
What authentication (SPF, DKIM, DMARC) should be in place?

Complete email authentication is non-negotiable for cold email. Missing elements give mailbox providers easy reasons to filter your messages.

SPF (Sender Policy Framework): Publish a DNS TXT record listing IP addresses authorized to send for your domain. Include your email provider and any sending services you use. End with ~all or -all.

DKIM (DomainKeys Identified Mail): Generate a key pair and publish the public key in DNS. Your sending system signs messages with the private key. Use 2048-bit keys for security. Configure proper selector names.

DMARC (Domain-based Message Authentication, Reporting, and Conformance): Publish a policy telling receivers what to do with failing messages. Start with p=none to monitor, then move to p=quarantine or p=reject. Enable reporting to see authentication results.
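The SPF and DMARC points above can be checked mechanically against the TXT strings a domain publishes. The sketch below is an added example, not part of the original page; the function names and the sample records (example.com, _spf.example.net) are constructed for illustration, and DKIM key-length checking is left out.

```python
# Added example: lint SPF and DMARC TXT records. Sample records are constructed.

def lint_spf(txt_records):
    """Check the TXT strings published at the domain itself for SPF problems."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["spf: no record published"]
    if len(spf) > 1:
        return ["spf: multiple records, which receivers treat as a permanent error"]
    terms = spf[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        if any(t.startswith("redirect=") for t in terms):
            return []  # the policy, including its "all", lives in the redirect target
        return ["spf: record does not end with ~all or -all"]
    if alls[0] not in ("~all", "-all"):
        return ["spf: '%s' does not restrict unlisted senders" % alls[0]]
    return []

def lint_dmarc(record):
    """Check the TXT string at _dmarc.<domain>; None means nothing is published."""
    if record is None:
        return ["dmarc: no record published"]
    pairs = [part.split("=", 1) for part in record.split(";") if "=" in part]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        return ["dmarc: record must begin with v=DMARC1"]
    lookup = dict(tags)
    policy = lookup.get("p", "").lower()
    findings = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: missing or invalid p= policy")
    elif policy == "none":
        findings.append("dmarc: p=none only monitors; move to quarantine or reject")
    if "rua" not in lookup:
        findings.append("dmarc: no rua= address, so no aggregate reports arrive")
    return findings

if __name__ == "__main__":
    # Constructed records for a domain that has not finished its setup.
    apex_txt = ["site-verification=constructed", "v=spf1 include:_spf.example.net"]
    for finding in lint_spf(apex_txt) + lint_dmarc("v=DMARC1; p=none"):
        print(finding)
```
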

For cold email specifically: Authentication won't make unwanted email welcome, but failing authentication guarantees problems. These are your ship's papers. Without them, every port authority turns you away before examining your cargo.