You're launching your first cold email campaign tomorrow. 500 well-targeted recipients, a personalized message, a clear offer. You hit "send" and… 60% land in spam. Not because your message is bad. Because your domain doesn't have the DNS records that Gmail, Outlook, and Yahoo need to tell a legitimate sender apart from an impersonator.
Three records govern the technical deliverability of a sending domain: SPF, DKIM, and DMARC. Without them, your emails are treated as suspicious by default. With them properly configured, you enter the "trust zone" of email providers — a necessary (not sufficient, but necessary) condition for your emails to land in the inbox.
The 30-second test
Before reading further: send an email from your domain to check-auth@verifier.gappssmtp.com or to your own Gmail account. Open the received message → "Show original" → look for the lines SPF: PASS, DKIM: PASS, DMARC: PASS. Three PASSes = you're ready to send. One FAIL = read this article before launching your campaign.
Why these three records exist
The SMTP protocol from 1982 has an original flaw: anyone can put any address in the "sender" field. A spammer can write an email "from" leon@outsend.xyz without ever having touched the outsend.xyz domain. To limit impersonation, the IETF published three complementary standards: RFC 7208 (SPF) in 2014, RFC 6376 (DKIM) in 2011, RFC 7489 (DMARC) in 2015.
Each one answers a specific question from the receiving server:
- SPF — "is this server authorized to send on behalf of this domain?"
- DKIM — "has the message been altered between the sender and me?"
- DMARC — "what should the domain do if SPF or DKIM fails?"
Since February 2024, Gmail and Yahoo require all three for any sender exceeding 5,000 messages per day. Below that threshold, they tolerate the absence of DMARC but are increasingly marking as spam domains that have neither SPF nor DKIM. In cold outreach, even 50 recipients per day is enough to trigger the filter if your domain isn't signed.
SPF — the DNS record that authorizes your sending servers
SPF (Sender Policy Framework) is a TXT record in your domain's DNS zone. It lists the servers authorized to send mail on your behalf. If Gmail receives an email claiming to be from you but sent from a server not on this list, it knows something is suspicious.
Example SPF record for a domain that sends via Gmail Workspace and Brevo:
outsend.xyz. IN TXT "v=spf1 include:_spf.google.com include:spf.sendinblue.com -all"
Breaking it down:
v=spf1— protocol versioninclude:_spf.google.com— authorizes Google Workspace serversinclude:spf.sendinblue.com— authorizes Brevo (formerly Sendinblue) servers-all— strictly rejects any unlisted server (the dash matters:~allwould be a "soft fail", which is less protective)
The official SPF limit is 10 DNS lookups per record. Beyond that, Gmail considers the record broken and treats it as if it doesn't exist. If you stack Mailgun + Brevo + Mailchimp + Salesforce + Office 365, you'll exceed this limit. The only solution: "flatten" your SPF using a service like EasyDMARC or Dmarcian.
DKIM — the cryptographic signature on every message
DKIM (DomainKeys Identified Mail) cryptographically signs each outgoing email with a private key stored on your sending server. The corresponding public key is published in your DNS zone. The receiving server reads the DKIM-Signature header of the message, retrieves the corresponding public key from your DNS, and verifies that the signature is valid.
In practice, the DKIM header looks like:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=outsend.xyz; s=brevo1;
h=from:to:subject:date;
bh=base64hash; b=signature...
The s=brevo1 field is the selector. The receiving server looks up the public key at brevo1._domainkey.outsend.xyz. If the key is missing or if the signature doesn't validate, DKIM fails.
Each sending tool has its own selector and its own key. If you use Brevo + Gmail Workspace, you'll have two separate DKIM records to publish — one per provider.
DMARC — the policy that defines what to do on failure
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer. Once SPF and DKIM are published, DMARC tells the receiving server how to react if one or the other fails.
Three possible policies:
p=none— observe, reject nothing. Ideal during the learning phase to collect reports.p=quarantine— sends messages that fail alignment to spam.p=reject— outright rejects them; they never arrive.
To start with cold outreach, publish p=none for 2–4 weeks, review the daily XML reports sent by providers, fix any leaks, then move to p=quarantine and finally p=reject.
Example DMARC record for outsend.xyz:
_dmarc.outsend.xyz. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@outsend.xyz; pct=100; adkim=s; aspf=s"
The rua=mailto: is the address that receives daily aggregate reports. Without reports, you're flying blind.
The 3 scenarios in cold outreach
| Domain configuration | Impact on cold email |
|---|---|
| No records (new domain, never configured) | 50–70% in spam from the 50th message. Gmail bulk-rejects. |
| SPF only, no DKIM | 10–30% in spam. Yahoo rejects volumes above 100/day. |
| SPF + DKIM, no DMARC | Acceptable deliverability but zero feedback. A silent misconfiguration can sink your domain without warning. |
| SPF + DKIM + DMARC (p=none then quarantine) | Reference configuration. You enter the Gmail/Yahoo/Outlook trust zone. |
What Gmail checks before accepting your message
In 2026, Gmail applies a scoring grid combining over 100 signals. The three DNS records are just one part of the equation, but they're the only ones a sender can fully control upfront. Other signals depend on recipient behavior (open rates, spam reports, unsubscribes) and the domain's sending history.
Gmail's operational verification order:
- Does the sender's domain have a valid SPF? Is the sending server listed?
- Does the message carry a DKIM signature? Does the public key validate it?
- Do SPF and DKIM align with the domain visible in the "From" field? (this is DMARC alignment)
- Does the sending domain have a positive reputation history?
- Does the message content trigger classic anti-spam rules?
Failing the first three points means you're disqualified before your content is even analyzed. France's data protection authority (CNIL) sets out the legal obligations for commercial email prospecting in its guide on commercial email outreach (prior consent for B2C, simple opt-out, clear advertiser identification). Technical deliverability compliance is additional to these legal obligations — it does not replace them.
How outsend checks a domain before sending
Outsend's delivery_check module queries a domain's public DNS zone and returns a report on all three records within seconds — no installation required. Paste a domain, get a structured report:
- SPF: present / absent, text content, number of DNS lookups consumed, final qualifier (-all / ~all / ?all)
- DKIM: selectors detected against standard names (default, google, brevo, mailgun, k1, etc.), algorithm, key length
- DMARC: present / absent, policy (none / quarantine / reject), percentage applied, aggregate report address
- Overall verdict: ready for volume sending / partial configuration / fix before any campaign
The check can also be run in batch over a prospect list to qualify recipients: a target domain that lacks SPF/DKIM/DMARC will accept your message more readily (no strict inbound filtering), but it also signals a less professionally equipped recipient — useful for campaign segmentation.
No tool replaces manual configuration in your DNS zone (at OVH, Gandi, Cloudflare, Route 53). Outsend's check tells you where you stand and what's missing, not where to click in your registrar's interface.
FAQ
How long does DNS propagation take?
Anywhere from 5 minutes to 48 hours depending on the TTL configured at your registrar. Most modern DNS providers (Cloudflare, Gandi) propagate in under 15 minutes. Verify with dig TXT outsend.xyz or via a web tool like MXToolbox.
Do I need a dedicated prospecting domain or can I use my main domain?
A dedicated domain is recommended for volumes above 500/day. A burned prospecting domain doesn't drag down your corporate domain's reputation. A common pattern: outsend.xyz for the brand, outsendmail.com or get-outsend.com for cold campaigns.
SPF with ~all or -all — which should I choose?
-all (hard fail) if you control all your sending sources and want to protect your domain against impersonation. ~all (soft fail) during the learning phase, while you identify all legitimate sources. Avoid ?all — it does nothing useful.
What should I do with DMARC reports received as XML?
Parse them with a dedicated tool — Dmarcian, EasyDMARC, and MXToolbox all offer free parsing up to a certain volume. These reports reveal servers sending on your behalf without authorization (often: a forgotten tool, a legacy CRM, sometimes an actual impersonation attempt).
My domain is old but has no authentication — what should I do?
Publish SPF + DKIM first, wait 7 days, then publish DMARC with p=none. Read 4 weeks of reports. Fix any detected leaks. Move to p=quarantine with pct=25 (progressively quarantining 25% of failing traffic), then scale to 100%, then move to p=reject. Allow 6–8 weeks for the full sequence.
Does Outsend automatically sign my campaign emails?
Outsend campaigns (on request, not available as alpha self-service) are sent via an authenticated Brevo infrastructure. The DKIM signature applied is that of the sending infrastructure, not your personal domain. For recipients to see "sent from outsend.xyz" with good deliverability, you publish the appropriate records in your DNS zone pointing to Brevo (DKIM CNAME + SPF include) — this procedure is documented during the alpha application process.
Need an overview? See all Outsend features.
Try Outsend for free
All-in-one, built for European B2B. Free alpha access on application.
Request free alpha accessoutsend.xyz — B2B scraping and prospecting platform, currently in alpha. Free application at /demander-acces.