Cold Email Deliverability — How to Actually Land in the Inbox in 2026

Last updated: April 2026 · 14 min read

If you're sending cold emails and getting <2% reply rates, the problem might not be your copy. It might be that your emails are landing in spam — or not arriving at all. This guide covers the complete technical infrastructure behind cold email deliverability, from DNS records to sending patterns, with specific commands you can run right now to audit your setup.

Why Cold Emails Go to Spam

Cold emails face three filters before they reach a human inbox:

1. Gateway filters — Proofpoint, Mimecast, Barracuda, and Google's own spam engine check your DNS authentication (SPF, DKIM, DMARC). Missing or broken records = instant spam folder.
2. Reputation filters — Gmail and Outlook track your domain and IP sending reputation. New domains (<30 days) start with zero reputation. High bounce rates destroy reputation fast.
3. Engagement filters — If recipients don't open, reply, or move your emails to folders, future emails rank lower. Cold emails by definition start with zero engagement history.

The result: 46% of legitimate cold emails never reach the inbox. That's not a copy problem — it's an infrastructure problem.

The Cold Email DNS Authentication Checklist

Before sending a single cold email, your domain needs these DNS records configured and verified:

• SPF — Authorizes your sending IPs. Must include all senders (Google, Mailgun, outreach tools)
• DKIM — Cryptographically signs each email. Configure for every sending service
• DMARC — Tells receivers what to do with unauthenticated emails. Start with p=none, graduate to p=reject
• MTA-STS — Enforces TLS for SMTP delivery. Prevents downgrade attacks. Most domains miss this
• TLS-RPT — Reports TLS failures. Detects interception or misconfiguration
• BIMI — Displays your logo in inboxes. Requires DMARC p=quarantine or p=reject
• rDNS (PTR) — Reverse DNS on your sending IP must match your HELO hostname

SPF for Cold Email — The Most Common Setup Mistake

SPF (Sender Policy Framework) tells receiving mail servers which IPs are allowed to send email from your domain. For cold outreach, the #1 mistake is forgetting to include all your sending services.

Your SPF Record Must Include Every Sender

If you use Google Workspace for personal email AND an outreach tool (like Mailgun for transactional + Lemlist for cold outbound), your SPF must include all three:

v=spf1 include:_spf.google.com include:mailgun.org include:lemlist.com ~all

SPF Flatten If You Hit the 10-Lookup Limit

DNS resolvers cap SPF at 10 DNS lookups. If your SPF chain has too many include: directives, it'll fail. Solutions:

• Flatten includes — Replace include: directives with their resolved IPs directly
• Use a subdomain — Send cold emails from outreach.yourdomain.com with its own SPF record
• Dedicated sending service — Route all cold email through one provider with one include

Read our SPF Flatten Guide for the step-by-step process.

DKIM Setup for Cold Email Domains

DKIM adds a cryptographic signature to every email you send. Receiving servers verify this signature against a public key in your DNS. For cold email, DKIM alignment is critical — if the d= domain in the DKIM signature doesn't match your From header domain, Gmail will flag it.

Setup Steps

1. Enable DKIM in your sending platform — Google Workspace, Mailgun, SendGrid, etc. all have DKIM setup in their settings
2. Publish the public key in DNS — Your provider gives you a TXT record like selector._domainkey.yourdomain.com
3. Set key length to 2048-bit — 1024-bit keys are considered weak. Most providers default to 2048 now
4. Verify alignment — Your DKIM d= domain must match your From address domain

Using a subdomain? Make sure DKIM is set up on that subdomain too. If you send from tom@outreach.example.com, the DKIM record goes on selector._domainkey.outreach.example.com.

DMARC — The Policy That Controls Your Domain's Email

DMARC tells receiving servers what to do when SPF or DKIM fail. It's the most important record for cold email because Gmail and Outlook require DMARC for inbox placement — without it, your emails are treated as unverified.

The Cold Email DMARC Graduation

# Phase 1: Monitor (start here)
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; fo=1

# Phase 2: Quarantine (gradual enforcement)
v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com

# Phase 3: Reject (full enforcement)
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

How to Read DMARC Reports

DMARC aggregate reports (RUA) show you which senders are passing or failing authentication. Our DMARC Reports Guide covers the XML format, but the key fields are:

• auth_results.spf — Did SPF pass for this sending IP?
• auth_results.dkim — Did DKIM signature verify?
• policy_evaluated.dkim_alignment — Does the DKIM domain match the From domain?

If you see failures, use our Email Header Analyzer to diagnose the specific issue.

Domain Warm-Up — Don't Skip This

A brand-new domain has zero sender reputation. Gmail treats new domains with suspicion, especially if they start sending hundreds of cold emails on day one. Domain warm-up is not optional — it's the difference between 5% and 50% open rates.

The 21-Day Warm-Up Protocol

Key Warm-Up Rules

• Never send more than 200 emails/day from a single domain — Gmail's unofficial threshold for spam detection
• Use 2-3 domains for cold outreach — Rotate between them so one domain issue doesn't kill all outreach
• Monitor bounce rate — If bounces exceed 5%, stop and diagnose. Use our free domain checker to verify DNS is still correct
• Get replies — Gmail's #1 positive signal is someone hitting "Reply." Craft emails that invite responses
• Don't use link shorteners — bit.ly, tinyurl etc. are heavily penalized in cold emails

Sending Infrastructure for Cold Email

Your choice of sending infrastructure directly affects deliverability. Here's how the options compare:

Dedicated IP vs. Shared IP

For cold email, always use a dedicated IP when possible. Shared IPs pool your reputation with other senders — if someone on your shared IP gets blacklisted, your emails go to spam too.

Most sending services charge $20-30/month for a dedicated IP. It's worth it. If you're using Google Workspace directly, you're on Google's shared IP pool — generally fine as long as you follow warm-up protocols.

Content Factors That Affect Deliverability

Even with perfect DNS and warm-up, your email content determines whether Gmail's AI classifies it as spam:

What Hurts Cold Email Deliverability

• All-caps subject lines — "URGENT" or "FREE" trigger spam filters
• Excessive links — 3+ links in a cold email is a red flag
• HTML-heavy emails — Keep HTML minimal. Plain text with light formatting works best
• Attachment in first email — PDFs, images, and zip files in initial outreach get filtered
• Unsubscribe link that's hard to find — CAN-SPAM and GDPR require clear opt-out
• Spam trigger words — "free," "guarantee," "no obligation," "act now," "limited time"

What Helps Cold Email Deliverability

• Short, personal subject lines — 3-5 words, lowercased: "quick question" or "about your Series A"
• One link maximum — Your website or calendar link, nothing else
• Plain text preference — Plain text emails have higher inbox rates than HTML for cold outreach
• Clear sender identity — Use your real name, real company, and real email address
• Easy unsubscribe — "Reply STOP to unsubscribe" or a one-click link

Monitoring Your Cold Email Deliverability

Deliverability is not "set it and forget it." DNS records change, IPs get blacklisted, and provider algorithms update. Here's what to monitor continuously:

Weekly Checks

• SPF/DKIM/DMARC validation — Run curl https://korpo.pro/api/v1/check/yourdomain.com weekly to verify all records are still valid
• DMARC reports — Check RUA reports for authentication failures
• Blacklist checks — Use our blacklist guide to check 50+ DNSBLs
• Bounce rate — Keep below 5%. Above that = reputation damage

Monthly Checks

• Sender reputation score — Check via Talos Intelligence, Google Postmaster Tools, or our sender reputation guide
• MTA-STS policy — Verify https://mta-sts.yourdomain.com/.well-known/mta-sts.txt is still accessible
• DKIM key rotation — Rotate DKIM keys every 6-12 months for security

curl -s https://korpo.pro/api/v1/check/yourdomain.com | jq '.score'

The New Domain Playbook — Start to Inbox in 21 Days

Starting from zero? Here's the exact playbook:

1. Day 0 — Register domain, enable Google Workspace or Microsoft 365
2. Day 0 — Configure SPF, DKIM, DMARC (p=none), MTA-STS, TLS-RPT. Verify with our free checker
3. Day 0 — Set up rDNS (PTR record) on your sending IP
4. Day 0 — Create Google Postmaster Tools account and verify domain
5. Day 1-3 — Send 20-30 personal emails/day. Real conversations. No templates.
6. Day 4-7 — Increase to 40-50/day. Subscribe to newsletters. Reply to emails. Start getting engagement.
7. Day 8-14 — Begin warm outreach (replying to social media connections, conference follow-ups). 75-100/day.
8. Day 15-21 — Launch cold outreach at 100-150/day max. Monitor open/bounce rates. If open rate drops below 20%, pause and diagnose DNS.
9. Day 21+ — Gradually increase to 200/day max per domain. Move DMARC to quarantine.
10. Day 30+ — Move DMARC to p=reject. You're fully operational.

Advanced Techniques for Maximum Inbox Placement

Domain Rotation for High-Volume Outreach

If you're sending 500+ cold emails/day, use a domain rotation strategy:

• Register 3-5 similar domains (e.g., getproduct.com, tryproduct.com, producthq.com)
• Set up full DNS auth on each domain independently
• Send from different domains on different days or campaigns
• Forward all reply domains to a single inbox
• Redirect each domain's website to your main site

MTA-STS and TLS-RPT — The Underrated Duo

Most cold email guides skip MTA-STS entirely. Here's why you shouldn't:

• MTA-STS (RFC 8461) tells receiving servers that your domain requires TLS for email delivery. Without it, an attacker can downgrade SMTP connections to plaintext — intercepting or modifying emails in transit. Read our MTA-STS guide.
• TLS-RPT (RFC 8460) gives you reports when TLS delivery fails. If someone tries to downgrade your connection, you'll know. Read our TLS-RPT guide.

Currently, only 11% of domains have MTA-STS configured. Setting it up gives you a deliverability signal advantage — Gmail's enforcement uses MTA-STS presence as a positive reputation indicator.

BIMI — Logo in the Inbox

BIMI (Brand Indicators for Message Identification) displays your logo next to emails in Gmail and Apple Mail. This increases open rates by 10-30% according to Validity's research. Requirements:

• DMARC policy must be p=quarantine or p=reject
• SVG Tiny PS logo (specific format — not a regular SVG)
• VMC (Verified Mark Certificate) from a CA for Gmail

The VMC costs $500-1500/year, so it's a later-stage optimization. But just having BIMI with p=quarantine shows in Apple Mail without the VMC. Read our BIMI setup guide.

Troubleshooting Cold Email Deliverability Issues

"My emails are going to spam"

1. Check DNS with curl https://korpo.pro/api/v1/check/yourdomain.com
2. Is SPF passing? DKIM aligned? DMARC p=quarantine or p=reject?
3. Check Talos Intelligence for your IP reputation
4. Search for your domain/IP on major blacklists
5. Send a test email to mail-tester@grp1.delimail.fr and check the score

"My open rate dropped suddenly"

1. DMARC policy may have changed. Check with dig TXT _dmarc.yourdomain.com
2. Your sending IP may have been blacklisted. Check against DNSBLs.
3. Gmail may have throttled you. Check Google Postmaster Tools for complaint rate.
4. Your SPF includes may have grown past the 10-lookup limit. Flatten your SPF.

"My bounce rate is above 5%"

1. Verify email addresses before sending (use a verification service)
2. Check your domain isn't on any blacklists
3. Ensure rDNS (PTR) is set up on your sending IP
4. Your IP may be listed on a URIBL. Check sender reputation.

# Check a domain
curl https://korpo.pro/api/v1/check/example.com

# Batch check your outreach domains
curl -X POST https://korpo.pro/api/v1/batch \
  -H "Content-Type: application/json" \
  -d '{"domains":["outreach1.com","outreach2.com","cold.yourdomain.com"]}'

The Complete Cold Email Deliverability Checklist

• SPF record includes all sending services (~all, not +all)
• DKIM enabled and aligned with From domain (2048-bit key)
• DMARC published: start p=none, graduate to p=reject
• MTA-STS policy published and accessible via HTTPS
• TLS-RPT reporting configured (rua=mailto:)
• rDNS (PTR) set on sending IP matching HELO hostname
• Dedicated IP for outbound (not shared)
• Domain warmed up: 21-day protocol followed
• Daily send volume under 200 per domain
• Bounce rate below 5%
• Plain text or minimal HTML for cold emails
• Short, personal subject lines (3-5 words, lowercase)
• One link maximum per email
• Clear unsubscribe mechanism
• Weekly SPF/DKIM/DMARC verification via API
• Blacklist monitoring set up
• Google Postmaster Tools verified and monitored
• DMARC reports reviewed weekly

If you've completed every item on this checklist, your cold emails should reliably reach the inbox. If you're still having issues, run a free domain check to identify exactly which DNS records need attention.