Back to blog
Cold Email March 3, 2026 11 min read Thomas Ryan Oakes

Cold Email Deliverability Guide (2026)

Cold email deliverability decides whether outreach books meetings or dies in spam. Master SPF, DKIM, DMARC, warmup, and the 2026 Gmail and Yahoo rules.

Cold email deliverability is the share of your emails that reach the recipient’s primary inbox instead of the spam folder, the Promotions tab, or an outright rejection. It is the single biggest factor in whether your outreach books meetings, because a message nobody sees cannot earn a reply. You can write the perfect email to the perfect prospect and still get nothing back if it never lands in the inbox.

Disclosure: This guide mentions GTM Bud alongside third-party tools. We have a bias toward our own product, but we kept the technical guidance vendor-neutral. Use whatever fits your stack.

We are not writing this from theory. Our outbound agency, Referral Program Pros, has booked over 7,000 meetings for clients across dozens of industries. We have burned domains, recovered from blacklists, and navigated every major provider policy change. This is the distilled version of what works in 2026, not what worked three years ago.

What cold email deliverability actually means

Cold email deliverability is not the same as delivery rate, and the difference decides whether your campaigns work. Delivery rate measures the share of emails a receiving server accepts rather than bounces. The catch: “accepted” includes messages the server routes straight to spam. The server took your email, then buried it. Inbox placement measures the share that actually reaches the primary inbox where a prospect will read it, and that is the number that drives replies and booked meetings.

You can post a strong delivery rate while most of your emails sit in spam. The lever you control most directly is your spam complaint rate. Google’s published Gmail sender guidelines tell every sender to keep the spam rate reported in Postmaster Tools below 0.3 percent, and ideally under 0.1 percent, and to avoid ever reaching 0.3 percent or higher. That is the one hard number the mailbox provider itself puts in writing, so treat it as your ceiling.

Deliverability is not a one-time setup. It is an ongoing discipline. Your sender reputation shifts with every email you send, every bounce you take, and every spam complaint filed against you. The infrastructure work gets you in the door. Your sending behavior decides whether you stay.

Why do cold emails go to spam?

Cold emails go to spam for a short list of reasons: missing or failing SPF, DKIM, and DMARC authentication, a domain or IP with poor sender reputation, bounces from unverified lists, spam complaints from the wrong recipients, and content that trips filters. As of 2024, Gmail, Yahoo, and Outlook made authentication effectively mandatory for bulk senders, so a message that fails these checks now lands in spam or gets rejected outright.

Here is where campaigns break down most often:

  • Broken authentication. No SPF, DKIM, or DMARC, or records that fail alignment. This is the fastest way to spam.
  • Bad list quality. Stale or unverified addresses drive bounces, and bounces signal to providers that you are not maintaining a clean list.
  • Spam complaints. Reaching the wrong people gets you marked as spam, which is the most damaging signal of all.
  • Filter-triggering content. HTML-heavy templates, multiple links, images, and spam-trigger words all raise your spam score.
  • No warmup. A brand-new mailbox that immediately sends at volume looks like a spammer to every provider.

Fix these in order, starting with authentication, and most inbox problems disappear.

The 2026 sender rules you need to know

The rules every cold email sender must follow in 2026 come straight from the mailbox providers. Google’s Gmail sender guidelines, Yahoo’s Sender Hub, and Microsoft’s high-volume sender requirements now share the same core demands: authenticate with SPF and DKIM, publish a DMARC policy (a minimum of p=none is accepted), keep spam complaints low, encrypt with TLS, and maintain valid reverse DNS. Google and Yahoo define a bulk sender as anyone sending more than 5,000 messages per day to their users, and Microsoft applies its high-volume rules at the same 5,000-per-day mark for consumer domains like Outlook.com and Hotmail.

The enforcement is real and escalating. Per Google’s own timeline, Gmail’s requirements took effect in February 2024, and by late 2025 Google was rejecting non-compliant traffic with permanent errors rather than just filtering it. Microsoft’s high-volume requirements took effect on May 5, 2025, first routing non-compliant mail to the Junk folder, with rejection signaled for the future.

RequirementGmail (Google)Outlook (Microsoft)Yahoo
SPF authenticationRequiredRequiredRequired
DKIM authenticationRequired (1024-bit key or longer)RequiredRequired (1024-bit key)
DMARC policyRequired for bulk (min p=none)Required (min p=none)Required (min p=none)
Spam complaint rateBelow 0.3% (ideally under 0.1%)Keep lowBelow 0.3%
One-click unsubscribeBulk senders (over 5,000/day)High-volume sendersBulk senders (over 5,000/day)
Valid reverse DNS (PTR)RequiredRequiredRequired
TLS encryptionRequiredRequiredRequired

Most cold emailers running a handful of mailboxes fall below the 5,000-per-day bulk threshold, so the one-click unsubscribe header is not strictly mandatory for them. Include it anyway. It gives recipients an alternative to the spam button, which does far more damage to your reputation than an unsubscribe ever will.

Set up SPF, DKIM, and DMARC correctly

These three authentication protocols are non-negotiable. Think of them as a layered identity check for your email.

SPF (Sender Policy Framework) is the guest list. It tells receiving servers which mail servers are authorized to send on behalf of your domain. If the sending server is not on the list, the email fails SPF. To set it up, add one TXT record to your domain’s DNS:

v=spf1 include:_spf.google.com ~all

Replace the include value with your provider’s SPF domain, and add every service that sends on your behalf. The ~all at the end is a soft fail. Some senders use -all (a hard fail), which is stricter but breaks if you forget to include a legitimate sender.

DKIM (DomainKeys Identified Mail) is the wax seal. It cryptographically signs your outgoing mail so the receiver can verify the message was not altered and genuinely came from your domain. Your provider generates the keys, which you publish as a DNS record. Note that Google and Yahoo both require a DKIM key of 1024 bits or longer for mail to personal inboxes. DNS changes can take up to 48 hours to propagate.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the bouncer. It tells receivers what to do when a message fails both SPF and DKIM: nothing (p=none), quarantine, or reject. Start in monitoring mode:

v=DMARC1; p=none; rua=mailto:[email protected]

This lets you see who is sending from your domain without blocking anything. After a few weeks of clean reports, move to p=quarantine, then eventually p=reject.

How to test it: send an email to a Gmail account, open it, click the three dots, and choose “Show original.” SPF, DKIM, and DMARC should each show PASS. Free spam-scoring and inbox-placement tools give you a second opinion.

Common mistakes:

  • More than one SPF record on the same domain (you can only have one; combine them into a single record with multiple includes)
  • Forgetting to enable DKIM in your provider after adding the DNS record
  • Jumping to p=reject before confirming every legitimate sender passes
  • Ignoring your DMARC reports, so misconfigured or unauthorized senders go unnoticed

For a deeper walkthrough of the full stack, see our guide to cold email infrastructure tools.

Build your sending infrastructure for scale

Never send cold email from your primary business domain. This is the single most important rule in cold email infrastructure. If a cold email domain gets blacklisted, your primary domain stays clean and your team’s regular business email keeps reaching inboxes.

Use secondary domains. Buy domains close to your primary. If your company is acme.com, register getacme.com, tryacme.com, meetacme.com, or acmehq.com. Stick with .com. Providers and recipients trust it more than newer TLDs, and it draws fewer suspicious flags.

Scale by adding accounts, not by pushing harder. Grow total volume by adding more mailboxes and sending domains rather than cranking any single account, which spreads reputation risk so one flagged account cannot sink the whole operation. This is where a cold email automation tool earns its keep, managing rotation and schedules across many accounts. (More on per-day limits below.)

Let domains age. New domains need time to build reputation before they send. Register secondary domains well ahead of your first campaign. A domain registered yesterday that immediately sends is a red flag to every provider.

Create real sender profiles. Each mailbox should have a real name, a professional headshot on the account, and a consistent signature. Providers weigh these signals when judging legitimacy.

Warm up your accounts before sending

Email warmup is the process of gradually building a positive sender reputation on a new mailbox before it sends cold email. Warmup tools automate this by sending and receiving mail across a network of real accounts, simulating organic conversation and generating the engagement signals providers reward.

The core principle is simple: start low and ramp gradually. Begin with a small daily volume of warmup traffic only, then increase it over several weeks before you mix in any cold email. Sending real campaigns before a mailbox has warmed is gambling with the domain. Keep some warmup running even after you reach full sending, so engagement signals stay healthy. For the full ramp schedule and tactics, read our email warmup guide for cold outreach.

The warmup tool debate. Some operators argue warmup tools are unnecessary if you build volume organically, and they have a point: real engagement from real prospects is the strongest positive signal there is. But for teams that need campaigns live within a month, warmup tools reduce the risk of early spam placement. Use them as a safety net, not a substitute for good sending habits.

Watch for warmup failing. Pause cold sending and increase your warmup ratio if warmup emails start landing in spam, if Google Postmaster Tools shows your domain reputation slipping, or if replies dry up after an early burst of engagement. Then investigate your content and list quality before resuming.

Keep your sending list clean

Bad data is the silent killer of cold email deliverability. One batch of unverified addresses can undo weeks of careful warmup.

Verify every address before sending. Run your list through a verification service to catch invalid addresses before they become hard bounces, and bounces are a direct signal to providers that you are not maintaining a clean list. Our roundup of the best email verification tools covers the options.

Avoid purchased lists entirely. Pre-built lists from data vendors are riddled with outdated addresses, spam traps, and catch-all domains. Spam traps are addresses planted specifically to catch senders mailing unverified lists. Hit enough of them and your domain lands on a blacklist.

Handle catch-all addresses carefully. Catch-all domains accept mail to any address, so verification cannot confirm a specific mailbox exists. Send to catch-alls only from your most established mailboxes, and watch the bounce trend closely.

Set a sunset policy. If a contact has ignored a long string of your emails, stop mailing them. Continuing to send to the unengaged tells providers people do not want your messages, which drags down your reputation. Structure your cadence deliberately with our guide to cold email follow-up sequences.

Deduplicate aggressively. Mailing the same person from multiple campaigns is a fast track to spam complaints. Keep one global suppression list across everything you send.

Write emails that pass filters

Content matters for deliverability. Even with perfect infrastructure, a poorly built email trips spam filters. Here is what to focus on in 2026.

Use plain text, not HTML. Cold emails should read like a person wrote them, not a marketing platform. No templates, no colored buttons, no heavy formatting.

One link maximum. Every link is a signal providers evaluate, and multiple links, especially to different domains, raise your spam score. Include one link at most, ideally a calendar or a simple landing page. Skip link shorteners like bit.ly, which are strongly associated with spam.

No images or tracking pixels. Images add weight, trigger image-blocking filters, and make your email look like a blast. Tracking pixels for open tracking are increasingly detected and penalized. If you must track opens, know it carries a deliverability cost.

Avoid spam-trigger language. Phrases like “free,” “guaranteed,” “act now,” and “click here” have tripped filters for decades. So do excessive capitals, strings of exclamation points, and dollar figures. Write like you are emailing a colleague, not writing an ad.

Personalize to earn engagement. When your emails are relevant, people open, reply, and move them to the primary inbox, and those positive signals tell providers your mail is wanted. Generic templates get ignored, and ignored mail gets deprioritized. Our guide to writing cold emails that get replies breaks down the copy. An AI cold email writer can generate personalized first lines at scale, but only if the underlying research is solid. Tools like GTM Bud ground the personalization in real prospect data rather than generic variables.

How many cold emails can you send per day?

There is no official per-mailbox send limit for cold email, and any specific daily figure circulating online is a community convention, not a published rule. What the mailbox providers actually publish is a bulk-sender threshold: Google, Yahoo, and Microsoft all apply their strictest requirements to domains sending more than 5,000 messages per day to their users.

The practical answer follows: keep each mailbox’s daily volume conservative, especially on new domains with no reputation, and let new domains ramp gradually while they build trust. If you need real volume, the answer is more mailboxes sending conservatively, not fewer accounts running hot. That way a single flagged account cannot take down your whole pipeline.

Monitor your sender reputation

Deliverability is not set-and-forget. You have to watch your reputation and catch problems before they escalate.

Google Postmaster Tools is free and essential. It reports your domain reputation, spam rate, authentication results, and encryption for mail sent to Gmail. Set it up on day one for every sending domain and check it regularly. Google labels domain reputation as High, Medium, Low, or Bad:

  • High: you are in good standing. Maintain current practices.
  • Medium: some issues detected. Review recent campaigns for bounces or complaints.
  • Low: significant problems. Reduce volume and investigate now.
  • Bad: your mail is almost certainly hitting spam. Pause all sending and find the root cause before you resume.

SenderScore by Validity rates a sending IP on a 0-to-100 reputation scale, where higher is better. It is most relevant if you send from a dedicated IP rather than a shared one.

MxToolbox checks your domains and IPs against dozens of DNS blacklists. Run it weekly. A listing on a major blacklist like Spamhaus can wreck your inbox placement, and most blacklists let you self-delist only after you fix the behavior that got you listed.

Run a weekly loop: check Postmaster Tools for reputation changes, watch bounce and complaint trends, look for open-rate drops against your own baseline, run an MxToolbox blacklist check, and scan your warmup dashboards for spam placement.

What to do when emails hit spam

When deliverability tanks, work the problem systematically instead of changing everything at once.

Bounces spike. This is a list-quality problem. Pause the campaign, re-verify the entire list, remove invalid and risky addresses, and resume clean. If the bounces trace to one data source, stop using it.

Spam complaints climb. This is a targeting or content problem. You are reaching people who do not want your email, or your copy is provoking negative reactions. Revisit your ICP, confirm your unsubscribe works, and test copy on a small segment before scaling back up. If you run cold email for agencies, make sure each client’s offer actually matches the audience.

Open rate falls well below your baseline despite good delivery. Your mail is delivered but filtered to spam or Promotions. Confirm SPF, DKIM, and DMARC all pass, strip HTML, images, and extra links, cut volume, raise your warmup ratio, and seed-test to confirm placement.

A domain gets blacklisted. Pause all sending from it immediately. Identify the blacklist through MxToolbox, follow its delisting process, and resume only after warming the domain again. In severe cases, retiring the domain and starting fresh beats recovery.

Replies suddenly dry up with no other change. Provider algorithms shift constantly. Test new subject lines and send times, rotate mailboxes, or change channels. A multichannel outreach strategy that pairs email with LinkedIn reduces your dependence on any single channel’s deliverability.

Frequently asked questions about cold email deliverability

Do I need a separate domain for cold email?

Yes, always. Never send cold email from your primary business domain. Use secondary domains similar to your main one, such as getcompany.com or trycompany.com. If a cold email domain is blacklisted or reputation-damaged, your primary domain and all regular business email stay unaffected. Isolating cold sending on separate domains protects the address your invoices and client emails go out from.

How can I check if my cold emails are landing in spam?

Send test emails to your own Gmail and Outlook accounts and see whether they hit the primary inbox, the Promotions tab, or spam. Set up Google Postmaster Tools, which reports your domain reputation, spam rate, and authentication for mail sent to Gmail. Seed-based inbox placement testers and spam-scoring tools round out the picture across providers. If your test messages already land in spam, the problem is in your setup, not your list.

Does email warmup actually work?

Yes, when done correctly. Warmup tools simulate real conversations by sending and replying from a network of accounts, building the positive engagement signals providers use to judge reputation. The key is a gradual volume ramp over several weeks, not a switch you flip before blasting at full volume. Warmup complements good sending; it does not rescue bad lists or spammy content. Pair it with a clean list from a proper cold email automation tool for the best results.

Is cold email legal?

In most jurisdictions, B2B cold email is legal when you follow the rules. In the United States, CAN-SPAM requires accurate headers, a valid physical address, and a working opt-out. Under GDPR in the EU, you generally need a legitimate-interest basis and an easy opt-out. Google and Yahoo also require a working one-click unsubscribe for bulk senders. Honor every opt-out immediately, both to stay compliant and to protect your reputation.

How long does it take to fix cold email deliverability once it drops?

It depends on the cause. A misconfigured SPF, DKIM, or DMARC record can be corrected in a day, though DNS changes can take up to 48 hours to propagate. Reputation damage from bounces, complaints, or a blacklisting takes longer, because you have to fix the behavior, warm the domain back up, and rebuild trust with providers over weeks. Prevention is always cheaper than recovery.

Nail deliverability before you scale outreach

Cold email deliverability is the foundation every other outreach metric sits on. Your copy does not matter if it lands in spam. Your offer does not matter if nobody sees it. Before every campaign, confirm the essentials: a secondary domain in place and aged, SPF, DKIM, and DMARC passing, Postmaster Tools live, warmup running, every address verified, plain-text copy with one link, conservative per-mailbox volume, and weekly reputation checks scheduled. Skip a step and you risk a burned domain.

If you would rather skip the manual setup, GTM Bud handles domain rotation, sending limits, and warmup monitoring as part of its cold email automation platform. It is built on the same infrastructure discipline our agency, Referral Program Pros, has used to book over 7,000 meetings, applied consistently at scale so your emails reach the inbox instead of the spam folder.

Thomas Ryan Oakes

Co-Founder & Outbound Strategist

Outbound expert behind 7,000+ booked meetings. Co-founder of Referral Program Pros and GTM Bud.

cold email deliverabilityemail warmupSPF DKIM DMARCcold email infrastructuresender reputation

Ready to automate your outreach?

GTM Bud finds Leads, writes personalized messages, and sends them, all on autopilot.