The Cold Email Deliverability Guide: From Inbox to Spam in 7 Decisions

Cold email deliverability isn't a single setting you flip — it's the cumulative result of seven decisions you make before you ever press send. Most cold email programs that fail do so because they got 5 of the 7 right and assumed that was enough.

This is the deliverability checklist we run for every client engagement. Skip any of these and your messages start landing in Promotions, then in Spam, then nowhere at all.

Decision 1: Use a sending domain you can afford to burn

Never run cold outbound from your primary business domain. Ever. If your reputation tanks — and it will, eventually, for some campaign — you'll lose all of your real business email along with it.

The standard pattern is a dedicated send domain. Buy a variant of your main domain (e.g., yourcompany-team.com or yourcompany.io if you're on .com) and run sending from it. The domain is cheap, replaceable, and isolated from your primary brand.

Decision 2: Set up SPF, DKIM, and DMARC correctly

These three are the deliverability fundamentals. Skipping any of them is the fastest way to end up in spam in 2026 — Gmail and Microsoft both started enforcing DMARC for senders over 5,000 messages/day in early 2024.

SPF (Sender Policy Framework)

An SPF record tells receiving servers which IPs are authorized to send on behalf of your domain. Set this on day one. Use v=spf1 include:_spf.google.com -all if you're sending through Google Workspace; the include changes for other providers.

DKIM (DomainKeys Identified Mail)

DKIM signs each message with a private key your domain publicly advertises. It proves the message wasn't tampered with in transit. Most ESPs let you generate a 2048-bit DKIM record from their settings page — copy/paste into your DNS provider.

DMARC (Domain-based Message Authentication)

DMARC tells receiving servers what to do when SPF or DKIM fails. Start with p=none for the first 30 days (monitor only), then move to p=quarantine, then p=reject once you've confirmed all your legitimate sources pass authentication. Include a rua=mailto:dmarc@yourdomain.com so you get the weekly report.

Decision 3: Warm the domain before you send anything cold

A brand-new domain has zero sending reputation. If you spin up a new domain on Monday and start sending 200 cold emails a day on Tuesday, you'll be in spam by Friday.

Domain warmup is a 21-day ramp where the domain gradually builds reputation by sending small volumes of replied-to mail. Day 1: 5 sends. Day 7: 30 sends. Day 14: 80 sends. Day 21: 200 sends. By day 28 you can run at full cold volume without tanking reputation.

Most modern email tools have built-in warmup that exchanges artificial reply traffic with a network of mailboxes. Use it. Skip warmup and the reputation hit lasts months.

Decision 4: Cap your daily volume per mailbox

Even a fully-warmed mailbox has a sustainable daily limit. The 2026 thresholds:

• Google Workspace: 100-150 cold sends/day per mailbox sustainably. The hard cap is higher (500/day) but you'll see deliverability decay above 200.

• Microsoft 365: 80-120 cold sends/day. Microsoft is stricter than Google in 2026.

• Custom SMTP relays (SendGrid, Mailgun, etc.): use these only for transactional, never for cold outbound. They share IP pools with senders you don't control.

If you need higher volume, add mailboxes — never push a single mailbox past its sustainable cap.

Decision 5: Write content that doesn't look like content

Spam filters in 2026 are sophisticated enough to flag messages that look like marketing even when the technical headers are clean. Patterns that get filtered:

Heavy HTML formatting

Tables, images, branded headers, footer banners — anything that looks like a newsletter trips marketing-content filters. Cold outbound should be plain text or minimal HTML. If you can't tell whether your message looks like a newsletter, it does.

Tracking pixels

Open tracking adds a 1×1 pixel from a known marketing domain. Filters notice. Track click-throughs (which prospects can opt into by clicking a link), not opens.

Multiple links

More than 1-2 links in a cold message is a known spam indicator. The exception: the unsubscribe link, which CASL and CAN-SPAM both require — keep that one.

Trigger words

"Free," "limited time," "act now," "click here," "guarantee" — Bayesian filters score these heavily. Read your sequence and look for any of them. Rewrite.

Decision 6: Manage your bounce and reply rates

Receiving servers are watching what happens after delivery, not just whether you delivered.

Bounce rate target: <2%

If you're bouncing more than 2% of sends, your list is stale and your sender reputation is taking damage on every campaign. Verify your list with a bounce-checker before launch — every campaign, not just the first.

Reply rate matters

Inboxes that get replies (positive or negative) signal to receiving servers that the sender is having actual conversations. If your reply rate is below 1%, you'll start seeing inboxing decay regardless of authentication. The fix is content, not infrastructure.

Spam complaint rate target: <0.1%

Anything above 0.3% triggers automatic suppression on most inbox providers. The biggest predictor of complaint rate is list quality and content relevance — not technical setup.

Decision 7: Monitor reputation continuously

Deliverability isn't set-and-forget. Tools to run weekly:

Inbox placement testing

Tools like GlockApps, MXToolbox, or Gmass let you send a test campaign to seed inboxes across providers and see exactly where you're landing. Run one before every new campaign and weekly during active sends.

Domain reputation monitoring

Google Postmaster Tools (free) shows your domain's reputation status across Gmail. Set it up on day one and check weekly. A drop from "high" to "medium" is your early warning before deliverability cracks.

Blacklist monitoring

Major blacklists (Spamhaus, SURBL, others) will sometimes flag a sending IP or domain. MXToolbox runs a free blacklist check. If you land on one, your campaign is dead until you remediate.

Putting it together

If you only remember one thing: cold email deliverability is a system, not a setting. The seven decisions above are interlocking. Get six right and the seventh will undermine the rest.

We run cold email programs for clients with the full deliverability stack handled — domain selection, authentication, warmup, volume management, content review, monitoring. If you'd rather skip the 21-day warmup and the weekly inbox-placement testing, that's exactly what we do.