Cold Outreach

Cold Email Deliverability: Why Your Emails Hit Spam and How to Fix It

You can write the most relevant cold email of your life and still lose, because the recipient never sees it. It sits in a spam folder nobody opens, or it gets silently dropped before delivery, and your reply rate quietly craters while you blame the copy. The frustrating part is that deliverability feels like luck — some days you land, some days you don't — but it isn't luck. Mailbox providers run deterministic checks and a reputation score, and once you can see what they actually measure, getting to the inbox becomes an engineering problem with known fixes.

The takeaway up front: inbox placement is decided by three things in order — authentication (can the provider prove the mail is really from your domain), reputation (does your sending domain and IP have a history of wanted mail), and engagement (are real people opening and replying instead of deleting and complaining). Nail authentication, build reputation slowly through warm-up, and protect engagement with a clean list, and you fix the vast majority of spam problems. This is the unglamorous foundation under everything in the cold outreach guide.

What actually happens when you press send

A cold email passes through several gates before it reaches an inbox, and any one of them can sink it. First, the receiving server checks authentication: does this message cryptographically prove it came from your domain? Then it checks reputation: what is the sending history of this domain and IP — mostly wanted mail, or mostly complaints and dead addresses? Finally, it weighs content and engagement signals: spammy phrasing, a bad text-to-link ratio, and — most importantly over time — whether recipients open, reply, and don't mark you as spam.

Notice what is not on that list: how clever your subject line is. Copy matters for replies, but it is nearly irrelevant to placement compared to the three gates above. Reps obsess over wording while sending from an unauthenticated, cold domain to a scraped list — and then wonder why nothing lands. The order of operations is the whole point: fix the gates first, then optimize the message.

Authentication: prove the mail is really yours

Authentication is the one part of deliverability that is pass/fail and fully in your control, so it is where you start. Three DNS records do the work, and modern mailbox providers increasingly reject or junk mail that fails them.

  • SPF (Sender Policy Framework) is a DNS record listing which servers are allowed to send mail for your domain. The receiver checks the sending server's IP against that list. If you send through a sequencer or ESP, you add their include to your SPF record so their servers count as authorized.
  • DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to each message, signed with a private key; the matching public key lives in your DNS. The receiver verifies the signature, which proves the message genuinely came from your domain and wasn't altered in transit.
  • DMARC (Domain-based Message Authentication) ties the two together. It tells receivers what to do when SPF or DKIM fails — none (monitor only), quarantine (send to spam), or reject (refuse outright) — and where to send reports. It also enforces alignment: the visible From domain must match the authenticated domain, which is what stops spoofing.

A practical starting DMARC record looks like this — a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s

Set up all three before you send a single cold email. There is no clever workaround for missing authentication; it is the price of admission, and providers like Google and Yahoo now treat it as mandatory for bulk senders rather than optional.

Reputation: why a brand-new domain gets junked

Even perfectly authenticated mail from a cold domain gets treated with suspicion, because reputation is earned over time and a domain with no history is an unknown quantity — and to a spam filter, unknown leans toward unwanted. Sending reputation attaches to both your domain and your sending IP, and it is built from the pattern of your behavior: consistent volumes, low bounce rates, low complaint rates, and real engagement.

This is why domain warm-up exists. You start a new (or newly-sending) domain at a low daily volume and ramp gradually over two to four weeks, so the provider sees a steady, growing pattern of wanted mail instead of a sudden blast that looks exactly like a spam cannon firing up. A few rules carry most of the weight:

  • Ramp slowly. Begin with a low daily volume and increase gradually; a brand-new domain jumping straight to hundreds of cold sends a day is the single fastest way to get filtered.
  • Send to engaged recipients first. Early sends to people who open and reply (colleagues, existing contacts, warm leads) teach the provider your mail is wanted.
  • Keep volume steady. Sudden spikes and erratic patterns look automated. Consistency reads as legitimate.
  • Use a separate domain for cold outreach. Send cold campaigns from a dedicated domain — often a close variant of your brand — so that if reputation takes a hit, it never touches your primary corporate domain or your team's day-to-day email.

Reputation is a slow asset to build and a fast one to destroy, which is exactly why the steps that protect it are non-negotiable.

Engagement and list hygiene: the slow killers

Once you are authenticated and warmed, your ongoing placement is governed mostly by engagement — and the fastest way to wreck it is a dirty list. Every email you send to a dead address, a spam trap, or someone who never wanted to hear from you is a vote against your reputation.

  • Verify before you send. Run your list through verification to strip invalid and risky addresses. A high bounce rate is one of the loudest negative signals there is; sending to dead mailboxes tells providers you don't know your own list.
  • Never send to scraped or purchased lists. They are full of invalid addresses and spam traps — addresses planted specifically to catch senders who didn't get permission. Hitting a few can tank a domain.
  • Watch the complaint rate. When recipients mark you as spam, providers notice immediately. Keeping it low means targeting people who plausibly want your message and making it trivial to opt out instead of forcing a spam-button click.
  • Prune the unengaged. Continuing to mail people who never open trains the provider that your mail is ignorable. Remove or pause cold contacts after a sensible number of no-response touches.

Good list hygiene and good targeting are the same discipline viewed from two angles: send wanted mail to real people, and engagement takes care of itself.

Content signals you can actually control

Content is the smallest of the levers, but a few mechanical issues will get even legitimate mail filtered, so they are worth a pass before each campaign:

  • Balance text and links. A near-empty email that is mostly a giant link or image reads as spam. Lead with real text and keep links minimal — often a single relevant one.
  • Skip the spam-bait phrasing and formatting. ALL CAPS subject lines, "FREE!!!", fake RE: prefixes, and walls of exclamation points are pattern-matched to junk. Plain, specific language both reads better and filters better.
  • Authenticate your tracking and links. Tracking domains and link shorteners that don't match your sending domain, or that sit on blacklisted shared domains, drag down placement. Use a tracking domain aligned to your own.
  • Always include a real opt-out. A working unsubscribe is both a legal requirement in many regions and a reputation protector — it gives unhappy recipients an exit that isn't the spam button.

None of these will save mail sent from a cold, unauthenticated domain to a bought list. They are the finishing touches on a foundation that is already sound.

A deliverability checklist before any campaign

Run this list before you send cold mail at volume:

  1. SPF, DKIM, and DMARC are all configured and passing for your sending domain.
  2. A dedicated sending domain is in use for cold outreach, separate from your primary domain.
  3. The domain is warmed — ramped gradually over two to four weeks, not blasted on day one.
  4. The list is verified and free of scraped, purchased, or unverified addresses.
  5. Volumes are steady and within sane daily limits, with no sudden spikes.
  6. Every message has a working opt-out and a sensible text-to-link ratio.
  7. You monitor bounce and complaint rates and pause to fix the cause the moment either climbs.

Work top to bottom. Most deliverability emergencies are a failure at step one, two, or three — long before the message itself is the problem.

FAQ

Why are my cold emails going to spam?

Almost always a deliverability issue rather than your copy: missing or failing SPF/DKIM/DMARC, a cold domain blasted too fast, a dirty list driving high bounces, or spammy formatting. Fix authentication first, then warm-up, then list hygiene, and only then look at the wording.

How long does it take to warm up a new domain?

Plan on roughly two to four weeks of gradually increasing volume before you send cold campaigns at full scale. Start low, ramp steadily, and lean on engaged recipients early so the provider builds a positive history for the domain before it ever sees a cold blast.

Should I send cold email from my main company domain?

No. Use a separate, dedicated domain — usually a close variant of your brand — for cold outreach. That way a reputation hit from cold sending never threatens your primary domain or your team's everyday email, and you can warm and manage it independently.

Do SPF, DKIM, and DMARC really matter that much?

Yes, and increasingly they are mandatory rather than optional. Major providers now expect bulk senders to authenticate, and unauthenticated mail is far more likely to be junked or rejected outright. Authentication is the one pass/fail part of deliverability fully within your control, so it is non-negotiable.

What bounce or complaint rate is too high?

There is no universal magic number, but both should stay low and steady — a sudden climb in either is your early warning that something is wrong. Treat any spike as a signal to stop, find the cause (usually a bad list segment or a too-fast ramp), and fix it before sending more.

Next step

Before your next campaign, do the unglamorous work first: add or verify SPF, DKIM, and DMARC on a dedicated sending domain, then warm it for two weeks at a low, steadily rising volume while you clean your list. A relevant message only earns replies if it reaches the inbox — and the inbox is won at the DNS record and the warm-up, long before the subject line.

Comments are disabled for this article.