What SPF record should I use for cold email?
Quick Answer
For cold email, use a consolidated SPF record that stays under the 10 DNS lookup limit:
v=spf1 include:_spf.google.com include:spf.sendgrid.net ~all
Replace sendgrid.net with your actual email sending platform (e.g., amazonses.com, mailgun.org, smtp.com).
Why This Matters
SPF (Sender Policy Framework) records have a hard limit of 10 DNS lookups. Each include: statement counts as one lookup, and some includes trigger additional lookups.
Common mistake: Adding too many services to your SPF record:
v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com include:hubspot.com include:salesforce.com ...
This breaks deliverability because it exceeds the lookup limit.
Best Practices for Cold Email
1. Use dedicated sending domains
Don’t send cold email from your main domain (e.g., @company.com). Instead:
- Main domain: company.com (for regular business email)
- Cold email domain: mail.company.com or go.company.com
This isolates reputation and simplifies SPF configuration.
2. Consolidate email services
Only include services you’re actively using for cold outreach:
Good (2 lookups):
v=spf1 include:_spf.google.com include:spf.sendgrid.net ~all
Bad (7+ lookups):
v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com include:_spf.salesforce.com include:servers.mcsv.net include:spf.protection.outlook.com ~all
3. Understand the mechanisms
v=spf1: SPF version 1 (always first)include:: Check another domain’s SPF record~all: Soft fail (recommended for cold email)-all: Hard fail (too strict, avoid for outbound)+all: Allow all (never use this)
4. Test your SPF record
Use these tools to verify:
Check for:
- ✅ DNS lookup count < 10
- ✅ No syntax errors
- ✅ Proper termination with
~allor-all
Common SPF Configurations
Google Workspace + SendGrid
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Google Workspace + Amazon SES
v=spf1 include:_spf.google.com include:amazonses.com ~all
Google Workspace + Instantly.ai
v=spf1 include:_spf.google.com include:spf.instantly.ai ~all
Google Workspace + SmartLead
v=spf1 include:_spf.google.com include:spf.smartlead.ai ~all
What About DKIM and DMARC?
SPF is just one part of email authentication. For maximum deliverability:
- SPF: Authorize sending servers
- DKIM: Sign emails with cryptographic keys
- DMARC: Policy for handling authentication failures
Minimum setup for cold email:
- ✅ SPF record (as shown above)
- ✅ DKIM signing enabled in your sending platform
- ✅ DMARC record set to
p=none(monitoring mode)
Troubleshooting
“Too many DNS lookups” error
Solution: Remove unused includes or use IP addresses instead:
v=spf1 ip4:192.0.2.0/24 include:_spf.google.com ~all
Emails still going to spam
SPF alone won’t fix deliverability. Also check:
- Domain reputation (use Sender Score)
- Email content (avoid spam trigger words)
- Warm-up process (gradually increase send volume)
- List quality (remove bounces and unengaged contacts)
Implementation Checklist
- [ ] Create dedicated sending domain (e.g., mail.company.com)
- [ ] Configure SPF record with only active services
- [ ] Verify DNS lookup count < 10
- [ ] Enable DKIM in sending platform
- [ ] Set up DMARC record (
p=none) - [ ] Test with email authentication tools
- [ ] Warm up domain before full-scale outreach
Need Help?
Setting up email authentication correctly is critical for cold outreach success. If you’re seeing deliverability issues, we can audit your setup and build a systematic infrastructure for consistent inbox placement.