Cold Email Deliverability: The Complete Technical Guide

You can write the best cold email ever crafted. Perfect subject line. Body that speaks directly to the prospect's pain. A call to action so clean it practically books itself.

None of it matters if the email lands in spam.

I have been running cold email campaigns since 2016 and founded Alchemail in 2022. We manage deliverability across hundreds of domains and have generated over $55M in pipeline for our clients. Every dollar of that pipeline depended on one thing first: getting the email into the inbox.

This is the technical guide I wish existed when I started -- DNS authentication, reputation management, and the monitoring systems that keep campaigns alive at scale. For a broader view of the channel, start with our complete guide to cold email in 2026.

Why Deliverability Is the Foundation of Everything

Deliverability is the least glamorous part of cold email. Nobody brags about their SPF records on LinkedIn. But it is the single variable that separates agencies that book meetings from agencies that burn domains.

Here is the math. Say you send 1,000 emails per day with a 3% reply rate. That is 30 replies. If your inbox placement drops from 90% to 50% because of deliverability problems, your effective reply count drops from 27 to 15. You just cut your pipeline in half -- not because your copy got worse, but because your emails stopped reaching people.

At Alchemail, we do not write a single line of email copy until the sending infrastructure is fully built, authenticated, and warmed. That is not a philosophical stance. It is the only approach that works consistently at scale.

How Email Deliverability Actually Works

Before you can fix deliverability problems, you need to understand what happens every time you press send:

1. Your sending server dispatches the email. SmartLead, Instantly, Lemlist -- whatever platform you use. The email leaves from a specific IP address.
2. The receiving server performs a DNS lookup. It checks DNS records for your sending domain to verify you are who you claim to be.
3. Authentication checks run. SPF (is this IP allowed to send for this domain?), DKIM (has this email been tampered with?), DMARC (what should I do if authentication fails?).
4. Reputation checks run. The receiving server looks at the sending IP and domain reputation. Has this domain sent spam before? What is the complaint rate?
5. Content filtering runs. The email body, subject line, links, and formatting are analyzed for spam signals.
6. The inbox decision is made. Based on combined signals, the email goes to inbox, spam, or gets rejected outright.

Every link in this chain can break. A missing SPF record fails step 3. A burned domain reputation fails step 4. Spammy content fails step 5. This chain is the map you use to diagnose every deliverability problem you will ever face.

DNS Authentication: Your First Line of Defense

Without DNS authentication, you are asking email providers to trust you with no proof of identity. They will not.

Three protocols need to be configured on every sending domain: SPF, DKIM, and DMARC. We have a detailed step-by-step setup guide at SPF, DKIM, and DMARC for Cold Email. Here is what each one does and the common mistakes that break them.

SPF (Sender Policy Framework)

SPF tells receiving servers which IP addresses are authorized to send email on behalf of your domain. When you set up a sending tool like SmartLead or Google Workspace, they give you an SPF include to add to your DNS:

v=spf1 include:_spf.google.com include:sendgrid.net -all

This says: Google and SendGrid are allowed to send for this domain. Nobody else is. The -all is a hard fail -- reject email from any unlisted IP.

Common SPF mistakes:

• Too many DNS lookups. SPF allows a maximum of 10 DNS lookups. Every include: counts, and nested includes count too. Exceed 10 and your SPF record breaks silently. MXToolbox can check your lookup count.
• Using ~all instead of -all. Soft fail (~all) tells servers to accept but flag. Use hard fail (-all) for cold email.
• Missing includes. If you send through a platform but forget its include, every email from that platform fails SPF.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every email you send. The receiving server uses the public key published in your DNS to verify that the email has not been altered in transit and genuinely came from your domain.

DKIM is more important than most people realize. It is tied directly to your domain's sending reputation. ISPs use DKIM signatures to associate sending behavior with your domain consistently, even if you change sending IPs.

Setting up DKIM involves generating a key pair through your email provider, then publishing the public key as a DNS TXT record. Most platforms handle key generation for you.

Common DKIM mistakes:

• Not setting it up at all. Some operators skip DKIM because SPF is "enough." It is not. Major inbox providers weight DKIM heavily.
• Key rotation neglect. DKIM keys should be rotated every 6-12 months. Most people set them once and never touch them again.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC is the policy layer on top of SPF and DKIM. It tells receiving servers what to do when authentication fails, and gives you reporting on who is sending email using your domain:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

Start with p=none (monitor only, no action on failures). Once all legitimate sending sources are authenticated, graduate to p=quarantine (send failures to spam) and eventually p=reject (block failures entirely).

DMARC aggregate reports are XML files sent to your rua address showing every IP that sent email using your domain and whether authentication passed or failed. Tools like DMARC Analyzer or Postmark's free DMARC tool parse these into readable dashboards.

Why DMARC matters for cold email: Without DMARC, anyone can spoof your domain. If a spammer sends email pretending to be your domain and generates complaints, that damages your reputation -- even though you had nothing to do with it.

For the full setup walkthrough, read our SPF, DKIM, and DMARC guide.

Domain and IP Reputation

Authentication gets your email past the front door. Reputation determines whether it gets invited to sit down or shown the spam folder.

Every domain and IP address has a sending reputation -- a score inbox providers maintain based on historical sending behavior. New domains start neutral. What you do in the first weeks of sending determines whether that reputation trends positive or negative.

Factors that build reputation:

• Low bounce rates (under 2%)
• Low spam complaint rates (under 0.1%)
• Consistent sending volume (no wild spikes)
• Positive engagement signals (opens, replies, emails moved out of spam)

Factors that destroy reputation:

• High bounce rates (sending to invalid addresses)
• Spam complaints (recipients marking your email as spam)
• Hitting spam traps (email addresses specifically designed to catch spammers)
• Sudden volume spikes (going from 10 emails/day to 1,000 overnight)
• Sending to purchased or scraped lists without verification

How to Monitor Reputation

• Google Postmaster Tools. Free. Shows your domain and IP reputation with Google specifically, plus spam rates, authentication results, and delivery errors. If you are sending to Gmail users (and you are -- Gmail has over 1.8 billion users), this is essential.
• Microsoft SNDS (Smart Network Data Services). Free. Shows your IP reputation with Microsoft's email ecosystem (Outlook, Hotmail, Live).
• MXToolbox blacklist check. Free. Checks whether your domain or IP appears on any of the major email blacklists.

Why You Never Send Cold Email From Your Primary Domain

This is non-negotiable. Your primary domain -- the one your company uses for proposals, contracts, and client communication -- must never be used for cold outreach.

If a cold email campaign generates complaints, the reputation damage applies to the sending domain. If that is your primary business domain, your regular email starts landing in spam too. Proposals disappear. Invoices go unread.

You always send from separate domains -- variants like acmemail.com, getacme.com, or tryacme.com if your business is acme.com. Each sending domain absorbs the risk independently.

For the math on how many domains you need, read our domain calculation guide.

The Warmup Process

Warmup is the process of gradually building a sending reputation for a new inbox. You cannot buy a domain and start sending 50 cold emails on day one. That inbox has zero reputation. Sending any meaningful volume immediately looks like spam behavior.

What Warmup Actually Does

Warmup tools send emails from your new inbox to a network of other inboxes. Those inboxes open the emails, reply to them, and move them out of spam if needed. This creates positive engagement signals that tell inbox providers: this sender is legitimate.

Over 2-4 weeks, the volume gradually increases. The inbox builds a track record and earns increasingly positive reputation scores.

Automated vs. Manual Warmup

Automated warmup tools -- built into SmartLead, Instantly, or dedicated tools like Warmbox -- handle this at scale. They manage the schedule, engagement simulation, and volume ramp automatically. Manual warmup (sending to real contacts who will engage) works but does not scale beyond a handful of inboxes.

At Alchemail, every inbox goes through a minimum of 14 days of warmup before a single cold email goes out. For high-volume campaigns, we extend to 21-28 days.

The Critical Mistake: Stopping Warmup

The mistake I see constantly: an operator warms up inboxes for two weeks, starts campaigns, and turns off warmup.

Do not do this. Warmup should run continuously alongside campaigns. Without it, the only signals inbox providers see are cold emails -- which naturally have lower engagement than warmup emails. Your reputation erodes.

Keep warmup running at 15-25 emails per day even after campaigns are in full swing. The cost is minimal. The protection is significant.

Volume Management

How many emails you send per inbox per day is one of the most important decisions you will make. Get it wrong and you will burn your reputation overnight.

The Safe Range

The safe range is 30-50 emails per inbox per day, including warmup volume. So if you are running 20 warmup emails per day, you have room for 10-30 cold emails from that inbox. Some operators push higher, but for most campaigns it is not worth the risk.

The Ramp-Up Schedule

When you start sending cold emails from a newly warmed inbox, do not jump to full volume. Ramp gradually:

• Days 1-3: 5 cold emails per day
• Days 4-7: 10 cold emails per day
• Days 8-14: 20 cold emails per day
• Days 15-21: 30 cold emails per day
• Day 22+: Steady state at 30-50 per day

Resist the impulse to move faster. Sending 50 emails from an inbox that was doing 5 yesterday is exactly the kind of spike that triggers spam filters.

The Math on How Many Inboxes You Need

Simple arithmetic. To send 1,000 cold emails per day at 30 per inbox, you need roughly 33 inboxes. At 2-3 inboxes per domain, that is 11-17 domains. That is real infrastructure. Cutting corners -- cramming volume through fewer inboxes -- is the most common cause of deliverability collapse.

For the full domain and inbox math, read our domain planning guide.

Content and Formatting Signals

Once your infrastructure and reputation are solid, content is the final filter your emails pass through. The good news: content filtering is less of a factor than most people think. The bad news: it can still trip you up if you are not paying attention.

Spam Trigger Words

Lists of "spam trigger words" float around the internet -- words like "free," "guarantee," "act now." The conventional wisdom is that using these words sends your email to spam.

The reality is more nuanced. Modern spam filters use machine learning, not keyword matching. A single word rarely triggers a spam classification. What matters is the overall pattern: aggressive language, excessive capitalization, exclamation points, and salesy phrasing that collectively signal "marketing spam."

Write like a human writing to another human. If your cold email reads like something a person would actually send to a colleague, the content filter will pass it.

Links and Tracking

Every link in your email is a potential spam signal. Tracked links are especially problematic because they route through a tracking domain before redirecting. Spam filters know what tracking redirects look like.

Best practices:

• One link maximum per email. Zero is better for the first email in a sequence.
• Avoid tracked open pixels if your deliverability is fragile. Spam filters detect the invisible tracking images.
• If you must use link tracking, use a custom tracking domain that is warmed and authenticated.

HTML vs. Plain Text

For cold email, plain text wins. Always.

HTML emails -- images, styled fonts, buttons -- look like marketing emails. Spam filters know this. Real 1-to-1 emails between professionals are plain text. Your cold email should look like it was typed by a person in Gmail. No images. No HTML buttons. Just text.

The Unsubscribe Link

Including an unsubscribe link is legally required (CAN-SPAM, GDPR). But beyond compliance, it is a positive deliverability signal. Gmail and other providers favor emails with easy opt-out mechanisms. Place it at the bottom. It costs you nothing and helps inbox placement.

Monitoring and Troubleshooting

Deliverability requires continuous monitoring. Things break. Reputations shift. Inbox providers change their algorithms. If you are not watching, problems compound silently until your campaigns are dead.

What to Watch

• Open rate drops. If open rates drop suddenly (not gradually -- suddenly), that is almost always a deliverability issue, not a copy issue. Your emails are landing in spam.
• Bounce rate spikes. A bounce rate above 3% on any given send is a red flag. Above 5% is an emergency. High bounces tell inbox providers your list is bad, which damages reputation fast.
• Reply silence. If you were getting replies and they suddenly stop, check deliverability before blaming the copy. A campaign that was working and then stopped is rarely a content problem.
• Spam complaint rate. Google Postmaster Tools shows this. Anything above 0.1% is a warning. Above 0.3% and you are in danger of serious reputation damage.

How to Diagnose

When something looks wrong, here is the diagnostic sequence:

1. Check blacklists. Use MXToolbox to see if your domain or sending IP has been blacklisted. If it has, that explains the problem immediately.
2. Test inbox placement. Tools like Mail-Tester, GlockApps, or InboxReady let you send a test email and see where it lands across major inbox providers. This tells you whether you are hitting inbox, spam, or getting rejected entirely.
3. Review DMARC reports. Check whether your authentication is passing. If SPF or DKIM failures are showing up in DMARC reports, something in your DNS configuration has changed or broken.
4. Check Google Postmaster Tools. Look at your domain reputation trend. If it has dropped from "High" to "Medium" or "Low," you need to reduce volume and focus on re-establishing positive engagement.
5. Review recent sending patterns. Did you spike volume? Change your sending tool? Add a new domain without proper warmup? Any change in sending behavior can trigger filter adjustments.

When Things Break: The Recovery Protocol

When deliverability collapses, do not keep sending and hope it fixes itself. That makes it worse:

1. Pause all cold campaigns immediately.
2. Diagnose using the steps above.
3. Fix the root cause -- blacklist removal, DNS repair, new domain, better data.
4. Re-warm. Treat the inbox like new. Reduce to warmup levels and ramp gradually.
5. Resume slowly. Ramp over 1-2 weeks while monitoring closely.

Recovery takes 2-4 weeks. There is no shortcut.

Managing Deliverability at Scale

Everything above applies to a single campaign with a handful of domains. When you are managing 50+ client campaigns across hundreds of domains -- which is what we do at Alchemail -- the challenges compound.

Automated Monitoring

At our scale, manual monitoring is impossible. We run automated systems that pull deliverability data across all domains and clients, flag anomalies in real time, and route alerts to the right operator. When a domain's reputation drops or a bounce rate spikes, we know within hours, not days. That speed is the difference between losing a domain and saving it.

Domain Rotation

Domains have a lifespan in cold email. Even with perfect management, a domain sending for 6-12 months accumulates reputation wear. We rotate proactively -- retiring domains showing fatigue and bringing warmed replacements into rotation. You always need domains in the warmup pipeline, ready to go. Running out means pausing campaigns, which means lost pipeline.

Separate Infrastructure Per Client

Every client gets dedicated infrastructure -- domains, inboxes, authentication, reputation -- all isolated. If one client's campaign generates complaints, it does not affect another client. This is expensive and operationally complex. It is also non-negotiable. Shared infrastructure creates cascading failures.

Real-Time Alerting

We have alerting thresholds that trigger escalation protocols automatically. Open rate drops below 35%: alert. Domain bounce rate exceeds 3%: alert. Blacklist appearance: alert. Each alert has a defined response protocol. Pause, diagnose, fix, re-warm.

This infrastructure took years to build. It is the invisible work that makes our results possible.

The Deliverability Checklist

Before you launch any cold email campaign, run through this checklist. Every item matters.

Infrastructure

• Sending domains purchased and separate from your primary domain
• 2-3 inboxes created per sending domain
• SPF records configured correctly (check lookup count with MXToolbox)
• DKIM records published and verified
• DMARC record set to p=none with a reporting address configured
• Custom tracking domain set up and authenticated (if using link tracking)

Warmup

• All inboxes warmed for a minimum of 14 days (21-28 for high-volume campaigns)
• Warmup volume set to continue running alongside campaigns
• Warmup engagement rates verified (open rates above 40%, no unusual bounce patterns)

Data Quality

• All email addresses verified through a dedicated verification tool
• Bounce rate on verification below 2%
• No role-based addresses (info@, support@, sales@) in your list
• Prospect data enriched and ICP-matched

Sending Configuration

• Daily send volume per inbox set at 30-50 (including warmup)
• Ramp-up schedule defined (start at 5/day, increase every 2-3 days)
• Send times configured for recipient's timezone during business hours
• Sending intervals randomized (not sending all emails at the same time)

Content

• Plain text formatting (no HTML, no images)
• Maximum one link per email (zero in the first email is better)
• Unsubscribe link included
• No excessive capitalization, exclamation marks, or salesy language
• Email body reads like a 1-to-1 message, not a marketing blast

Monitoring

• Google Postmaster Tools set up for all sending domains
• Blacklist monitoring active (MXToolbox or equivalent)
• DMARC report processing in place
• Alerting thresholds defined for open rates, bounce rates, and complaint rates
• Weekly deliverability review scheduled

Most deliverability problems come from skipping one of these steps -- usually the ones that feel tedious. They are all necessary.

The Bottom Line

Deliverability is not a feature you bolt on after building campaigns. It is the foundation underneath everything. The copy, the targeting, the offer -- none of it reaches anyone if the email lands in spam.

The work is technical and unglamorous. It requires patience during warmup, discipline in volume management, and constant vigilance in monitoring. But it separates operators who book meetings from operators who burn through domains wondering why nothing works.

Build the infrastructure right. Authenticate every domain. Warm every inbox. Monitor everything. And when something breaks -- because it will -- have a protocol ready.

Start with the infrastructure setup guide. Get your authentication configured properly. Figure out how many domains you need. Then come back to this guide as your ongoing reference.

If you want help building and managing deliverability infrastructure at scale, book a call with me directly. We will look at your current setup and give you an honest assessment of what it takes to get your emails into inboxes consistently.