Cold Email Deliverability: The Technical Guide
to Landing in the Inbox

You wrote a great email. Personalized first line. Sharp CTA. Under 75 words. And it landed in spam. This happens to roughly 21% of all legitimate B2B cold emails, according to email deliverability benchmarks from 2025. The problem is almost never your copy. It is your infrastructure.

Email providers like Google Workspace and Microsoft 365 have gotten dramatically more aggressive about filtering. Gmail's 2024 sender guidelines now require proper authentication, low complaint rates (under 0.3%), and one-click unsubscribe headers for bulk senders. Microsoft's SmartScreen filters use machine learning that evolves monthly. If your domain reputation is weak, even a perfectly written email never reaches the inbox.

Deliverability is not a one-time setup. It is an ongoing discipline, like maintaining a credit score. One bad week of high bounce rates can tank a domain reputation you spent months building. Teams that treat deliverability as a 'set it and forget it' task consistently end up in the spam folder within 3 to 6 months.

The good news: deliverability is fully within your control. It is technical, not creative. Follow the checklist in this guide and you will land in the primary inbox for 95%+ of your sends. Skip it, and no amount of copywriting talent will save you.

Three authentication protocols determine whether email servers trust your messages: SPF, DKIM, and DMARC. Every cold email programme must have all three configured correctly before sending a single message. No exceptions.

SPF (Sender Policy Framework) tells receiving servers which IP addresses are authorized to send email on behalf of your domain. You publish an SPF record in your DNS as a TXT entry. It lists your email service provider's servers. If an email arrives from an IP not in your SPF record, the receiving server flags it. Setup takes 5 minutes. Check it at mxtoolbox.com. If your SPF record includes more than 10 DNS lookups, it will fail. Flatten it or remove providers you no longer use.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The receiving server checks this signature against a public key published in your DNS. If the signature matches, the email is verified as unaltered in transit. Your email provider generates the DKIM key pair. You publish the public key as a DNS TXT record. This takes 10 minutes. Without DKIM, Gmail and Outlook will treat your emails with suspicion even if SPF passes.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Start with a policy of 'none' (monitor only), then move to 'quarantine' after 2 weeks of clean data, then 'reject' after a month. A DMARC record also gives you daily reports showing who is sending email from your domain, which is critical for catching unauthorized use. Your DMARC record should include 'rua' and 'ruf' tags to receive aggregate and forensic reports.

Never send cold emails from your primary company domain. This is the single most common deliverability mistake, and it is the most expensive to recover from. If your cold email reputation tanks your primary domain, your entire company loses the ability to send and receive email reliably. That includes transactional emails, customer support, internal communications. Everything.

Set up dedicated sending domains that are closely related to your primary domain. If your company is acme.com, register acme-mail.com or getacme.com or tryacme.com. Use these exclusively for outbound prospecting. If one gets burned, you retire it and spin up another without affecting your core business.

Each sending domain should have its own Google Workspace or Microsoft 365 account. Create 2 to 3 inboxes per domain (e.g., [email protected], [email protected]). Keep each inbox under 50 sends per day. This means if you want to send 300 emails per day, you need at least 6 inboxes across 2 to 3 domains. This sounds like a lot. It is. But it is the cost of reliable deliverability.

Rotate domains monthly if you are sending at high volume. No single domain should carry all of your outbound load indefinitely. A rotation of 3 to 4 active domains, with 1 to 2 warming at any given time, gives you resilience against reputation dips and ensures consistent inbox placement.

A brand new email inbox has no reputation. Email providers do not know if you are a legitimate sender or a spammer. Warm-up is the process of gradually building a positive sending history so that providers start trusting your messages.

The warm-up process works like this: for the first 2 weeks, your inbox sends and receives emails with a network of real inboxes. These emails get opened, replied to, and marked as important. This simulates genuine engagement and tells Google and Microsoft that your inbox sends emails people want to read. There are several warm-up services that automate this. Budget $30 to $50 per inbox per month.

Week 1: 10 to 15 warm-up emails per day, zero cold sends. Week 2: 20 to 25 warm-up emails per day, 5 to 10 cold sends. Week 3: 25 to 30 warm-up emails, 20 to 30 cold sends. Week 4: 25 warm-up emails, 40 to 50 cold sends. After week 4, maintain at least 15 to 20 warm-up emails daily alongside your cold sends indefinitely. Never stop warming. The moment you stop, reputation erodes.

Common warm-up mistakes: warming for only 1 week (not enough), stopping warm-up once cold sends begin (reputation drops), warming with a service that uses the same IP pool as thousands of other cold emailers (association penalty), and warming a domain you already burned (warming cannot fix a blacklisted domain; register a new one).

Volume is the lever most likely to destroy your deliverability. Send too many emails too fast from a single inbox and you will trigger rate limits, spam filters, or outright blacklisting. The limits are lower than most teams think.

Google Workspace limits: 500 emails per day per inbox for new accounts, 2,000 per day for established accounts. But these are technical limits, not safe limits. For cold outbound, keep it under 50 emails per inbox per day. 30 is safer. This keeps you well below the thresholds that trigger Google's spam detection algorithms.

Microsoft 365 limits: 10,000 recipients per day, 30 messages per minute. Again, the safe limit for cold email is much lower. Stay under 50 per day per inbox. Microsoft's SmartScreen is particularly aggressive with new senders and will throttle your delivery if it detects a pattern of messages going unopened.

Sending patterns matter as much as volume. Do not send 50 emails at 9:00 AM sharp. Spread your sends across a 4 to 6 hour window with random intervals between messages. A human does not send 50 emails in 3 minutes. Email providers know this. GTMS's send scheduler distributes your emails across your sending window with natural-looking gaps so your outreach pattern mimics real human behavior.

If you get a bounce rate above 3% on any given day, pause sending from that inbox immediately. Investigate the cause. It is usually a bad list segment with outdated email addresses. Clean your list, verify addresses before adding them to sequences, and resume after the bounce rate normalizes. Tools like GTMS verify email addresses before enrollment to keep bounce rates under 1%.

You cannot fix what you do not measure. Domain reputation monitoring should be a weekly habit for any team sending more than 100 cold emails per day.

Google Postmaster Tools is free and essential. It shows your domain reputation (High, Medium, Low, Bad), spam rate, authentication success rate, and encryption percentage. Set up Postmaster Tools for every sending domain. If your reputation drops from High to Medium, cut volume by 50% immediately and investigate. A drop to Low or Bad means you should pause cold sends from that domain entirely.

Bounce rate tracking: hard bounces (invalid address) should be under 1%. Soft bounces (mailbox full, server temporarily unavailable) should be under 3%. If hard bounces exceed 2% on any campaign, your list quality is the problem. Stop sending, clean the list, and verify every remaining address. One campaign with a 5% hard bounce rate can damage a domain reputation that took months to build.

Spam complaint rate is the metric that matters most. Google requires senders to stay below 0.3% complaint rate. That means if you send 1,000 emails, fewer than 3 people should mark you as spam. In practice, aim for under 0.1%. If complaints spike after a particular campaign, pull that sequence immediately and rewrite the copy. Complaints are a signal that your targeting or messaging is off.

Blacklist monitoring: check your sending IPs and domains against major blacklists (Spamhaus, Barracuda, SORBS) at least weekly. Getting listed on Spamhaus will tank your deliverability across nearly every email provider. Most blacklists have a delisting process, but prevention is infinitely easier than cure.

Even with perfect infrastructure, your email content can trigger spam filters. Modern spam detection is AI-driven and analyzes patterns across billions of messages. Here are the content patterns that consistently cause problems in 2026.

Spam trigger words are real but overblown. Words like 'free', 'guaranteed', 'limited time', and 'act now' do raise spam scores, but a single occurrence rarely tips the balance. The bigger issue is density. An email with 3 or more spam trigger words in a 75-word body will flag more often than one with a single trigger word in 150 words. Avoid stacking them.

Links are the biggest content-based risk factor. Emails with more than 2 links have 3.4x higher spam filter rates than emails with 1 or zero links. Shortened URLs (bit.ly, etc.) are treated as suspicious by almost every spam filter. Always use full URLs with your own domain. And never include a link in the first email of a cold sequence if you can avoid it. Wait for the follow-up.

HTML formatting raises red flags in cold email. Bold text, colored text, embedded images, HTML tables, and styled signatures all increase spam scores. Your cold emails should be plain text. No HTML template. No logo. No banner. If your email looks like a marketing newsletter, it will be treated like one. That means promotions tab at best, spam folder at worst.

Sending the exact same email to hundreds of people is a pattern spam filters detect and penalize. Even small variations, like swapping the first line or the CTA, reduce the similarity score between messages. This is another reason why personalization matters: it is not just about reply rates. It is about deliverability. Unique content per recipient signals to the email provider that these are individual messages, not a blast.

Run this checklist on the first Monday of every month. It takes 30 minutes and prevents the slow reputation decay that kills cold email programmes over time.

Authentication check: verify SPF, DKIM, and DMARC records for every sending domain. DNS records can get accidentally deleted during domain transfers or DNS provider changes. Use mxtoolbox.com or dmarcian.com to validate. Confirm DMARC policy is 'quarantine' or 'reject', not 'none' (unless you are still in the initial monitoring phase).

Reputation check: log into Google Postmaster Tools for each sending domain. Record the reputation rating. Compare to last month. If any domain dropped a tier, flag it for investigation. Check Microsoft SNDS (Smart Network Data Services) for your sending IPs. Review blacklist status across Spamhaus, Barracuda, SORBS, and CBL.

Volume and bounce audit: pull last month's sending stats per inbox. Flag any inbox that exceeded 50 sends/day. Review bounce rates per campaign. Flag any campaign with hard bounces above 1.5%. Review spam complaints per domain. Flag any domain with complaint rate above 0.15%. Pull these numbers from your email sending tool or from GTMS sequence analytics.

Inbox health test: send a test email from each sending inbox to a seed list that includes Gmail, Outlook, Yahoo, and a corporate Exchange server. Check where the email lands (primary, promotions, spam, or not delivered). If any inbox consistently hits spam across multiple providers, it needs to be retired and replaced. Run this test before and after any major campaign launch.

List hygiene: remove all contacts who hard-bounced in the last 30 days. Remove all contacts who were enrolled in a sequence but had zero opens across 4+ emails (likely invalid or abandoned addresses). Verify any new contacts added to your database in the last month. A clean list is the foundation of strong deliverability, and it degrades every month if you do not maintain it.