Your cold emails are landing in spam, and it is costing you pipeline. Cold email deliverability is the single biggest factor determining whether your outreach generates meetings or gets silently buried. You can write the perfect email, target the right people, and still get zero replies if your messages never reach the inbox.
Disclosure: This article mentions GTM Bud alongside other tools. We obviously have a bias toward our own product, but we have tried to keep the technical guidance vendor-neutral. Use whatever tools work for your stack.
We are not writing this from a theoretical perspective. Our outbound agency, Referral Program Pros, has booked over 7,000 meetings for clients across dozens of industries. We have burned domains, recovered from blacklists, navigated every major provider policy change, and tested every warmup strategy that exists. This guide is the distilled version of what actually works in 2026, not what worked three years ago.
What cold email deliverability actually means
Most people confuse delivery rate with deliverability. They are not the same thing, and the difference matters.
Delivery rate measures the percentage of emails accepted by the receiving mail server. If you send 100 emails and 97 are accepted (not bounced), your delivery rate is 97 percent. This sounds great until you realize that “accepted” includes emails routed directly to the spam folder. The server took your email. It just threw it in the trash.
Inbox placement rate measures the percentage of emails that actually land in the primary inbox where your prospect will see them. This is the metric that matters for cold outreach. You can have a 99 percent delivery rate and a 40 percent inbox placement rate, which means more than half your emails are going to spam despite being “delivered.”
Here are the benchmarks you should target:
- Delivery rate: 95-99 percent. Anything below 95 percent means you have a technical problem, likely bounces from bad data or a blocklisted domain.
- Inbox placement rate: 85 percent or higher. This is harder to measure directly, but tools like GlockApps and Mail-Tester give you seed-based inbox placement tests. If your open rates are consistently below 30-40 percent on well-targeted lists, you likely have an inbox placement problem.
- Bounce rate: Under 2 percent. Hard bounces above this threshold signal to providers that you are sending to unverified lists.
- Spam complaint rate: Under 0.1 percent. Google explicitly recommends this threshold. Exceeding 0.3 percent puts you in serious danger.
Cold email deliverability is not a one-time setup. It is an ongoing discipline. Your sender reputation changes with every email you send, every bounce you receive, and every spam complaint filed against you. The infrastructure work gets you in the door. Your sending behavior determines whether you stay.
The 2026 sender rules you need to know
The email provider landscape shifted dramatically starting in February 2024, and the rules have only gotten stricter since then.
Google’s enforcement timeline: Google announced bulk sender requirements in October 2023 and began enforcing them in February 2024. Initially, non-compliant senders received temporary errors. By June 2024, Google started rejecting a percentage of non-compliant traffic. As of November 2025, Google escalated to permanent rejection of messages from domains that fail authentication or exceed spam complaint thresholds. This is not a warning anymore. Your emails simply do not arrive.
Microsoft and Outlook: Microsoft followed with their own enforcement in May 2025, applying similar requirements to senders hitting Outlook.com, Hotmail, and Live domains. Microsoft’s rules mirror Google’s in most respects but add additional content filtering that penalizes overly templated messages.
Yahoo: Yahoo aligned with Google’s requirements early and enforces them with similar strictness.
Here is what every cold email sender must comply with in 2026:
| Requirement | Google (Gmail) | Microsoft (Outlook) | Yahoo |
|---|---|---|---|
| SPF authentication | Required | Required | Required |
| DKIM authentication | Required | Required | Required |
| DMARC policy | Required (minimum p=none) | Required (minimum p=none) | Required (minimum p=none) |
| Spam complaint rate | Under 0.3% (recommends under 0.1%) | Under 0.3% | Under 0.3% |
| One-click unsubscribe | Required for bulk senders (5,000+/day) | Required for bulk senders | Required for bulk senders |
| Valid forward/reverse DNS | Required | Required | Required |
| TLS encryption | Required | Required | Required |
| List-Unsubscribe header | Required for bulk senders | Required for bulk senders | Required for bulk senders |
The one-click unsubscribe requirement primarily applies to bulk senders (those sending 5,000 or more messages per day to a single provider). Most cold emailers sending 30-100 per mailbox per day fall below this threshold. However, including an unsubscribe link is still a best practice because it gives recipients an alternative to hitting the spam button, which is far more damaging to your reputation.
Set up SPF, DKIM, and DMARC correctly
These three authentication protocols are non-negotiable. Think of them as a layered security system for your email identity.
SPF (Sender Policy Framework) is like a guest list. It tells receiving servers which IP addresses and mail servers are authorized to send email on behalf of your domain. When a server receives your email, it checks your SPF record to see if the sending server is on the list. If it is not, the email fails SPF.
To set up SPF, add a TXT record to your domain’s DNS:
v=spf1 include:_spf.google.com ~all
Replace the include value with your email provider’s SPF domain. If you use multiple sending services, include all of them. The ~all at the end is a soft fail for unauthorized senders. Some people use -all (hard fail), which is stricter but can cause issues if you have services sending on your behalf that you forgot to include.
DKIM (DomainKeys Identified Mail) is like a wax seal on a letter. It cryptographically signs your outgoing emails so the receiving server can verify the message was not altered in transit and that it genuinely came from your domain. DKIM adds a signature header to every email, and the receiving server checks it against a public key published in your DNS.
Your email provider generates the DKIM keys. In Google Workspace, go to Admin, then Apps, then Google Workspace, then Gmail, then Authenticate email. Google gives you a TXT record to add to your DNS. Enable it, wait for DNS propagation (up to 48 hours), and verify.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the bouncer. It tells receiving servers what to do when an email fails both SPF and DKIM checks: nothing (p=none), quarantine it (p=quarantine), or reject it outright (p=reject).
Start with a monitoring policy:
v=DMARC1; p=none; rua=mailto:[email protected]
This lets you see who is sending email from your domain without blocking anything. After a few weeks of monitoring, move to p=quarantine and eventually p=reject once you are confident all legitimate senders are properly authenticated.
How to test your setup: Send an email to a Gmail account, open it, click the three dots, and select “Show original.” You will see SPF, DKIM, and DMARC results at the top. All three should show PASS. You can also use Mail-Tester.com for a quick score or MxToolbox for detailed diagnostics.
Common mistakes:
- Multiple SPF records on the same domain (you can only have one; combine them with multiple include statements)
- Forgetting to enable DKIM in your email provider after adding the DNS record
- Setting DMARC to
p=rejectbefore you have confirmed all legitimate senders pass authentication - Not monitoring DMARC reports, which means you miss unauthorized senders or misconfigured services
Build your domain infrastructure for scale
Never send cold email from your primary business domain. This is the single most important rule in cold email infrastructure. If your cold email domain gets blacklisted, your primary domain stays clean and your team’s regular business emails continue reaching inboxes without interruption.
Use secondary domains. Buy domains that are close to your primary domain. If your company is acme.com, register domains like getacme.com, tryacme.com, meetacme.com, or acmehq.com. Stick with .com domains. They consistently outperform .io, .co, and other TLDs in deliverability tests. Providers trust .com domains more, and recipients are less likely to flag them as suspicious.
The math for scaling:
Each mailbox should send 30-100 emails per day depending on domain age and reputation. For new domains, start at 30 per day maximum. For established domains with strong reputation, you can push toward 100, but 50-70 is the sweet spot for most teams.
Set up 2-3 mailboxes per domain. This gives you 60-210 emails per domain per day.
Here is the formula: if you want to send 3,000 cold emails per month at 50 emails per mailbox per day, you need approximately 3 mailboxes (3,000 divided by 50 divided by 20 working days). Spread those across 2 secondary domains.
For larger volumes, say 10,000 emails per month, you need roughly 10 mailboxes across 4-5 domains. This is where a cold email automation tool becomes essential for managing rotation and sending schedules across multiple accounts.
Domain age matters. New domains need time to build reputation. Register your secondary domains at least 2-4 weeks before you plan to start warmup. A domain registered yesterday that immediately starts sending emails is a red flag to every provider.
Create proper sender profiles. Each mailbox should have a real name, professional headshot (on the Google Workspace account), and a consistent signature. Providers look at these signals when evaluating sender legitimacy.
Warm up your accounts before sending
Email warmup is the process of gradually increasing sending volume on a new mailbox to build a positive sender reputation. Warmup tools automate this by sending and receiving emails from a network of real accounts, simulating organic conversations.
Timeline:
- Weeks 1-2: 5-10 emails per day, all warmup traffic. No cold emails yet.
- Weeks 3-4: Increase to 15-25 per day. You can begin mixing in a small number of cold emails (5-10 per day) alongside warmup.
- Weeks 5-8: Gradually ramp cold email volume to 30-50 per day while maintaining warmup at 10-15 per day.
- Weeks 8-12: Full sending capacity. Keep warmup running at 5-10 per day indefinitely to maintain engagement signals.
The minimum viable warmup period is two weeks. Sending cold emails before that is gambling with your domain. Full sending capacity takes 8-12 weeks to reach safely.
The warmup tool debate. Some operators argue that warmup tools are unnecessary if you start with very low volume and build organically. They have a point: real engagement from real prospects is the strongest positive signal. But for most teams that need to get campaigns running within a month, warmup tools dramatically reduce the risk of early spam folder placement. Use them as a safety net, not a replacement for good sending practices.
Red flags that warmup is failing:
- Open rates on warmup emails dropping below 50 percent
- Increasing number of warmup emails landing in spam (most tools report this)
- Google Postmaster Tools showing a declining domain reputation
- Replies to cold emails drying up after an initial period of engagement
If you see these signals, pause cold sending, increase warmup ratio, and investigate your content and list quality.
Keep your list clean
Bad data is the silent killer of cold email deliverability. One batch of unverified emails can undo months of careful warmup and reputation building.
Verify every email address before sending. Use a verification service like ZeroBounce, NeverBounce, or MillionVerifier to check every address. This costs fractions of a cent per email and saves you from hard bounces that torch your sender reputation. Aim for a bounce rate under 2 percent. Anything above 3 percent triggers red flags with providers.
Avoid purchased lists entirely. Pre-built lists from data vendors are riddled with outdated addresses, spam traps, and catch-all domains. Spam traps are email addresses specifically designed to catch people sending to unverified lists. Hit enough of them and your domain lands on a blacklist overnight.
Handle catch-all emails carefully. Catch-all domains accept email sent to any address at that domain, which means verification tools cannot confirm whether a specific mailbox exists. Some teams send to catch-all addresses and accept the higher bounce risk. A safer approach is to send to catch-all addresses only from your most established mailboxes and monitor bounce rates closely.
Implement a sunset policy. If a contact has not opened any of your last 5-7 emails, stop emailing them. Continuing to send to unengaged recipients tells providers that people do not want your messages. This drags down your engagement metrics and, by extension, your deliverability. Learn more about effective sequencing in our guide on cold email follow-up sequences.
Deduplicate aggressively. Sending the same person multiple emails from different campaigns or sequences is a fast track to spam complaints. Maintain a global suppression list across all active campaigns.
Write emails that pass filters
Content matters for deliverability. Even with perfect infrastructure, poorly constructed emails trigger spam filters. Here is what to focus on in 2026.
Use plain text over HTML. Cold emails should look like they were written by a person, not generated by a marketing platform. Plain text emails consistently outperform HTML emails in deliverability tests. No templates, no fancy formatting, no colored buttons.
One link maximum. Every link in your email is a signal that providers evaluate. Multiple links, especially to different domains, increase your spam score. Include one link at most, and make it your calendar booking link or a simple landing page. Avoid link shorteners like bit.ly, which are heavily associated with spam and phishing.
No images in cold email. Images add HTML weight, trigger image-blocking filters, and make your email look like a marketing blast. Tracking pixels (tiny invisible images used for open tracking) are increasingly detected and penalized by providers. If open tracking is important to you, understand that it comes with a deliverability tradeoff.
Avoid spam trigger words. Words and phrases like “free,” “guaranteed,” “act now,” “limited time,” and “click here” have been spam filter triggers for decades. More subtle triggers include excessive capitalization, multiple exclamation points, and dollar amounts. Write like you are emailing a colleague, not writing ad copy.
Personalization improves deliverability indirectly. When your emails are personalized and relevant, recipients open them, reply to them, and move them to their primary inbox. These positive engagement signals tell providers your emails are wanted. Generic templates get ignored, and ignored emails tell providers to deprioritize your messages. For strategies on writing emails that actually earn replies, read our guide on how to write cold emails that get replies.
An AI cold email writer can help generate personalized first lines at scale, but the underlying research and targeting still need to be solid. Tools like GTM Bud combine prospect research with message generation so the personalization is grounded in real data, not generic variables.
Monitor your sender reputation
Deliverability is not a set-it-and-forget-it task. You need to actively monitor your sender reputation and catch problems before they escalate.
Google Postmaster Tools is free and essential. It shows you your domain reputation (high, medium, low, bad), spam rate, authentication results, and encryption metrics for emails sent to Gmail addresses. Set this up on day one for every sending domain. Check it at least twice per week.
Reputation levels in Postmaster Tools:
- High: You are in good standing. Maintain current practices.
- Medium: Some issues detected. Review recent campaigns for bounces or complaints.
- Low: Significant problems. Reduce volume immediately and investigate.
- Bad: Your emails are almost certainly going to spam. Pause all sending, investigate root cause, and consider whether the domain is recoverable.
SenderScore by Validity rates your sending IP on a scale of 0-100. Aim for 80 or above. Below 70 means most providers are throttling or filtering your emails. Note that SenderScore is IP-based, so it is most relevant if you are sending from a dedicated IP rather than a shared one.
MxToolbox provides blacklist monitoring across dozens of DNS-based blacklists. Run your sending domains and IPs through it weekly. Being listed on even one major blacklist (Spamhaus, Barracuda, SORBS) can devastate your inbox placement rate. Many blacklists offer self-service delisting, but you need to fix the underlying problem first or you will just get relisted.
Weekly monitoring checklist:
- Check Google Postmaster Tools for domain reputation changes
- Review bounce rates across all active campaigns (target under 2 percent)
- Review spam complaint rate (target under 0.1 percent)
- Check open rates for sudden drops (30 percent or more decline suggests deliverability issues)
- Run MxToolbox blacklist check on all sending domains
- Review warmup tool dashboards for spam folder placement trends
What to do when emails hit spam
When deliverability tanks, you need a systematic approach to diagnose and fix the problem. Do not start changing everything at once. Follow this decision tree.
Symptom: High bounce rate (above 3 percent)
This is a list quality problem. Your data is stale or unverified. Immediately pause the campaign, re-verify your entire list through a validation service, remove all invalid and risky addresses, and resume with the cleaned list. If bounces were concentrated on a specific data source, stop using that source.
Symptom: High spam complaint rate (above 0.3 percent)
This is a targeting or content problem. Either you are reaching the wrong people (they do not want your email) or your content is triggering negative reactions. Review your ICP targeting. Make sure your unsubscribe mechanism works. Test your email copy with a smaller segment before resuming full volume. If you are doing cold email for agencies, make sure your client’s offer actually matches the audience you are targeting.
Symptom: Low open rate (under 20 percent) despite good delivery rate
Your emails are being delivered but landing in spam or the Promotions tab. This is an inbox placement problem. Check authentication (SPF, DKIM, DMARC all passing). Review your content for HTML, images, or multiple links. Reduce sending volume by 50 percent and increase warmup ratio. Test with seed accounts to confirm spam folder placement.
Symptom: Domain on a blacklist
Pause all sending from the affected domain immediately. Identify the blacklist through MxToolbox and follow their delisting process. Most require you to submit a delisting request and demonstrate you have fixed the behavior that caused the listing. After delisting, restart warmup from scratch. Do not resume cold sending for at least one to two weeks. In severe cases, it may be more efficient to retire the domain and start fresh with a new one.
Symptom: Sudden drop in replies with no other changes
Provider algorithms update constantly. What worked last month may not work today. Test new subject lines, adjust sending times, rotate to a different mailbox, or try a different approach entirely. Sometimes the fix is switching channels. A multichannel outreach strategy that combines email with LinkedIn reduces your dependence on any single channel’s deliverability. Consider exploring the best AI tools for personalized cold emails to refresh your approach if your templates have gone stale.
Frequently asked questions about cold email deliverability
What is a good cold email deliverability rate?
Aim for a 95-99 percent delivery rate and 85 percent or higher inbox placement rate. Delivery rate only tells you the server accepted the email, which includes spam folder delivery. Inbox placement rate measures whether your email actually reached the primary inbox, and that is the metric that drives replies and booked meetings.
How long should I warm up an email account before sending cold emails?
Minimum two weeks for basic warmup, but full sending capacity takes 8-12 weeks of gradual volume increases. Start with 5-10 emails per day and increase by 5-10 per day each week. Rushing the warmup process is the fastest way to burn a domain. Keep warmup running at low volume even after you reach full capacity.
How many cold emails can I send per day without hurting deliverability?
For new domains, stay under 30 emails per mailbox per day. Established domains with good reputation can handle 40-100 per mailbox, though 50-70 is the safe range for most teams. Scale volume by adding mailboxes and domains rather than pushing individual accounts harder. Most successful teams use 3-5 mailboxes across 2-3 secondary domains.
Do I need a separate domain for cold email?
Yes, always. Never send cold email from your primary business domain. Use secondary domains similar to your main domain, such as getcompany.com or trycompany.com. If your cold email domain gets blacklisted or reputation-damaged, your primary domain and all regular business email remain unaffected. The cost of a few extra domains is trivial compared to the risk of losing your primary domain’s reputation.
Does email warmup actually work?
Yes, when done correctly. Warmup tools simulate real email conversations by sending and replying from a network of accounts, building the positive engagement signals that providers use to evaluate sender reputation. The key is gradual volume increases over 2-4 weeks minimum. Turning on a warmup tool and immediately blasting 100 cold emails per day defeats the purpose entirely. Warmup is a ramp, not a switch.
The deliverability checklist you need before every campaign
Before you launch any cold email campaign, run through this checklist. Skip a step and you risk burning a domain.
Infrastructure:
- Secondary domain registered (not your primary domain)
- Domain is at least 2-4 weeks old
- SPF record configured and passing
- DKIM enabled and passing
- DMARC record published (minimum p=none)
- Google Postmaster Tools set up for every sending domain
- Mailboxes created with real names and profile photos
Warmup:
- Warmup tool active for minimum 2 weeks before cold sending
- Warmup volume at 10-15 per day and stable
- No spam folder placement issues in warmup dashboard
- Domain reputation shows as “High” in Google Postmaster Tools
List quality:
- Every email address verified through a validation service
- Bounce rate from verification under 2 percent
- No purchased or scraped lists without verification
- Catch-all addresses flagged and handled separately
- Global suppression list applied (previous bounces, unsubscribes, complaints)
Content:
- Plain text format, no HTML templates
- One link maximum (calendar link or landing page)
- No images or tracking pixels (or accepted tradeoff documented)
- No spam trigger words
- Personalized first line for each recipient
- Unsubscribe option included
Sending:
- Volume under 30 per mailbox per day for new domains
- Sending spread across business hours with randomized delays
- Multiple mailboxes rotating across campaigns
- Warmup continuing alongside cold sends
Monitoring:
- Weekly Postmaster Tools check scheduled
- Weekly MxToolbox blacklist check scheduled
- Bounce and complaint rate alerts configured
- Open rate baseline established for comparison
Cold email deliverability is the foundation that every other outreach metric builds on. Your copy does not matter if it lands in spam. Your offer does not matter if no one sees it. Get the infrastructure right first, then focus on messaging and targeting.
If you want to skip the manual setup and get straight to sending, GTM Bud handles domain rotation, sending limits, and warmup monitoring as part of its cold email automation tool. We back our deliverability with a guarantee: 3 meetings per 800 leads, or a full refund. That confidence comes from the same infrastructure principles outlined in this guide, applied consistently at scale.