Skip to content
OutboundQA
All posts

DMARC

DMARC for cold email: the 5-minute setup that saves a launch

June 10, 2026 · OutboundQA

On this page
  1. What DMARC actually does
  2. The three policy levels
  3. The 5-minute setup
  4. The mistakes that break launches
  5. Where this fits in a launch

Most cold email campaigns that underperform do not have a copy problem. They have an infrastructure problem, and the most common one is a missing or weak DMARC record. Since Google and Yahoo tightened their sender rules, DMARC went from nice-to-have to required. Here is the five-minute version.

What DMARC actually does

DMARC is a DNS TXT record at _dmarc.yourdomain. It tells receiving servers two things: what to do with mail that fails SPF and DKIM, and where to send reports about that mail. Without it, a receiver has no policy to follow and treats your domain as less trustworthy.

DMARC builds on two records you should already have:

  • SPF lists which servers may send for your domain.
  • DKIM signs your mail so receivers can verify it was not tampered with.

DMARC ties them together and enforces a policy when they fail.

The three policy levels

The policy lives in the p= tag:

  • p=none is monitor only. Reports come in, nothing is enforced. Safe to start with.
  • p=quarantine sends failing mail to spam.
  • p=reject blocks failing mail outright.

For a new cold email domain, start at p=none, watch the reports for a week or two, fix any source that is failing, then move to p=quarantine. You get the protection without accidentally sending your own legitimate mail to spam on day one.

The 5-minute setup

  1. Confirm SPF exists and is a single valid record. Run it through the SPF checker.
  2. Confirm DKIM is set up in your sending tool and the selector is published.
  3. Add a DMARC record at _dmarc.yourdomain with a starting policy of p=none and a reporting address.
  4. Wait for reports, fix failing sources, then raise the policy to quarantine.

You can verify the result in seconds with the DMARC checker.

The mistakes that break launches

  • No DMARC at all. The single most common blocker. Google and Yahoo bulk-sender rules expect it.
  • Stuck on p=none forever. Monitoring is not protection. Move up once your sources are clean.
  • SPF over 10 lookups. DMARC depends on SPF passing, and SPF silently fails past 10 DNS lookups. Cold email stacks hit this fast.
  • DKIM selector not published. The signature exists in the tool but the public key is not in DNS, so verification fails.

Where this fits in a launch

DMARC is one of seventeen checks in a proper pre-launch pass. The others, tracking domain SSL, blacklist status, domain age, and the rest, fail just as quietly. If you run campaigns for clients, the fastest way to avoid the “performance dropped and now the client is asking questions” conversation is to verify all of it before launch and keep a record you can show.

That is exactly what a launch QA pilot does: upload the workspace domains and inboxes, get a Ready, Needs Fix, or Do Not Launch verdict with the exact fixes, and a report you can hand to your team or client.

Run the pre-flight check on your next outbound launch

Upload the domains and inboxes, get a verdict and the exact fixes, and a report you can share.