
Why Your Cold Emails Land in Spam (And How to Actually Fix Deliverability)

A practical guide to cold email deliverability — SPF, DKIM, and DMARC explained plainly, how domain warmup actually works, sending limits that keep you safe, spam trigger words to avoid, and an actionable checklist to audit your setup today.

Flailo Team | June 5, 2026 | 11 min read

Why deliverability is the first problem to solve

You can write the best cold email in the world, with perfect personalization and a compelling offer — and if it lands in spam, it's worth exactly as much as the worst cold email ever written. Zero. Your reply rate isn't a measure of how good your emails are. It's a measure of how good your emails are times your deliverability rate.

Most cold email problems that get blamed on "bad copy" or "the wrong offer" are actually deliverability problems. If your open rates are below 20%, a significant portion of your emails aren't reaching the inbox at all. If open rates suddenly drop on a sequence that was working, something changed in your deliverability — not your copy.

The good news: deliverability is mostly a technical setup problem with specific, fixable causes. You don't need to understand every nuance of email infrastructure to get it right. You need to do about 8 things correctly and avoid about 5 common mistakes. This guide covers all of them.

Email authentication: SPF, DKIM, DMARC

Email authentication is a set of technical standards that tell receiving mail servers that you are who you say you are — that the email actually came from the domain it claims to come from. Without these records, receiving servers have no way to verify your identity, and their spam filters treat your emails with maximum suspicion.

Gmail and Outlook together handle the majority of cold email recipients' inboxes. Both have made SPF, DKIM, and DMARC effectively mandatory for bulk senders as of 2024. Without them, your emails either land in spam or get rejected outright.

Setting these up sounds technical. The actual process is straightforward: you add three DNS records to your domain registrar (GoDaddy, Cloudflare, Namecheap, etc.) and then verify they're working with a free tool. Most setups take under 30 minutes.

SPF: who is allowed to send from your domain

SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorized to send email on behalf of your domain. Without it, anyone can send an email claiming to be from your domain — and spam filters know this, so they're suspicious of domains without SPF.

An SPF record looks like this in your DNS settings:

Breaking this down: v=spf1 identifies this as an SPF record. include:_spf.google.com authorizes Google's servers (for Gmail/Google Workspace). include:sendgrid.net authorizes SendGrid (if you're using it to send). ~all means "softfail" — if email comes from somewhere not listed, treat it with suspicion but don't reject it outright.

The most common SPF mistake: having multiple SPF records. The SPF standard allows only one SPF record per domain. If you add a second one, receivers treat the result as a permanent error and neither works. Combine all authorized senders into one record.
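The single-record rule can be checked mechanically. The following is an added example, not code from this article or from any tool it names: it lints a list of TXT strings offline, using a sample record assembled from the terms broken down above. The 10-lookup limit it checks comes from RFC 7208, not from the article.

```python
# Added example: offline lint of the TXT records published at one domain.
# Terms that cost a DNS lookup during SPF evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """Check the TXT strings published at one domain; return a result dict."""
    result = {"findings": [], "all": None, "includes": [], "lookups": 0}
    spf = [r.strip() for r in txt_records
           if r.strip().lower().split(" ")[0] == "v=spf1"]
    if not spf:
        result["findings"].append("no SPF record published")
        return result
    if len(spf) > 1:
        # RFC 7208 section 4.5: several records make evaluation a permerror,
        # so none of them is honoured.
        result["findings"].append(f"{len(spf)} SPF records published: permerror")
        return result
    has_redirect = False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default is pass
        body = term.lstrip("+-~?")
        name = body.replace("=", ":").split(":")[0].split("/")[0].lower()
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
        if name == "include":
            result["includes"].append(body.partition(":")[2])
        elif name == "redirect":
            has_redirect = True
        elif name == "all":
            result["all"] = qualifier
    if result["all"] is None and not has_redirect:
        result["findings"].append("no 'all' term: unlisted senders get a neutral result")
    elif result["all"] in ("+", "?"):
        result["findings"].append(f"'{result['all']}all' does not restrict unlisted senders")
    if result["lookups"] > 10:
        # Nested includes count too, so the real total can only be higher.
        result["findings"].append("more than 10 DNS-lookup terms: permerror")
    return result

# Assembled from the terms the article breaks down.
PAGE_RECORD = "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
# Constructed: the same senders split across two records (the common mistake).
SPLIT_RECORDS = ["v=spf1 include:_spf.google.com ~all",
                 "v=spf1 include:sendgrid.net ~all"]

if __name__ == "__main__":
    print(lint_spf([PAGE_RECORD]))
    print(lint_spf(SPLIT_RECORDS))
```

Feed it the TXT answers returned by your DNS lookup tool of choice; an empty `findings` list means none of these specific mistakes is present.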

DKIM: cryptographic signature on every email

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. The receiving mail server can use this signature to verify that the email wasn't tampered with in transit and that it genuinely originated from your domain. Think of it as a wax seal on a letter: if the seal is intact, the letter wasn't altered.

Your email service provider (Google Workspace, Outlook 365, etc.) handles generating and applying the DKIM signature. Your job is to add the DKIM public key to your DNS records so receiving servers can verify it.

In Google Workspace admin: go to Apps → Google Workspace → Gmail → Authenticate email → Generate new record. Google gives you the exact DNS record to add. After adding it, wait 24–48 hours for propagation and then click "Start authentication" in the admin panel.

If you're using a cold email sending tool (Smartlead, Instantly, etc.) you'll also need to add DKIM for that tool's sending infrastructure. The tool's documentation will specify the exact record format.

DMARC: the policy that ties them together

DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving servers what to do with emails that fail SPF and DKIM checks. It also sends you reports showing which servers are sending email from your domain — which helps you catch unauthorized use.

Breaking this down: p=none means "monitor mode" — don't reject or quarantine failing emails yet, just report. This is the right starting point. rua=mailto: sends aggregate reports to the email address you specify. Once you've confirmed your legitimate emails are passing authentication, you can change p=none to p=quarantine or p=reject.

For most cold email senders, p=none is sufficient and the safest starting point. Moving to p=reject without verifying your full email infrastructure first can cause legitimate emails to be rejected.

Verify all three records are working correctly at mxtoolbox.com/SPFRecordLookup.aspx and dmarcian.com — free tools that confirm your setup is correct.

Domain warmup: the step everyone skips

Email service providers (Gmail, Outlook, etc.) track the sending history and reputation of every domain that sends through their systems. A brand new domain with no history looks suspicious — it matches the pattern of domains created specifically to send spam.

Domain warmup is the process of gradually increasing your sending volume over time so that the reputation of your domain grows naturally. Skipping warmup and sending 200 cold emails on day one is the single fastest way to get your domain flagged, your emails routed to spam, and your sending reputation permanently damaged.

The warmup schedule

A standard warmup schedule for a new sending domain:

The "manual, to real contacts" part matters during early warmup. Automated warmup tools (like Instantly's warmup feature or Mailwarm) send emails between their network's inboxes — which generates positive engagement signals (opens, moves out of spam, replies) that build domain reputation. Many cold email tools include this as a feature and run it automatically in the background.

Using a dedicated sending domain

Cold email should never be sent from your company's primary domain (e.g., yourcompany.com). If that domain gets flagged, your entire company's email — including customer support, investor communications, and product notifications — is compromised.

Register a variant domain for cold email: yourcompany-hq.com, tryyourcompany.com, yourcompanyinc.com. Set up full authentication (SPF/DKIM/DMARC) and run warmup on this domain. Your primary domain stays clean.

Set up an MX redirect from the sending domain to your primary domain so that replies to the sending domain arrive in your regular inbox. Your email tool handles this configuration.

Safe sending limits and volume controls

Even with perfect authentication and a warmed domain, volume matters. Sending too many emails too fast triggers spam filters at the recipient's mail provider — regardless of how good your authentication setup is.

Per-inbox limits

Gmail personal accounts: limit of 500 emails/day. Google Workspace accounts: 2,000 emails/day. But these are the hard limits — you should stay well below them for cold email to maintain deliverability.

Best practice for a single inbox sending cold email: max 50–75 emails per day after warmup is complete. This is conservative by design. Staying below 100/day keeps you far from any threshold that would trigger spam review, and it's the right limit for maintaining long-term inbox placement.

If you need to send more volume, add more inboxes — not more emails from a single inbox. Four inboxes at 50/day is better than one inbox at 200/day, both for deliverability and for keeping your spam complaint rate manageable.

Throttling and send timing

Don't send 50 emails at 9:00am and then nothing for the rest of the day. This pattern looks like automated bulk sending. Spread emails throughout the working day: configure your sending tool to send 3–5 emails per hour, with random delays between sends (some tools call this "random delay" or "human-like sending").

Best send times for cold email: Tuesday–Thursday, 9am–11am and 1pm–3pm in the prospect's local time zone. Friday afternoons and Monday mornings are the worst — people are either clearing their inbox before the weekend or digging out from it after.

Bounce rate management

A bounce rate above 5% is a major deliverability red flag. Validate your email lists before sending — tools like ZeroBounce, NeverBounce, or Hunter's email verifier flag invalid addresses before you send to them. Sending to invalid addresses wastes your daily quota and damages your sender reputation every time you bounce.

Spam trigger words and content signals

Spam filters use a combination of technical signals (authentication, reputation) and content signals (the words and structure of the email itself) to decide where emails land. Content triggers are often overlooked because they're less technical — but they're also the easiest to fix.

Words that reliably trigger spam filters

These words and phrases appear disproportionately in confirmed spam and are weighted heavily by most spam filtering systems:

  • Money-related: "free," "no cost," "earn money," "make money fast," "extra income," "cash bonus," "winner," "prize," "guaranteed," "risk free"
  • Urgency/scarcity: "act now," "limited time," "don't delete," "urgent," "important offer," "expires," "last chance"
  • Credibility overreach: "100%," "double your," "increase sales," "amazing," "incredible deal," "#1"
  • Opt-out language in subject lines: "this is not spam," "you're receiving this because," "click to unsubscribe" (in subject)

Avoid these in both subject lines and email bodies. The risk is especially high in subject lines — that's the first thing spam filters evaluate.

Structural spam signals

Beyond individual words, spam filters also flag structural patterns common in bulk email:

  • Excessive images or attachments in first emails: Don't attach PDFs or embed images in cold outreach. Plain text emails significantly outperform HTML-heavy emails for inbox placement.
  • Multiple links: Keep it to zero or one link per cold email. Every link you add increases spam score. Use links for CTAs, not for header logos, social icons, or "view online" versions.
  • Tracked links on new domains: Tracking links (bit.ly, click-tracking subdomains) are heavily associated with spam. During warmup, disable link tracking entirely. The deliverability benefit outweighs the analytics loss.
  • All-caps words: "BIG OPPORTUNITY" or "FREE TRIAL" in the subject triggers spam filters and looks low-quality to humans.
  • Excessive punctuation: "Ready to 3x your revenue!!?" Both a spam signal and a credibility signal to humans — neither in a good way.

Infrastructure: sending domains vs. root domain

A scalable cold email infrastructure uses multiple sending domains and multiple inboxes per domain — not a single inbox on your primary domain. Here's why and how to set this up:

Why multiple domains

When one domain's reputation takes a hit (a spam complaint spike, a bad list, an accidental limit breach), it doesn't affect your other domains. You can rotate to a backup domain while the affected one recovers. This redundancy is essential for any team sending meaningful volume.

A reasonable infrastructure for a 3-person SDR team sending 150 emails/day each:

Google Workspace vs. other providers

Google Workspace is the most common choice for cold email sending because Gmail has high deliverability when sending to Gmail recipients (which represent a huge portion of business email). Outlook 365 is the second-best option and often better for reaching Microsoft-hosted inboxes (Outlook.com, many enterprise domains).

A mixed infrastructure (some Google Workspace inboxes, some Outlook 365) gives you the best overall inbox placement across both major mail providers.

The deliverability checklist

Use this checklist to audit your cold email setup. If you can check every item, your deliverability problems are almost certainly in your list quality or your content — not your infrastructure.

  • SPF: Single TXT record, all senders listed, verified at mxtoolbox
  • DKIM: Enabled in your email provider, DNS record added and verified
  • DMARC: _dmarc TXT record live, p=none or higher, reports configured
  • Warmup: 4+ weeks completed before sending >50/day, active warmup tool running

The full checklist:

  • ☐ Cold email sends from a dedicated domain — not your primary company domain
  • ☐ SPF record is set and verified (mxtoolbox.com check shows "SPF Record Found")
  • ☐ DKIM is enabled in Google Workspace / Outlook 365 admin and DNS record is live
  • ☐ DMARC record is set at _dmarc.yourdomain.com, at minimum with p=none
  • ☐ New sending domain completed minimum 3–4 weeks of warmup before cold campaigns started
  • ☐ Max 50–75 cold emails per inbox per day after warmup
  • ☐ Sending is distributed throughout the day (3–5/hour) with random delays between sends
  • ☐ Email lists are validated before sending (ZeroBounce or equivalent) — bounce rate below 3%
  • ☐ Cold emails use plain text or minimal HTML — no images, no tracking pixels in early outreach
  • ☐ Maximum one link per email — no link tracking on new or warmed domains
  • ☐ Email body contains no spam trigger words (free, guaranteed, act now, etc.)
  • ☐ Subject lines avoid all-caps and excessive punctuation
  • ☐ Unsubscribe mechanism is available (either a simple reply instruction or a link), legally required in most jurisdictions
  • ☐ Spam complaint rate stays below 0.1% (check Google Postmaster Tools for gmail.com complaints)
  • ☐ Google Postmaster Tools is connected and monitored, with alerts set up for reputation drops

The most common items missing from this list, in order of frequency: DMARC not set, warmup skipped or done for less than 2 weeks, email validation not run, and sending from the primary company domain. Fix those four first — they account for the vast majority of deliverability problems.

Deliverability isn't something you set up once and forget. Monitor your Google Postmaster Tools dashboard weekly. If your domain reputation shows "Low," pause sending immediately, investigate what caused it (usually a spike in spam complaints from a bad list), clean your lists, and resume warmup before restarting campaigns.

A clean sender reputation is a long-term asset. It takes weeks to build and can be destroyed in a single day of careless sending. Protect it.

Flailo Team

We build AI tools for B2B sales teams. These guides are written from real experience running outbound campaigns and testing what moves reply rates.