Pillar 01 — Operator Guide
Cold Email Sending Domain Setup
End-to-end setup of a deliverability-grade cold email sending domain using Google Workspace + Instantly. SPF + DKIM + DMARC authenticated. 14–21 day automated warm-up before first cold send. Repeatable for any service business sending 100+ cold emails per week. This is the SOP we built and run at Tailored Intelligence and FilterSwap.
When to use this guide
Run this when a business needs to send cold outbound email at scale (100+ contacts/week) and wants:
- A separate sending domain from the main brand (so deliverability issues never damage the primary domain reputation)
- Authenticated email (SPF + DKIM + DMARC) for inbox placement
- Automated warm-up so cold sends actually land in inboxes, not spam
Do NOT use for: customers sending fewer than 50 emails/week (use existing Gmail), customers with an already-warmed sending domain (skip to the Instantly connect step), or transactional email (use Postmark or SendGrid instead).
Hard rule — sending domain selection: Never send cold email from the primary brand domain. Spin up a sibling domain.
- Primary
tailoredstays.co→ sendingtailoredintelligence.co - Primary
filterswap.com→ sendingfilterswapcrm.com - Primary
[clientname].com→ sending[clientname]-team.comorget[clientname].com
Prerequisites
- Domain registered (Namecheap, GoDaddy, or similar)
- Credit card for Google Workspace (~$14/mo) and Instantly (~$37/mo)
- ~30 minutes uninterrupted time
- DNS access to the domain (admin login at registrar)
Setup steps (~30 min active + 14–21 day warm-up)
Step 1 — Buy Google Workspace Business Standard
- Go to workspace.google.com
- Click Get started → Business Standard ($14/user/mo)
- Domain: enter the sending domain (e.g.,
tailoredintelligence.co) - Admin email:
anson@<sendingdomain>(or first.last@) - Complete checkout
Stop here. Do NOT verify MX records yet — we'll do that in Step 2.
Step 2 — Add MX records in registrar DNS
In Namecheap (or whatever registrar): Domain List → Manage → Advanced DNS tab. Delete any existing MX records first, then add:
| Type | Host | Value | Priority | TTL |
|---|---|---|---|---|
| MX Record | @ | smtp.google.com | 1 | Automatic |
Save. Propagation: 5–30 min usually. Then in Google Admin Console → activate Gmail → Google verifies the MX → green checkmark.
Step 3 — Add SPF record
| Type | Host | Value | TTL |
|---|---|---|---|
| TXT Record | @ | v=spf1 include:_spf.google.com ~all | Automatic |
If a default TXT @ record already exists from registrar defaults, check whether it conflicts. Only ONE SPF record per domain.
Step 4 — Generate and add DKIM record
Part A — Generate in Google: admin.google.com → Apps → Google Workspace → Gmail → Authenticate email → Selected domain: the sending domain → Click Generate new record → key length 2048 → Generate. Copy the DNS Host name (google._domainkey) and the TXT record value.
Part B — Add to registrar:
| Type | Host | Value | TTL |
|---|---|---|---|
| TXT Record | google._domainkey | v=DKIM1; k=rsa; p=<your key> | Automatic |
Part C — Activate in Google: Wait 5–10 min for DNS propagation. Back in Google Admin → click Start authentication. If error "TXT record not found" → wait another 10 min, retry. Status changes to "Authenticating email with DKIM" (green) when active.
Step 5 — Add DMARC record
| Type | Host | Value | TTL |
|---|---|---|---|
| TXT Record | _dmarc | v=DMARC1; p=none; rua=mailto:anson@<sendingdomain>; pct=100 | Automatic |
Start with p=none (monitor mode). Tighten on schedule below.
Step 6 — Verify all four records
Use MXToolbox SuperTool:
- MX Lookup → should show smtp.google.com
- SPF Record Lookup → should show your v=spf1 record, no errors
- DMARC Lookup → should show your DMARC record
- DKIM check happens inside Google (already verified in Step 4C)
Step 7 — Sign up for Instantly Growth plan
- Go to instantly.ai
- Sign up with the new sending mailbox email (e.g., anson@tailoredintelligence.co)
- Pick Growth plan ($37/mo) — NOT the cheaper plan, which excludes warm-up
Step 8 — Whitelist Instantly in Google Workspace
This is the step most people get stuck on. Workspace blocks third-party OAuth apps by default.
- In Instantly: Add Email → Connect existing → Google/Gmail → it shows a Client-ID. Copy it.
- In a new tab: Google Admin → Manage Third-Party App Access (admin.google.com/ac/owl/list?tab=configuredApps)
- Click Add app → OAuth App Name Or Client ID
- Paste the Client-ID → Search → Select Instantly oAuth Email v1
- Scope: All in <yourdomain> (all users) → Continue
- Access: Trusted: Can access all Google services → Continue
- Confirm → Finish
- Back in Instantly tab → click Login → Google OAuth flow → grant permissions
- Mailbox appears in Instantly's Email Accounts list with green dot
Step 9 — Configure warm-up
- In Instantly → Email Accounts → click the new mailbox row → Warmup tab
- Toggle Warmup to ON
- Increase warmup emails per day by: 5
- Daily warmup emails (max): 40
- Reply rate: 35 (35%)
- Save
Step 10 — Wait 14–21 days before first cold send
Critical discipline: Do not send any cold email from this address during warm-up. Warm-up only works if mailbox providers see Instantly's warm-up volume as the dominant pattern.
If the business needs to start outbound TODAY, send from a different existing mailbox and explain the brand mismatch in the email body:
"Quick context on why this email is from a [primarydomain] address: [Primary Brand] is one of two operating businesses I run. The other is [Sending Brand], which is what this email is about. New domain spinning up this week — easier to just write you from here today."
After day 14–21: warm-up health score should be 80%+. Then start campaigns through Instantly at 20–30 cold sends/day.
DMARC tightening schedule
| Timeline | Policy | Notes |
|---|---|---|
| Days 1–30 | p=none | Monitor only — no enforcement |
| Days 31–60 | p=quarantine | Unauthenticated mail goes to spam |
| Day 60+ | p=reject | Unauthenticated mail rejected outright |
Troubleshooting
DKIM "TXT record not found" error
- DNS propagation is still in progress — wait 10 min, retry.
- Check the TXT record in Namecheap is exactly
google._domainkey(notgoogle._domainkey.tailoredintelligence.co).
Instantly OAuth fails after Login
- Workspace whitelisting in Step 8 didn't go through. Re-do Step 8.
- Or the user signing into Google is not the Workspace admin. Use the admin email.
Warm-up score not moving after 48h
- Mailbox may have been disconnected (token expired). Reconnect in Instantly.
- Check Gmail Inbox — there should be incoming warm-up emails arriving.
MX lookup still shows old records
- Old MX records weren't fully deleted in registrar. Go back to Step 2, verify only google MX exists.
Want this set up for your business — without doing it yourself?
See the Comprehensive Audit →Or book a 30-minute call to talk through your setup.