
Email Deliverability for Startups: SPF, DKIM, DMARC, and the Real Fundamentals
How to set up email so it actually reaches the inbox — domain authentication (SPF, DKIM, DMARC, BIMI), warmup, and the operational discipline most teams skip.

Why Email Deliverability Matters More in 2026
The deliverability landscape changed permanently in 2024. Gmail and Yahoo jointly mandated DMARC for bulk senders. iCloud followed. Microsoft tightened its filtering. Apple Mail Privacy Protection broke open-rate signaling. The cumulative effect: email that worked in 2022 increasingly hits spam in 2026, often invisibly.
Most teams discover this the wrong way — by noticing pipeline dropoff, customer support tickets about missed receipts, or campaigns that produce dramatically lower opens than the previous month. By that point, sender reputation has already taken damage that's hard to recover.
This guide covers the technical foundation, the operational discipline, and the diagnostics. It pairs with our cold email outreach playbook for the message-craft side and the email marketing first 1000 subscribers playbook for newsletter growth.
The 4 Foundations of Email Deliverability
| Component | What It Does | Required? |
|---|---|---|
| SPF | Authorizes IPs to send on behalf of your domain | Yes — table stakes since 2018 |
| DKIM | Cryptographic signature verifying message authenticity | Yes — table stakes since 2018 |
| DMARC | Policy telling receivers what to do with auth failures | Yes — required for bulk senders since 2024 |
| BIMI | Brand logo display in inbox (Gmail, Yahoo, Apple) | Optional — improves CTR but not delivery |
| Domain warmup | Builds sending reputation gradually | Yes for new sending domains |
| Sending volume limits | Stays under provider per-account caps | Yes — provider-specific |
| List hygiene | Removes bouncing or unengaged addresses | Yes — ongoing |
| Engagement-based sending | Sends most to engaged users, less to disengaged | Yes — affects sender reputation |
The first four are technical setup. The next four are operational discipline. Both layers matter; either alone is insufficient.
What Is SPF and How Do You Set It Up?
SPF (Sender Policy Framework) is a DNS record that lists the IP addresses authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from you@yourdomain.com, it checks the SPF record to see if the sending IP is authorized.
SPF Setup
Add a TXT record to your domain's DNS:
v=spf1 include:_spf.google.com include:mailgun.org include:_spf.salesforce.com ~all
The structure:
- v=spf1 — SPF version 1 (only version in use)
- include: directives — third-party senders authorized to send on your behalf
- ~all (softfail) or -all (hardfail) — what to do with mail from other sources
Start with ~all (softfail) for the first 30 days, then move to -all (hardfail) once you've confirmed all legitimate senders are listed.
Common SPF Mistakes
- Missing senders. If you use Google Workspace, your CRM (HubSpot, Salesforce), an email service provider (Mailgun, SendGrid, Postmark), and a cold-email tool (Apollo, Smartlead), all four need to be in your SPF. Missing one means that sender's emails fail SPF and may land in spam.
- Multiple SPF records. The SPF RFC allows only one SPF TXT record per domain. Two records produce a permerror. Concatenate everything into one record.
- More than 10 DNS lookups. The SPF spec caps evaluation at 10 DNS lookups, and lookups inside included records count toward the total. Adding many includes can exceed the limit and produce a permerror. Use SPF flattening tools (EasyDMARC, Halon) if you hit this.
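The three mistakes above can be checked mechanically before a record is published. The following is an added example, not code from the original article: it runs against a constructed in-memory zone instead of live DNS, and the records shown for the include targets (and the hypothetical sender name used in testing) are invented for illustration, not the providers' real records.

```python
# Constructed TXT data standing in for live DNS so the check runs offline.
# The include targets' records are invented, not the providers' real ones.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com include:mailgun.org "
                       "include:_spf.salesforce.com ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.example ~all"],
    "_netblocks.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "mailgun.org": ["v=spf1 ip4:198.51.100.0/24 mx ~all"],
    "_spf.salesforce.com": ["v=spf1 exists:%{i}._spf.example -all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # one DNS query each
MAX_LOOKUPS = 10

def spf_records(domain, zone):
    """TXT records published at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, seen=frozenset()):
    """Return (dns_lookups, problems) for the SPF record at `domain`, following includes."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return 0, [f"{domain}: {len(records)} SPF records, exactly 1 required (permerror)"]
    if domain in seen:
        return 0, [f"{domain}: include loop"]
    lookups, problems = 0, []
    for term in records[0].lower().split()[1:]:
        # Mechanisms look like "name:arg" or "name/cidr"; redirect is "redirect=arg".
        name, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        if name.split("/")[0] in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect"):
            nested, nested_problems = count_lookups(arg, zone, seen | {domain})
            lookups += nested
            problems += nested_problems
    return lookups, problems

def lint_spf(domain, zone, expected_includes=()):
    """Report the three SPF mistakes listed above for `domain`."""
    lookups, problems = count_lookups(domain, zone)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{domain}: {lookups} DNS lookups exceeds {MAX_LOOKUPS} (permerror)")
    terms = " ".join(spf_records(domain, zone)).lower().split()
    for sender in expected_includes:
        if f"include:{sender}" not in terms:
            problems.append(f"{domain}: no include for {sender}")
    return lookups, problems

if __name__ == "__main__":
    print(lint_spf("yourdomain.com", ZONE))
```

Three top-level includes already cost six lookups in this constructed zone, because each nested include, mx, or exists term counts toward the same limit.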
What Is DKIM and How Do You Set It Up?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email headers. The signature uses a private key on the sending side and a public key published in your DNS. Receivers verify the signature against the public key to confirm the message wasn't modified in transit.
DKIM Setup
Each email service provides DKIM setup instructions:
- Google Workspace: Admin Console → Apps → Gmail → Authenticate Email. Generate, publish, and authenticate.
- Mailgun / SendGrid / Postmark: Generate keys in provider dashboard, add CNAME records to DNS.
- Multiple providers: Each gets its own selector (e.g., google._domainkey, mailgun._domainkey).
DKIM keys should be 2048-bit, not 1024-bit (the older standard is deprecated by major receivers). Verify with dkimvalidator.com or dig against your domain.
What Is DMARC and Why It Matters in 2026
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the policy layer on top of SPF and DKIM. It tells receivers what to do when authentication fails — accept anyway, quarantine to spam, or reject entirely. It also requests reports back to you about authentication results.
In February 2024, Gmail and Yahoo jointly mandated DMARC for any sender of 5,000+ messages per day. Major receivers followed. By 2026, the practical floor is DMARC with p=quarantine or stricter for any business sending meaningful email volume.
DMARC Setup
Add a TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100
The structure:
- v=DMARC1 — version
- p=none / p=quarantine / p=reject — what to do with failures
- rua= — where to send aggregate reports
- pct= — percentage of mail to apply policy to (use 100 for full enforcement)
The 3-Step DMARC Rollout
Don't move directly to p=reject — you'll block legitimate mail you didn't know was being sent.
- Week 1–4: p=none — receive reports without affecting delivery. Identify all legitimate sending sources from reports.
- Week 4–8: p=quarantine; pct=25 → pct=100 — gradually move failing mail to spam. Monitor for legitimate senders failing auth.
- Week 8+: p=reject — block unauthenticated mail entirely. This is the target state.
Most organizations spend 4–8 weeks in the rollout. Reports from Google Postmaster Tools and DMARC parsing services (Dmarcian, EasyDMARC, Valimail) make the discovery work manageable.
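The discovery work during the p=none phase comes down to reading aggregate reports and listing which source IPs would be hit once the policy tightens. The following is an added example, not code from the original article: the report is constructed in the RFC 7489 aggregate layout with documentation IP addresses, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report (RFC 7489 layout); IPs are documentation addresses.
REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def summarize(report_xml):
    """Per source IP: total messages and how many passed DMARC."""
    # Reports arrive from third parties; on real input use a hardened
    # parser such as defusedxml instead of the stdlib one.
    root = ET.fromstring(report_xml)
    stats = defaultdict(lambda: {"total": 0, "dmarc_pass": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either the aligned DKIM or the aligned SPF result passes.
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        stats[ip]["total"] += count
        stats[ip]["dmarc_pass"] += count if passed else 0
    return dict(stats)

def failing_sources(report_xml):
    """(ip, failing message count) for sources a stricter p= would quarantine or reject."""
    return sorted((ip, s["total"] - s["dmarc_pass"])
                  for ip, s in summarize(report_xml).items()
                  if s["dmarc_pass"] < s["total"])

if __name__ == "__main__":
    print(failing_sources(REPORT))
```

Each IP this returns is either a legitimate sender that still needs SPF or DKIM set up, or a source that should not be sending as your domain; resolve every one before moving past p=none.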
Why Use Separate Subdomains for Different Email Types
Your domain has one reputation. Damaging it for any reason damages it for all uses. The fix is segmenting email types onto subdomains:
| Email Type | Recommended Subdomain |
|---|---|
| Transactional (receipts, password resets) | tx.yourdomain.com |
| Marketing (newsletters, campaigns) | mail.yourdomain.com |
| Cold outbound | get-yourdomain.com (separate root domain) |
| Personal / sales | yourdomain.com (root) |
| Internal team | yourdomain.com (root) |
Why this matters: if a marketing campaign generates spam complaints, your transactional reputation stays clean — meaning your password reset emails still arrive. The same logic applies to separating cold outbound onto a completely different root domain.
Most teams discover the value of this segmentation the hard way — after a campaign incident that takes weeks to recover from across all email use cases. Set up the segmentation before you need it.
Domain Warmup for New Sending Domains
A new domain has zero reputation with major receivers. Sending high volume immediately produces predictable failure: emails land in spam, complaints get filed, reputation never recovers.
Warmup is the process of building reputation gradually:
Manual Warmup (Free, Slow)
Send a small volume of conversational email to engaged recipients for 4–6 weeks before sending campaigns. Day 1: 10 emails. Day 7: 50. Day 14: 150. Day 30: 500. The pattern is exponential but careful — engagement on each send signals legitimacy.
Automated Warmup (Paid, Faster)
Tools like Lemwarm, Mailwarm, Instantly's warmup, and Smartlead's built-in warmup network simulate human conversation by sending to a network of warmup inboxes. Reasonable warmup runs $15–$50 per inbox per month for 4–8 weeks.
Both approaches work. Manual is free and slower; automated is faster and more reliable for new domains needing scale. For most B2B startups doing cold outbound, automated warmup pays for itself in the first month of normal sending.
Sending Volume Limits
Each provider has per-account daily sending caps. Exceeding them triggers automatic throttling or temporary blocks.
| Provider | Recommended Daily Limit Per Address |
|---|---|
| Google Workspace | 30–50 (cold outbound), 500 (warmed transactional) |
| Microsoft 365 | 30–50 (cold outbound), 1,000 (transactional) |
| Mailgun / SendGrid (transactional) | Bounded by your plan tier; typically 100K+ |
| Klaviyo / ConvertKit (marketing) | Bounded by plan tier |
For cold outbound at scale, the answer is not pushing volume higher per inbox — it's adding more sending inboxes (each with separate warmup) and rotating between them.
Engagement-Based Sending
Major receivers (Gmail, Outlook, Yahoo) track engagement signals per sender:
- Opens
- Clicks
- Replies
- Reports as spam
- Manual moves to inbox or spam
- Deletions without opening
Sending to disengaged recipients (people who haven't opened in 90+ days) hurts your reputation even when those people don't actively complain. The discipline:
List Hygiene Cadence
- Daily: Remove hard bounces immediately
- Weekly: Remove soft bounces after 3 consecutive
- Quarterly: Run a "re-engagement" campaign to subscribers inactive for 60+ days; remove non-responders
- Annually: Audit and remove anyone who hasn't engaged in 12 months
The temptation to keep large list sizes ("look at our 50K subscribers!") is the most expensive vanity metric in email marketing. A 20K list with 35% engagement outperforms a 50K list with 8% engagement on every business metric — and protects your sender reputation in the process.
Common Email Deliverability Mistakes
No DMARC Configured
By 2026, this is the most damaging deliverability omission. Gmail and Yahoo now mandate DMARC for bulk senders; without it, your bulk mail increasingly goes to spam.
Single Domain for Everything
Sending transactional, marketing, sales, and cold outbound from one domain means any incident damages everything. Segment by use case.
Sending Cold Email From the Primary Domain
The single fastest way to damage all email deliverability. Use a separate domain (e.g., get-yourcompany.com) for cold outbound.
Pushing Volume Through One Inbox
Per-inbox volume limits exist for a reason. Pushing past them creates throttling, blocks, and reputation damage. Scale via more inboxes, not higher per-inbox sends.
Skipping Warmup
A new sending domain or new sending inbox without warmup hits spam from email one. The 4–6 weeks of warmup is non-optional.
Ignoring Postmaster Tools
Google Postmaster Tools (free) shows you exactly how Gmail sees your domain — spam rate, reputation, authentication status. Most teams have never opened it. Set it up; check monthly.
Not Removing Disengaged Subscribers
Continuing to send to people who haven't engaged in 12+ months damages your reputation with engaged recipients. Painful as it is to "lose" subscribers, removing them improves outcomes for the rest of the list.
One SPF Record With 10+ Includes
Hitting the 10-lookup limit produces SPF permerror failures. Use SPF flattening if you have many third-party senders.
Monitoring Email Deliverability
Three free tools cover most needs:
- Google Postmaster Tools — Gmail-specific reputation, spam rate, authentication results. Free; required for any serious sender.
- MXToolbox SuperTool — DNS record checks (SPF, DKIM, DMARC), blacklist checks, deliverability tests. Free tier sufficient.
- Mail-Tester — send a test email to a unique address; receive a deliverability score. Free for 3 tests per day; useful pre-campaign sanity check.
For paid monitoring, GlockApps and 250ok offer inbox placement testing across major providers. Useful for high-volume senders ($300–$2000/month range).
When Lightweight Setup Is Enough (Not For You)
Skip the full enterprise-grade setup if:
- You send under 100 emails per month total. Personal-level sending volume rarely hits deliverability problems. SPF + DKIM + basic DMARC is sufficient.
- You only send transactional email through a reputable provider (Stripe receipts, Postmark transactional). The provider handles infrastructure; your only job is SPF/DKIM/DMARC at the DNS level.
- You're pre-revenue and email is one of 10 things on your plate. Set up SPF/DKIM/DMARC properly and move on. Optimization makes sense after you have volume to optimize.
Conclusion
Email deliverability is the foundation that makes every other email investment work. SPF, DKIM, and DMARC are non-negotiable in 2026. Domain warmup is required for new sending. Subdomain segmentation protects you from your own campaign mistakes. Engagement-based sending and disciplined list hygiene maintain the reputation that determines whether your messages reach the inbox or the spam folder.
The technical setup takes a day; the operational discipline takes ongoing attention. Get both right and email becomes one of the highest-ROI acquisition and retention channels available. Skip them and the rest of your email strategy executes in the spam folder.
Pair this technical foundation with strong cold email mechanics, thoughtful email list growth, and disciplined marketing attribution — together they form the email-operations layer that compounds for years.
Frequently Asked Questions
What is email deliverability?
Email deliverability is the percentage of your sent emails that reach the inbox (vs spam or being rejected entirely). Healthy deliverability for major receivers (Gmail, Outlook, Yahoo) is 95%+ inbox placement. Below 85%, your sender reputation has issues — usually traceable to missing authentication (SPF/DKIM/DMARC), inadequate domain warmup, poor list hygiene, or excessive sending volume per inbox.
Do I need SPF, DKIM, and DMARC?
Yes, all three. SPF authorizes sending IPs, DKIM cryptographically signs messages, and DMARC tells receivers what to do with authentication failures. Since 2024, Gmail and Yahoo mandate all three for bulk senders. Without them, your email increasingly goes to spam, often invisibly. The setup takes a day; the protection is permanent.
How do I improve email deliverability?
Five priorities. (1) Set up SPF, DKIM, and DMARC properly — move DMARC to p=reject within 8 weeks. (2) Use separate subdomains for transactional, marketing, and cold outbound. (3) Warm up new sending domains for 4–6 weeks before scale sending. (4) Stay under per-inbox daily volume limits (30–50 for cold outbound). (5) Remove disengaged subscribers quarterly — sending to dead addresses damages your reputation with engaged ones.
What's the difference between SPF and DKIM?
SPF (Sender Policy Framework) lists the IPs authorized to send email on behalf of your domain — a DNS-based access control list. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each outgoing message, verifying it wasn't modified in transit and confirming the sender's authority. Both are required; they protect against different attack vectors.
What is DMARC and what should my policy be?
DMARC tells receiving mail servers what to do when SPF or DKIM authentication fails — accept anyway (p=none), quarantine to spam (p=quarantine), or reject entirely (p=reject). Start with p=none to gather reports, move to p=quarantine after 4 weeks of clean data, and reach p=reject by week 8. By 2026, p=reject is the expected production state for any serious sender.
Should I use a separate domain for cold email?
Yes, always. Cold email can trigger blacklisting that damages your primary domain's deliverability for all email — including customer communications. Buy a lookalike domain (e.g., 'get-yourcompany.com' instead of 'yourcompany.com'), set up SPF/DKIM/DMARC, run 4–6 weeks of warmup, and send cold outbound only from there. The cost is $10/year for the domain and a few hours of setup.
How do I warm up a new email sending domain?
Two approaches. Manual: send small volumes of conversational email to engaged recipients for 4–6 weeks, gradually scaling from 10/day to 500/day. Automated: use a warmup tool (Lemwarm, Mailwarm, Instantly, Smartlead) that simulates conversation by sending to a network of warmup inboxes. Automated is faster and more reliable for cold outbound at scale ($15–$50 per inbox/month). Manual works for low-volume use cases.

About Daniel Park
CTO & Technology Editor
Daniel Park spent eight years as an engineering lead at Google before leaving to build his own SaaS company, which he bootstrapped to $3M ARR and eventually sold. With an MS from Carnegie Mellon and an AWS Solutions Architect certification, he writes about the technical decisions that make or break startups — from choosing your stack to hiring your first engineers.
