---
title: "How to Set Up SPF, DKIM & DMARC in FirstSales | FirstSales"
description: "Authenticate your sending domain with SPF, DKIM, and DMARC so your cold email is trusted, reaches the inbox, and isn't rejected as spoofed."
canonical: "https://firstsales.io/tutorial/domain-authentication-spf-dkim-dmarc/"
---

[Home](/)/[Tutorials](/tutorial/)/How to Set Up SPF, DKIM & DMARC in FirstSales

Deliverability

# How to Set Up SPF, DKIM & DMARC in FirstSales

Authenticate your sending domain with SPF, DKIM, and DMARC so your cold email is trusted, reaches the inbox, and isn't rejected as spoofed.

8 min read·Intermediate·5 steps

1. 1  
## Open the Technical tab  
Open your sending mailbox on the **Connectors** page and go to the **Technical** tab. This is where FirstSales checks the three DNS records that prove you're allowed to send from your domain: **SPF**, **DKIM**, and **DMARC**.  
Without them, mailbox providers treat your mail as suspicious — the _"Email authentication not set up"_ alert warns that emails "may land in spam or be rejected." This is the single highest-leverage deliverability setup.  
![Open the Technical tab](/tutorials/warmup-02-email-auth.webp)
2. 2  
## Add the three records to your DNS  
The tab lists a record for each protocol to add at your domain's DNS host:  
   * **SPF — Sender Policy Framework**: "Declares which servers may send mail for your domain."  
   * **DKIM — DomainKeys Identified Mail**: cryptographically signs outgoing mail so it can't be forged.  
   * **DMARC — Domain-based Message Authentication**: "Tells receivers what to do when SPF or DKIM fail."  
Copy each record into your DNS provider (GoDaddy, Namecheap, Cloudflare, etc.). A weighted score bar tracks progress — **SPF 34%, DKIM 33%, DMARC 33%** — so you can see how far along you are.
3. 3  
## On Cloudflare? Add records in one click  
If FirstSales detects your domain runs on Cloudflare, the tab shows _"This domain is on Cloudflare"_ and an **Add to Cloudflare** button that writes the records for you after you authorize — no manual copy-paste.  
For password/relay connectors there's also **Managed DKIM** (**Enable Managed DKIM**), where FirstSales handles the DKIM signing key.
4. 4  
## Verify the records are live  
After adding records, scroll to **Verify DNS Records** — "After adding the records above, click below to confirm they are live." Click **Check DNS Records**. Each protocol shows pass or fail; when all three pass you'll see **"All checks passed!"**  
If something fails, don't panic — _"DNS changes can take up to 48 hours to propagate."_ Wait and use **Re-check DNS Records**.
5. 5  
## High volume? Authentication is mandatory  
If a mailbox sends over **5,000 emails/day**, the tab shows a red banner: authentication is **"Required for senders over 5,000 emails/day."** Gmail and Yahoo will reject unauthenticated bulk mail with error `550-5.7.26`.  
Below that threshold it's _"Strongly recommended for all senders"_ — meaning: do it anyway. Cold outreach lives or dies on deliverability, and these three records are the foundation.

## Pro tips

Hard-won shortcuts that keep warm-up on track.

1

### All three, not just one

SPF, DKIM, and DMARC each cover a third of the score for a reason — providers want all three. Partial auth still gets you filtered; finish the set.

2

### Give DNS time before re-checking

A failed check right after adding records usually just means propagation. Changes can take up to 48 hours — wait, then Re-check, before assuming the record is wrong.

3

### Cloudflare one-click saves the copy-paste

If your domain is on Cloudflare, use 'Add to Cloudflare' — it writes all the records for you and removes the most common source of typos.

4

### Over 5k/day makes this non-negotiable

Gmail and Yahoo reject unauthenticated bulk mail (550-5.7.26). If you send at volume, authentication isn't optional — set it up before you scale sends.

## Frequently asked questions

Where do I set up SPF, DKIM, and DMARC?

On the connector's **Technical** tab. It lists the exact SPF, DKIM, and DMARC records to add at your domain's DNS host and then verifies they're live.

What does each record do?

**SPF** declares which servers may send for your domain; **DKIM** cryptographically signs your mail so it can't be forged; **DMARC** tells receivers what to do when SPF or DKIM fail. Together they prove your mail is legitimate.

How is the authentication score calculated?

It's weighted: **SPF 34%, DKIM 33%, DMARC 33%**. Full authentication (all three passing) reaches 100%; the Details tab labels tiers 'Fully Authenticated', 'Partially Protected', and 'Not Secured'.

I added the records but the check fails — why?

Most often DNS hasn't propagated yet: changes can take up to **48 hours**. Wait, then click **Re-check DNS Records**. If it still fails after that, re-copy the record exactly as shown.

My domain is on Cloudflare — is there a shortcut?

Yes. When FirstSales detects Cloudflare, use the **Add to Cloudflare** button to write the records automatically after authorizing, instead of adding them by hand.

What is Managed DKIM?

For password/relay connectors, **Enable Managed DKIM** lets FirstSales handle the DKIM signing key for you rather than you managing the DKIM record manually.

Is authentication required?

For senders over **5,000 emails/day**, yes — Gmail and Yahoo reject unauthenticated bulk mail with `550-5.7.26`. Below that it's strongly recommended for everyone; skipping it sends your mail to spam.

Does an unverified setup block me from sending?

No — the check is advisory and never blocks you from leaving the page or sending. But unauthenticated mail lands in spam or gets rejected, so treat it as required in practice.

## Ready to put this into practice?

Start your FirstSales trial and launch a warmed, authenticated mailbox in minutes.

[Start for $1](https://app.firstsales.io)

[All tutorials](/tutorial/)