Authentication is the closest thing to a guaranteed placement lift in cold outbound. It's also where 40% of senders we audit have an unforced error costing them 10–25 points.
SPF + DKIM + DMARC aligned = table stakes. DMARC at p=none with reporting first; move to p=quarantine after 30 days clean. BIMI for Primary-inbox lift on Gmail. ARC for forwarded mail. Fixing a broken SPF is a bigger placement lift than any pool will ever deliver.
SPF — the easiest to break
SPF declares which IPs are authorised to send mail claiming your domain. It's evaluated on the envelope from (Return-Path), not the visible From. The two diverge when you use a third-party ESP — the ESP's Return-Path needs to be in your SPF include chain.
Common failures:
- Multiple SPF records (RFC: only one allowed). Merge them.
- Exceeding the 10 DNS-lookup limit. Flatten where you can, drop unused includes.
- ~all instead of -all. Soft-fail is an invitation to spoofers; hard-fail is what alignment expects for cold outbound.
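An offline audit for the three SPF failures listed above, added here as an example (not code from the original article): it flags duplicate records, counts the worst-case DNS lookups through nested includes, and reports a missing -all. The zone dictionary, its domain names and the function names are constructed for illustration; in practice the TXT answers would come from a resolver.

```python
import re

# Constructed TXT records keyed by domain; they stand in for DNS answers (offline).
SAMPLE_ZONE = {
    "example.com": ["v=spf1 include:_spf.esp.example include:crm.example "
                    "include:helpdesk.example a mx ~all"],
    "_spf.esp.example": ["v=spf1 include:a.esp.example include:b.esp.example -all"],
    "a.esp.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "b.esp.example": ["v=spf1 a mx ip4:198.51.100.0/24 -all"],
    "crm.example": ["v=spf1 exists:%{i}.crm.example ptr -all"],
    "helpdesk.example": ["v=spf1 include:a.esp.example mx -all"],
    "dup.example": ["v=spf1 -all", "v=spf1 ip4:203.0.113.5 -all"],
    "fixed.example": ["v=spf1 include:a.esp.example -all"],
}
# Terms that each cost one DNS query against the limit of 10 (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(zone, domain):
    """TXT records at `domain` whose first token is exactly v=spf1."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, domain, path=()):
    """Worst-case number of DNS-querying terms across the include/redirect tree."""
    recs = spf_records(zone, domain)
    if domain in path or len(recs) != 1:   # include loop or unusable record
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term)
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue
        total += 1                         # this term itself triggers a query
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_lookups(zone, m.group(2), path + (domain,))
    return total

def audit_spf(zone, domain):
    """Return findings for the three common failures; an empty list is a pass."""
    recs = spf_records(zone, domain)
    if len(recs) != 1:
        return [f"{len(recs)} SPF records published, exactly one allowed"]
    findings = []
    lookups = count_lookups(zone, domain)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups, limit is 10")
    terms = recs[0].lower().split()
    if "-all" not in terms and not any(t.startswith("redirect=") for t in terms):
        findings.append("no -all term in the record")
    return findings
```

The count is a worst case: a real evaluation stops at the first matching mechanism, so it can use fewer queries, but a record that can exceed 10 will fail for some senders.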
DKIM — two selectors, 2048-bit
DKIM signs mail with a private key and publishes the public key in DNS. Two selectors enable rotation without downtime. 1024-bit is the floor; 2048-bit is what major providers prefer and what you should publish today.
selector1._domainkey.mail.example.com. TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
selector2._domainkey.mail.example.com. TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
Alignment: the d= domain on DKIM must match your organisational From domain for DMARC alignment. Configure your ESP to sign with d=yourdomain.com, not d=esp.com.
DMARC — rollout that doesn't break you
- Day 0: publish v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. Collect reports.
- Day 0–14: review reports. Identify legitimate senders not yet aligned (HR tools, transactional ESPs, forwarders).
- Day 14–30: bring all legitimate senders into SPF + DKIM alignment.
- Day 30: switch to p=quarantine; pct=25. Watch reports.
- Day 45: p=quarantine; pct=100.
- Day 60+: p=reject if pct=100 runs clean.
BIMI — when it's worth it
BIMI publishes a logo in the recipient's inbox next to your mail. Requires DMARC at p=quarantine or stronger, and for Gmail, a VMC (~$1,500/yr). Anecdotal +3–6 point Primary placement on Gmail after BIMI goes live. Only worth it for high-volume B2C; cold outbound at B2B volumes usually isn't eligible anyway.
ARC — for forwarded cold outbound
ARC preserves authentication results across forwarders (mailing lists, alias services). If your cold-outbound volume includes significant forwarding, ARC keeps your DMARC auth intact at the final recipient. Your ESP should support it; ask.
Audit checklist
- SPF: one record, under 10 lookups, -all enforced.
- DKIM: two selectors, 2048-bit, d= aligned to From.
- DMARC: published, reports being received, policy at least p=none.
- Return-Path: aligned subdomain of your From domain.
- PTR/reverse DNS: matches forward DNS of sending IP (ESP should handle; verify).
- MTA-STS + TLS-RPT: publish them. Free +points on “secure sender” classification.
Inbox Check shows per-provider placement alongside SPF/DKIM/DMARC verdicts and the aligned domain used. Good for validating auth rollout without waiting on DMARC reports.