Blog

Cold Email SPF, DKIM and DMARC Setup Guide [2026]

May 19, 2026 By Pavel Stoletov

Email authentication is the single largest determinant of whether your cold emails reach the inbox in 2026. Domains with SPF, DKIM, and DMARC properly configured hit 89% inbox placement in third-party testing, versus 74% for SPF + DKIM without DMARC, and 61% for SPF-only domains. EmailShield processes 100,000 emails per minute in bulk verification with sub-2-second single-email response times, hitting 99.8% verified accuracy via real SMTP handshakes on self-hosted proxy infrastructure, which lets us see authentication failures across millions of cold email sends every month. This guide covers the exact DNS configuration for cold email SPF DKIM DMARC setup in 2026, the 10-lookup limit that silently breaks SPF records, the policy ramp from p=none to p=reject, and the verification step that nine out of ten operators skip.

The reason this matters more than ever in 2026: Gmail and Yahoo started enforcing authentication for bulk senders in February 2024, Microsoft extended the same rules to Outlook in May 2025, and tolerance for misconfiguration is functionally zero. A single malformed include in your SPF record can drop your reply rate from 15% to under 2% overnight. We have seen it happen on client domains.

Why SPF, DKIM, and DMARC matter for cold email in 2026

Cold email at scale is functionally bulk email. The 2024 Gmail and Yahoo sender requirements made all three records mandatory for any domain sending 5,000+ messages per day to those providers. Microsoft followed in May 2025 with the same thresholds for Outlook.com, Hotmail, and Live addresses, with planned escalation from junk-routing to outright rejection via the 550 5.7.515 error code.

Even below the 5,000/day threshold, receivers use authentication as a primary trust signal. According to a 2026 Martal Group report cited across the industry, roughly 17% of cold emails never reach the inbox due to poor domain authentication, high bounce rates, or spam-triggering content. The Validity benchmark puts the figure at 1 in 6 legitimate messages globally.

Here is what authentication actually proves to a receiving server:

Protocol	What it proves	Layer
SPF	The IP that connected is authorized to send for your domain	Network
DKIM	The message was signed by your domain and was not altered in transit	Cryptographic
DMARC	What to do when SPF or DKIM fail to align, plus reporting	Policy

A useful mental model: SPF is the guest list, DKIM is the wax seal on the envelope, DMARC is the bouncer who decides what happens when someone fails the check. All three exist because SMTP, the protocol email is built on, has no native way to verify that a message claiming to come from you actually did.

For cold outreach specifically, the bar is higher than transactional or newsletter sends. You are reaching out to people who did not opt in, which means receivers scrutinize your sender reputation harder. Authentication is the minimum entry fee.

Map your sending universe before you touch DNS

Before writing a single DNS record, document every system that sends email as your domain. Every one of them needs to appear in SPF and sign with DKIM. Skip one and you have a sender that fails alignment, which corrupts your DMARC reports and limits how far you can ramp policy.

A typical cold email stack in 2026:

Service category	Examples	Authentication impact
Mailbox provider	Google Workspace, Microsoft 365	SPF include + DKIM signing
Sequencer	Instantly, Smartlead, Lemlist	SPF include + DKIM signing
CRM	HubSpot, Salesforce, Close	SPF include if it sends mail
Transactional	Postmark, SendGrid, AWS SES	SPF include + DKIM signing
Marketing automation	Customer.io, ActiveCampaign	SPF include + DKIM signing
Monitoring / forms	Cal.com, Tally, internal tools	SPF include if relevant

A common pattern we see at EmailShield Full Scan: a client's Google Workspace and Smartlead are configured, but the CRM that sends meeting reminders is not. The reminders fail DMARC alignment, the rua reports flag the CRM IPs as unauthorized, and the operator cannot ramp past p=none because they cannot tell which failures are spoofing and which are their own forgotten tool.

Document the inventory in a single source of truth. Every time someone adds a new sender, audit it against SPF and DKIM the same day.

Domain architecture decision

Cold email belongs on dedicated sending domains, separate from your primary brand domain. Reasons:

Complaint rates and reputation damage on a dedicated domain do not touch your customer-facing email.
You can spin up 3 to 5 sending domains for rotation, capped at 4 to 6 mailboxes each, sending 40 to 50 emails per mailbox per day.
If a domain gets blacklisted, you burn the dedicated domain instead of the business.

Use simple extensions (.com, .co, .io). Avoid .xyz, .site, .top. Buy domains that resemble your brand without being the brand itself: yourbrand-mail.com, getyourbrand.com, tryyourbrand.io.

For ongoing list health on those dedicated domains, run every prospect list through list cleaning before the first send. Bounce rates above 2% to Gmail or Yahoo trigger throttling regardless of how clean your authentication is. EmailShield's list cleaning hits 99.8% verified accuracy via real SMTP handshakes on self-hosted proxy infrastructure, which catches addresses that DNS-only verifiers miss at 91 to 94% accuracy.

SPF setup for cold email domains

SPF (Sender Policy Framework) is a single DNS TXT record at the apex of your sending domain. It lists every IP and service authorized to send mail as your domain.

What an SPF record looks like

A typical cold email domain SPF record:

v=spf1 include:_spf.google.com include:amazonses.com ip4:198.51.100.0/24 -all

Breakdown of every part:

Part	Meaning
`v=spf1`	SPF version. Always v=spf1 in 2026.
`include:_spf.google.com`	Authorize Google Workspace senders
`include:amazonses.com`	Authorize AWS SES
`ip4:198.51.100.0/24`	Authorize this IPv4 range directly
`-all`	Hard fail. Reject anything else.

The qualifier at the end is your enforcement policy:

Qualifier	Behavior	Use for cold email
`-all`	Hard fail. Receivers reject unauthorized senders.	Recommended
`~all`	Soft fail. Receivers accept but mark suspicious.	Weak
`?all`	Neutral. No policy.	Effectively no SPF
`+all`	Pass everything.	Never use this

Use -all. The "soft fail" defense is a legacy compromise from when SPF was new and operators were nervous about breaking mail. In 2026 it just leaves a door open for spoofers.

How SPF gets evaluated

Recipient server receives mail claiming to be from you@yourdomain.com.
Sending IP is 203.0.113.10.
Recipient looks up yourdomain.com's SPF record via DNS.
Recipient walks the record and checks whether 203.0.113.10 is authorized.
Result: pass, fail, softfail, neutral, none, permerror, or temperror.

The result feeds into DKIM, then DMARC, then the final placement decision (inbox / junk / reject).

The full SPF specification is in RFC 7208. For Gmail-specific guidance, see Google's SPF setup documentation.

The 10-lookup limit that silently breaks SPF

This is the single most common SPF failure in cold email operations. SPF allows a maximum of 10 DNS lookups during evaluation. Every include:, a:, mx:, exists:, and redirect: mechanism consumes at least one lookup. Some include: mechanisms themselves contain nested includes, multiplying the cost.

A worked example. This SPF record looks fine at first glance:

v=spf1 include:_spf.google.com include:spf.mandrillapp.com include:sendgrid.net 
       include:_spf.salesforce.com include:_spf.hubspotmail.net 
       include:spf.smartlead.ai include:amazonses.com -all

Seven includes, you would expect seven lookups. In practice:

Include	Lookups consumed
`_spf.google.com`	4 (nested includes for Google's regional infrastructure)
`spf.mandrillapp.com`	2
`sendgrid.net`	2
`_spf.salesforce.com`	5 (nested)
`_spf.hubspotmail.net`	3
`spf.smartlead.ai`	1
`amazonses.com`	1
Total	18

The record returns permerror and receivers treat your mail as if you had no SPF at all. Reply rates collapse and no one understands why because the SPF "looks fine."

Audit lookup counts every time you add or remove a sender. EmailShield's DNS tools include an SPF validator that counts lookups including nested includes and flags when you cross 8 (the safe threshold). You can also verify against MXToolbox SPF Lookup.

If you cross the limit, options:

Remove includes for services you no longer use (most common fix).
Replace include: with direct ip4: ranges if the sender publishes static IPs.
Use SPF flattening services that resolve includes into a single record (carries ongoing maintenance cost as upstream IPs change).

Common SPF mistakes

Mistake	Consequence
Multiple SPF records	Permerror. Only one TXT record starting with `v=spf1` is allowed per hostname.
Exceeding 10 DNS lookups	Permerror. Mail treated as unauthenticated.
Using `+all`	Authorizes everyone. Defeats SPF entirely.
Forgetting subdomain SPF	If `mail.yourdomain.com` sends, it needs its own SPF record.
Wildcard subdomain without SPF	Spoofers can use `random.yourdomain.com` as the bounce address.

Subdomains do not inherit SPF from the parent automatically. If you send from mail.yourdomain.com, that hostname needs its own TXT record.

DKIM setup for cold email domains

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message you send. The receiving server fetches your public key from DNS, verifies the signature against the message headers and body, and gets a pass/fail.

A passing DKIM is the strongest authentication signal. It survives forwarding (unlike SPF, which fails when a forwarder's IP no longer matches), and the signature is hard to forge.

How DKIM works mechanically

Your sending service generates a key pair (public + private).
You publish the public key as a DNS TXT record at <selector>._domainkey.yourdomain.com.
When you send mail, the sending server signs the headers and body with the private key and adds a DKIM-Signature header.
The receiver reads the header, sees which selector you used, fetches the public key from DNS, verifies the signature.
Result: pass, fail, or none.

A real DKIM-Signature header looks like:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=yourdomain.com; s=google;
        h=from:to:subject:date:message-id;
        bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
        b=Hzv8Tm9Lkj3kqL+e9...

The receiver uses d= (domain) and s= (selector) to look up the public key, then verifies the signature b= against the hashed headers and body bh=.

Selectors and why you need a unique one per service

A selector is a short label that lets you publish multiple DKIM keys for one domain. Example:

google._domainkey.yourdomain.com for Google Workspace
selector1._domainkey.yourdomain.com for Microsoft 365
s1._domainkey.yourdomain.com for SendGrid
smartlead._domainkey.yourdomain.com for Smartlead

Each service gets its own selector. This lets you rotate keys per service without affecting others.

The common mistake we see at EmailShield Full Scan: an operator enables DKIM in Google Workspace, copies that DKIM record into DNS, and thinks they are done. Their Smartlead sends arrive unsigned at the Smartlead selector, fail DKIM, and fail DMARC alignment. Half the campaign goes to spam, and the cause is invisible until someone runs a Full Scan or opens the DMARC reports.

A DKIM DNS record

The DNS record at <selector>._domainkey.yourdomain.com:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDpYV...

Parts:

Part	Meaning
`v=DKIM1`	DKIM version
`k=rsa`	Algorithm. RSA is standard. Ed25519 also supported.
`p=...`	The public key (base64 RSA)

The private key never leaves your sending server.

Key size and rotation cadence

Key size	Status in 2026
RSA 1024-bit	Deprecated. Modern receivers downgrade trust.
RSA 2048-bit	Current recommended standard
Ed25519	Modern, smaller signatures, gaining adoption

Rotate keys every 6 to 12 months, or immediately after staff changes that touched the private key. The dual-selector rotation pattern:

Generate a new key pair in the sending service.
Publish the new public key at a new selector (e.g., google2._domainkey.yourdomain.com).
Wait 48 hours for DNS propagation.
Switch the sender to sign with the new selector.
Leave the old selector in DNS for 30 days (in-flight mail signed with the old key needs to verify).
Remove the old selector.

DKIM key truncation: a quiet failure mode

DNS TXT records have a 255-character per-string limit. A full 2048-bit RSA public key is longer than that. Some DNS providers split the key into multiple quoted strings automatically:

"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNAD" "CBiQKBgQDpYV..."

Budget DNS providers sometimes truncate silently, leaving you with a partial key that fails verification. If DKIM fails despite the record being present, check the published key against what your provider issued, byte for byte. EmailShield's DKIM selector discovery tool probes common selectors, returns the published key, and validates format and size.

Common DKIM mistakes

Mistake	Consequence
Truncated public key in DNS	Verification fails. Mail looks unsigned.
Wrong selector in DNS vs. signing config	Mismatch. Receivers cannot find the key.
Multiple TXT records at the same selector	Some receivers fail to verify.
Key smaller than 1024 bits	Modern receivers reject outright.
Failing to rotate	Compromised key stays valid indefinitely.

DMARC setup for cold email domains

DMARC (Domain-based Message Authentication, Reporting, and Conformance) sits on top of SPF and DKIM. It tells receivers what to do when SPF and DKIM both fail alignment with the visible From domain, and gives you daily reports of who is sending mail as your domain.

DMARC passes when at least one of SPF or DKIM passes and aligns with the From domain. DMARC fails when both fail or neither aligns.

The full DMARC specification is in RFC 7489.

How DMARC evaluation works

When a receiver gets mail claiming to be from you@yourdomain.com:

Check SPF. Does the sending IP match your SPF record? Pass or fail.
Check DKIM. Is the message signed by your domain? Pass or fail.
Check alignment. Does the domain in the SPF or DKIM result match the domain in the From: header?
Check DMARC policy. Look up _dmarc.yourdomain.com for your policy.
Apply policy based on the result.

A DMARC record

A starter DMARC record for a cold email domain:

v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; ruf=mailto:forensic@yourdomain.com; pct=100; aspf=r; adkim=r

Parts:

Part	Meaning
`v=DMARC1`	DMARC version
`p=none`	Policy. Options: none, quarantine, reject
`rua=`	Where to send aggregate (daily summary) reports
`ruf=`	Where to send forensic (per-failed-message) reports
`adkim=r`	DKIM alignment: r (relaxed) or s (strict)
`aspf=r`	SPF alignment: r or s
`pct=100`	Percentage of failing mail to apply policy to
`sp=`	Subdomain policy (optional, inherits from p= if omitted)

Alignment: strict vs relaxed

**Relaxed (r, default)**: organizational domain must match. mail.yourdomain.com aligns with yourdomain.com.
**Strict (s)**: exact domain match required. mail.yourdomain.com does not align with yourdomain.com.

Most senders use relaxed. Strict is for high-security setups where any subdomain mismatch should fail.

The DMARC policy ramp: do not jump to p=reject on day one

This is where most cold email programs blow up. Setting p=reject before every legitimate sender is aligned blocks your own mail. We have audited domains where the operator set p=reject on launch, then could not figure out why their transactional emails (password resets, calendar invites, billing receipts) were rejected.

The correct progression:

Week 1-2:    p=none           Reporting only. No enforcement.
Week 3:      p=quarantine; pct=25     Quarantine 25% of failures.
Week 4:      p=quarantine; pct=50     Quarantine 50% of failures.
Week 5:      p=quarantine; pct=75     Quarantine 75% of failures.
Week 6:      p=quarantine; pct=100    All failing mail goes to spam.
Week 7-8:    p=reject; pct=100        Failing mail is rejected outright.

At each step, watch the aggregate reports for unexpected failure spikes. A spike means a legitimate sender just got blocked. Pause the ramp, identify the sender, fix SPF or DKIM, then continue.

Specific gates between phases:

From	To	Gate
`p=none`	`p=quarantine; pct=25`	Zero unknown senders in rua reports for 7 days
`p=quarantine; pct=25`	`p=quarantine; pct=50`	No spike in your own bounce rate at Gmail Postmaster Tools
`p=quarantine; pct=100`	`p=reject; pct=100`	14 consecutive days of pass rate above 99% on known senders

DMARC reports (rua aggregate)

Aggregate reports are XML files that mailbox providers send daily to the address in your rua= tag. They include:

Which IPs sent mail claiming to be from your domain.
How many messages from each IP.
SPF and DKIM results per source.
Whether DMARC alignment passed or failed.

Raw XML is unreadable. A single day's report from Gmail for a moderately active domain can be 200 KB of XML with hundreds of <record> elements. You need a parser that aggregates and visualizes the data. EmailShield's DMARC monitoring ingests the XML at a unique reporting address, groups by sending source, and surfaces a policy-readiness indicator that tells you when it is safe to move from p=none to p=quarantine.

Free alternatives exist (Postmark's DMARC weekly digest, dmarcian's free tier) but they all hit volume or domain limits quickly. For more than 1 to 2 domains under monitoring, dedicated tooling is non-negotiable.

Common DMARC mistakes

Mistake	Consequence
Jumping straight to `p=reject`	Block your own legitimate mail.
Forgetting subdomain policy (`sp=`)	Subdomains inherit `p=` unless overridden.
Setting `pct=` low and forgetting to raise it	Permanent partial enforcement.
Wrong or unreachable `rua=` address	No reports. No visibility.
Strict alignment when senders use subdomains	Legitimate mail fails alignment.

Validation: the step nine out of ten operators skip

This is the difference between a cold email program that produces meetings month after month and one that fails in week 8. After every DNS change, validate with a real test send before sending a single prospect.

The 4-tool validation playbook

Real test send to Gmail. Send a message from each authorized sender to a Gmail address you control. Open the message, click the three-dot menu, "Show Original." Verify:

SPF: PASS with IP <sending IP>
DKIM: 'PASS' with domain <yourdomain.com>
DMARC: 'PASS'

If any of the three shows FAIL, fix it before doing anything else.

MXToolbox SuperTool. Run lookups on:

<yourdomain.com> MX
<yourdomain.com> TXT (returns SPF and any other TXTs)
_dmarc.<yourdomain.com> TXT
<selector>._domainkey.<yourdomain.com> TXT for each selector

Confirm each returns exactly one record of the expected type.

Google Postmaster Tools. Add your sending domains to Google Postmaster Tools. Watch:

Spam rate: must stay under 0.3% per Google's Bulk Sender Guidelines.
Domain reputation: target "High" or "Medium."
IP reputation: secondary signal.
Authentication: SPF, DKIM, DMARC pass rates should be 99%+.

EmailShield Full Scan. Run a Full Scan on each sending domain. Free for one-off diagnostics. It audits SPF (including lookup count), DKIM (selector discovery and key size), DMARC (policy and alignment), and cross-references against 100+ blacklists in a single report. If anything is broken, the scan flags it with the specific record and the specific fix.

Specific failures to watch for in production

Symptom	Likely cause	Where to look
SPF returns permerror	Lookup count over 10	MXToolbox SPF Lookup
DKIM signature missing	Sender not configured to sign	Sender's admin console
DKIM verifies but DMARC fails	Selector domain mismatch (alignment)	Show Original headers
Mail rejected at Outlook	Authentication failure + reputation	Microsoft SNDS
Reply rate drops 30%+ overnight	DNS change broke a record	Diff DNS against backup

For Microsoft-specific monitoring, Microsoft SNDS gives you per-IP reputation data. Combined with Postmaster Tools for Gmail and DMARC monitoring for everything else, you have full visibility into how every major provider sees your mail.

Domain warmup: authentication is necessary but not sufficient

Authentication gets your mail past the first filter. Sender reputation determines what happens next. A new domain or mailbox that immediately starts sending 50 emails per day will land in spam from day one regardless of how clean the DNS is.

The 2026 warmup cadence we recommend:

Week	Daily volume per inbox	Activity
Week 1	5 to 10	Auto-warmup tool only
Week 2	10 to 20	Warmup + first manual replies
Week 3	20 to 30	Warmup + 5 to 10 real prospect sends
Week 4	30 to 40	Warmup tapering, more real sends
Week 5 to 6	40 to 50	Full prospect volume, warmup tapered to baseline

A few hard limits:

Hard cap at 50 emails per mailbox per day for Gmail and Microsoft 365 in 2026. Above that, throttling kicks in.
Total daily volume goes up by adding inboxes, not by raising per-inbox volume.
Authentication must be live before warmup starts. Warming up without DKIM signing teaches receivers to trust an unauthenticated sender, which is meaningless once you turn DKIM on.

For a worked architecture: a team targeting 500 cold emails per day needs roughly 10 to 12 mailboxes distributed across 3 to 5 sending domains, each fully authenticated, each warmed for 4 to 6 weeks before full volume.

Pre-launch checklist

Before sending a single prospect email from a new domain, every one of these must be green:

[ ] Dedicated sending domain registered (separate from primary brand domain)
[ ] Mailbox provider DKIM signing enabled
[ ] All sequencer / CRM / transactional services inventoried
[ ] SPF record published with all authorized senders, under 10 DNS lookups, ending in -all
[ ] DKIM published at unique selector per sending service
[ ] DKIM keys verified at 2048-bit RSA minimum
[ ] DMARC published at p=none with valid rua= address
[ ] Test send to Gmail shows SPF=PASS, DKIM=PASS, DMARC=PASS
[ ] MXToolbox shows clean lookups for SPF, DKIM, DMARC
[ ] Google Postmaster Tools account created and domain added
[ ] Microsoft SNDS account requested
[ ] Warmup tool configured at 5 to 10 emails per day per mailbox
[ ] Prospect list verified through EmailShield (bounce rate target under 2%)
[ ] DMARC policy ramp calendar scheduled (weeks 3, 5, 7 transitions)

Run this checklist before every new domain goes live. The 30 minutes it takes saves you the 60 days of debugging that happens when a record is wrong.

Frequently asked questions

What is the difference between SPF, DKIM, and DMARC?

SPF lists the IP addresses authorized to send mail as your domain. DKIM adds a cryptographic signature to every message so receivers can verify the body and headers were not altered. DMARC tells receivers what to do when SPF and DKIM both fail alignment with the visible From domain, and provides daily reports of who is sending as your domain. All three are required for inbox placement above 5,000 emails per day to Gmail, Yahoo, and Outlook as of 2026.

Do I need DMARC for cold email?

Yes. Gmail and Yahoo require a published DMARC record for any sender above 5,000 emails per day since February 2024, and Microsoft extended the same requirement to Outlook in May 2025. Cold email volume at scale crosses these thresholds across a few mailboxes per day. Domains with SPF, DKIM, and DMARC properly configured hit roughly 89% inbox placement in third-party testing versus 61% for SPF-only domains.

How long does SPF, DKIM, and DMARC take to propagate?

DNS propagation typically completes in 15 minutes to 4 hours, occasionally up to 48 hours for slow resolvers. Wait at least 24 hours after publishing SPF and DKIM before publishing DMARC so receivers cache the underlying records first. Validate with a real test send before assuming propagation is complete.

How often should I rotate DKIM keys?

Rotate DKIM keys every 6 to 12 months, or immediately after staff changes that touched the private key. Use the dual-selector method: publish the new selector, wait 48 hours for DNS propagation, switch the sender to sign with the new selector, then leave the old selector in DNS for 30 days before removing it. RSA 2048-bit is the current standard.

What DMARC policy should I start with for cold email?

Start with p=none and rua reporting for 2 weeks minimum. This generates aggregate reports without enforcement so you can identify every legitimate sender that is failing alignment. Move to p=quarantine; pct=25 once your known senders show stable pass rates, then increase pct gradually to 100 over 4 weeks. Move to p=reject only after the quarantine phase produces zero unexpected failures for 2 consecutive weeks.

Can I use one SPF record for multiple sending services?

Yes, and you must. Only one SPF record per hostname is allowed by RFC 7208. Combine every authorized sender into a single TXT record using include: mechanisms. Keep the total DNS lookups at or below 10 or receivers will return permerror and treat your mail as if you had no SPF at all. Audit the lookup count every time you add a new service.

Need pre-configured cold email inboxes?

Setting up SPF, DKIM, and DMARC across 10 to 12 mailboxes on 3 to 5 dedicated domains is a 6 to 10 hour exercise the first time you do it, and an ongoing maintenance burden every time you add or remove a sender. Most cold email teams either skip steps and pay for it in deliverability.

If you want cold email inboxes that arrive with SPF, DKIM, and DMARC already configured to current best practice, at the best prices on the market, go to maildeck.co. Pre-warmed dedicated domains, authentication done right on day one, ready to plug into Smartlead, Instantly, or whatever sequencer you run.

For the deliverability layer on top (list verification, blacklist monitoring, DMARC report aggregation), EmailShield handles the verification side at $0.00018 per email starting price, versus $0.00449 at MillionVerifier and $0.008 at ZeroBounce. Sign up at emailshield.co for 40,000 free credits and a free Full Scan on every sending domain.

Methodology

Data sources: EmailShield platform verification data across millions of cold email sends in 2025 to 2026, published bulk sender requirements from Google (February 2024) and Microsoft (May 2025), DMARC aggregate report parsing across EmailShield-monitored domains, RFC 7208 (SPF), RFC 6376 (DKIM), and RFC 7489 (DMARC).

Time period: data points reflect EmailShield's verification and monitoring activity from January 2025 through May 2026. Inbox placement comparisons (89% / 74% / 61%) sourced from InboxKit's published 2026 testing data across their account base.

Limitations: third-party inbox placement numbers vary by sample, vertical, and warmup state. The 89/74/61 split is directionally consistent across multiple 2026 benchmarks but specific percentages will shift by mailbox provider, domain age, and complaint rate. SPF lookup counts on common ESPs change as those providers update their infrastructure, so audit your record at least quarterly rather than trusting a single point-in-time measurement.

Last updated: May 2026.

Written by Pavel Stoletov, CTO at EmailShield. Pavel runs Email Verification & Deliverability Engineering, with 12+ years building SMTP verification systems and authentication monitoring infrastructure for senders processing 100,000+ emails per minute. Author page - LinkedIn