Cold Email Deliverability in 2026: Domain Warming, SPF, DKIM and DMARC

Published: March 2026 | Cluster 4: Cold Email Lead Generation | Reading time: 16 minutes

TL;DR

Cold email deliverability is the invisible variable that determines whether your outreach generates leads or disappears into spam folders. You can write the best cold email ever crafted — if it never reaches the inbox, it never gets read. In 2026, Google and Microsoft have tightened enforcement on email authentication, domain reputation, and sending patterns. This guide covers the complete technical setup: SPF, DKIM, DMARC configuration, domain warming schedules, inbox rotation, sending limits, spam trigger avoidance, and monitoring. If you are running cold email campaigns without this infrastructure, you are burning money.

Why Cold Email Deliverability Is the Only Metric That Matters First

Most businesses obsess over open rates and reply rates. Those metrics are important — but they are downstream of a more fundamental question: did the email reach the inbox at all?

Industry data suggests that 21% of legitimate B2B emails never reach the primary inbox. They land in spam, promotions tabs, or get silently dropped by mail servers. For cold email — where the sender has no prior relationship with the recipient — that number climbs to 30-45% without proper infrastructure.

Think about what that means. If you send 200 cold emails per day and 40% land in spam, you are effectively sending 120 emails. Your "5% reply rate" is actually a 5% reply rate on 120 delivered emails — which means only 6 replies from 200 sends. Fix cold email deliverability to 95%+ inbox placement and those same 200 sends generate 9-10 replies. A 50% improvement without changing a single word of copy.

Cold email deliverability is not a technical detail. It is the foundation everything else sits on.

The Three Pillars of Email Authentication

Every email you send is evaluated by the receiving mail server. That server asks three questions: Is this sender who they claim to be? Are they authorised to send from this domain? Has the domain owner told me what to do with unauthenticated messages?

These three questions are answered by three DNS records: SPF, DKIM, and DMARC.

SPF (Sender Policy Framework)

SPF tells receiving mail servers which IP addresses are authorised to send email on behalf of your domain. Without an SPF record, any server in the world could send email pretending to be you — and mail servers treat that suspicion accordingly.

How to set up SPF:

1. Log into your domain registrar (GoDaddy, Cloudflare, Namecheap, etc.)
2. Navigate to DNS management
3. Add a TXT record with the following format:

` Type: TXT Host: @ Value: v=spf1 include:_spf.google.com include:sendgrid.net ~all `

The include: directives specify which email services are authorised to send on your behalf. Replace with your actual sending services.

Key rules:

• You can only have ONE SPF record per domain. Multiple records will fail validation.
• Use ~all (soft fail) rather than -all (hard fail) for cold email domains — hard fail is stricter and can cause legitimate emails to bounce if your SPF record is incomplete.
• Maximum of 10 DNS lookups in your SPF record. Exceeding this causes the entire record to fail.
• Update your SPF record every time you add a new email sending service.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every email you send. The receiving server checks this signature against a public key published in your DNS. If the signature matches, the email has not been tampered with in transit.

How to set up DKIM:

1. Generate your DKIM key pair through your email provider (Google Workspace, Microsoft 365, or your cold email platform).
2. Your provider will give you a TXT record to add to your DNS. It looks something like:

` Type: TXT Host: google._domainkey Value: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN... (long key string) `

1. Add this record in your DNS management panel.
2. Enable DKIM signing in your email provider's admin console.

Key rules:

• DKIM keys should be at least 2048 bits. Some providers still default to 1024-bit — upgrade.
• Rotate your DKIM keys annually. Stale keys are a security risk and can impact inbox placement.
• Each sending service needs its own DKIM record. If you use Google Workspace AND a cold email tool, both need DKIM configured.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also provides reporting so you can monitor who is sending email on behalf of your domain.

How to set up DMARC:

1. Add a TXT record to your DNS:

` Type: TXT Host: _dmarc Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100 `

1. Start with p=none (monitoring only). This lets you see who is sending on your behalf without blocking anything.
2. After 2-4 weeks of monitoring, move to p=quarantine (suspicious emails go to spam).
3. Once confident, move to p=reject (unauthenticated emails are blocked entirely).

DMARC policies explained:

Critical for cold email deliverability: Google and Microsoft now require DMARC records for any domain sending more than 5,000 emails per day. Even below that threshold, having DMARC significantly improves inbox placement. As of early 2026, Google rejects emails from domains without basic DMARC records when sent in volume.

Domain Warming: The Schedule That Prevents Disaster

Sending 200 cold emails from a brand-new domain on day one is the equivalent of walking into a bank with a balaclava and asking for a withdrawal. Technically legal, practically suicidal.

New domains have zero reputation. Mail servers have never seen them before and treat them with maximum suspicion. Domain warming is the process of building sending reputation gradually — proving to Google, Microsoft, and other providers that your domain sends legitimate email that real people engage with.

The 21-Day Warming Schedule

Warming rules:

• Replies matter more than sends. Mail servers track engagement. A domain that sends 50 emails and gets 20 replies looks legitimate. A domain that sends 50 emails and gets zero replies looks like spam. During warming, send emails to people who will respond — colleagues, friends, existing contacts.
• Mix email providers. Send to Gmail, Outlook, Yahoo, and custom domains in roughly equal proportions. Over-indexing on one provider flags your domain.
• Never skip warming. We see businesses try to shortcut this every month. They buy a domain, configure DNS, and start sending 200 cold emails on day one. By day three, they are in spam across every provider. Recovering a burned domain takes 4-8 weeks — longer than proper warming.
• Use automated warming tools. Services like Instantly, Warmbox, and Mailreach automate the warming process by sending and replying to emails from real inboxes across providers. These tools run in the background and maintain domain reputation even while you scale cold outreach. For a broader look at how AI automation is transforming UK SME operations — including email infrastructure management — see our dedicated guide.

Multiple Sending Domains

Professional cold email operations use 3-5 sending domains, not one. This provides:

• Volume distribution. Instead of 200 emails from one domain, send 60-70 from each of three domains. Lower per-domain volume means lower spam risk.
• Risk isolation. If one domain gets flagged, your entire campaign does not collapse. The other domains continue operating while the flagged one recovers.
• Testing flexibility. Run different subject lines, copy angles, or ICPs from different domains to isolate performance data.

Domain naming convention: Use variations of your main brand domain. If your company is brightlaw.co.uk, your sending domains might be getbrightlaw.co.uk, brightlawgroup.co.uk, and trybright.co.uk. Each needs its own SPF, DKIM, and DMARC records. Each needs its own warming period.

Inbox Rotation and Sending Limits

Why Inbox Rotation Matters for Inbox Placement

Each email inbox (e.g., james@getbrightlaw.co.uk) has its own sending reputation within the domain. If one inbox sends 100 emails per day and gets a spike in spam reports, that inbox's reputation tanks — and it drags the domain reputation down with it.

Inbox rotation spreads your daily volume across multiple inboxes within each domain. Instead of one inbox sending 60 emails, three inboxes each send 20. The risk is distributed and each inbox maintains a healthy sending pattern.

Recommended Sending Limits (2026)

Our recommendation: 30-50 cold emails per inbox per day, rotated across 3-4 inboxes per domain, across 3 domains. That gives you 270-600 cold emails per day with minimal risk to any single inbox or domain.

Time-of-Day Sending Patterns

Do not send all 50 emails from an inbox at 8:00 AM. That is not how humans send email. Spread sends across the working day — 8:00 to 17:00, with randomised intervals of 3-8 minutes between emails.

Most cold email platforms handle this automatically. If you are using a custom setup, build in randomisation. Mail servers track sending patterns, and 50 emails sent within 10 minutes from a single inbox is a red flag.

Spam Trigger Words and Formatting Traps

Words That Trigger Spam Filters

Spam filters in 2026 use machine learning rather than simple keyword matching — but certain words and patterns still increase your spam score. Avoid these in subject lines and email bodies:

High-risk words:

• Free, guaranteed, limited time, act now, urgent, exclusive
• Click here, buy now, order today, special offer
• 100%, zero risk, no obligation, no cost
• Congratulations, winner, selected, chosen

Moderate-risk phrases:

• "I hope this email finds you well" (not a spam trigger per se, but so common in spam that filters weight it negatively)
• "Dear Sir/Madam" (signals mass mail)
• "To whom it may concern" (same)
• Excessive use of recipient's first name (more than twice in a short email)

Formatting That Kills Email Deliverability

• HTML templates. Cold emails should be plain text. No images, no buttons, no colour styling. HTML-heavy emails trigger spam filters and signal "marketing email" to both filters and humans.
• Links in the first email. Avoid including more than one link in your initial cold email. Zero links is even better. Save links for follow-ups once you have established a thread.
• Tracking pixels. Open tracking uses invisible pixels that some spam filters detect. If your open rates seem artificially low, try disabling tracking pixels on your first email.
• Large signatures. Keep your signature under 5 lines. Images in signatures (logos, banners) increase spam scoring.
• Attachments. Never attach files to cold emails. Attachments are the number one spam trigger. Link to hosted content instead.

Google and Microsoft Policy Changes in 2026

Both Google and Microsoft have significantly tightened their email authentication requirements. Here is what changed and what it means for deliverability.

Google (Gmail / Google Workspace)

• DMARC required for domains sending more than 5,000 emails per day. This took effect in February 2024 and has been strictly enforced since.
• One-click unsubscribe required for bulk email. Cold B2B email is technically exempt (it is not "bulk" if it is individually addressed), but including an easy opt-out improves deliverability regardless.
• Spam rate threshold: Google now monitors your spam complaint rate. If more than 0.3% of recipients mark your emails as spam, your domain reputation degrades rapidly. At 0.5%, expect significant inbox placement issues.
• AMP email restrictions tightened — irrelevant for cold email, but worth noting for mixed-use domains.

Microsoft (Outlook / Office 365)

• Enhanced sender verification rolled out in late 2025, with stricter SPF/DKIM checking.
• SmartScreen filtering now uses AI-powered content analysis that goes beyond keyword matching. It evaluates email structure, sender behaviour patterns, and engagement signals.
• Junk Email Reporting Programme (JMRP) provides feedback loops. Enrol your sending IPs to receive notifications when recipients mark your email as junk.
• Throttling behaviour: Microsoft throttles new senders more aggressively than Google. If you see delayed delivery (emails arriving 4-6 hours late), your domain is being throttled. Reduce volume and allow reputation to build.

What This Means for Your Cold Email Infrastructure

The era of "buy a domain, start sending" is over. In 2026, cold email deliverability requires:

1. Full authentication (SPF + DKIM + DMARC) on every sending domain
2. Proper warming (21+ days before full volume)
3. Volume discipline (30-50 emails per inbox per day)
4. Engagement monitoring (track spam complaints, not just opens)
5. Multi-domain architecture (3-5 domains, rotated)

Skip any one of these and your emails will land in spam. All of them. Not some — all. The filters are that sophisticated now.

Monitoring and Maintaining Deliverability

Setting up your infrastructure is not a one-time task. Maintaining strong inbox placement requires ongoing monitoring and maintenance.

Essential Monitoring Tools

Weekly Monitoring Checklist

1. Check Google Postmaster Tools. Is your domain reputation "High"? If it has dropped to "Medium" or "Low," reduce volume immediately and investigate.
2. Review bounce rates. Hard bounce rate should be below 2%. Above 5% indicates list quality problems. Clean your list.
3. Monitor spam complaint rate. Keep below 0.1% for safety, 0.3% maximum. Above that, pause sending and diagnose.
4. Run inbox placement tests. Send test emails to seed accounts across Gmail, Outlook, and Yahoo. Verify they land in primary inbox.
5. Check blacklists. Use MXToolbox to verify your sending domains and IPs are not on any email blacklists. If listed, follow the delisting procedure immediately.
6. Review engagement metrics. Open rates below 25% suggest deliverability issues (emails are being filtered). Reply rates below 1% suggest copy problems — but fix deliverability first.

When Things Go Wrong: Recovery Playbook

If your domain reputation tanks, here is the recovery process:

1. Stop all cold email sends immediately. Continuing to send from a damaged domain makes it worse.
2. Identify the cause. Was it a bad list (high bounces)? Spam complaints? Sending volume spike? Authentication failure?
3. Fix the root cause. Clean your list, adjust your copy, fix DNS records — whatever caused the problem.
4. Begin re-warming. Treat the domain like a brand-new domain. Follow the 21-day warming schedule from scratch, starting with known contacts who will reply.
5. Monitor daily during recovery. Check Google Postmaster Tools every day until reputation returns to "High."
6. Consider retiring the domain. If a domain has been severely burned (blacklisted by multiple providers), it may be faster to retire it and start with a fresh domain than to attempt recovery. Recovery can take 4-8 weeks; warming a new domain takes 3 weeks.

The Infrastructure Stack We Recommend

At Ampliflow, cold email deliverability is not an afterthought — it is the first thing we build. When we onboard a new client through SCALeMAIL, the technical setup takes 2-3 weeks before a single outreach email is sent.

Here is the infrastructure we recommend for UK B2B cold email in 2026:

• 3 sending domains with full SPF, DKIM, and DMARC on each
• 9-12 inboxes across those domains (3-4 per domain)
• Automated warming running continuously in the background
• Inbox rotation with randomised sending intervals
• Daily volume of 30-50 per inbox — scaling to 270-600 total sends per day
• Weekly deliverability audits using the monitoring checklist above
• Separate tracking domain for link tracking (never track from your sending domain)

Combined with AmpliSearch for organic visibility and Amplio for multi-channel follow-up, this infrastructure turns cold email from a gamble into a system. Once your deliverability foundation is solid, the next lever is what happens after the reply — our guide to AI email marketing automation covers how to build nurture sequences that convert warm leads into paying clients.

For the full strategic picture — including list building, copywriting, and follow-up sequences — read our pillar guide: Cold Email Lead Generation for UK Businesses: The 2026 Playbook.

Advanced: Custom Tracking Domain Setup

Most cold email platforms include link tracking (to measure click-through rates). By default, these links route through the platform's domain — which means every user of that platform shares the same tracking domain reputation. If another user gets their emails flagged, it can affect your click-through tracking.

The fix is a custom tracking domain:

1. Create a subdomain like track.getbrightlaw.co.uk
2. Add a CNAME record pointing to your cold email platform's tracking server
3. Configure the platform to use your custom tracking domain
4. Add SPF and DKIM records for the tracking subdomain

This isolates your tracking reputation from other users and gives you full control over your deliverability stack.

Key Takeaways

• Cold email deliverability is the foundation of every cold email campaign — without inbox placement, nothing else matters.
• SPF, DKIM, and DMARC are mandatory in 2026. Configure all three on every sending domain before sending a single email.
• Domain warming takes 21 days minimum. Attempting to skip or shorten this process results in spam folder placement.
• Use 3-5 sending domains with 3-4 inboxes each, sending 30-50 emails per inbox per day.
• Google and Microsoft have tightened enforcement — DMARC is required for volume senders, spam complaint rates above 0.3% trigger penalties.
• Monitor deliverability weekly using Google Postmaster Tools, Microsoft SNDS, and inbox placement testing.
• Plain text emails with minimal links outperform HTML templates for cold email deliverability.
• If a domain's reputation tanks, stop sending immediately, diagnose the cause, and re-warm from scratch.

Frequently Asked Questions

How long does domain warming take?

A minimum of 21 days for a new domain. Some practitioners recommend 30 days for additional safety. During this period, you gradually increase sending volume from 5-10 emails per day to your target volume (150-200 per domain), prioritising sends to contacts who will reply. Automated warming tools can run in the background to accelerate the process, but you should not begin full cold outreach until at least day 14-21. For more on the complete setup, see Why Most Cold Email Campaigns Fail.

Can I use my main business domain for cold email?

We strongly advise against it. If your cold email domain gets flagged or blacklisted, it affects all email from that domain — including your regular business communications, invoices, and client correspondence. Use separate sending domains (variations of your brand name) specifically for outreach. Keep your primary domain clean for transactional and relationship email only.

What is a good spam complaint rate for cold email?

Below 0.1% is excellent. Below 0.3% is acceptable. Above 0.3%, Google begins degrading your domain reputation. Above 0.5%, expect significant deliverability problems. If your spam complaint rate is high, the most common causes are poor list quality (emailing people who never asked to hear from you at irrelevant addresses), aggressive copy (too salesy, too pushy), or excessive sending volume. Fix the root cause before continuing. Our guide to writing cold emails covers copy best practices.

Do I need DMARC if I send fewer than 5,000 emails per day?

Yes. While Google's strict DMARC requirement applies to domains sending 5,000+ emails per day, having a DMARC record significantly improves deliverability at any volume. Microsoft also evaluates DMARC presence in its filtering decisions. Start with p=none (monitoring only) and escalate to p=quarantine or p=reject once you have verified your authentication setup is complete. There is no downside to implementing DMARC — only upside.

How do I check if my domain is blacklisted?

Use MXToolbox's blacklist checker (mxtoolbox.com/blacklists.aspx). Enter your sending domain and it checks against 70+ blacklists simultaneously. If you are listed, each blacklist has its own delisting procedure — some are automatic (wait 24-48 hours), others require manual submission. Regular monitoring prevents surprises. We recommend checking weekly as part of your deliverability maintenance routine. If you would rather have professionals handle your entire cold email infrastructure, explore our services or book a free audit.