Domain Warmup Guide: Building Sending Reputation

DNS configuration, authentication setup, and the complete process for establishing domain credibility with email providers

Domain Warmup vs IP Warmup

While IP warmup focuses on building reputation for the actual sending servers, domain warmup establishes the credibility of your FROM domain. Both are necessary, but domain reputation often takes longer to establish—typically 6-12 weeks for full trust.

📡 What Domain Reputation Affects

Email authentication validity - Without proper domain authentication, emails fail DMARC
ISP filtering decisions - Gmail and Outlook both evaluate domain-level signals
SPF/DKIM alignment - DMARC requires proper alignment between envelope and header domains
Branded link reputation - Short links and tracking domains carry reputation signals

DNS Configuration Checklist

Before sending a single email, ensure all DNS records are properly configured. These records tell receiving mail servers WHO you are and that you authorize the sending servers.

Pre-Warmup DNS Checklist

  • SPF record includes ALL sending IPs and third-party services
  • DKIM record added with correct selector and public key
  • DMARC policy record published (at minimum: p=none)
  • PTR records created for all sending IPs
  • MX records properly configured if receiving mail
  • Domain verified in Google Postmaster Tools
  • Domain registered in Microsoft SNDS
  • Yahoo Plus Allied Senders registration complete

SPF Record Configuration

SPF (Sender Policy Framework) defines which mail servers are authorized to send email for your domain. It is the first authentication check most receiving servers perform.

Basic SPF Record

TXT @ v=spf1 include:_spf.cloudmails.eu ~all 3600

SPF Record with Multiple Sending Sources

TXT @ v=spf1 ip4:YOUR_IP_1 ip4:YOUR_IP_2 include:_spf.cloudmails.eu include:servers.mcsv.net ~all 3600

⚠️ SPF Includes are Cumulative

When you use include: statements, all included IP ranges are added to your authorized sending list. Running more than 10 DNS lookups in your SPF record will cause soft failures. Use -all instead of ~all once you're certain all sources are correct.

DKIM Record Configuration

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email. Receiving servers verify this signature against your published public key in DNS.

DKIM Record Format

TXT selector._domainkey.yourdomain.com
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7K8t... 3600

Testing DKIM Signature

After adding your DKIM record, test it using Google's DKIM validation tool or send a test email to check-auth@verifier.port25.com

🔑 DKIM Key Length Requirements

Modern DKIM implementations require minimum 1024-bit keys. 2048-bit keys are recommended for future compatibility. Some older DNS providers have limits on TXT record values—split long keys if necessary.

DMARC Record Configuration

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together with a policy that tells receivers what to do when authentication fails.

Initial DMARC Record (Monitoring)

TXT _dmarc.yourdomain.com
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100 3600

Progressive DMARC Policies

Phase 1: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100

Phase 2: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100

Phase 3: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100

✅ DMARC Progression Timeline

Week 1-4: p=none (monitor only)
Week 5-8: Analyze reports, fix alignment issues
Week 9-12: p=quarantine (send suspicious mail to spam)
Week 13+: p=reject (block unauthorized mail completely)

PTR (Reverse DNS) Configuration

Reverse DNS maps IP addresses back to domain names. It is checked by most enterprise email systems and should match your forward DNS.

PTR mail.yourdomain.com YourSendingIP

Most cloud providers allow setting PTR records through their console:

  • AWS EC2: Elastic IP association in EC2 console
  • Google Cloud: Cloud DNS reverse lookup configuration
  • DigitalOcean: Networking → Networking → Create reverse DNS
  • Vultr/Linode: Networking → IP Management → Reverse DNS

⚠️ PTR Mismatch Causes Instant Rejection

If forward DNS for mail.yourdomain.com resolves to IP 1.2.3.4, but the PTR record for 1.2.3.4 points to mail.differentdomain.com, many servers will reject mail outright. Always ensure alignment.

Domain Warmup Timeline

Week 1-2: Authentication Verification

Verify all DNS records propagate correctly. Use dig or online DNS lookup tools to confirm. Send test emails to personal accounts at Gmail, Outlook, Yahoo. Verify they arrive in inbox and authentication passes.

Week 3-4: Seed List Distribution

Distribute your sending domain to 50-100 highly-engaged subscribers. These should be people who regularly open and click your emails. Monitor delivery rates closely. Begin building engagement signals.

Week 5-8: Gradual Volume Increase

Slowly increase sending volume while maintaining high engagement rates. Domain should begin appearing in Google Postmaster Tools and Microsoft SNDS with established reputation scores.

Week 9-12: Full Production Readiness

Domain has established sending history. Continue monitoring authentication pass rates. Domain is ready for full production volume and cold email campaigns.

Warmup Indicators Dashboard

Track these metrics to know when your domain is fully warmed:

Indicator Target Value Tool
SPF/DKIM/DMARC Pass Rate 100% DMARC reports
Gmail Postmaster Reputation Good/Excellent Google Postmaster
Microsoft SNDS Reputation 80+/100 SNDS portal
Yahoo Plus Allied Status Approved Yahoo Postmaster

CloudMails Domain Setup Assistance

CloudMails handles domain authentication configuration automatically:

  • Automatic SPF/DKIM/DMARC record generation
  • DNS configuration guide customized to your DNS provider
  • Automated authentication verification before first send
  • Domain warmup monitoring dashboard
  • DMARC report aggregation and analysis

Configure Domain Authentication →