Email Sending Infrastructure: SPF, DKIM, DMARC, and Choosing Your Engine

Before you write a single subject line, your sending infrastructure needs to be right. This guide covers how to choose the correct sending approach for your use case, set up the three DNS authentication records every sender needs, and verify your configuration is working before you go live.

The two sending approaches

There are two fundamentally different ways to send email at scale, and they serve different purposes. Using the wrong one for your use case will hurt your deliverability and, in some cases, get your account suspended.

Approach 1: Bulk sending (Mailchimp, SendGrid)

Bulk ESPs (Email Service Providers) are built for sending large volumes from a shared or dedicated IP to people who have opted in to hear from you. They handle list management, unsubscribe processing, and compliance tooling out of the box.

The most widely used platforms:

• SendGrid by Twilio: developer-first, strong API, good deliverability at high volume.
• Mailchimp: beginner-friendly, all-in-one marketing automation.
• Klaviyo: built for e-commerce with deep behavioral triggers.
• Brevo (formerly Sendinblue): affordable starting point with solid feature coverage.

On shared IP plans, your sender reputation is partly influenced by other users on the same IP pool. Dedicated IPs are available at higher volume tiers (typically 100k+ emails/month on SendGrid Pro) and give you full control over your reputation.

Approach 2: Individual account sending (SmartLead)

This is the modern outbound sales approach. Rather than one domain blasting thousands of emails, you use multiple individual Google Workspace or Microsoft 365 accounts, each sending 30 to 50 emails per day. Each email looks and behaves like a real person sent it, because technically one did.

The math works in your favor: 10 warmed inboxes at 40 sends per day equals 400 targeted emails per day, or roughly 12,000 per month. Spread across enough sending accounts, you can run serious outbound volume without any single account sending at suspicious levels.

Popular tools for managing multi-inbox outbound:

• SmartLead: multi-inbox management, built-in warmup, per-inbox analytics.
• Instantly.ai: similar feature set, large warmup network.
• Lemlist: image and video personalization per contact.
• Woodpecker: strong CRM integrations, good for smaller teams.

Sending limits matter. Keep each inbox under 50 emails per day, and use randomized intervals between sends (3 to 8 minutes is a reasonable range). Tools like SmartLead have these controls built in.

DNS authentication: what you need and why

When a receiving mail server gets an email from your domain, it checks three DNS records to decide whether to trust the message. Skipping any of them increases the chance your emails hit spam, and missing DKIM or DMARC is a common reason technically correct emails fail deliverability tests.

All three records are required. They work together: SPF and DKIM provide authentication signals, DMARC sets the enforcement policy and ties them together under your domain.

Setting up SPF

An SPF record is a TXT record added to your domain's DNS at the root level (i.e., on yourdomain.com, not a subdomain). It lists the mail servers permitted to send on your behalf.

Example SPF record for a domain using Google Workspace and SendGrid:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Breaking down each part:

• v=spf1: declares this is an SPF record.
• include:_spf.google.com: authorizes Google's servers to send for you.
• include:sendgrid.net: authorizes SendGrid's servers.
• ~all: soft fail for anything not listed. Use -all (hard fail) once you are confident your record covers all your senders.

Verify your SPF record with MXToolbox's SPF checker or the Google Admin Toolbox.

Setting up DKIM

DKIM uses a public/private key pair. Your mail server signs outgoing messages with the private key. The public key lives in DNS. Receiving servers use the public key to verify the signature matches, confirming the email was not tampered with after leaving your server.

Every major email platform generates a DKIM key for you during setup. The process is roughly the same across providers:

1. 1Go to your email platform's authentication settings.
2. 2Generate or locate your DKIM public key.
3. 3Add it as a TXT record in DNS at selector._domainkey.yourdomain.com.
4. 4Return to the platform and verify the record is detected.

The record looks like this (values abbreviated):

Type:  TXT
Name:  google._domainkey.yourdomain.com
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhki...

For Google Workspace, DKIM is enabled in Admin Console > Apps > Google Workspace > Gmail > Authenticate email. Full instructions are in Google's DKIM setup guide. Microsoft 365 has an equivalent in the Microsoft 365 Admin Center under Email authentication settings.

For SmartLead users connecting Gmail or Outlook accounts: DKIM is handled at the Google or Microsoft level for that account's domain. You do not configure it in SmartLead directly.

Setting up DMARC

DMARC sits on top of SPF and DKIM. It tells receiving servers what to do when an email fails either check, and it sends aggregate reports to an email address you specify so you can monitor your domain's authentication results.

A basic DMARC record looks like this:

Type:  TXT
Name:  _dmarc.yourdomain.com
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100

The key parameters:

• p=none: monitoring mode. No action taken on failing messages, but reports are generated. Start here.
• p=quarantine: failing emails go to spam. Move to this after 2 to 4 weeks of clean reports.
• p=reject: failing emails are blocked entirely. This is the end goal once you are confident in your setup.
• rua=: where to send aggregate reports. These are daily XML summaries from major providers.
• pct=100: apply the policy to 100% of failing messages.

Configuring your sending engine

For bulk sending (Mailchimp / SendGrid)

Both platforms walk you through domain authentication during onboarding. Complete every step, including the DKIM portion. A few additional settings are worth attention:

• Use a subdomain for marketing email. Send from mail.yourdomain.com or news.yourdomain.com instead of your root domain.
• Set up a custom tracking domain. By default, tracked links route through the ESP's generic domain (like track.sendgrid.net). Spam filters notice this.
• If you are on a dedicated IP, warm it up. Shared IP plans are pre-warmed. Dedicated IPs start cold — ramp volume gradually over 4 to 6 weeks.

For individual account sending (SmartLead)

Setup here is more hands-on because you are managing multiple inboxes and domains rather than one account with one sending address.

• Register alias domains. Do not use your primary business domain for cold outreach.
• Use Google Workspace or Microsoft 365. Free Gmail addresses have lower trust with inbox providers. Business accounts on paid plans ($6/user/month for Workspace) perform significantly better.
• Configure SPF, DKIM, and DMARC on every sending domain. Each alias domain needs its own records.
• Warm up every inbox before sending campaigns. See the warmup guide for the full schedule.
• Cap sends at 30 to 50 per day per inbox. Use randomized intervals (4 to 8 minutes).

Pre-launch checklist

Before sending your first campaign, confirm every item below is complete. DNS authentication issues are the leading cause of deliverability problems for new senders.

• SPF record is published and validated (MXToolbox confirms passing)
• DKIM key is generated, published in DNS, and verified by your email platform
• DMARC record is live at _dmarc.yourdomain.com (start with p=none)
• Sending domain is not your primary business domain
• Inbox warming is complete (minimum 3 weeks for cold outreach accounts)
• Daily send limit is set per inbox (30 to 50 max)
• Inbox placement test run and email landing in Primary inbox, not Spam
• Unsubscribe mechanism is in place on every email (required by CAN-SPAM)
• Hard bounce removal is configured (automatic in most platforms)

Tools reference