ramp on every mailbox, starting at 5 to 10 sends/day; full volume began week four.
- Validation: Verified every address pre-send, which cut the early bounce rate from a projected ~9% to under 2%.
- Outcome: Hit 1,000 healthy sends/day in roughly four weeks with spam complaints under 0.10% and no domain flagged.
A team using managed deliverability compresses steps two through five into automated setup. As a real-world anchor, per the Unify Innovate Energy Group case study, the team maintained deliverability through Google and Microsoft sender updates after prior manual warming had damaged their reputation, and generated $15M in pipeline in one month.
How does the setup change by team size and region?
The core six steps stay the same, but the right volume, ownership, and legal basis shift by segment. Use the variant that matches your situation.
SMB or solo founder (under 200 sends/day)
- 1 to 2 secondary domains, 3 to 5 mailboxes total, manual SPF/DKIM/DMARC is manageable.
- Warm-up still matters; do not skip it even at low volume.
- One person can own DNS and monitoring part-time.
Scaling Growth or RevOps team (500 to 1,000+ sends/day)
- 5 to 9 secondary domains, 25 to 35 mailboxes, automation becomes the practical choice.
- Assign a clear owner for deliverability or adopt managed deliverability with reporting.
- Volume rotation and pre-send validation move from nice-to-have to required.
United States (CAN-SPAM)
- Cold B2B email is permitted with accurate headers, a valid physical address, and a working opt-out.
- Honor opt-outs promptly and keep records of suppression.
EU and GDPR-sensitive regions
- The technical setup is identical, but sending generally needs a legitimate-interest basis and tighter relevance.
- Several member states are stricter; confirm the recipient jurisdiction's rules and provide easy opt-out. This is a starting point, not legal advice.
Edge cases and disambiguation
Several common confusions cause teams to misconfigure infrastructure or misread their own metrics. Validate against these before scaling.
- Subdomain vs. parent domain SPF: Subdomains do not inherit the parent's SPF record. Publish SPF on each sending subdomain individually.
- SPF pass vs. DMARC alignment: A message can pass SPF and still fail DMARC if the authenticated domain does not align with the visible From address. Check alignment, not just SPF.
- Opens vs. genuine engagement: Open tracking is increasingly unreliable due to privacy proxies that pre-fetch images. Treat replies and clicks as stronger signals than opens.
- Warm-up engagement vs. artificial pools: Real warm-up earns engagement from real recipients. Artificial reply pools can damage reputation, as noted in the Unify Innovate Energy Group case study.
- Bounce types: A hard bounce (invalid address) is a reputation risk; a soft bounce (temporary, like a full inbox) is not. Suppress hard bounces immediately.
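The "SPF pass vs. DMARC alignment" case above is easiest to see by evaluating a few messages the way a receiver does. This is an added example, not code from the guide's sources; the messages and .example domains are constructed, and org_domain() assumes the organizational domain is the last two labels, where real receivers use the Public Suffix List.

```python
def org_domain(domain):
    """Assumption for this example: the organizational domain is the last two
    labels. Real receivers derive it from the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(msg, policy):
    """Apply DMARC to one message's authentication results.

    msg: 'from' (header From domain), 'mail_from' (domain SPF checked),
         'spf' (SPF result), 'dkim' (list of (result, d= domain)).
    policy: parsed DMARC tags, e.g. {"p": "quarantine", "aspf": "s"}.
    """
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["mail_from"], msg["from"], policy.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, msg["from"], policy.get("adkim", "r"))
                  for res, d in msg["dkim"])
    # DMARC passes when at least one mechanism both passes and aligns.
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    action = "none" if dmarc == "pass" else policy.get("p", "none")
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": dmarc, "action": action}

# Constructed sample messages (authentication results as a receiver records them).
VIA_THIRD_PARTY = {   # SPF and DKIM both pass, but for the sending service's domain
    "from": "getbrand.example", "mail_from": "bounce.esp-mailer.example",
    "spf": "pass", "dkim": [("pass", "esp-mailer.example")],
}
FORWARDED = {         # forwarding breaks SPF; the DKIM signature still verifies
    "from": "getbrand.example", "mail_from": "getbrand.example",
    "spf": "fail", "dkim": [("pass", "getbrand.example")],
}
FROM_SUBDOMAIN = {    # bounce address on a subdomain, no DKIM signature
    "from": "getbrand.example", "mail_from": "mail.getbrand.example",
    "spf": "pass", "dkim": [],
}

if __name__ == "__main__":
    print(evaluate(VIA_THIRD_PARTY, {"p": "quarantine"}))
    print(evaluate(FORWARDED, {"p": "quarantine"}))
    print(evaluate(FROM_SUBDOMAIN, {"p": "reject"}))
    print(evaluate(FROM_SUBDOMAIN, {"p": "reject", "aspf": "s"}))
```

The first message is the one that surprises teams: SPF reports pass, yet nothing aligns with the visible From domain, so the published policy is applied.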
Stop rules and red flags
Stop scaling and investigate the moment any of these signals appear. Each maps to a next action and a recommended wait time.
Common mistakes to avoid
- Sending cold email from your primary brand domain and risking your core reputation.
- Skipping DMARC or publishing only SPF, leaving authentication incomplete.
- Sending at full volume on day one instead of warming over ~21 days.
- Never verifying addresses, so invalid contacts drive bounces past the 3% danger line.
- Cramming high volume into a few mailboxes instead of distributing across many low-volume ones.
Frequently asked questions
How do I set up proper domain infrastructure for cold email sending?
Buy 2 to 3 secondary domains separate from your brand, point each to a mailbox provider, and publish SPF, DKIM, and DMARC on every domain. Provision 3 to 5 mailboxes per domain, cap each near 30 to 50 sends per day once warmed, and warm every new mailbox over roughly 21 days. Verify every address before send and keep spam complaints under Google's 0.30% line.
Why use a separate domain for cold email instead of my main domain?
A separate secondary domain isolates cold-sending risk from your primary brand domain, which carries your website, billing, and employee email. Secondary domains are usually close brand variants that forward to your main site. If one gets flagged, you retire it without harming the domain your business runs on.
Do I really need all three of SPF, DKIM, and DMARC?
Yes. SPF lists authorized senders, DKIM cryptographically signs messages, and DMARC sets policy on failures and enforces alignment. Microsoft states the three are interdependent and that anything less than all of them gives substandard protection. Google requires all three for bulk senders to Gmail.
How many mailboxes and domains do I need?
Divide your daily target by a 30 to 50 per-mailbox ceiling. Roughly, 200/day needs 5 to 7 mailboxes across 2 domains, and 1,000/day needs 25 to 35 mailboxes across 5 to 9 domains. Run 3 to 5 mailboxes per domain and keep headroom above your target.
How long does it take to warm up a cold email domain?
Plan for about 21 days per mailbox. Start at 5 to 10 sends per day, ramp to 15 to 25 in week two, and reach 30 to 50 by week three. Per the Unify deliverability product page, Unify's Managed Email Deliverability ramps sending automatically over a 21-day period.
Does cold email setup differ in the EU under GDPR?
The technical setup is identical, but the legal basis differs. US CAN-SPAM permits cold B2B email with accurate headers and opt-out, while GDPR and the ePrivacy Directive generally require a legitimate-interest basis and tighter relevance. Confirm the recipient jurisdiction's rules before sending; this is a starting point, not legal advice.
When should I stop sending and fix my domain?
Stop when bounce rate crosses ~3%, when spam complaints approach Google's 0.30% line, or when open rates fall sharply on a healthy mailbox. A blacklisting or spam-trap hit means pause that domain immediately. Verifying every address before send is the fastest fix.
Can a platform set up cold email domain infrastructure for me?
Yes. Managed deliverability platforms automate domain registration, DNS, warming, rotation, and pre-send checks. Per the Unify deliverability product page, Unify registers domains, sets DNS automatically, warms mailboxes over 21 days, rotates volume across healthy domains, and validates every email to prevent 75% of bounces before they are sent.
Glossary
- Cold email domain setup: The process of configuring secondary domains, authentication records, and mailboxes so outbound email reaches inboxes without harming sender reputation.
- Secondary sending domain: A close brand-variant domain registered specifically for cold outbound and forwarded to the main site, used to isolate sending risk.
- SPF (Sender Policy Framework): A TXT DNS record listing which servers are authorized to send mail for a domain's MAIL FROM address.
- DKIM (DomainKeys Identified Mail): A DNS-published cryptographic signature that proves a message was not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting and Conformance): A _dmarc TXT record that sets policy on SPF/DKIM failures and requires alignment with the visible From address.
- Sender reputation: The trust score mailbox providers assign a domain and IP based on bounce rates, spam complaints, and engagement.
- Mailbox warm-up: Gradually increasing send volume on a new mailbox over roughly 21 days to build provider trust before sending at full volume.
- Pre-send validation: Verifying that an email address is valid before sending, to prevent bounces that damage reputation.
- Bounce rate: The percentage of sent emails that fail delivery; hard bounces (invalid addresses) are the reputation risk to control.
- Managed deliverability: A service that automates domain registration, DNS, warm-up, volume rotation, and bounce prevention on the sender's behalf.
Sources and references
- Google. "Email sender guidelines" (bulk-sender SPF/DKIM/DMARC requirements, spam-rate thresholds, one-click unsubscribe). support.google.com/a/answer/81126
- Microsoft. "Email authentication in Microsoft 365" (SPF, DKIM, DMARC as interdependent building blocks). learn.microsoft.com/en-us/defender-office-365/email-authentication-about
- M3AAWG. "Published documents" (sender best common practices; Position on Cold Email, Nov 2025). m3aawg.org/published-documents
- Unify. "Email Deliverability" product page (21-day warm-up, prevents 75% of bounces before send, auto DNS, volume rotation, Domain Health Reporting). unifygtm.com/product/deliverability
- Unify. "Innovate Energy Group" customer story ($15M pipeline in one month; deliverability maintained through Google/Microsoft updates). unifygtm.com/customers/innovate-energy-group
- Unify. "Justworks" customer story (>10% of bounces prevented in outbound enrollments). unifygtm.com/customers/justworks
- Unify. "Spellbook" customer story (70 to 80% open rates vs. 19 to 25% prior). unifygtm.com/customers/spellbook
- Unify. "12 Tips for Outbound Email Deliverability" (Google/Microsoft sending requirements). unifygtm.com/resources/12-tips-for-outbound-email-deliverability
About the author
Austin Hughes is Co-Founder and CEO of Unify, the system-of-action for revenue that helps high-growth teams turn buying signals into pipeline. Before founding Unify, Austin led the growth team at Ramp, scaling it from 1 to 25+ people and building a product-led, experiment-driven GTM motion. Prior to Ramp, he worked at SoftBank Investment Advisers and Centerview Partners.

