On this page
DNS & Email Authentication
DNS Management for Cold Email
SPF, DKIM, and DMARC are the foundation of email deliverability. One misconfigured record can send every email to spam. This guide covers what each record does, common mistakes, and how InboxKit automates the entire process in under 60 seconds.
What Is DNS for Email?
DNS (Domain Name System) is the internet's phone book — it translates domain names into IP addresses and stores configuration records that tell the world how your domain handles email. For cold email, three DNS records matter more than anything else: SPF, DKIM, and DMARC.
Without these records, your emails have no way to prove they're legitimate. Gmail, Outlook, and other providers will either reject them outright or route them straight to spam. As of February 2024, Google and Yahoo require all bulk senders to have valid SPF, DKIM, and DMARC records — this is no longer optional.
The challenge is that DNS configuration is technical, error-prone, and tedious to maintain across multiple domains. A single typo in an SPF record can break authentication for your entire domain. InboxKit solves this by automating the entire process through Cloudflare integration.
SPF, DKIM & DMARC Explained
SPF (Sender Policy Framework)
SPF tells receiving mail servers which IP addresses and servers are authorized to send email on behalf of your domain. It's published as a TXT record in your DNS. When an email arrives, the receiving server checks the sending IP against your SPF record — if it doesn't match, the email fails SPF authentication.
Example SPF Record
v=spf1 include:_spf.google.com ~allKey rule: You can only have ONE SPF record per domain. Multiple SPF records cause authentication to fail entirely. InboxKit automatically merges SPF includes when configuring new domains.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to each outgoing email. The sending server signs the email with a private key, and the public key is published in your DNS as a TXT record. The receiving server uses the public key to verify the signature — proving the email hasn't been tampered with in transit and genuinely came from your domain.
Example DKIM Record (selector: google)
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA...Key rule: DKIM uses selectors to support multiple signing keys. Each email provider (Google, Microsoft) has its own selector. InboxKit configures the correct selectors automatically for each provider.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It has three policy levels: none (monitor only), quarantine (send to spam), and reject (block entirely). DMARC also provides reporting — you can receive aggregate reports showing who's sending email from your domain.
Example DMARC Record
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100Best practice: Start with p=none for monitoring, then move to p=quarantine after confirming legitimate emails pass. InboxKit sets p=quarantine by default for cold email domains.
Common DNS Errors That Kill Deliverability
These are the most frequent DNS mistakes we see across thousands of domains. Any one of them can cause all your emails to land in spam.
| Error | Impact | Frequency |
|---|---|---|
| Multiple SPF records on same domain | SPF check fails entirely — all emails affected | 31% of domains |
| SPF syntax errors (missing spaces, wrong format) | All emails marked as spam or rejected | 45% of domains |
| Missing or incorrect DKIM selector | Email authentication fails silently | 38% of domains |
| DMARC policy set to reject too early | Legitimate emails blocked before warmup completes | 52% of domains |
| TTL values set too high | DNS changes take days instead of hours to propagate | 60% of domains |
| Forgetting to add MX records | Reply emails bounce — can't receive any mail | 15% of domains |
Manual vs Automated DNS Setup
Setting up DNS manually for cold email requires researching record formats, accessing your registrar's panel, creating records one-by-one, and verifying each one propagated correctly. For a single domain, this takes about 2 hours. For 50 domains, it's a full week of work.
| Step | Manual |  InboxKit |
|---|---|---|
| Research DNS requirements | 30 min | Automatic |
| Access DNS management panel | 5 min | 10 seconds |
| Create & format records | 45 min | Automatic |
| Add records to DNS | 15 min | 5 seconds |
| Wait for propagation | 24-48 hours | 24-48 hours |
| Verify records work | 20 min | Automatic |
| Total active time | ~2 hours | < 1 minute |
How InboxKit DNS Automation Works
InboxKit uses Cloudflare's API to automate the entire DNS configuration process. Here's what happens when you connect a domain:
Domain connection
You enter your domain in the InboxKit dashboard. If your domain is on Cloudflare, InboxKit connects via API for fully automated setup. For other registrars, you point your nameservers to Cloudflare (a one-time 2-minute change), and InboxKit handles everything from there.
Existing record scan
InboxKit scans all existing DNS records on your domain. This prevents conflicts — for example, if you already have an SPF record for another service, InboxKit will merge the includes rather than creating a duplicate that would break authentication.
Record generation & deployment
Based on whether you're setting up Google Workspace, Microsoft 365, or Azure, InboxKit generates the correct SPF, DKIM, DMARC, and MX records with optimal values. All records are deployed simultaneously via the Cloudflare API — no manual copying or pasting.
Verification & monitoring
InboxKit verifies all records propagated correctly across global DNS servers. InfraGuard then monitors these records every 6 hours, alerting you instantly if anything changes. If a record is accidentally deleted or modified, you'll know within 6 hours — not when your bounce rate spikes.
DNS Best Practices for Cold Email
One SPF record per domain
Never create multiple SPF TXT records. If you need to authorize multiple senders, combine all includes into a single record. InboxKit handles this merge automatically.
Start DMARC on quarantine, not reject
Setting p=reject before your domain is warmed can block legitimate emails. Use p=quarantine during warmup, then upgrade to p=reject once you've confirmed all sending sources pass authentication.
Set TTL values between 300-3600 seconds
Lower TTL values (300s = 5 minutes) mean DNS changes propagate faster but increase DNS lookup load. For cold email domains where you make infrequent changes, 3600s (1 hour) is optimal. InboxKit sets this automatically.
Use 2048-bit DKIM keys
1024-bit DKIM keys are still common but increasingly considered weak. InboxKit configures 2048-bit keys by default for stronger cryptographic signing.
Monitor DNS records continuously
DNS records can change due to registrar migrations, provider updates, or accidental edits. InfraGuard checks every 6 hours and alerts on any changes so issues are caught before they impact deliverability.
Keep SPF lookups under 10
SPF has a 10-lookup limit. Exceeding this causes a permanent fail. If you use multiple email services (Google, Microsoft, marketing tools), your SPF includes can easily exceed this limit. InboxKit monitors your SPF lookup count and alerts you if you're approaching the limit.
Automate your DNS setup
SPF, DKIM, DMARC configured in under 60 seconds. Zero errors.
Frequently Asked Questions
InboxKit automatically configures all essential email authentication records: SPF (Sender Policy Framework) to authorize sending servers, DKIM (DomainKeys Identified Mail) with 2048-bit encryption for message signing, DMARC policies with custom alignment settings, and MX records for routing. We also set optimal TTL values and configure BIMI for brand logo display when available.
DNS propagation typically takes 24-48 hours globally. However, InboxKit sets optimal TTL values (300-3600 seconds) that achieve propagation within 1-4 hours for most regions. Our monitoring checks propagation status across 15+ global locations in real time.
Yes. InboxKit integrates with Cloudflare (our recommended provider for automated setup), GoDaddy, Namecheap, AWS Route53, Google Cloud DNS, and more. For Cloudflare domains, setup is fully automated. For other providers, we generate the exact records you need with copy-paste instructions.
InboxKit scans your existing DNS configuration before making changes. We merge new requirements with existing records — for example, appending to an existing SPF record rather than overwriting it. If conflicts are detected, the system alerts you with specific resolution steps.
SPF tells receiving mail servers which IPs are authorized to send email for your domain. DKIM adds a cryptographic signature to each email proving it hasn't been tampered with. DMARC ties SPF and DKIM together and tells receivers what to do when authentication fails (reject, quarantine, or none). All three are required for reliable cold email deliverability.
Yes. InfraGuard monitors your DNS records every 6 hours and alerts you immediately if any record is modified, deleted, or misconfigured. This catches issues like accidental record deletion, registrar changes, or provider updates before they impact deliverability.