DMARC setup guide for cold email (SPF, DKIM, DMARC in plain English)

Short answer: publish an SPF record listing your senders, enable DKIM signing on your mailbox, then add a DMARC TXT record at _dmarc.yourdomain.com with at least p=quarantine. Since 2024, Gmail and Yahoo reject bulk mail without all three aligned.

The three records

• SPF (TXT on root): v=spf1 include:yourprovider.com ~all — authorises who can send as you.
• DKIM (TXT on a selector): a public key your provider gives you; it cryptographically signs each message.
• DMARC (TXT on _dmarc): v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com — the policy + where to send reports.

Quarantine vs reject

Start at p=quarantine (failures go to spam) once you've confirmed legitimate mail passes. Move to p=reject (failures bounced) for the strongest protection — and it's what high-trust senders use.

The cold-email gotcha

Your *envelope-from* domain must align with your *header-from* domain for DMARC to pass. Many "spray" tools break alignment with custom return-paths. Autocloz keeps alignment intact and monitors SPF/DKIM/DMARC continuously, warning you before a misconfiguration tanks placement.

> Don't want to manage DNS by hand? Start free — Autocloz flags every auth gap on the mailbox setup screen.