DMARC
DMARC for cold email: the 5-minute setup that saves a launch
June 10, 2026 · OutboundQA
On this page
Most cold email campaigns that underperform do not have a copy problem. They have an infrastructure problem, and the most common one is a missing or weak DMARC record. Since Google and Yahoo tightened their sender rules, DMARC went from nice-to-have to required. Here is the five-minute version.
What DMARC actually does
DMARC is a DNS TXT record at _dmarc.yourdomain. It tells receiving servers two things: what to do with mail that fails SPF and DKIM, and where to send reports about that mail. Without it, a receiver has no policy to follow and treats your domain as less trustworthy.
DMARC builds on two records you should already have:
- SPF lists which servers may send for your domain.
- DKIM signs your mail so receivers can verify it was not tampered with.
DMARC ties them together and enforces a policy when they fail.
The three policy levels
The policy lives in the p= tag:
p=noneis monitor only. Reports come in, nothing is enforced. Safe to start with.p=quarantinesends failing mail to spam.p=rejectblocks failing mail outright.
For a new cold email domain, start at p=none, watch the reports for a week or two, fix any source that is failing, then move to p=quarantine. You get the protection without accidentally sending your own legitimate mail to spam on day one.
The 5-minute setup
- Confirm SPF exists and is a single valid record. Run it through the SPF checker.
- Confirm DKIM is set up in your sending tool and the selector is published.
- Add a DMARC record at
_dmarc.yourdomainwith a starting policy ofp=noneand a reporting address. - Wait for reports, fix failing sources, then raise the policy to quarantine.
You can verify the result in seconds with the DMARC checker.
The mistakes that break launches
- No DMARC at all. The single most common blocker. Google and Yahoo bulk-sender rules expect it.
- Stuck on p=none forever. Monitoring is not protection. Move up once your sources are clean.
- SPF over 10 lookups. DMARC depends on SPF passing, and SPF silently fails past 10 DNS lookups. Cold email stacks hit this fast.
- DKIM selector not published. The signature exists in the tool but the public key is not in DNS, so verification fails.
Where this fits in a launch
DMARC is one of seventeen checks in a proper pre-launch pass. The others, tracking domain SSL, blacklist status, domain age, and the rest, fail just as quietly. If you run campaigns for clients, the fastest way to avoid the “performance dropped and now the client is asking questions” conversation is to verify all of it before launch and keep a record you can show.
That is exactly what a launch QA pilot does: upload the workspace domains and inboxes, get a Ready, Needs Fix, or Do Not Launch verdict with the exact fixes, and a report you can hand to your team or client.
Run the pre-flight check on your next outbound launch
Upload the domains and inboxes, get a verdict and the exact fixes, and a report you can share.