$ man dns-records

DNS Records (SPF / DKIM / DMARC)

Three DNS authentication records that prove your emails are legitimate. SPF says which servers can send on your behalf. DKIM adds a cryptographic signature. DMARC tells receiving servers what to do if SPF or DKIM fail.

Without these three records, your emails look unverified to inbox providers. Google and Microsoft check all three before deciding whether to deliver, flag, or reject your message. Missing SPF? Suspicious. No DKIM? No signature. No DMARC? No policy. You're basically sending unsigned mail from an unverified address. Most cold emailers skip DMARC entirely. That's a mistake.

Every secondary domain I set up gets all three configured before a single email sends. SPF points to the sending platform (Instantly's servers). DKIM gets configured through the inbox provider (Google Workspace or Microsoft 365). DMARC starts at p=none for monitoring, then moves to p=quarantine once I confirm alignment. I verify all three with MXToolbox before warmup starts. If any record is missing or misconfigured, I don't send.