The Complete Guide to Cold Email Deliverability in 2026

Sending cold emails that actually reach the inbox takes more than good copy. This guide breaks down every technical and strategic factor that determines whether your outreach lands in primary, promotions, or spam.

  • 83.1% - Global avg. inbox placement
  • 2.7x - Inbox lift with full authentication
  • <0.1% - Max spam rate (Gmail threshold)
  • 2-4 wks - Typical warmup period

What Cold Email Deliverability Actually Means

Quick Answer

Cold email deliverability is the ability of your outbound emails to reach a recipient's primary inbox rather than landing in spam, promotions, or getting blocked entirely. It depends on three things working together: your technical infrastructure (DNS records, domain age), your sender reputation (how mailbox providers view your sending history), and your email content (what you write and how you format it).

Most people assume deliverability is binary. Either the email arrives or it doesn't. In practice, there are several outcomes when you hit send:

  • Primary inbox - the email lands front and center where it will actually get read
  • Promotions or "Other" tab - technically delivered, but visibility drops significantly
  • Spam folder - delivered to the server but essentially invisible to the recipient
  • Soft bounce - the receiving server temporarily rejects the message (full inbox, temporary issue)
  • Hard bounce - the address doesn't exist or the server permanently refuses delivery
  • Silent block - some providers accept the email at the server level but never place it anywhere the recipient will see it

The global average inbox placement rate currently sits around 83%, according to Validity's 2025 benchmark report. That means roughly 1 in 6 emails never reaches the inbox, even from established senders. For cold email specifically, the numbers are worse because you're contacting people who have never interacted with you before. Mailbox providers treat those messages with extra scrutiny.

Deliverability is not something you set up once and forget. It's an ongoing process that involves monitoring, adjusting, and responding to signals from mailbox providers. The rest of this guide walks through every factor that influences whether your cold emails land where they're supposed to.

DNS Authentication: SPF, DKIM, and DMARC

Why It Matters

DNS authentication tells receiving mail servers that you are who you claim to be. Without SPF, DKIM, and DMARC properly configured, most major providers will either reject your emails outright or send them straight to spam. Since February 2024, Google and Yahoo require all bulk senders to have these records in place. Microsoft followed with similar enforcement in 2025.

SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists every server authorized to send email on behalf of your domain. When a receiving server gets an email from your domain, it checks the SPF record to verify the sending server is on the list.

The most common mistake with SPF is exceeding the 10 DNS lookup limit. Every include: mechanism in your SPF record counts as a lookup. If you use Google Workspace, a cold email tool, and a marketing platform, those includes can stack up fast. When you exceed 10 lookups, the entire SPF check fails, and your emails start bouncing or hitting spam.

SPF Best Practices

Keep your SPF record under 10 DNS lookups. Only include services that actively send from your domain. Use ~all (softfail) during setup, then move to -all (hardfail) once you've confirmed everything works. If you're running out of lookups, consider an SPF flattening service.
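The 10-lookup limit counts nested records too: each include: costs one lookup plus whatever the included record triggers. The following is an added example, not part of the original guide, that walks a constructed in-memory zone and totals the DNS-querying terms. The .example domains and records are made up, and macros, the per-mx address limit and void lookups are not modelled.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records for hypothetical domains (not real DNS data).
SAMPLE_ZONE = {
    "tryacme.example": "v=spf1 include:_spf.workspace.example "
                       "include:_spf.coldtool.example "
                       "include:_spf.marketing.example mx a ~all",
    "_spf.workspace.example": "v=spf1 include:_nb1.workspace.example "
                              "include:_nb2.workspace.example "
                              "include:_nb3.workspace.example ~all",
    "_nb1.workspace.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "_nb2.workspace.example": "v=spf1 ip4:192.0.2.64/26 ~all",
    "_nb3.workspace.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "_spf.coldtool.example": "v=spf1 include:_pool.coldtool.example ~all",
    "_pool.coldtool.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.marketing.example": "v=spf1 include:_a.marketing.example "
                              "include:_b.marketing.example -all",
    "_a.marketing.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "_b.marketing.example": "v=spf1 ip4:203.0.113.128/25 -all",
    # Same senders after replacing two includes with their address ranges.
    "getacme.example": "v=spf1 include:_spf.workspace.example "
                       "ip4:198.51.100.0/24 mx -all",
}

# mechanism or modifier name, optionally followed by ':' or '=' and a target
TERM = re.compile(r"([A-Za-z0-9]+)(?:[:=]([^/\s]+))?")


def count_lookups(domain, zone, path=()):
    """Count DNS-querying SPF terms reachable from domain, nested records included."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        match = TERM.match(term.lstrip("+-~?"))
        if not match:
            continue
        name, target = match.group(1).lower(), match.group(2)
        if name in ("include", "redirect"):
            # One query for the target, plus everything that record triggers.
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1
        # ip4, ip6 and all need no DNS query and cost nothing.
    return total


def all_policy(record):
    """Return the result name of the 'all' mechanism, or None if it is absent."""
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in QUALIFIERS else "+"
            return QUALIFIERS[qualifier]
    return None


def audit_spf(domain, zone=SAMPLE_ZONE):
    """Summarise lookup count, limit breach and the 'all' policy for one domain."""
    lookups = count_lookups(domain, zone)
    return {
        "domain": domain,
        "lookups": lookups,
        "permerror": lookups > LOOKUP_LIMIT,
        "all": all_policy(zone[domain]),
    }


if __name__ == "__main__":
    for name in ("tryacme.example", "getacme.example"):
        print(audit_spf(name))
```

The first record has only five terms that query DNS at the top level, yet it breaches the limit because of what its three includes pull in.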

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to every email you send. The receiving server checks this signature against a public key published in your DNS records. If the signature matches, the server knows the email wasn't tampered with during transit.

You should use 2048-bit keys, which are now the standard. Shorter keys (1024-bit) are still accepted by most providers but are less secure and some enterprise spam filters will flag them. Rotate your DKIM keys at least once per year. If a key is compromised, someone else can send authenticated email on your behalf.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC ties SPF and DKIM together and tells receiving servers what to do when a message fails both checks. It has three enforcement levels:

| DMARC Policy | What Happens to Failing Emails | When to Use |
| --- | --- | --- |
| p=none | Nothing. Emails are delivered normally. You just get reports. | Initial setup and monitoring phase (first 2-4 weeks) |
| p=quarantine | Failing emails go to spam or junk. | After reviewing reports and confirming SPF/DKIM are clean |
| p=reject | Failing emails are blocked entirely. | Full enforcement for maximum protection |

Start with p=none so you can collect DMARC reports without impacting deliverability. Review those reports for 2 to 4 weeks. If everything looks clean (no legitimate emails failing authentication), move to p=quarantine. Once you're confident, move to p=reject.

For cold email specifically, p=none is the minimum required by Gmail and Yahoo. But senders with p=quarantine or p=reject tend to have better inbox placement because it signals to providers that you take authentication seriously.
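Whether a message counts as failing depends on alignment: an SPF or DKIM pass only helps if the authenticated domain matches the From: domain. The following is an added example, not part of the original guide, that evaluates constructed report rows against a DMARC record. It assumes the organizational domain is the last two labels (real receivers use the Public Suffix List) and ignores the pct and sp tags; all domains and rows are made up.

```python
def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; ...' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags


def org_domain(domain):
    # Simplification (assumption): last two labels instead of the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, msg):
    """Return (dmarc_result, requested_action) for one message."""
    tags = parse_dmarc(record)
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["spf_domain"], msg["from"], tags.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and aligned(
        msg["dkim_domain"], msg["from"], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:          # one aligned pass is enough
        return ("pass", "none")
    return ("fail", tags["p"])     # policy applies only to failures


def failing_sources(record, rows):
    """Sources that must be fixed before moving past p=none."""
    return [row["source"] for row in rows if evaluate(record, row)[0] == "fail"]


# Constructed rows in the spirit of a DMARC aggregate report.
REPORT_ROWS = [
    {"source": "workspace", "from": "tryacme.example",
     "spf": "pass", "spf_domain": "tryacme.example",
     "dkim": "pass", "dkim_domain": "tryacme.example"},
    # Tool uses its own bounce domain for SPF, but signs DKIM with our domain.
    {"source": "coldtool", "from": "tryacme.example",
     "spf": "pass", "spf_domain": "bounces.coldtool.example",
     "dkim": "pass", "dkim_domain": "mail.tryacme.example"},
    # Tool authenticates entirely as itself: both checks pass, neither aligns.
    {"source": "marketing", "from": "tryacme.example",
     "spf": "pass", "spf_domain": "bounce.marketing.example",
     "dkim": "pass", "dkim_domain": "marketing.example"},
]

MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@tryacme.example"
ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc@tryacme.example"

if __name__ == "__main__":
    print("fix before enforcing:", failing_sources(MONITOR, REPORT_ROWS))
    for row in REPORT_ROWS:
        print(row["source"], evaluate(ENFORCE, row))
```

The third row is the case to look for in reports during the p=none phase: SPF and DKIM both report "pass", yet the message fails DMARC and would be rejected once the policy is tightened.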

The Impact of Full Authentication

Domains with SPF, DKIM, and DMARC fully implemented are 2.7 times more likely to reach the inbox compared to unauthenticated domains. Organizations that implement DMARC at enforcement level typically see phishing attempts drop by 80-90% and a 5-10% boost in overall email deliverability.

Domain Setup for Cold Outreach

Never send cold email from your primary business domain. This is one of the most repeated rules in cold outreach, and it exists for a very practical reason: if your cold sending damages the domain's reputation, every email from that domain suffers. That includes your transactional emails, your team's regular communications, your support replies, everything.

How to Set Up Sending Domains

1. Register dedicated sending domains

Buy 2-5 domains that are closely related to your main domain. If your company is "acme.com," use variations like "acmemail.com," "getacme.com," or "tryacme.com." Avoid random or spammy-looking names.

2. Set up forwarding to your main site

Configure your sending domains to redirect to your primary website. When prospects look you up (and they will), the redirect builds legitimacy instead of leading to a dead page.

3. Configure authentication on each domain

Every sending domain needs its own SPF, DKIM, and DMARC records. Don't skip this on secondary domains. Providers check authentication regardless of whether it's your primary domain or not.

4. Create 2-3 mailboxes per domain

Distribute your sending across multiple mailboxes. This keeps per-inbox volume low and gives you fallback options if one mailbox gets flagged. Name them with real-sounding names (not "sales@" or "outreach@").

5. Let domains age before sending

Brand new domains have zero reputation. Most cold email experts recommend waiting at least 2 weeks after registration before starting warmup, and 4-6 weeks before launching campaigns. During this time, use the domain for light personal email to build initial signals.

When to Retire a Domain

If a sending domain gets permanently blacklisted or its reputation tanks beyond recovery, retire it. Don't keep pushing volume through a burned domain hoping it will improve. Register a new one, set it up properly, warm it up, and start fresh. The cost of a new domain is far less than the cost of tanked deliverability across your entire outreach operation.

Email Warmup: Building Sender Reputation

What Is Email Warmup?

Email warmup is the process of gradually increasing your sending volume on a new or dormant mailbox while generating positive engagement signals (opens, replies, messages pulled from spam). This builds a sending history that mailbox providers use to judge your reputation. Without warmup, jumping straight into cold campaigns from a new inbox will almost certainly land you in spam.

Mailbox providers track how recipients interact with your emails. A brand new mailbox has no history, so the provider has no data to judge whether your emails are wanted. Warmup solves this by simulating normal email behavior: sending and receiving messages, getting replies, having conversations.

Manual vs. Automated Warmup

Manual warmup means sending emails to colleagues, friends, or warm contacts and having them reply, open, and interact with your messages. It works, but it's slow and hard to scale if you're managing 5, 10, or 20 mailboxes.

Automated warmup tools handle this at scale. They connect your mailbox to a network of real inboxes that exchange emails, open them, reply to them, and pull any that land in spam back to the inbox. The engagement signals are real, and the volume is consistent.

Warmup Timeline

| Week | Warmup Emails/Day | Cold Emails/Day | What to Watch |
| --- | --- | --- | --- |
| Week 1-2 | 10-20 | 0 | Monitor for bounces. Check spam folder placement. |
| Week 3 | 20-30 | 5-10 | Start small cold sends. Watch reply rates and bounce rates. |
| Week 4 | 20-30 | 15-25 | Gradually increase cold volume. Monitor Google Postmaster Tools. |
| Week 5+ | 15-20 (maintenance) | 30-50 | Full sending mode. Keep warmup running alongside campaigns. |

The critical thing most people get wrong: warmup doesn't stop when campaigns start. You should keep warmup running at a maintenance level (15-20 emails per day) for the entire lifetime of the mailbox. It continuously reinforces positive engagement signals and counteracts any negative signals from cold sends that don't get replies.

Warmup Rules That Matter

Never warm up to invalid or unverified addresses. Bounces during warmup are worse than bounces during campaigns because you're establishing your baseline reputation. Use a warmup tool that connects to real mailboxes across multiple providers (Gmail, Outlook, Yahoo) rather than a small closed network.

Sending Volume and Limits

How Many Cold Emails Can You Send Per Day?

The safe range for cold email is 30-50 emails per mailbox per day for most senders. Established mailboxes with strong reputations can push toward 80-100 per day, but exceeding that consistently tends to trigger spam filters. The official limits from providers like Gmail (2,000/day) and Outlook (300/day for new accounts, 10,000/day for established) are for total sending, not cold outreach specifically. Hitting those limits with cold emails will get you flagged.

Volume is one of the biggest factors in cold email deliverability, and it's where most people trip up. The logic seems straightforward: send more emails, book more meetings. But mailbox providers don't see it that way. A new inbox that suddenly sends 200 messages a day looks like a compromised account or a spam operation.

Safe Sending Limits by Mailbox Age

| Mailbox Status | Recommended Daily Cold Sends | Notes |
| --- | --- | --- |
| Brand new (0-2 weeks) | 0 | Warmup only. No cold sends. |
| Early warmup (2-4 weeks) | 5-15 | Start slow. Monitor bounce rates carefully. |
| Warmed up (4-8 weeks) | 30-50 | Sweet spot for most senders. |
| Established (2+ months, good reputation) | 50-100 | Only if bounce rate stays under 2% and spam rate under 0.1%. |

Scaling with Multiple Mailboxes

If you need to send 500 cold emails per day, don't try to push that through 5 mailboxes. Spread it across 10 to 15 mailboxes across 3 to 5 domains. This keeps per-inbox volume in the safe zone and reduces the risk of any single point of failure taking down your entire operation.

Space your sends out throughout the day. Sending 50 emails in 5 minutes looks like a mass blast. Sending 50 emails spread across 8 hours with 2-5 minute gaps between each looks like normal human behavior. Most cold email tools handle this automatically through send scheduling and mailbox rotation.

Writing Emails That Pass Spam Filters

Your technical setup can be flawless, but if your email content looks like spam, it will get treated like spam. Modern spam filters use machine learning and analyze hundreds of signals, not just a list of "spam trigger words." That said, certain patterns consistently cause problems.

What Triggers Spam Filters

  • Heavy HTML formatting - Cold emails should be plain text or very minimal HTML. Styled templates with images, colored buttons, and branded headers perform well in marketing email but trigger spam filters in cold outreach.
  • Multiple links - Keep links to one or zero in your first email. Every additional link increases the spam score. Avoid link shorteners (bit.ly, etc.) as they're heavily associated with phishing.
  • Tracking pixels - Open tracking works by embedding a tiny invisible image. Some spam filters flag this. If you're seeing deliverability issues, try disabling open tracking and measure engagement through replies instead.
  • Attachments - Never include attachments in cold emails. They increase message size, trigger security scans, and are a known vector for malware. Link to resources instead (in follow-up emails, not the first touch).
  • Promotional language - Phrases like "limited time offer," "act now," "100% free," and "guaranteed results" are strong spam signals. Research shows that emails containing three or more promotional trigger phrases are 67% more likely to hit spam.
  • ALL CAPS and excessive punctuation - Writing "HUGE OPPORTUNITY!!!" is the email equivalent of standing on a street corner with a megaphone. Don't do it.

What Works

  • Short emails - The best-performing cold emails are under 80 words. Keep it scannable. Get to the point. One clear ask per email.
  • Personalization beyond first name - Reference something specific about the recipient's company, role, or recent activity. "Hey {first_name}" on its own doesn't cut it anymore.
  • Conversational tone - Write like you're emailing a colleague, not drafting a press release. Short sentences. Questions. No corporate jargon.
  • Soft CTAs - "Would it make sense to chat this week?" converts better than "Book a 30-minute demo now." Questions feel lower commitment and invite actual responses.
  • Spintax for variation - If you're sending hundreds of emails, use spintax (text variations) so each message is slightly different. Identical emails sent in bulk are easy for spam filters to detect.

Subject Lines

Keep subject lines to 4-6 words. Make them relevant to the recipient, not clever or clickbaity. "Quick question about [company]" or "Saw your post about [topic]" outperform "Unlock Your Revenue Potential" every time. Avoid re: or fwd: tricks. Providers are wise to them, and recipients find them annoying.

List Hygiene and Bounce Management

Your email list is the foundation of your deliverability. If you're sending to bad addresses, nothing else you do matters. A bounce rate above 3% will damage your sender reputation quickly. Above 5%, you're looking at potential blacklisting.

Verify Before You Send

Run every single email address through a verification service before adding it to a campaign. Tools like ZeroBounce, MillionVerifier, NeverBounce, and Bouncer can check whether an address exists, whether it's a catch-all domain, whether it's a known spam trap, and whether it's likely to bounce.

This step is non-negotiable. Even if you purchased a "verified" list from a data provider, verify it yourself. Data decays fast. People change jobs, companies shut down old email systems, and addresses go inactive. Industry estimates suggest that B2B email data decays at roughly 2-3% per month.

Bounce Rate Targets

| Bounce Rate | Status | Action |
| --- | --- | --- |
| Under 1% | Excellent | No issues. Keep current verification process. |
| 1-2% | Acceptable | Normal range. Monitor and remove bouncers promptly. |
| 2-3% | Warning | Pause and re-verify your list. Check data sources. |
| Above 3% | Critical | Stop sending immediately. Re-verify entire list. Change data provider if needed. |

Catch-All Domains

Some domains are configured to accept email sent to any address (info@, test@, anything@). These are called catch-all domains. They won't bounce, but that doesn't mean the address is real or monitored. Some catch-all domains are set up specifically as spam traps. Be cautious with catch-all addresses and consider sending to them at lower priority or removing them if you see low engagement.

Inbox Placement Testing

What Is Inbox Placement Testing?

Inbox placement testing sends your email to a panel of test addresses across major providers (Gmail, Outlook, Yahoo, etc.) and reports exactly where each one lands: primary inbox, promotions tab, spam folder, or not delivered. It gives you concrete data on deliverability before you launch a campaign to real prospects.

Most senders track open rates and assume that's a good proxy for deliverability. It's not. Open rates are unreliable because of Apple Mail Privacy Protection (which auto-loads tracking pixels), corporate firewalls that block tracking images, and the fact that an email can be "opened" in the promotions tab without the recipient ever seeing it in context.

Inbox placement tests cut through the noise. You send your actual email content from your actual mailbox, and the test tells you exactly where it lands across 20+ seed addresses at different providers.

When to Run Placement Tests

  • Before launching any new campaign
  • After changing your email content or subject line
  • After adding a new mailbox or domain
  • When reply rates drop unexpectedly
  • Weekly, as a baseline monitoring routine

If a placement test shows you're hitting spam at Gmail but landing in inbox at Outlook, you know the issue is likely content-related or reputation-specific to Gmail. That's actionable. Without the test, you'd just be guessing.

Blacklist Monitoring and Recovery

Email blacklists are databases that track IP addresses and domains associated with spam. When your sending IP or domain appears on a blacklist, receiving servers that check that list will block or spam-filter your emails.

Not all blacklists carry the same weight. Spamhaus is the most influential. It's used by the majority of major mailbox providers and enterprise spam filters. Getting listed on Spamhaus can tank your deliverability overnight. Barracuda BRBL matters in enterprise environments. Smaller, less-known blacklists have minimal impact and sometimes list IPs incorrectly.

How You End Up on a Blacklist

  • Sending to spam traps - Old, recycled email addresses that exist solely to catch spammers. They end up in your list when you use unverified data or scraped lists.
  • High spam complaint rate - When too many recipients mark your email as spam (above 0.1% for Gmail), that signal propagates to blacklist operators.
  • Failed authentication - Sending without proper SPF, DKIM, and DMARC makes you look like a spoofer.
  • Shared IP issues - If you're on a shared sending IP (common with email platforms), another sender's bad behavior can get the IP blacklisted, affecting you too.

How to Get Delisted

Step one is always to fix the root cause. If you request delisting without fixing the underlying problem, you'll be relisted within hours or days.

Common fixes: remove unverified contacts and old data from your lists, fix your SPF/DKIM/DMARC configuration, reduce sending volume, and stop sending to addresses that have complained. Once the cause is addressed, visit the specific blacklist's website and follow their removal process. Spamhaus, Barracuda, and most major lists have self-service delisting portals. Removal can take anywhere from a few hours to several weeks depending on the severity.

Monitor Proactively

Don't wait until replies dry up to check your blacklist status. Run checks weekly at minimum using tools like MXToolbox, MultiRBL, or a dedicated blacklist monitoring service. If you notice a sudden drop in open rates or reply rates, check your blacklist status immediately.

Gmail, Yahoo, and Outlook Requirements for 2026

The rules changed significantly in February 2024 when Google and Yahoo jointly announced new sender requirements. Microsoft followed with its own enforcement. These are no longer optional best practices. They're hard requirements, and non-compliant emails face temporary errors, spam filtering, or outright rejection.

What's Required Now

| Requirement | Gmail | Yahoo | Outlook/Microsoft |
| --- | --- | --- | --- |
| SPF Authentication | Required | Required | Required |
| DKIM Authentication | Required | Required | Required |
| DMARC (p=none minimum) | Required for bulk senders | Required for bulk senders | Required |
| One-Click Unsubscribe | Required for bulk/marketing | Required for bulk/marketing | Recommended |
| Spam Rate Threshold | Under 0.1% (never exceed 0.3%) | Under 0.3% | Not publicly specified |
| Valid Forward/Reverse DNS | Required | Required | Required |

The "bulk sender" threshold for Gmail is 5,000 messages per day to Gmail addresses. But here's the thing: even if you're sending well under that number, these requirements effectively apply to everyone. Providers use the same infrastructure to evaluate all senders. Having proper authentication, low spam rates, and clean sending practices helps you regardless of volume.

Provider-Specific Notes

Gmail maintains some of the highest deliverability rates (around 95% inbox placement for authenticated senders), but increasingly routes commercial and outreach emails to the Promotions tab. This isn't spam, but it reduces visibility. To stay in primary, keep your emails plain-text, short, personalized, and conversational.

Microsoft (Outlook, Hotmail, Live) has the tightest spam filtering among major providers. Average inbox placement for Outlook sits around 75-76%, and a higher share of legitimate emails end up misclassified as spam compared to other providers. Microsoft's filters weigh engagement heavily. If Outlook recipients aren't opening or replying to your emails, your reputation with Microsoft will decline faster than with other providers.

Yahoo follows Gmail's lead on most policy decisions. The main difference is enforcement timing. Yahoo tends to implement changes slightly after Google, giving senders a bit more runway to comply.

ESP Matching

Some cold email practitioners recommend matching your sending provider to the recipient's provider (Gmail to Gmail, Outlook to Outlook). The theory is that same-provider emails are treated slightly more favorably. There's limited public data supporting this, but anecdotally many senders report better inbox placement when the ESP types match.

The Cold Email Deliverability Checklist

Here's everything from this guide condensed into a single actionable checklist. Run through this before launching any cold email campaign.

Infrastructure

  • Dedicated sending domains registered (separate from primary domain)
  • Sending domains redirect to your main website
  • SPF records configured on all sending domains (under 10 lookups)
  • DKIM enabled with 2048-bit keys on all sending domains
  • DMARC published on all sending domains (p=none minimum)
  • 2-3 mailboxes per sending domain, named with real names
  • Domains aged at least 2 weeks before warmup starts

Warmup

  • Email warmup running for at least 2 weeks before cold sends
  • Warmup continues at maintenance level during active campaigns
  • Warmup network covers Gmail, Outlook, and Yahoo inboxes

Sending

  • Cold sending volume at 30-50 per mailbox per day max
  • Sends spaced 2-5 minutes apart throughout the day
  • Mailbox rotation enabled across multiple inboxes

Content

  • Plain text or minimal HTML formatting
  • Zero or one link per email (no link shorteners)
  • No attachments in initial outreach
  • No tracking pixels (or tested with them off)
  • Personalized beyond just first name
  • Under 80 words, conversational tone, soft CTA
  • Spintax or message variations for volume sends
  • No promotional language or spam trigger phrases

List Quality

  • All addresses verified through an email verification service
  • Bounce rate under 2% (target under 1%)
  • Catch-all domains flagged and handled separately
  • Hard bounces removed immediately after each send

Monitoring

  • Google Postmaster Tools set up and checked regularly
  • Blacklist status checked weekly
  • Inbox placement test run before each new campaign
  • Spam complaint rate tracked and kept under 0.1%

Frequently Asked Questions

For cold email specifically, you should aim for 80% or higher inbox placement. The global average across all email types is around 83%, but cold email tends to run lower because you're contacting people with no prior relationship. If your inbox placement drops below 70%, something in your setup needs attention. Run an inbox placement test to pinpoint whether the issue is infrastructure, content, or reputation.

Most mailboxes need 2 to 4 weeks of warmup before they're ready for cold outreach. The exact timeline depends on the domain age, the provider (Gmail tends to warm up faster than Outlook), and the warmup tool you're using. Start with 10-20 warmup emails per day and increase gradually. Don't rush it. A properly warmed mailbox will perform far better long-term than one you pushed into campaigns too early.

Yes. If your cold outreach damages the reputation of your primary domain, it will affect everything: your team's daily emails, customer support, invoices, password resets, and every other message your business sends. Dedicated sending domains keep that risk isolated. If one gets flagged, you retire it and spin up a new one without impacting core operations.

The most common causes are: missing or misconfigured DNS authentication (SPF, DKIM, DMARC), no warmup or insufficient warmup before starting campaigns, sending too many emails too quickly from a single mailbox, email content that triggers spam filters (too many links, promotional language, heavy HTML), high bounce rates from unverified email lists, or a blacklisted domain/IP. Start by checking your DNS records and running an inbox placement test to narrow down the problem.

30 to 50 per mailbox per day is the safe range for most senders. Established mailboxes with strong reputations can go up to 80-100, but pushing beyond that consistently tends to cause problems. If you need higher volume, scale horizontally by adding more mailboxes and domains rather than pushing more through fewer inboxes.

Yes, when done properly. Warmup builds a sending history of positive engagement signals that mailbox providers use to evaluate your reputation. The key is using a warmup tool that operates on real inboxes across multiple providers, not a small closed loop. Warmup alone won't fix fundamentally broken infrastructure or bad content, but it's a necessary component of any cold email operation.

SPF tells receiving servers which servers are allowed to send email from your domain. DKIM adds a cryptographic signature to each email to prove it wasn't altered in transit. DMARC ties the two together and tells receiving servers what to do when a message fails both checks (nothing, quarantine, or reject). You need all three. They serve different purposes and work together to establish your domain's legitimacy.

Use a multi-blacklist checker like MXToolbox, MultiRBL, or a dedicated monitoring tool that checks your domain and sending IP against dozens of blacklists simultaneously. Check at least weekly, and immediately if you notice a drop in open rates or reply rates. The most impactful blacklists to monitor are Spamhaus, Barracuda BRBL, and SORBS.
