Sabo Nagy

Posted on • Originally published at maildeck.co

We Audited 1,000+ Cold Email Domains. 67% Had Broken DNS Authentication.

If you manage domains for cold email, there is a good chance your DNS authentication is silently broken.

We audited DNS configurations across 1,000+ domains onboarded to MailDeck (we provide cold email infrastructure across Microsoft 365, Google Workspace, and SMTP for 1,500+ clients). Two-thirds of those domains had at least one critical SPF, DKIM, or DMARC error before we fixed it.

The errors are silent. You won't see a bounce. You won't get an alert. Your emails just quietly move to spam and you have no idea why.

Here are the top 5 errors by frequency:

1. Multiple SPF records (23% of domains)

Someone adds an SPF record for Microsoft 365. Later, someone else adds a separate SPF record for a marketing tool. Now there are two v=spf1 records. Per RFC 7208, only one is allowed. Result: permerror, SPF fails.

# Wrong: two separate records
v=spf1 include:spf.protection.outlook.com -all
v=spf1 include:sendgrid.net -all

# Correct: merged into one
v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all

Check yours: dig TXT yourdomain.com +short | grep "v=spf1"

If you see more than one line, fix it now.

2. No DMARC record (19%)

SPF and DKIM configured. DMARC missing entirely. Without DMARC, receiving servers have no policy guidance for failed authentication. Add this immediately:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;

Then progress to p=quarantine after 2-4 weeks, then p=reject.

3. SPF ending with +all (14%)

This literally tells every server in the world "anyone can send email as my domain." There is no legitimate reason to use +all. Replace with -all.

4. Exceeding 10 DNS lookups (12%)

Each include: in your SPF record counts as a lookup. Nested includes count too. More than 10 in total and SPF evaluation fails (permerror), again with nothing visible on your side. Check with MXToolbox SPF Lookup.

5. DKIM never turned on (11%)

Both Microsoft 365 and Google Workspace require manual DKIM activation. It is not on by default. Verify by sending a test email to mail-tester.com.

Quick verification commands

# Check SPF
dig TXT yourdomain.com +short | grep "v=spf1"

# Check DMARC
dig TXT _dmarc.yourdomain.com +short

# Check DKIM (Microsoft 365)
dig CNAME selector1._domainkey.yourdomain.com +short

All three should return results. If any is empty, you have a problem.
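The dig commands above check one domain by hand. The script below is an added example (mine, not MailDeck's and not from the post) that applies errors 1 to 4 in code: it counts SPF records, flags a trailing +all, walks nested includes to count DNS lookups against the RFC 7208 limit of 10, and checks for a DMARC record. It runs offline against a constructed dictionary of TXT records using .test placeholder domains; swapping that dictionary for live DNS queries is the only change needed to audit real zones.

```python
import re

SAMPLE_TXT = {  # constructed sample zone data (domain -> TXT records), not live DNS
    "dup.test": ["v=spf1 include:provider-a.test -all", "v=spf1 include:provider-b.test -all"],  # error 1
    "open.test": ["v=spf1 include:provider-a.test +all"],  # error 3
    "heavy.test": ["v=spf1 " + " ".join(f"include:s{i}.test" for i in range(11)) + " -all"],  # error 4
    "good.test": ["v=spf1 include:provider-a.test include:provider-b.test -all"],
    "_dmarc.good.test": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@good.test;"],
    "provider-a.test": ["v=spf1 include:provider-b.test a mx -all"],  # nested include: counts too
    "provider-b.test": ["v=spf1 ip4:192.0.2.0/24 -all"],  # ip4/ip6 terms need no lookup
    **{f"s{i}.test": ["v=spf1 ip4:203.0.113.0/24 -all"] for i in range(11)},
}

def spf_records(txt, domain):
    return [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]

def count_lookups(txt, domain, path=()):
    # Count DNS-querying terms (include, a, mx, ptr, exists, redirect), recursing into include:/redirect=
    recs = spf_records(txt, domain)
    if domain in path or len(recs) != 1:  # cycle guard; 0 or 2+ records is a permerror anyway
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        t = term.lstrip("+-~?").lower()
        if t.startswith(("include:", "redirect=")):
            total += 1 + count_lookups(txt, re.split("[:=]", t, maxsplit=1)[1], path + (domain,))
        elif re.match(r"(a|mx|ptr)([:/]|$)", t) or t.startswith("exists:"):
            total += 1
    return total

def audit(txt, domain):
    # Report the post's errors 1-4 for a domain; an empty list means all four checks pass
    recs, problems = spf_records(txt, domain), []
    if not recs:
        problems.append("no SPF record")
    elif len(recs) > 1:
        problems.append(f"multiple SPF records ({len(recs)})")
    else:
        if recs[0].split()[-1].lower() in ("+all", "all"):  # bare 'all' defaults to '+'
            problems.append("SPF ends with +all")
        if (n := count_lookups(txt, domain)) > 10:
            problems.append(f"SPF needs {n} DNS lookups (limit is 10)")
    if not any(r.startswith("v=DMARC1") for r in txt.get("_dmarc." + domain, [])):
        problems.append("no DMARC record")
    return problems

if __name__ == "__main__":
    for d in ("dup.test", "open.test", "heavy.test", "good.test"):
        print(d, audit(SAMPLE_TXT, d) or ["ok"])
```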

At MailDeck we automate SPF, DKIM, and DMARC for every domain during our 48-hour onboarding, specifically because manual setup fails so often. But whether you use MailDeck or manage DNS yourself, these five errors account for 79% of all authentication failures we see.

Full guide with all 10 errors, setup checklists for Microsoft 365 and Google Workspace, and free verification tools: Read on maildeck.co
