Cold email deliverability: the definitive guide.
Cold email deliverability, in four layers: DNS authentication, sender reputation, content fingerprinting, list hygiene. The actual DNS records, the actual benchmarks, the 30-item operating checklist, and the recovery playbook for the day it goes wrong.
Cold email deliverability is the discipline of getting unsolicited outbound mail into the primary inbox. It operates on four layers — DNS authentication (SPF/DKIM/DMARC), sender reputation (domain age, engagement history), content fingerprinting (Gmail and Outlook's ML scoring of your message body), and list hygiene (verification, bounce rate, spam-trap avoidance). Failing any one layer is enough to land in spam, and the 2024 Gmail/Yahoo bulk-sender rules made the margin for error much thinner than it used to be.
Part 1: What cold email deliverability actually is
Cold email deliverability is the practice of ensuring that messages sent to recipients who have not opted in arrive in the primary inbox rather than the spam folder, the promotions tab, or a quarantine queue. It is a subset of email deliverability generally, but with materially harder constraints: complaint rates are higher, list quality is lower, and recipient engagement starts at zero.
The reason it deserves its own discipline is that mailbox providers — particularly Gmail since the 2022 classifier overhaul, and Microsoft since SmartScreen v3 in 2024 — weight the "unsolicited" signal heavily. A broadcast email to a confirmed-opt-in list with a 0.05% complaint rate has 50x the slack of a cold campaign to a scraped list. The same DNS, reputation, and content rules apply to both, but the operating margin is dramatically different.
Why cold email deliverability is different from broadcast deliverability
Broadcast email — newsletters, transactional notifications, opt-in marketing — operates from large warmed domains with established engagement histories and clean lists pruned of bouncers and unengaged recipients. Cold email operates from small new domains with no engagement history and lists assembled from prospecting tools, scraped public sources, or purchased databases of variable quality.
The practical consequence is that the four layers below — authentication, reputation, content, hygiene — matter much more, and the cost of getting any one wrong is much higher. A broadcast sender with a bad week will see open rates dip and recover. A cold sender with a bad week will see their domain reputation drop to Low, the spam folder swallow their next campaign, and a 30-day recovery slog before they can send again.
Part 2: The four layers of deliverability
Every deliverability problem reduces to a failure on one of four layers. They run in roughly the order a mailbox provider evaluates them, and each one filters out messages that fail before the next layer is even consulted. This is the mental model we'll use for the rest of the guide.
| Layer | What it checks | Failure looks like |
|---|---|---|
| 1. DNS authentication | SPF, DKIM, DMARC alignment | Hard reject or sent to spam outright |
| 2. Sender reputation | Domain/IP history, engagement | Routed to spam, throttled, or quarantined |
| 3. Content fingerprint | Body ML score, link reputation | Promotions tab, occasional spam |
| 4. List hygiene | Bounce rate, spam-trap hits | Reputation decay, eventual blacklist |
The four layers are not independent — they compound. A campaign with poor authentication, decent reputation, decent content, and decent hygiene fails on authentication and never reaches the inbox. A campaign with perfect authentication, decent reputation, decent content, and a list with 12% spam-trap hits will see reputation drop within days and the next campaign land in spam. You don't pass deliverability by acing one layer; you pass it by not failing any.
Part 3: DNS authentication, deep dive
DNS authentication is the floor. Without correct SPF, DKIM, and DMARC records, your messages may not reach the inbox at all — and after the 2024 Gmail/Yahoo bulk-sender rules, the threshold for "correct" tightened considerably. Here are the four records and exactly what each one does.
SPF — Sender Policy Framework
SPF is a DNS TXT record published on your sending domain that lists which servers are allowed to send mail on your behalf. When a receiving server gets a message, it checks the envelope-from domain's SPF record and confirms the originating IP is authorized. The spec is RFC 7208.
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
The ~all directive means "soft fail" — providers may accept unauthorized senders but mark them. -all means "hard fail" and is more aggressive. For most cold senders, ~all is the safer choice until your authentication setup is bulletproof.
DKIM — DomainKeys Identified Mail
DKIM attaches a cryptographic signature to every outbound message. The signature is generated by a private key held by your sending server and verified by a public key published in your DNS. Receiving servers check the signature against the public key and confirm the message body has not been altered in transit. The spec is RFC 6376.
google._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
Google Workspace and Microsoft 365 generate the keypair for you and provide the exact TXT record string. Your job is to publish it at the correct selector — Google uses google._domainkey, Microsoft uses selector1._domainkey and selector2._domainkey.
DMARC — Domain-based Authentication
DMARC ties SPF and DKIM together by requiring alignment between the From domain and the authentication domain, and tells receiving servers what to do when authentication fails. The 2024 Gmail/Yahoo rules made DMARC required for any sender above 5,000 messages/day. The spec is RFC 7489.
_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; fo=1"
Start at p=none for the first 14 days while you monitor aggregate reports. Once you confirm legitimate sources align, move to p=quarantine. After another 30 days, move to p=reject if you want maximum protection against spoofing. The full step-by-step walkthrough is in our DKIM/SPF/DMARC setup post.
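As an added example (not part of the original guide or of any tool it mentions), this offline linter checks SPF and DMARC record strings for the qualifier on all, the RFC 7208 limit of 10 DNS-lookup terms, and a DMARC policy published without rua reporting. The function names and the BAD_* inputs are constructed for illustration; lookups hidden inside nested includes are not counted because nothing is resolved.

```python
import re

# Terms that each cost one DNS query during SPF evaluation. RFC 7208
# section 4.6.4 caps the total at 10; beyond that the result is permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)", re.IGNORECASE)

def lint_spf(record):
    """Lint one SPF TXT string; returns {'all', 'lookups', 'findings'}."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"all": None, "lookups": 0, "findings": ["not an SPF record"]}
    findings, lookups, all_q, has_redirect = [], 0, None, False
    for pos, term in enumerate(terms[1:], start=1):
        m = TERM_RE.match(term)
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        qualifier, name = m.group(1) or "+", m.group(2).lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_q = qualifier
            if pos != len(terms) - 1:
                findings.append("terms after 'all' are never evaluated")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds the limit of 10")
    if all_q is None and not has_redirect:
        findings.append("no 'all' mechanism: unlisted senders get 'neutral'")
    elif all_q in ("+", "?"):
        findings.append(f"'{all_q}all' does not restrict who may send as this domain")
    return {"all": all_q, "lookups": lookups, "findings": findings}

def lint_dmarc(record):
    """Lint one DMARC TXT string; returns {'policy', 'findings'}."""
    pairs = [part.split("=", 1) for part in record.split(";") if "=" in part]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1"):
        return {"policy": None, "findings": ["v=DMARC1 must be the first tag"]}
    tag = dict(tags)
    policy = tag.get("p", "").lower() or None
    findings = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tag:
        findings.append("no rua= address: aggregate reports will not be sent")
    elif not all(u.strip().lower().startswith("mailto:") for u in tag["rua"].split(",")):
        findings.append("rua= entries should be mailto: URIs")
    return {"policy": policy, "findings": findings}

# Records as published in the guide above.
PAGE_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all"
PAGE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; fo=1"
# Constructed bad inputs: 11 includes ending in +all, and DMARC without rua.
BAD_SPF = "v=spf1 " + " ".join(f"include:esp{i}.example" for i in range(11)) + " +all"
BAD_DMARC = "v=DMARC1; p=none"

if __name__ == "__main__":
    for rec in (PAGE_SPF, BAD_SPF):
        print(lint_spf(rec))
    for rec in (PAGE_DMARC, BAD_DMARC):
        print(lint_dmarc(rec))
```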
BIMI — Brand Indicators for Message Identification
BIMI is the optional fourth record. With DMARC at p=quarantine or stricter, and a Verified Mark Certificate (VMC) on file, Gmail and Apple Mail will display your verified brand logo next to incoming messages. It is not a deliverability signal directly — but the visual lift improves open rates by ~5% on average. For cold senders, the ROI of the VMC (~$1,500/year) is usually poor; for established high-volume B2B brands, it can be worth it. See our BIMI glossary entry for the full setup.
Run your sending domain through our free SPF checker and DMARC checker before sending another email. Both will flag misconfigurations, alignment issues, and missing records.
Part 4: Building sender reputation
Once DNS authentication passes, the receiving server consults sender reputation — a per-domain (and per-IP) score aggregated from months of historical engagement and complaint data. Sender reputation is the layer warmup builds, and it's the hardest one to fake. Mailbox providers have years of telemetry on what real sending looks like, and the surface area for tricking them is small and shrinking.
What providers measure
- Domain age. Recently registered domains are throttled aggressively. Park new domains for 14+ days before sending anything.
- Send history consistency. Smooth daily volume is preferred. Volume cliffs (zero to 500 overnight) trigger throttling.
- Engagement rates. Open rate, reply rate, archive rate. Gmail specifically weights replies and star/important rates very heavily.
- Complaint rate. Recipients hitting "Mark as spam." The Gmail/Yahoo threshold is 0.3%; the operating ceiling for cold senders is 0.1%.
- Rescue-from-spam rate. Recipients hitting "Not spam." A strong positive signal, but rare in practice — most recipients just delete.
The reputation score is then surfaced in Google Postmaster Tools as four buckets: Bad, Low, Medium, High. The transition from Low to Medium is the most important — that's when Gmail starts routing your messages to primary by default. Maintaining High requires sustained low complaint rates over months.
The full mechanics of reputation building live in the email warmup pillar — warmup is, fundamentally, the practice of constructing sender reputation. For deeper reading on the measurement side, see our pieces on domain reputation and Sender Score.
Part 5: Content and how providers fingerprint it
The third layer — content fingerprinting — is the most underappreciated and the most rapidly evolving. Gmail ships a new spam classifier every quarter or so, and the model now scores the body of each message independently from the sender, then combines the two scores. This is why a well-warmed mailbox can still send a campaign that lands in spam: the sender was trusted, but the content was not.
What the content model is looking at
- Language patterns. Modern classifiers are transformer-based and effectively semantic. The old "avoid the word free" advice is obsolete; the new advice is "write like a person."
- Link reputation. Every URL in your message is scored by the provider's URL classifier. URL shorteners (bit.ly, t.co) and known-spammy domains drag scores down hard.
- Image-to-text ratio. Heavy image content with little text reads as a marketing send.
- Tracking pixels. Single 1x1 tracking pixels are now flagged. Multiple tracking pixels in one message are a near-guaranteed spam signal.
- HTML complexity. Heavily styled HTML emails look like newsletters; plain-text-styled emails look like personal messages. Cold emails should lean plain.
The content fingerprint is also why template-based warmup exists as a separate discipline — sender-only warmup builds the reputation half but does nothing for the content half. By warming your real campaign template instead of generic warmup copy, you teach the content model to trust the body of your actual cold email.
Run your draft through our free spam trigger scanner and template analyzer before launching a campaign. For subject-line scoring specifically, see our piece on subject lines that trigger spam filters.
Part 6: List hygiene — verification, bounces, suppression
The fourth layer is the easiest to fix and the most often-ignored. List quality is the single biggest variable that distinguishes a working cold operation from a broken one. A well-warmed mailbox sending to a dirty list will burn reputation in days; a barely-warmed mailbox sending to a verified list often survives longer than it has any right to.
The three list-quality killers
- Invalid addresses (hard bounces). A hard bounce rate above 3% on the first 100 sends signals an unverified list. Above 5% triggers automatic throttling at Gmail. Verify every list before sending — multi-provider verification (Zerobounce, Bouncer, NeverBounce) costs $0.005-0.01 per check and is non-negotiable.
- Spam traps. Email addresses that have been retired and converted into trap addresses by mailbox providers. Sending to one is an instant reputation hit; sending to several is an automatic blacklist. Spam traps are the main reason scraped lists are dangerous — they accumulate in any list older than six months.
- Unengaged recipients. Addresses that haven't engaged with anyone in years. They won't complain, but they also won't open — and a campaign-wide engagement rate below 15% drags sender reputation down.
The operating discipline: verify before every campaign, suppress every bounce immediately, never reuse a list more than 30 days old without re-verifying, and prune unengaged recipients after two consecutive non-opens. See our piece on cold email bounce rates for the full benchmark data.
Part 7: Tooling — what to use to monitor deliverability
You can't fix what you can't see. Cold email operators need at least four monitoring tools running in parallel, each surfacing a different layer of the deliverability stack. Here's the minimum stack we'd recommend.
- Google Postmaster Tools. Free, official, definitive for Gmail. Domain reputation, IP reputation, spam rate, and authentication results. Check weekly at minimum. Full walkthrough in our Postmaster Tools guide.
- Microsoft SNDS and JMRP. Free, official, for Outlook/Hotmail. Less granular than Postmaster but the closest equivalent.
- Inbox placement test (recurring). GlockApps, Mail-Tester, or NeverSpam Seed Tests. Run a test on your current template every Monday morning at a minimum. Anomalies catch problems before your real list does.
- DNS checker. Our free SPF checker, DMARC checker, and header analyzer. Run weekly to catch DNS drift.
- Sending platform metrics. Open rate, reply rate, bounce rate on every campaign — these are your fastest feedback loop. Set alerts on bounce rate > 3% or open rate < 25%.
For the longer-running monitoring discipline, see Litmus's annual State of Email deliverability report for industry-wide benchmarks.
Part 8: Recovering from a deliverability hit
A deliverability hit means one of three things: a campaign sent to a low-quality list spiked complaints, a piece of content scored poorly on the content model and tanked reputation, or DNS drift (an expired DKIM key, a misconfigured SPF, a DMARC record that suddenly hard-fails) cut off authentication. The recovery procedure is similar in all three cases.
The recovery playbook
No exceptions. Continuing to send during a reputation drop accelerates the decay.
Postmaster Tools tells you the symptom. Authentication failed? DNS layer. Spam rate spike? Content or list. Reputation drop with no spam spike? Engagement decay.
Update DNS records, purge the list, swap out the content. Whatever caused the hit needs to be fixed before recovery can start — otherwise you're recovering into the same trap.
Run your warmup tool at moderate volume (40-60 sends/day) for 14-21 days. No live campaigns during this window.
Monitor recovery via Mail-Tester or GlockApps. Watch for primary-inbox placement returning to the 85%+ range.
When tests pass for 7 consecutive days, resume live sending at 50% of your previous volume for the first week. Ramp back to full over 2 weeks.
Some hits are unrecoverable on the original domain. After 30 days with no improvement in Postmaster Tools, retire the domain and start over on a fresh one.
Part 9: The cold email deliverability checklist
A condensed operating checklist of every item from the four layers above. Run this against any new cold sending domain before launching. The expanded version with rationale and tooling recommendations lives in our full deliverability checklist.
DNS authentication (layer 1)
- SPF record published, includes all sending platforms, uses ~all
- DKIM record published at correct selector, key length ≥ 1024 bits
- DMARC record published, starts at p=none with rua reporting
- DMARC alignment verified (From domain matches DKIM signing domain)
- MX records pointed at your sending platform
- Reverse DNS (PTR) configured if running dedicated infrastructure
- One-click List-Unsubscribe header (RFC 8058) present on every send
Sender reputation (layer 2)
- Domain registered ≥ 14 days before first send
- Warmup tool connected and running for ≥ 21 days
- Google Postmaster domain reputation: Medium or High
- Microsoft SNDS status: Green
- Daily send volume ≤ 80 per mailbox
- Warmup continuing in parallel with live sending
Content (layer 3)
- Subject line scored by spam-trigger scanner — clean
- Body scored by template analyzer — clean
- No URL shorteners
- ≤ 1 tracking pixel
- ≤ 2 hyperlinks (CTAs)
- Plain-text-styled HTML, not heavy marketing template
- Personalization tokens validated (no {{first_name}} leaks)
List hygiene (layer 4)
- Every address verified within the last 30 days
- Multi-provider verification (≥ 2 services)
- Hard bounces from previous campaigns suppressed
- Complaint addresses suppressed permanently
- Spam-trap exposure assessed (no role addresses, no catch-alls without verification)
- Unengaged recipients pruned after 2 consecutive non-opens
- List age ≤ 90 days from acquisition
In an audit of 847 cold-email teams in 2025, the median checklist completion was 22 of 30 items. Teams scoring above 27 had 3.4x higher reply rates than teams scoring below 20.
Frequently asked questions
What is cold email deliverability?
Cold email deliverability is the practice of getting unsolicited outbound emails to land in the primary inbox rather than the spam folder, the promotions tab, or a quarantine queue. It is harder than broadcast deliverability because cold recipients have not opted in, so engagement signals start at zero and complaints come faster. It is the combination of DNS authentication, sender reputation, content fingerprinting, and list hygiene — and getting any one of the four wrong is enough to kill placement.
How do I check if my cold email is deliverable?
Run three checks. First, an external inbox placement test (Mail-Tester, GlockApps, NeverSpam) on your actual campaign template — score 8+ and confirm primary inbox at Gmail, Outlook, and Yahoo. Second, Google Postmaster Tools — your domain reputation should read Medium or High and your spam rate below 0.1%. Third, your sending platform's in-app metrics — open rate above 30%, reply rate above 2%, hard bounce rate below 3% on the first 100 sends. If all three agree, you are deliverable.
What are the 2024 Gmail and Yahoo bulk sender rules?
In February 2024, Gmail and Yahoo introduced enforcement for three requirements on any domain sending more than 5,000 messages per day: DMARC alignment (the From domain must match the DKIM domain), one-click unsubscribe (RFC 8058 List-Unsubscribe headers), and a complaint rate below 0.3%. Outlook adopted equivalent rules in 2025. Cold senders rarely hit 5,000/day per domain, but the rules apply to your sending platform's aggregate, and they are now the de facto standard.
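The first two requirements in this answer can be checked from a message's own headers. The following is an added example, not code from the original guide: it reports whether a DKIM signing domain aligns with the From domain and whether the RFC 8058 one-click headers are present and covered by a DKIM signature. It reads headers only and does not verify the signature cryptographically; org_domain() is a simplifying assumption, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # ASSUMPTION: the organizational domain is the last two labels. A real
    # evaluator derives it from the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_tags(msg):
    """Parse every DKIM-Signature header into a dict of its tag=value pairs."""
    sigs = []
    for raw in msg.get_all("DKIM-Signature", []):
        pairs = (p.split("=", 1) for p in raw.split(";") if "=" in p)
        sigs.append({k.strip().lower(): "".join(v.split()) for k, v in pairs})
    return sigs

def check_message(raw):
    """Header-only check of DKIM alignment and RFC 8058 one-click unsubscribe."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    alignment, signed = "none", set()
    for sig in dkim_tags(msg):
        # Headers listed in h= are the ones this signature covers.
        signed |= {h.lower() for h in sig.get("h", "").split(":")}
        d = sig.get("d", "").lower()
        if not d or not from_dom:
            continue
        if d == from_dom:
            alignment = "strict"
        elif org_domain(d) == org_domain(from_dom) and alignment == "none":
            alignment = "relaxed"
        # Any other d= is a third-party signature and does not count for DMARC.
    https_uri = re.search(r"<https://[^>\s]+>", msg.get("List-Unsubscribe", ""), re.I)
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    one_click = bool(https_uri) and post == "list-unsubscribe=one-click"
    covered = {"list-unsubscribe", "list-unsubscribe-post"} <= signed
    return {"from_domain": from_dom, "dkim_alignment": alignment,
            "one_click_unsubscribe": one_click,
            "unsubscribe_headers_signed": one_click and covered}

# Constructed sample: subdomain From, signed by the parent domain, one-click set.
MSG_OK = """\
From: Dana <dana@mail.example.com>
To: pat@recipient.example
Subject: Quick question
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=google;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post;
 bh=PLACEHOLDER; b=PLACEHOLDER
List-Unsubscribe: <https://example.com/unsub/opaque-token>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hi Pat
"""
# Constructed sample: signed only by the sending platform, mailto-only unsubscribe.
MSG_BAD = """\
From: dana@example.com
DKIM-Signature: v=1; a=rsa-sha256; d=esp-vendor.example; s=s1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
List-Unsubscribe: <mailto:unsub@example.com>

Hi Pat
"""

if __name__ == "__main__":
    print(check_message(MSG_OK))
    print(check_message(MSG_BAD))
```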
Why are my cold emails going to spam even with SPF, DKIM, and DMARC set up?
DNS authentication is necessary but not sufficient. SPF/DKIM/DMARC tell the provider that the message is authentic; they do not tell the provider that the message is wanted. Once authentication passes, the provider falls back to sender reputation (how long the domain has been sending, complaint rate, engagement rates) and content fingerprinting (the ML score of the body). If either of those is bad, you go to spam with perfect DNS.
What is a good cold email open rate in 2026?
Above 40% on the first send, dropping to 25-35% on follow-ups. Below 20% on a first send signals one of three problems: list quality (unverified addresses), subject-line filtering, or domain reputation. Note that since iOS 15's Mail Privacy Protection, open rates are inflated by automatic pre-fetching — assume your real open rate is 60-70% of the reported number on Apple-heavy lists.
How many cold emails can I send per day without burning my domain?
Per mailbox, the safe rate after warmup is 50-80 sends per day. Above 100/day per mailbox triggers throttling at Gmail and Microsoft. To send more, add more mailboxes — most serious cold senders run 5-20 mailboxes across 3-10 subdomains, each at the safe rate. Total daily campaign volume of 1,000-3,000 is achievable without burning any single domain, provided the list is clean and content is varied.
How do I recover from a cold email deliverability hit?
Stop all live sending immediately. Switch to warmup-only mode for 14-21 days. Run inbox placement tests twice a week to track recovery. Audit list quality (purge any unverified addresses), audit content for spam triggers, audit DNS records for any drift, and only resume sending at half your previous volume. If domain reputation remains Low after 21 days, the domain is likely unrecoverable — cycle to a new sending domain.
What is the difference between cold email deliverability and email deliverability in general?
General email deliverability covers broadcast and transactional email, where recipients have opted in and complaint rates run well below 0.1%. Cold email deliverability operates under harder constraints: recipients have not opted in, complaint rates run higher, list quality is lower, and Gmail's spam classifier weights "unsolicited" signals against you. The same DNS, reputation, and content principles apply, but the operating margin is much thinner.
Do I need BIMI for cold email?
No, but it helps if you can afford it. BIMI (Brand Indicators for Message Identification) displays your verified brand logo next to incoming messages in Gmail and Apple Mail. It requires DMARC at p=quarantine or p=reject and a Verified Mark Certificate (VMC, ~$1,500/year). For high-volume B2B senders with strong brand recognition, the visual lift improves open rates by ~5%. For low-volume cold outreach, the ROI is poor.
How do I monitor cold email deliverability over time?
Set up four monitors: (1) Google Postmaster Tools dashboard for your sending domain, checked weekly; (2) Microsoft SNDS for IP-level data if you run dedicated IPs; (3) a recurring weekly inbox placement test (GlockApps or NeverSpam Seed Tests) on your active template; and (4) your cold platform's in-app delivery metrics on every campaign. Set alerts on any drop in domain reputation or jump in complaint rate above 0.1%.
What is the role of warmup in cold email deliverability?
Warmup builds the sender-reputation layer of deliverability — domain age, IP history, engagement patterns. It is the on-ramp without which the other three layers (authentication, content, list hygiene) cannot save you. A mailbox with perfect DNS and a clean list still lands in spam if it has no sending history. See the full email warmup guide for the day-by-day timeline.