Why Emails Land in Spam

Cold emails land in spam for 3 main reasons: poor sender reputation (new or unwarmed domains), missing DNS authentication (SPF, DKIM, DMARC not configured), and content triggers (spam words, excessive links, HTML formatting). Most deliverability problems trace back to infrastructure, not content.

Inbox providers like Gmail, Outlook, and Yahoo use hundreds of signals to decide whether an email reaches the primary inbox or gets filtered into spam. The exact algorithms are proprietary, but the core signals are well understood.

The 3 categories that matter most:

Sender reputation. Every domain and IP address has a reputation score based on historical sending behavior. New domains have no reputation, which is why they need warmup. Domains that get flagged for spam, generate high bounce rates, or trigger unsubscribes see their reputation drop. Once reputation is damaged, recovery takes weeks or months.

Authentication. SPF, DKIM, and DMARC are DNS records that prove your emails are legitimate. Without them, inbox providers have no way to verify that an email from your domain was actually sent by you. Missing authentication is the single easiest deliverability problem to fix, and the one most teams overlook.

Content signals. Certain words, phrases, formatting patterns, and link structures trigger spam filters. These are less impactful than reputation and authentication, but they compound. An email from a warm domain with proper authentication can survive a few content triggers. An email from a cold domain with missing records cannot survive any.

HubSpot's email deliverability research estimates that roughly 1 in 5 marketing emails never reaches the inbox. For cold email, which faces additional scrutiny from inbox providers, the number is likely higher for teams that skip proper setup.

Email Deliverability
The ability of an email to reach the recipient's primary inbox rather than being filtered into spam, promotions, or blocked entirely. Deliverability depends on sender reputation, DNS authentication, content quality, and sending behavior. It is measured as the percentage of sent emails that reach the inbox.

DNS Authentication: SPF, DKIM, and DMARC

SPF, DKIM, and DMARC are 3 DNS records that authenticate your email. SPF specifies which servers can send from your domain. DKIM adds a cryptographic signature proving the email was not tampered with. DMARC ties them together and sets a policy for handling failures. All 3 are required for reliable cold email delivery.

DNS authentication is not optional. If you are sending cold emails without SPF, DKIM, and DMARC configured, a significant portion of your emails are landing in spam regardless of how good the content is.

SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists the servers and services authorized to send email on behalf of your domain. When an inbox provider receives an email claiming to be from yourdomain.com, it checks the SPF record to verify the sending server is on the approved list.

A basic SPF record looks like this: v=spf1 include:_spf.google.com ~all

That record says "Google's servers are authorized to send email from this domain. Treat emails from other servers with suspicion." If you use multiple sending services (your cold email tool, your CRM, your marketing platform), each one needs to be included in the SPF record.

Common mistakes: using multiple SPF records (you can only have 1 per domain), exceeding the 10 DNS lookup limit, and forgetting to include all sending services.
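
The three mistakes above can be checked mechanically before a record is published. This Python linter is an added example, not code from the original page; it runs against constructed TXT data (every domain and record body here is a hypothetical stand-in for live DNS answers) and counts lookups recursively through include and redirect.

```python
import re

# Constructed TXT answers standing in for live DNS. All names and records are
# hypothetical, including the contents shown for _spf.google.com.
SAMPLE_TXT = {
    "ok.example": ["v=spf1 include:_spf.google.com ~all"],
    "_spf.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "dup.example": ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:crm.example ~all"],
    "busy.example": ["v=spf1 mx a include:s1.example include:s2.example include:s3.example ~all"],
}
for s in ("s1", "s2", "s3"):  # each sending service nests two more includes
    SAMPLE_TXT[f"{s}.example"] = [f"v=spf1 include:n1.{s}.example include:n2.{s}.example ~all"]
    for n in ("n1", "n2"):
        SAMPLE_TXT[f"{n}.{s}.example"] = ["v=spf1 ip4:198.51.100.0/24 ~all"]

# Terms that cost a DNS query during SPF evaluation (RFC 7208, section 4.6.4).
TERM = re.compile(r"[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=]([^/\s]+))?(?:/.*)?$")

def spf_records(domain, txt):
    """TXT strings for the domain that are SPF records (first token is v=spf1)."""
    return [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, txt, path=()):
    """Count DNS-querying terms, following include/redirect into nested records."""
    recs = spf_records(domain, txt)
    if domain in path or len(recs) != 1:  # loop, or nothing usable to follow
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        m = TERM.match(term)
        if not m:
            continue  # ip4, ip6, all: no DNS query
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), txt, path + (domain,))
    return total

def lint_spf(domain, txt, required_includes=()):
    """Findings for the three mistakes: duplicates, more than 10 lookups, missing senders."""
    recs = spf_records(domain, txt)
    if len(recs) != 1:
        return [f"{len(recs)} SPF records published; exactly 1 is required"]
    n = count_lookups(domain, txt)
    findings = [f"{n} DNS lookups; limit is 10"] if n > 10 else []
    terms = recs[0].lower().split()
    findings += [f"sending service not authorized: {inc}"
                 for inc in required_includes if f"include:{inc}" not in terms]
    return findings
```

Note that busy.example has only five lookup terms in its own record; the nested includes of its three services push the total to 11, which is why the count has to follow includes rather than stop at the top-level record.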

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to every email you send. The signature is generated using a private key stored on your sending server, and inbox providers verify it using a public key published in your DNS records.

The purpose is tamper detection. If anyone modifies the email content after it leaves your server, the DKIM signature breaks and the email fails authentication. This protects against spoofing and man-in-the-middle attacks.

DKIM setup is usually handled by your email provider (Google Workspace, Microsoft 365) or your cold email platform. You add the DKIM record to your DNS, and the platform handles the signing automatically.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC ties SPF and DKIM together and tells inbox providers what to do when an email fails authentication. Without DMARC, providers make their own decisions about how to handle failed emails. With DMARC, you set the policy.

A basic DMARC record: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

The p=quarantine policy tells providers to send failed emails to spam rather than the inbox. You can also use p=reject (block failed emails entirely) or p=none (monitor only, take no action). Start with p=none while you verify everything is working, then move to p=quarantine or p=reject.

The rua tag sends you aggregate reports showing which emails passed and failed authentication. These reports are essential for catching issues early. Salesforce's email deliverability documentation recommends monitoring DMARC reports weekly to catch authentication failures before they impact sender reputation.
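
To show what the weekly review of rua reports looks like in practice, this Python example (added here, not from the original page) summarizes a DMARC aggregate report per sending IP and checks whether the domain looks ready to leave p=none. The report is constructed in the RFC 7489 layout with documentation-range IPs, and the 1 percent failure threshold is an assumption, not a figure from the page.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report (RFC 7489 layout); IPs are documentation ranges.
# Real reports come from third parties: parse them with a hardened parser such
# as defusedxml rather than the standard library.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def summarize(report_xml):
    """Per source IP: messages seen, DMARC failures, and SPF-only failures."""
    root = ET.fromstring(report_xml)
    stats = defaultdict(lambda: {"total": 0, "dmarc_fail": 0, "spf_only_fail": 0})
    for row in root.iter("row"):
        entry = stats[row.findtext("source_ip")]
        n = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        entry["total"] += n
        if dkim != "pass" and spf != "pass":
            entry["dmarc_fail"] += n      # DMARC fails only when both checks fail
        elif spf != "pass":
            entry["spf_only_fail"] += n   # passes on DKIM; SPF record likely misses this sender
    return dict(stats)

def ready_to_enforce(report_xml, max_fail_rate=0.01):
    """Assumed rule: leave p=none only when at most 1% of reported mail fails DMARC."""
    stats = summarize(report_xml)
    total = sum(s["total"] for s in stats.values())
    failed = sum(s["dmarc_fail"] for s in stats.values())
    return total > 0 and failed / total <= max_fail_rate
```

A source that fails only SPF usually points to a sending service missing from the SPF record, while a source failing both checks is either an unconfigured service or mail that is not yours.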

DNS Records
Domain Name System records that control how your domain behaves. For email deliverability, the relevant DNS records are SPF (authorizes sending servers), DKIM (adds cryptographic signatures), DMARC (sets authentication policies), and MX (routes incoming email). These records are managed through your domain registrar or DNS provider.

Email Warmup: What It Is and How Long It Takes

Email warmup is the process of gradually building sender reputation on a new email account by sending and receiving emails in a controlled environment. Warmup takes 2 to 4 weeks. During this period, automated tools exchange emails between real accounts to generate opens, replies, and positive engagement signals that establish credibility with inbox providers.

A brand new email account has no sending history. Inbox providers do not know whether it is legitimate or a spam operation. Warmup solves this by establishing a positive track record before you start sending cold emails.

Here is how warmup works in practice:

  1. Week 1. The warmup tool sends 5 to 10 emails per day from your account to other accounts in the warmup network. Those accounts open the emails, reply, and mark them as "not spam" if they land there. This builds initial positive signals.
  2. Week 2. Volume increases to 15 to 25 emails per day. The warmup tool varies send times, reply rates, and engagement patterns to mimic natural email behavior.
  3. Week 3. Volume reaches 30 to 40 emails per day. By now, inbox providers have enough data to assign your account a baseline reputation.
  4. Week 4. You can start sending cold emails alongside the warmup activity. Begin with 10 to 15 cold emails per day and increase gradually. Keep warmup running indefinitely to maintain reputation.

Rushing warmup is the most common mistake. Teams that skip it or compress it to a few days end up with accounts that get flagged within the first week of cold sending. The damage is hard to reverse. A flagged account may never fully recover its reputation on that domain.

Most cold email platforms (Instantly, Smartlead, Lemlist, Woodpecker) include built-in warmup tools. You can also use standalone warmup services, but using the one built into your sending platform is simpler and ensures compatibility. We compare all 6 major platforms in our best cold email tools for 2026 guide.

Sending Limits and Domain Rotation

Safe sending limits for cold email are 20 to 30 emails per account per day. To scale beyond that, add more accounts and domains rather than increasing per-account volume. Domain rotation spreads sends across 5 to 15 domains to protect reputation and ensure that a single domain issue does not shut down your entire operation.

Sending volume is the lever most teams pull first when they want more pipeline. It is also the lever most likely to destroy their deliverability if used wrong.

Here are the numbers that matter:

| Metric | Safe Range | Risk Zone | Danger Zone |
|---|---|---|---|
| Emails per account/day | 20 to 30 | 30 to 50 | 50+ |
| New contacts per domain/day | 30 to 50 | 50 to 100 | 100+ |
| Bounce rate | Under 2 percent | 2 to 5 percent | 5+ percent |
| Spam complaint rate | Under 0.1 percent | 0.1 to 0.3 percent | 0.3+ percent |
| Domains per campaign | 5 to 15 | 3 to 5 | 1 to 2 |

Domain rotation is the practice of spreading your sends across multiple domains to reduce risk. Instead of sending 200 emails per day from 1 domain, you send 20 per day from 10 domains. If 1 domain gets flagged, you lose 10 percent of your capacity instead of 100 percent.

Each domain needs its own email accounts, DNS authentication, and warmup period. That is overhead, but it is the cost of doing cold email at scale without burning infrastructure.

Domain naming matters too. Your sending domains should look legitimate. They should be related to your actual brand but not identical to your primary domain. If your main site is companyname.com, your sending domains might be companynameHQ.com, trycompanyname.com, or hellocompanyname.com. Avoid random strings or domains that look like they were bought in bulk.

Sender Reputation
A score assigned by inbox providers (Gmail, Outlook, Yahoo) to your domain and IP address based on historical sending behavior. Factors include bounce rate, spam complaint rate, engagement metrics (opens, replies), and sending volume patterns. Higher reputation means more emails reach the inbox. Reputation is domain-specific and takes weeks to build, but can be damaged in days.

Content Signals That Trigger Spam Filters

Spam filters scan email content for patterns associated with bulk marketing and scams. The biggest triggers are spam words ("guaranteed," "exclusive," "limited time"), excessive links, HTML formatting, large images, and tracking pixels. Plain-text emails with minimal links and natural language consistently deliver better than formatted marketing emails.

Content-based spam filtering has gotten more sophisticated, but the core triggers have not changed much. Here is what to avoid.

Spam words. Inbox providers maintain lists of words and phrases commonly used in spam. Using them in cold email, especially in subject lines, increases the probability of landing in spam. The highest-risk categories:

Woodpecker maintains a comprehensive spam word list that gets updated regularly. It is worth checking before every new campaign.

Excessive links. Keep links to 1 per email, 2 at most. Every link is a signal that the email might be marketing content. Cold emails should contain a single link (your CTA) and nothing else. No social media links in the signature. No tracking links if you can avoid them.

HTML formatting. Rich HTML emails with images, buttons, colored text, and styled layouts look like marketing emails because they are. Cold emails should be plain text or very minimal HTML. The goal is to look like a regular email from a colleague, not a newsletter. For more on what the email itself should say, see our guide on writing cold emails that get replies.

Tracking pixels. Open tracking uses an invisible image pixel that loads when the email is opened. Inbox providers know about this. Heavy use of tracking pixels is a signal that the email is bulk outreach. Some platforms let you disable tracking pixels for the first email in a sequence and enable them for follow-ups, which is a reasonable middle ground.

Attachments. Never include attachments in cold emails. They trigger spam filters and many corporate email systems block them automatically. If you need to share a document, link to it instead.

Monitoring Deliverability

Monitor deliverability by tracking open rates (below 30 percent signals problems), bounce rates (keep under 2 percent), spam placement rates (use inbox testing tools), and DMARC reports. Check these weekly. Catching a deliverability issue in the first 48 hours prevents minor problems from becoming major reputation damage.

Deliverability is not a set-and-forget configuration. It requires ongoing monitoring because sender reputation changes over time based on your sending behavior.

The metrics to track weekly:

Gartner's email marketing analysis recommends treating deliverability as a continuous ops function, not a one-time setup task. The teams with the most consistent inbox placement are the ones actively monitoring and adjusting.

The Infrastructure Checklist

Before sending a single cold email, complete this infrastructure checklist: purchase dedicated sending domains, configure SPF/DKIM/DMARC on each, create email accounts, run 2 to 4 weeks of warmup, verify your lead list, set per-account sending limits, and run inbox placement tests. Skipping any step compounds risk across all the others.

Here is the complete infrastructure setup, in order. Do not skip steps. Do not compress timelines.

  1. Purchase sending domains. Buy 5 to 10 domains related to your brand. Use a reputable registrar (Google Domains, Namecheap, Cloudflare). Avoid bulk domain providers or domains with previous negative history.
  2. Configure DNS authentication. Set up SPF, DKIM, and DMARC for every sending domain. Verify each record using MXToolbox or Google's DNS lookup tools. Do not proceed until all records pass validation.
  3. Create email accounts. Set up 2 to 3 email accounts per domain using Google Workspace or Microsoft 365. Use real-looking names and signatures. Avoid generic addresses like info@ or sales@.
  4. Start warmup. Enable warmup on every account. Run for a minimum of 2 weeks, ideally 3 to 4. Do not send any cold emails during this period. Just warmup.
  5. Verify your lead list. Run every email address through a verification tool. Remove invalid, catch-all, and role-based addresses (info@, admin@, support@). Target a bounce rate under 1 percent on verified lists.
  6. Set sending limits. Configure your cold email platform to send 20 to 30 emails per account per day. Set up inbox rotation so sends distribute evenly across all accounts.
  7. Run inbox placement tests. Before launching to real prospects, send test emails to seed accounts across Gmail, Outlook, and Yahoo. Verify they land in the primary inbox, not spam or promotions.
  8. Launch at low volume. Start with 50 to 75 percent of your target daily volume for the first week. Monitor open rates, bounce rates, and spam placement daily. Increase to full volume only if metrics look healthy.
  9. Keep warmup running. Do not turn off warmup when you start sending cold emails. Run both simultaneously. Warmup activity continues to generate positive engagement signals that support your reputation.

This setup takes 3 to 4 weeks from start to first cold email sent. That timeline frustrates teams that want results immediately. But the alternative, skipping setup and burning domains in the first week, costs more time and money than doing it right the first time.

We manage this entire infrastructure layer for every client. Domain purchasing, DNS configuration, warmup management, sending limits, rotation, monitoring. It runs in the background so the focus stays on what matters: sending emails that are worth reading.
