NewSee how
FirstSales
Home/Tutorials/How to Set Up SPF, DKIM & DMARC in FirstSales
Deliverability

How to Set Up SPF, DKIM & DMARC in FirstSales

Authenticate your sending domain with SPF, DKIM, and DMARC so your cold email is trusted, reaches the inbox, and isn't rejected as spoofed.

8 min read·Intermediate·5 steps
  1. 1

    Open the Technical tab

    Open your sending mailbox on the Connectors page and go to the Technical tab. This is where FirstSales checks the three DNS records that prove you're allowed to send from your domain: SPF, DKIM, and DMARC.

    Without them, mailbox providers treat your mail as suspicious — the "Email authentication not set up" alert warns that emails "may land in spam or be rejected." This is the single highest-leverage deliverability setup.

    Open the Technical tab
  2. 2

    Add the three records to your DNS

    The tab lists a record for each protocol to add at your domain's DNS host:

    • SPF — Sender Policy Framework: "Declares which servers may send mail for your domain."
    • DKIM — DomainKeys Identified Mail: cryptographically signs outgoing mail so it can't be forged.
    • DMARC — Domain-based Message Authentication: "Tells receivers what to do when SPF or DKIM fail."

    Copy each record into your DNS provider (GoDaddy, Namecheap, Cloudflare, etc.). A weighted score bar tracks progress — SPF 34%, DKIM 33%, DMARC 33% — so you can see how far along you are.

  3. 3

    On Cloudflare? Add records in one click

    If FirstSales detects your domain runs on Cloudflare, the tab shows "This domain is on Cloudflare" and an Add to Cloudflare button that writes the records for you after you authorize — no manual copy-paste.

    For password/relay connectors there's also Managed DKIM (Enable Managed DKIM), where FirstSales handles the DKIM signing key.

  4. 4

    Verify the records are live

    After adding records, scroll to Verify DNS Records — "After adding the records above, click below to confirm they are live." Click Check DNS Records. Each protocol shows pass or fail; when all three pass you'll see "All checks passed!"

    If something fails, don't panic — "DNS changes can take up to 48 hours to propagate." Wait and use Re-check DNS Records.

  5. 5

    High volume? Authentication is mandatory

    If a mailbox sends over 5,000 emails/day, the tab shows a red banner: authentication is "Required for senders over 5,000 emails/day." Gmail and Yahoo will reject unauthenticated bulk mail with error 550-5.7.26.

    Below that threshold it's "Strongly recommended for all senders" — meaning: do it anyway. Cold outreach lives or dies on deliverability, and these three records are the foundation.

Pro tips

Hard-won shortcuts that keep warm-up on track.

1

All three, not just one

SPF, DKIM, and DMARC each cover a third of the score for a reason — providers want all three. Partial auth still gets you filtered; finish the set.

2

Give DNS time before re-checking

A failed check right after adding records usually just means propagation. Changes can take up to 48 hours — wait, then Re-check, before assuming the record is wrong.

3

Cloudflare one-click saves the copy-paste

If your domain is on Cloudflare, use 'Add to Cloudflare' — it writes all the records for you and removes the most common source of typos.

4

Over 5k/day makes this non-negotiable

Gmail and Yahoo reject unauthenticated bulk mail (550-5.7.26). If you send at volume, authentication isn't optional — set it up before you scale sends.

Frequently asked questions

Where do I set up SPF, DKIM, and DMARC?

On the connector's Technical tab. It lists the exact SPF, DKIM, and DMARC records to add at your domain's DNS host and then verifies they're live.

What does each record do?

SPF declares which servers may send for your domain; DKIM cryptographically signs your mail so it can't be forged; DMARC tells receivers what to do when SPF or DKIM fail. Together they prove your mail is legitimate.

How is the authentication score calculated?

It's weighted: SPF 34%, DKIM 33%, DMARC 33%. Full authentication (all three passing) reaches 100%; the Details tab labels tiers 'Fully Authenticated', 'Partially Protected', and 'Not Secured'.

I added the records but the check fails — why?

Most often DNS hasn't propagated yet: changes can take up to 48 hours. Wait, then click Re-check DNS Records. If it still fails after that, re-copy the record exactly as shown.

My domain is on Cloudflare — is there a shortcut?

Yes. When FirstSales detects Cloudflare, use the Add to Cloudflare button to write the records automatically after authorizing, instead of adding them by hand.

What is Managed DKIM?

For password/relay connectors, Enable Managed DKIM lets FirstSales handle the DKIM signing key for you rather than you managing the DKIM record manually.

Is authentication required?

For senders over 5,000 emails/day, yes — Gmail and Yahoo reject unauthenticated bulk mail with 550-5.7.26. Below that it's strongly recommended for everyone; skipping it sends your mail to spam.

Does an unverified setup block me from sending?

No — the check is advisory and never blocks you from leaving the page or sending. But unauthenticated mail lands in spam or gets rejected, so treat it as required in practice.

Ready to put this into practice?

Start your FirstSales trial and launch a warmed, authenticated mailbox in minutes.

Start for $1