Server infrastructure representing email deliverability setup
Cold Emailtechnical

Email Deliverability Setup: The Complete Guide for Cold Email (SPF, DKIM, DMARC, Warmup)

AJ Cassata 9 min read

Cold email deliverability is the difference between a campaign that fills your pipeline and one that disappears into spam folders without a trace.

We’ve seen companies spend $5,000 on copy and list building, then send from a brand-new domain with no warmup and no authentication records — and wonder why they’re getting 8% open rates. The answer is always the same: their emails aren’t reaching the inbox.

This guide covers the complete deliverability setup we implement before launching any client campaign. Follow it in order.

Why Deliverability Is Non-Negotiable

Major email providers — Google (Gmail), Microsoft (Outlook), and the rest — score every sending domain in real time. They’re looking for signals that distinguish legitimate email from spam. When your domain looks like a spam source, they filter your emails before they reach the inbox.

The three things that get you filtered:

  1. No authentication records (SPF/DKIM/DMARC) — providers treat unauthenticated senders as high-risk
  2. Poor sending history — new domains, volume spikes, and low engagement all signal spam
  3. Content signals — certain patterns (image-heavy templates, unsubscribe footers, certain words) trigger promotions or spam categorisation

Getting deliverability right before sending is far easier than fixing it after you’ve damaged a domain’s reputation.

Step 1: Set Up Dedicated Sending Domains

Never cold email from your primary business domain. Your primary domain (yourcompany.com) is the domain tied to your brand, your website, your team’s email, and your transactional email. Sending cold email from it puts all of that at risk if the domain’s reputation drops.

Instead, register dedicated sending domains specifically for cold outreach. These are secondary domains that mirror your primary brand but aren’t your main identity.

How to choose sending domains:

  • Use variations of your primary brand: yourbrand.io, getyourbrand.com, yourbrandHQ.com, tryourbrand.com
  • Avoid domains that look spammy or unrelated to your company
  • Register from a reputable registrar (Namecheap, GoDaddy, Google Domains)

How many domains do you need?

  • Up to 50 emails/day: 1 sending domain (2–3 inboxes)
  • 50–200 emails/day: 3–5 sending domains
  • 200–500 emails/day: 8–12 sending domains

Each inbox should send a maximum of 40–50 emails per day. Running 3 inboxes per domain gives you 120–150 emails per day per domain.

Step 2: Configure SPF Records

SPF (Sender Policy Framework) tells receiving email servers which IP addresses are authorised to send email on behalf of your domain. Without an SPF record, mail from your domain has no authentication — and will be treated with suspicion by major providers.

How to set up SPF:

  1. Log into your domain registrar’s DNS management panel
  2. Add a new TXT record with the following format:
Name: @ (or your domain name)
Type: TXT
Value: v=spf1 include:[your-email-provider] ~all

The include: value depends on your sending service:

  • Google Workspace: include:_spf.google.com
  • Microsoft 365: include:spf.protection.outlook.com
  • SendGrid: include:sendgrid.net
  • Instantly.ai: refer to their DNS setup guide
  • Lemlist: refer to their DNS setup guide

If you use multiple sending services, combine them:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

What ~all vs -all means:

  • ~all (softfail): Messages failing SPF are accepted but marked. Recommended for most setups — less likely to cause legitimate email to bounce.
  • -all (hardfail): Messages failing SPF are rejected outright. More aggressive; use only once SPF is verified working.

Step 3: Configure DKIM

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The receiving server uses this signature to verify that the email wasn’t tampered with in transit and that it genuinely came from your domain.

How to set up DKIM:

DKIM keys are generated by your email sending service. Log into your email platform (Google Workspace, Microsoft 365, your sequencing tool) and find the DKIM setup section. They’ll provide a DNS TXT record that looks like:

Name: google._domainkey (or default._domainkey, or another selector)
Type: TXT
Value: v=DKIM1; k=rsa; p=[long string of characters]

Add this TXT record to your domain’s DNS. Allow up to 48 hours for DNS propagation.

Verify DKIM is working: Send a test email to a Gmail account and open the email. Click the three-dot menu → “Show original.” Look for:

  • dkim=pass — DKIM is working correctly
  • dkim=fail — something is misconfigured; check the DNS record exactly matches what your sending service provided

Step 4: Configure DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM to tell receiving servers what to do when an email fails authentication — and optionally sends you reports on authentication failures.

DMARC is the final authentication layer. Without it, even properly configured SPF and DKIM don’t fully protect your domain from spoofing, and some advanced spam filters penalise DMARC-less domains.

How to set up DMARC:

Add a TXT record to your domain’s DNS:

Name: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:you@yourdomain.com

DMARC policy options (p=):

  • p=none: Monitor mode — collect reports without taking action. Start here.
  • p=quarantine: Move failing emails to spam.
  • p=reject: Block failing emails outright.

Start with p=none and a reporting address you check. After 2–4 weeks of reviewing reports to confirm SPF and DKIM are passing consistently, upgrade to p=quarantine, then eventually p=reject.

Verify all three records: Use MXToolbox (mxtoolbox.com/SuperTool.aspx) to check SPF, DKIM, and DMARC for any domain. Enter your sending domain and run all three checks. All should show “PASS.”

Step 5: Set Up Custom Tracking Domain

Cold email tools often use shared tracking domains for open and click tracking. When those shared domains appear in your emails, they can trigger spam filters — because many senders (including spammers) use the same shared domain.

Setting up a custom tracking domain points the tracking URLs to a subdomain you control rather than the tool’s shared domain.

How to do it: In your sequencing tool (Instantly, Lemlist, Apollo, etc.), find the “Custom Tracking Domain” or “Custom Domain” setting. They’ll ask you to add a CNAME record to your sending domain’s DNS, like:

Name: track (or click, or link)
Type: CNAME
Value: tracking.instantly.ai (or your tool's CNAME target)

This doesn’t change functionality — it just routes tracking URLs through your domain instead of the tool’s shared domain, improving inbox placement.

Step 6: Warm Up Your Sending Inboxes

With authentication in place, start the warmup process. A brand-new inbox sending 200 cold emails on day one will be flagged as a spam source and penalised — regardless of how well the domain is authenticated.

What warmup does: Warmup tools send emails between a network of real email accounts, generating positive engagement signals: emails sent from your domain, emails opened, emails replied to. This builds a history that signals legitimate sender behaviour to mail providers.

Warmup schedule:

  • Week 1: 10 emails/day from each inbox
  • Week 2: 20 emails/day
  • Week 3: 35 emails/day
  • Week 4: 50 emails/day
  • Week 5–6: Continue building; monitor reputation
  • Campaign launch: Week 6–8

Warmup tools:

  • Mailreach: Strong reputation monitoring and a large warmup network
  • Warmup Inbox: Good for multiple inboxes in parallel
  • Instantly.ai: Includes warmup as a built-in feature
  • Smartlead.ai: Warmup + sequencing combined

Keep warmup running even after launch. Active warmup on sending inboxes continuously replenishes reputation that cold email volume consumes.

Step 7: Configure Sending Infrastructure

Before launching, set up your sequencing tool with the inboxes you’ve warmed.

Key settings to configure:

  • Daily send limit: Set to 40–50 emails per inbox per day. Never exceed this.
  • Send window: Set emails to send during business hours in the recipient’s timezone (9 AM – 5 PM), not overnight.
  • Inbox rotation: Distribute sends across multiple inboxes automatically — this spreads volume and protects reputation
  • Tracking: Enable open and click tracking via your custom tracking domain
  • Unsubscribe handling: Configure automatic opt-out processing for any reply containing “unsubscribe”, “remove me”, or similar

Step 8: Email List Verification

Before sending to any contact, verify that their email address is valid. Sending to invalid addresses produces hard bounces, which damage your domain reputation quickly.

Email verification tools:

  • ZeroBounce: Cleans lists and identifies invalid, disposable, and catch-all addresses
  • NeverBounce: Real-time verification with batch processing
  • Hunter.io: Verifies email addresses when finding them

Target metrics after verification:

  • Remove all “invalid” addresses
  • Flag and limit sends to “catch-all” addresses (servers that accept all email — validity is uncertain)
  • Keep bounce rate under 2% on all campaigns

The 10 Deliverability Rules We Enforce on Every Campaign

These are the non-negotiables we check before any campaign launches:

  1. SPF, DKIM, and DMARC are all configured and verified passing via MXToolbox
  2. Sending domain is separate from the primary business domain
  3. Sending inbox has been warmed for at least 6 weeks
  4. Send volume is under 50 emails per inbox per day
  5. Custom tracking domain is configured (no shared tool tracking domains)
  6. Contact list has been verified — bounce rate target under 2%
  7. Email template is plain text or minimal HTML — no images, no unsubscribe footers, no marketing banners
  8. Sending window is set to recipient business hours
  9. Inbox rotation is active across multiple inboxes/domains
  10. Warmup is running continuously alongside active campaigns

Diagnosing Deliverability Problems

If you’re seeing low open rates (under 30%) despite all the above being in place, here’s the diagnostic sequence:

Step 1: Run a deliverability test using Mail-Tester (mail-tester.com) or GlockApps. These tools tell you where your email lands (primary inbox, promotions, spam) across major providers.

Step 2: Check your domain’s blacklist status using MXToolbox Blacklist Check. If any sending domain is blacklisted, stop sending from it immediately and contact the blacklist provider for removal.

Step 3: Review your email content for spam triggers. Use a tool like SpamAssassin or GlockApps to score your email template. Look for: excessive links, ALL CAPS, spam trigger words (“free”, “guaranteed”, “100%”), and marketing-style HTML.

Step 4: Check sending volume. If any inbox is sending above 50 emails/day, reduce volume immediately and run 1–2 weeks of heavy warmup.

Step 5: Check bounce rate on recent campaigns. If above 3%, pause sending, clean the list with a verification tool, and resume at reduced volume.

Deliverability isn’t exciting — but it’s the infrastructure that determines whether everything else works. Get this right first. Everything downstream depends on it.

If you want us to audit your current cold email setup, book a call here and we’ll run through your configuration together.

#deliverability#spf#dkim#dmarc#email-warmup#technical-setup

Related Articles

Email outreach dashboard showing campaign metrics

Best Cold Email Software for B2B Outbound in 2026 (Reviewed)

 Email analytics dashboard showing open and reply rate metrics

Cold Email Statistics 2026: Benchmarks From 400+ B2B Campaigns

 LinkedIn and email icons representing two outbound channels

Cold Email vs LinkedIn Outreach for B2B Lead Generation: Which Channel Wins in 2026?