Cold email deliverability basics – how to land in the inbox

March 24, 2026

I once sent 200 cold emails from a new domain with no authentication records. Open rate: 28%.

I set up SPF, DKIM, and DMARC. Warmed the domain for 2 weeks. Sent the same 200 emails to a comparable list.

Open rate: 52%.

That’s 24 points from infrastructure alone. Not better copy. Not better subject lines. Just making sure the emails actually arrive.

Deliverability is the least exciting part of cold email and the most important. If your emails land in spam, nothing else you do matters – not your personalization, not your subject lines, not your CTA. You’re optimizing messages that nobody sees.

Here’s the practitioner-level setup guide. No theory – just what to do.

The 3 authentication records

SPF (Sender Policy Framework)

What it does: Tells receiving email servers which servers are allowed to send email from your domain.

Why it matters: Without SPF, any server can claim to be sending from your domain. Email providers see this as a spam signal. With SPF, you’re saying “only these servers are authorized – anything else is fake.”

How to set it up:

  1. Go to your domain’s DNS settings (wherever you bought the domain – Namecheap, Cloudflare, Google Domains, etc.)
  2. Add a TXT record:

     Type: TXT
     Host: @
     Value: v=spf1 include:[your email provider's SPF] ~all

For common providers:

Google Workspace: v=spf1 include:_spf.google.com ~all
Microsoft 365:    v=spf1 include:spf.protection.outlook.com ~all
Mailgun:          v=spf1 include:mailgun.org ~all
SendGrid:         v=spf1 include:sendgrid.net ~all

If you use multiple providers, combine them:

v=spf1 include:_spf.google.com include:mailgun.org ~all

Common mistake: Adding multiple SPF records instead of one combined record. You can only have one SPF TXT record per domain. Multiple records will cause authentication failures.

DKIM (DomainKeys Identified Mail)

What it does: Adds a cryptographic signature to every email you send. The receiving server checks the signature against a public key in your DNS. If it matches, the email is verified as coming from your domain and unmodified in transit.

Why it matters: DKIM proves the email wasn’t forged or tampered with. Without it, email providers can’t verify that you are who you claim to be.

How to set it up:

  1. Your email provider generates a DKIM key pair
  2. They give you a TXT record to add to your DNS
  3. Add it – the record looks something like:

     Type: TXT
     Host: [selector]._domainkey
     Value: v=DKIM1; k=rsa; p=[long string of characters]

The selector and value come from your email provider. Google Workspace, Mailgun, SendGrid – they all have docs that walk you through generating the key.

The key thing: You don’t generate DKIM yourself. Your email provider does. You just publish the public key in DNS.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

What it does: Tells receiving servers what to do when an email fails SPF or DKIM checks. It also sends you reports so you can monitor who’s sending email from your domain.

Why it matters: DMARC ties SPF and DKIM together into a policy. Without it, a server that detects SPF/DKIM failure might still deliver the email. With DMARC, you control what happens.

How to set it up:

Start with a monitoring-only policy:

Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

This tells servers: “Don’t reject anything yet, but send me reports about what’s passing and failing.” Once you’ve confirmed everything is working, tighten the policy:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

Then eventually:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

My recommendation: Start with p=none for 2 weeks. Check the reports. Make sure all your legitimate email is passing SPF and DKIM. Then move to p=quarantine. Only move to p=reject once you’re confident.

Domain warming

Setting up authentication is step 1. Step 2 is warming the domain – building a sending reputation before you start cold outreach.

The problem: A brand new domain with no sending history is suspicious to email providers. Even with perfect SPF/DKIM/DMARC, sending 100 cold emails from a domain that’s never sent anything before is a red flag.

The fix: Gradually increase sending volume over 2-3 weeks.

Here’s the warm-up schedule I follow:

Week 1:
  Day 1-2: Send 5 emails/day to people you know (colleagues, friends)
  Day 3-4: Send 10 emails/day – mix of known contacts and opt-in list
  Day 5:   Send 15 emails/day

Week 2:
  Day 1-3: Send 20 emails/day – start mixing in cold prospects
  Day 4-5: Send 30 emails/day

Week 3:
  Day 1-3: Send 40 emails/day
  Day 4-5: Send 50 emails/day (my target daily volume)

Key details:

Daily sending limits

The limits I follow:

Domain age       Max sends per day   Notes
Under 2 weeks    5-15                Warm-up phase only
2-4 weeks        20-30               Start mixing cold sends
1-2 months       30-50               Full cold campaigns
3+ months        50-75               Established reputation

I never send more than 50 cold emails per day from a single domain. If I need higher volume, I use a second domain.

Some people push to 100-200 per day from one domain. It works for a while. Then one day, the domain reputation craters and every email goes to spam. I’ve seen it happen to others. Not worth the risk.

Multiple domains: For volume campaigns (200+ per month), I use 2-3 domains. Each domain sends 30-50/day. The domains are variations – scouter.io, tryscouter.com, getscouter.com. Each has its own SPF/DKIM/DMARC and warm-up history.

Spam trigger words

These don’t matter as much as they used to – modern spam filters look at sender reputation more than keywords. But certain patterns still trip filters, especially for newer domains.

Words and phrases I avoid in cold emails:

What actually matters more than individual words:

Testing your setup

Before sending any cold campaign, test your deliverability.

Free tools:

What to check:

  1. SPF record is valid and includes your sending provider
  2. DKIM signature is being added to outgoing emails
  3. DMARC record exists with at least p=none
  4. Your sending domain isn’t on any blacklists
  5. Test emails land in inbox (not spam) for Gmail, Outlook, and Yahoo
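
An added example, not part of the original post: a small linter for items 1 and 3 of this list that also catches the multiple-SPF-record mistake described earlier. It works on TXT strings you paste in (the records below are constructed), so it makes no DNS queries; `provider_include` is whatever include value your provider documents.

```python
import re

# Terms that each cost a DNS lookup; RFC 7208 allows at most 10 per SPF evaluation.
# Only the top-level record is counted here; nested includes add to the real total.
LOOKUP = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))", re.I)

def check_spf(txt_records, provider_include):
    """Lint the TXT records at the domain root; return a list of problems."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly 1 SPF record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    problems = []
    if f"include:{provider_include}" not in terms:
        problems.append(f"missing include:{provider_include}")
    lookups = sum(1 for t in terms if LOOKUP.match(t))
    if lookups > 10:
        problems.append(f"{lookups} lookup terms at top level (limit is 10)")
    if not terms or terms[-1].lower() not in ("~all", "-all"):
        problems.append("record does not end in ~all or -all")
    return problems

def check_dmarc(record):
    """Lint the TXT record published at _dmarc.<domain>; return a list of problems."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    problems = []
    if not record.strip().startswith("v=DMARC1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("no rua=mailto: address, so no reports will arrive")
    return problems

if __name__ == "__main__":
    # Constructed records: one combined SPF record versus the two-record mistake.
    good = ["v=spf1 include:_spf.google.com include:mailgun.org ~all", "site-verification=constructed"]
    bad = ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:mailgun.org ~all"]
    print(check_spf(good, "_spf.google.com"), check_spf(bad, "_spf.google.com"))
    print(check_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"))
```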

If your Mail Tester score is below 7, fix the issues before sending any cold email. Every email that goes to spam hurts your domain reputation, which makes the next email more likely to go to spam. It’s a spiral.

My deliverability checklist

Before every new cold email campaign:

[ ] SPF record configured and valid
[ ] DKIM enabled and verified
[ ] DMARC record live (at least p=none)
[ ] Domain warmed for 2+ weeks
[ ] Daily send volume under 50 per domain
[ ] Mail Tester score 9+
[ ] Test email lands in inbox for Gmail and Outlook
[ ] No images in email body
[ ] Plain text format (no HTML templates)
[ ] 0-1 links maximum
[ ] No spam trigger words in subject or body

This takes about 30 minutes to verify. That’s 30 minutes that determines whether your campaign reaches inboxes or goes to spam.


Deliverability is the foundation. Once your emails are landing in inboxes, the subject line earns the open, the first line earns the read, and the CTA earns the reply.

If you’re ready to send and want to see what a full campaign looks like end to end, the templates post has 5 complete emails with results. And the mistakes post covers the 8 other things that kill reply rates after deliverability is handled.

For the metrics to track once you’re sending, the metrics post breaks down what to measure, what’s good, and what means something is broken.