Email Sending Infrastructure: Complete DNS and IP Setup Guide for Cold Email
TL;DR
- Essential DNS records: SPF, DKIM, DMARC, MX, and custom tracking CNAME—all five must be configured correctly before sending any email
- SPF limit: Maximum 10 DNS lookups in your SPF record. Exceeding this makes SPF return a "permerror" result, which many receiving servers treat as a fail, destroying deliverability
- DMARC policy: Start with p=none (monitor only), move to p=quarantine after 30 days, then p=reject after 60 days for maximum deliverability boost
- Shared vs dedicated IP: Use shared IPs (Google Workspace, Microsoft 365) for cold email under 5,000 emails/day. Dedicated IPs only make sense above 10,000/day
- Provider recommendation: Google Workspace for Gmail-heavy audiences, Microsoft 365 for Outlook-heavy audiences, or both for maximum coverage
Email Infrastructure: The Foundation of Deliverability
Your email sending infrastructure is the invisible foundation that determines whether your messages reach the inbox or disappear into spam. Before any email copywriting, list building, or campaign strategy matters, your infrastructure must be correctly configured. A perfectly written cold email sent from a misconfigured domain will never reach its intended recipient.
This guide covers everything you need to set up a professional email sending infrastructure from scratch, including DNS configuration, authentication protocols, provider selection, and ongoing maintenance.
DNS Records Explained
MX Records (Mail Exchange)
MX records tell the internet which servers handle email for your domain. Without MX records, your domain can send email but can't receive it—which looks suspicious to email providers.
Setup: These are automatically configured when you add your domain to Google Workspace or Microsoft 365. Verify they're correct using MXToolbox.
SPF Record (Sender Policy Framework)
SPF tells receiving servers which IP addresses and services are authorized to send email on behalf of your domain. It's a TXT record in your DNS that lists allowed senders.
Example for Google Workspace:
v=spf1 include:_spf.google.com ~all
Example for Google Workspace + a sending tool:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Critical rule: The 10 DNS lookup limit. SPF records can include a maximum of 10 DNS lookups (each "include:" counts as at least one lookup). Exceeding this limit causes SPF to return a "permerror" result, which many receiving servers treat as a fail. This is one of the most common and hardest-to-diagnose deliverability issues.
Check your SPF lookup count using MXToolbox's SPF record checker. If you're at or near 10, consider using SPF flattening services that replace DNS lookups with direct IP addresses.
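The lookup count described above can be checked mechanically. The following is an added example, not code from this guide or from MXToolbox: it counts the terms that trigger a DNS query under RFC 7208 (include, a, mx, ptr, exists, redirect), following nested includes. It assumes a constructed dictionary of TXT records in place of live DNS, and all domain names in it are made up.

```python
# SPF terms that trigger a DNS query during evaluation (RFC 7208, section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10

# Constructed TXT records standing in for live DNS so this runs offline.
# All names and contents are made up; no real provider's record is reproduced.
SAMPLE_TXT = {
    "example.test": "v=spf1 include:_spf.mailhost.test include:sender-a.test "
                    "include:sender-b.test a mx ~all",
    "_spf.mailhost.test": "v=spf1 include:_nb1.mailhost.test "
                          "include:_nb2.mailhost.test include:_nb3.mailhost.test ~all",
    "_nb1.mailhost.test": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_nb2.mailhost.test": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_nb3.mailhost.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "sender-a.test": "v=spf1 include:pool.sender-a.test ~all",
    "pool.sender-a.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "sender-b.test": "v=spf1 a:out.sender-b.test mx ~all",
}

def count_spf_lookups(domain, txt_records, path=()):
    """Worst-case count of DNS-querying terms for `domain`, following include/redirect."""
    if domain in path:
        raise ValueError(f"SPF loop: {' -> '.join(path + (domain,))}")
    record = txt_records.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record found for {domain}")
    total = 0
    for term in record.lower().split()[1:]:
        term = term.lstrip("+-~?")                 # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_spf_lookups(term[9:], txt_records, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0]                  # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1                             # the term itself costs one lookup
            if name == "include":                  # plus whatever the included record costs
                total += count_spf_lookups(arg, txt_records, path + (domain,))
    return total

def spf_lookup_status(domain, txt_records):
    """Return 'permerror' when the record exceeds the 10-lookup limit, else 'ok'."""
    return "permerror" if count_spf_lookups(domain, txt_records) > LOOKUP_LIMIT else "ok"

if __name__ == "__main__":
    n = count_spf_lookups("example.test", SAMPLE_TXT)
    print(f"example.test: {n} lookups -> {spf_lookup_status('example.test', SAMPLE_TXT)}")
```

The root record here lists only five terms that query DNS, yet the nested includes bring the total to 11, which is why the count has to be taken recursively rather than read off the top-level record.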
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to every email you send, allowing receiving servers to verify that the email wasn't modified in transit and that it genuinely came from your domain.
Setup: Google Workspace and Microsoft 365 both provide DKIM keys that you add as TXT or CNAME records in your DNS. The process varies by provider:
- Google Workspace: Admin console → Apps → Google Workspace → Gmail → Authenticate email → Generate new record → Add CNAME records to DNS
- Microsoft 365: Admin center → Settings → Domains → Select domain → DNS records → Add the two CNAME records shown
Important: DKIM must be explicitly enabled in Google Workspace—it's not on by default. Many senders skip this step and wonder why their authentication fails.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also provides reporting on who is sending email using your domain.
Progressive DMARC policy:
| Phase | Record | What It Does | When |
|---|---|---|---|
| Monitor | v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com | Reports failures but doesn't block anything | Day 1-30 |
| Quarantine | v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@yourdomain.com | Sends 50% of failing emails to spam | Day 31-60 |
| Enforce | v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com | Rejects all failing emails | Day 61+ |
Starting with p=reject on day 1 is risky—if any legitimate emails fail authentication, they'll be rejected. The progressive approach lets you identify and fix issues before enforcement begins.
Custom Tracking Domain (CNAME)
If you use an email sending platform that tracks opens or clicks, configure a custom tracking domain to avoid using the platform's shared tracking domain. Shared tracking domains can carry reputation from other senders.
Email Provider Selection
| Provider | Cost/Mailbox | Daily Limit | Best For | Reputation Advantage |
|---|---|---|---|---|
| Google Workspace | $7/mo | 500/day (new), 2,000/day (established) | Gmail-heavy audiences | Native Gmail reputation signals |
| Microsoft 365 | $6/mo | 10,000/day | Outlook/M365-heavy audiences | Native Microsoft reputation |
| Zoho Mail | $1-3/mo | 500/day | Budget setups | Neutral—neither advantage nor disadvantage |
| Amazon SES | $0.10/1,000 | 50,000+/day | High-volume transactional + cold mix | Requires careful IP warmup |
| SMTP.com / Postmark | Varies | Varies | Dedicated sending infrastructure | Clean IP pools |
Recommendation for most cold email senders: Use Google Workspace as your primary sending provider. Gmail-originated emails receive favorable treatment within Gmail's ecosystem, and Google Workspace's built-in reputation management helps maintain deliverability. For audiences heavily weighted toward Outlook, add Microsoft 365 mailboxes.
Shared IPs vs Dedicated IPs
When you send through Google Workspace or Microsoft 365, you're sending from their shared IP pools—alongside millions of other senders. This is actually an advantage for cold email senders for several reasons:
- Inherited reputation: Google and Microsoft's IP pools have excellent baseline reputation. Your emails benefit from this shared reputation.
- No IP warmup needed: Dedicated IPs require weeks of gradual volume increase. Shared IPs are pre-warmed.
- Volume flexibility: You can scale up and down without IP reputation consequences.
Dedicated IPs only make sense if you're sending 10,000+ emails per day consistently. Below that volume, dedicated IPs are actually riskier because you don't have enough positive sending volume to build and maintain IP reputation.
Multi-Domain Infrastructure Strategy
For cold email at any meaningful scale, you need multiple sending domains. Here's the recommended structure:
- Primary domain: yourcompany.com — Never use for cold email. Reserved for transactional, marketing, and internal email.
- Secondary domains (3-5): Variations like tryyourcompany.com, getyourcompany.io, yourcompanymail.com — Used for cold outreach, each with 1-3 mailboxes.
- Mailboxes per domain: 2-3 mailboxes per domain maximum. More than 3 concentrates too much sending volume on a single domain.
- Emails per mailbox: 30-50 new prospects per day per mailbox (including follow-ups).
Infrastructure Verification Checklist
Before sending your first campaign, verify every item:
- SPF: Check with MXToolbox. Must show "Pass" and be under 10 lookups.
- DKIM: Send a test email to mail-tester.com. DKIM must show "Signed and verified."
- DMARC: Verify with MXToolbox DMARC checker. Must show a valid record.
- Reverse DNS (PTR): Your sending IP should resolve back to your domain. Usually handled by your email provider.
- Blacklist check: Search your domain and IP on MXToolbox blacklist checker. Must be clean.
- Website: Your sending domain should have a basic website with SSL. Domains with no web presence look suspicious.
- Warmup active: Email warmup should be running for at least 14 days before any campaign sending.
Email infrastructure is a set-it-and-maintain-it foundation. Get it right once, verify it regularly, and your cold email campaigns will start from a position of strength. Skip or misconfigure any element, and even the best email copy in the world won't reach the inbox.