Cold Email Deliverability: 7-Step Setup Guide (2026)
Cold email deliverability under 50%? 7-step setup for SPF/DKIM/DMARC, warmup, and recovery — verified May 2026 against Gmail/Yahoo rules.

TL;DR: Cold email deliverability is the percentage of your sent messages that actually land in the primary inbox — not spam, not Promotions. The global average inbox placement rate sits around 84% (Mailgun State of Email Deliverability 2025), but cold outreach from new domains routinely runs 40-60% if you skip the 7 setup steps below. This guide walks you through SPF, DKIM, DMARC, warmup, content rules, testing, and recovery — verified against Google and Yahoo's February 2024 enforcement rules and the October 2025 Postmaster Tools v2 changes.
You hit send. Your reply rate is 0.4%. You blame the copy, the list, the offer — but the actual culprit is almost always the same: your emails never reached the inbox. Roughly one in six legitimate emails never makes it to the primary folder (Mailgun 2025), and for cold outreach from a brand-new domain that ratio is much worse.
Most "cold email deliverability" guides on page one of Google are written by tool vendors trying to sell you a $99/month warmup subscription. This one is vendor-neutral. It comes from running cold outbound at yolox for our own SaaS pipeline and watching what survives Gmail's February 2024 enforcement and the October 2025 Postmaster Tools v2 changes.
In the next 30 minutes you will set up SPF, DKIM, and DMARC correctly, choose a defensible warmup schedule, learn the 3 free tests that matter, and get a recovery playbook for when (not if) you eventually land on a blocklist.
Quick path: if your sequence is already running and you suspect a setup issue, jump to Step 7: Run the 3-minute diagnostic — it catches 80% of broken setups in under 3 minutes. Want the full B2B context first? Start with our B2B AI tools Pillar guide.
Before you start: what cold email deliverability actually means
Cold email deliverability is the share of your outbound messages that land in the recipient's primary inbox. It is not the same as "delivery rate" — and nearly 88% of senders cannot correctly define the email delivery rate metric (Mailgun 2025), which is exactly why most teams optimize the wrong number.
Three terms get confused constantly:
| Term | What it measures | Why it lies |
|---|---|---|
| Delivery rate | Sent minus hard bounces | A message in spam still counts as "delivered" |
| Inbox placement rate | Sent that land in primary inbox | The number that actually drives replies |
| Open rate | Recipient opened the email | Inflated by Apple Mail Privacy Protection and bot prefetches since 2021 |
Cold email deliverability tracks inbox placement, not delivery. If a vendor only reports "98% delivery rate" they are hiding the spam-folder problem.
You will need before starting the 7 steps:
- A secondary sending domain (e.g. getyolox.com if your brand is yolox.ai) — never burn your main domain for cold outbound
- DNS access at your registrar (Cloudflare, Namecheap, GoDaddy) — 10-minute task
- A Google Workspace or Microsoft 365 mailbox on the secondary domain
- 2-4 weeks of patience before you ramp volume — there is no shortcut around warmup
If you do not have a secondary domain yet, register one before continuing. Cold outbound on your primary domain is the single fastest way to permanently damage corporate email and your transactional flow.
If managing setup across multiple secondary domains feels heavy, our cold outreach AI agent automates the per-domain checks below. Either way, the steps stay the same.
Step 1: Pick and isolate a secondary sending domain
In this step you decide which domain will carry the cold outbound load — and you make sure it cannot damage your primary brand domain's reputation.
How to do it. Buy a domain that is a close cognate of your main one: if your brand is yolox.ai, register getyolox.com, tryyolox.com, or yolox-team.com. Point its MX records at Google Workspace or Microsoft 365. Set up a forwarding rule so replies land in a real inbox you check daily. Then set this domain's website to a simple 1-page redirect to your main brand site — empty domains look suspicious to spam filters.
Common error. Sending cold email from the same domain you use for billing receipts and customer support. Once that domain's reputation tanks (and it will, on the first list you scrape), your real customers stop receiving order confirmations. The fix is non-recoverable in the short term.
How to verify. Open a private browser tab. Visit your secondary domain — does it load a real page? Send a test email from the new mailbox to your personal Gmail. Does it arrive in the primary tab (not Promotions)? If both pass, continue.
Step 2: Set up SPF, DKIM, and DMARC correctly
This is the step where 90% of cold outreach fails before it begins. As of February 2024, Google and Yahoo require SPF, DKIM, and DMARC for any sender pushing more than 5,000 emails per day to consumer accounts (Mailgun · Yahoogle Bulk Sender chapter). Below that threshold the rules are softer, but inbox placement still collapses without all three records.
Set up SPF. SPF tells receiving servers which IPs are allowed to send mail for your domain. In your DNS provider, add a TXT record at the root:
Type: TXT
Host: @
Value: v=spf1 include:_spf.google.com ~all
For Microsoft 365 use include:spf.protection.outlook.com. Never publish more than one SPF record — multiple records invalidate each other.
Set up DKIM. DKIM cryptographically signs each outbound message. In Google Workspace, go to Admin → Apps → Google Workspace → Gmail → Authenticate email, then generate a 2048-bit DKIM key. Google gives you a TXT record with host like google._domainkey. Paste it into DNS, wait 48 hours, then click "Start authentication." DKIM is non-optional — Postmaster Tools only reports reputation for DKIM-authenticated mail (Google Workspace Admin docs).
Set up DMARC. DMARC tells receivers what to do when SPF or DKIM fails — and gives you reports on who is sending mail using your domain. Start at p=none to collect data without disrupting delivery:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]; pct=100
After 2-4 weeks of clean reports, move to p=quarantine and eventually p=reject. Only 2.5% of all domains enforce p=reject (dmarcdkim.com 2026), so this single move puts you in the top 3% of sender hygiene.
Common error. Stopping at p=none forever. Monitoring-only DMARC does not block spoofers using your domain — and Gmail's spam filter increasingly favors senders with enforcement enabled. Schedule a calendar reminder to step up policy at week 4.
How to verify. Send a test message from your sending domain to [email protected]. The reply will list SPF, DKIM, and DMARC results. All three must show "pass."
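To catch the record mistakes described in this step before they reach DNS, here is an added example (not part of the original guide) that lints SPF and DMARC TXT strings offline; DKIM is not covered. The record sets and the rua address are constructed placeholders.

```python
import re

ALL_RE = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)

def lint_spf(root_txt):
    """Lint the TXT strings published at the domain root (Host: @)."""
    spf = [r for r in root_txt if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # RFC 7208: two v=spf1 records give a permerror, so SPF never passes.
        return [f"{len(spf)} SPF records published; merge them into one"]
    problems = []
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if ALL_RE.match(t)]
    if not all_terms:
        if not any(t.lower().startswith("redirect=") for t in terms):
            problems.append("no 'all' mechanism; unlisted hosts get a neutral result")
    else:
        qualifier = ALL_RE.match(all_terms[0]).group(1) or "+"
        if qualifier == "+":
            problems.append("'+all' authorizes every host on the internet")
        elif qualifier == "?":
            problems.append("'?all' is neutral; use ~all or -all")
    return problems

def lint_dmarc(dmarc_txt):
    """Lint the TXT strings published at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return [f"expected exactly one DMARC record, found {len(recs)}"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append(f"missing or invalid p= tag: {policy!r}")
    elif policy == "none":
        problems.append("p=none is monitoring only; spoofed mail is not blocked")
    if "rua" not in tags:
        problems.append("no rua= tag; aggregate reports will not be sent")
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']}: policy covers only part of the mail")
    return problems

# Constructed record sets (not real DNS answers); the rua address is a placeholder.
DUPLICATE_SPF = ["v=spf1 include:_spf.google.com ~all",
                 "v=spf1 include:spf.protection.outlook.com ~all"]
GOOD_SPF = ["v=spf1 include:_spf.google.com ~all", "site-verification=constructed"]
MONITOR_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"]
ENFORCED_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"]

if __name__ == "__main__":
    for label, recs in [("duplicate", DUPLICATE_SPF), ("good", GOOD_SPF)]:
        print("SPF", label, lint_spf(recs) or "ok")
    for label, recs in [("p=none", MONITOR_DMARC), ("p=reject", ENFORCED_DMARC)]:
        print("DMARC", label, lint_dmarc(recs) or "ok")
```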
Step 3: Warm up the domain over 3-5 weeks
In this step you build the sender reputation that Gmail and Yahoo use to decide whether to trust your new domain at all.
How to do it. A new domain with zero sending history looks identical to a spammer's burner domain. The fix is gradual ramp:
| Week | Daily volume cap | Activity mix |
|---|---|---|
| Week 1 | 5-10 emails/day | 100% replies to internal addresses, mark as important |
| Week 2 | 20-30 emails/day | 70% internal warmup, 30% real cold replies |
| Week 3 | 50-80 emails/day | 50% warmup, 50% real outreach |
| Week 4 | 100-150 emails/day | Mostly real cold; remove training wheels |
| Week 5+ | Scale to your target | Watch Postmaster Tools daily |
The 3-4 week ramp lines up with industry consensus — most authentication and reputation guides recommend 3-5 weeks before any meaningful cold volume (Skylead 2025 warmup guide).
Pro tip. Run warmup across 3-5 inboxes per domain rather than blasting from one. Distributing the load mimics how a real human team uses email and avoids the single-mailbox red flag spam filters look for.
Common error. Buying a warmup tool, setting it to "auto," and ramping to 200 emails/day in week 2. That pattern is exactly what a spam ring does. Slow is the only safe option.
How to verify. At the end of week 3, check Google Postmaster Tools' Spam Rate dashboard. If your rate is under 0.1% you are clear to start real cold outreach. Above 0.3% means pause and audit your list quality.
Step 4: Personalize each message above the threshold spam filters now flag
In this step you cross the line from "template" to "personalized," which is what modern engagement-based filters reward.
How to do it. Spam classifiers in 2025 weight engagement signals (replies, forwards, mark-as-important) heavily. Templates with first-name-only personalization no longer clear the bar. Each email needs one specific reference that proves a human wrote it: a LinkedIn post the prospect shared, a GitHub repo they commit to, a recent funding announcement, a podcast they were on.
Manual research is the bottleneck. Doing it well takes 5-10 minutes per prospect. At 50 prospects per day that is a full workday on research alone — which is why most teams skip it and tank deliverability.
Tool option. The Email Closer agent and cold outreach AI agent automate the research → draft loop for cold outreach. We use both internally for yolox's own pipeline. The DIY equivalent: open LinkedIn, scan the prospect's last 30 days of activity, pick one specific detail, and reference it in the opening line. Skip generic personalization tokens like {{firstName}} alone.
Common error. Pasting the prospect's company name into a template and calling it personalization. Spam filters see thousands of these exact-pattern messages per day. They are now a near-deterministic spam trigger.
How to verify. Read your draft out loud. If you could send the exact same body to 5 other prospects by swapping the company name, it is still a template. Rewrite one sentence to be unsendable to anyone else.
Step 5: Run content through the 7 cold-friendly rules
In this step you make sure the body of your email does not trip the content-based spam filters that operate in parallel to reputation filters.
Apply all 7 rules to every send. None are optional in 2026:
- Word count between 50-125 words. Short enough to read on mobile, long enough to be more than 1-line spam.
- Plain text only — no images, no logos, no fancy HTML. Cold email should look like a 1:1 message from a real person.
- One link maximum. Two or more links to external domains light up the spam classifier. If you need a meeting link and a brochure, drop the brochure.
- No unsubscribe link on first send. Yes, this is counterintuitive. Footer disclaimers signal "marketing automation" — and B2B cold (1:1) is legally exempt under CAN-SPAM. Add a 1-line "let me know if this isn't relevant and I will stop" instead.
- No emoji in subject lines. Subject-line emoji correlates strongly with promotional spam in classifier training data.
- Avoid spammy phrases. Common triggers in 2026 include "free trial," "act now," "100% guaranteed," "click here," "limited time." Run your subject through mail-tester.com before sending to a list.
- HTML signature ≤ 3 lines. Name + role + 1 link. No banner images, no quote, no calendar widget.
Common error. Designing cold email like it is a newsletter. Newsletter design conventions trigger every spam signal cold email needs to avoid.
How to verify. Send the email to mail-tester.com from your sending domain. Score must be 9/10 or higher. Anything under 8/10 means rewrite before scaling.
Step 6: Pick your testing stack (3 free, 1 paid worth it)
In this step you build the monitoring loop that tells you whether deliverability is holding before reply rates collapse.
The 3 free tools every cold sender needs:
| Tool | What it tests | Cost |
|---|---|---|
| mail-tester.com | Per-message spam score, SPF/DKIM/DMARC pass, link reputation | Free, 3 tests/day |
| Google Postmaster Tools | Spam rate, compliance status, encryption for your domain on Gmail | Free, requires 100+ daily sends to Gmail |
| MXToolbox SuperTool | Blocklist lookup across 100+ blocklists | Free |
The Postmaster Tools v1 reputation dashboards were retired in October 2025; the v2 interface now centers on the Compliance Status and Spam Rate dashboards (Google Workspace Admin Help). Watch the spam rate daily — anything above 0.3% triggers Gmail filtering and a cliff in inbox placement.
The one paid tool worth it. GlockApps runs seed-list inbox placement tests across 50+ ISP/folder combos — the only reliable way to see whether your message lands in Inbox, Promotions, or Spam at Gmail, Outlook, Yahoo, etc. Starts around $59/month. Worth it once you scale past 500 sends/day.
Common error. Only checking sent-to-yourself emails. Your own mailbox already trusts your domain — it is not a real deliverability signal. Use a fresh seed list or a third-party test tool.
How to verify. Set a weekly recurring calendar block: 10 minutes to check Postmaster Tools and run one mail-tester score. If you do not have this on the calendar, you will not do it.
Step 7: Run the 3-minute diagnostic when things go wrong
In this step you isolate the cause when reply rates suddenly drop or you suspect you have hit a blocklist.
Run these 3 checks in order:
- MXToolbox blocklist check. Plug your sending domain and IP into mxtoolbox.com/blacklists.aspx. If you are listed on Spamhaus, SORBS, or SpamCop, stop sending immediately and start a delist request. Most blocklists clear in 24-72 hours after you fix the underlying issue.
- Postmaster Tools Spam Rate trend. If spam rate jumped above 0.3% in the last 7 days, the issue is list quality or content — not infrastructure. Pause cold sends and re-verify your list with a tool like ZeroBounce.
- Authentication re-check. Run a message through [email protected] again. DNS changes silently break — a recent CDN migration or registrar change can null your SPF without warning.
Recovery playbook when reply rate has collapsed:
| Phase | Duration | Action |
|---|---|---|
| Phase 1 — Stop | Week 1 | Pause all cold sends. Send only internal warmup mail. |
| Phase 2 — Fix | Week 2 | Repair DNS, validate list, rewrite content. Audit every step 1-6. |
| Phase 3 — Ramp | Weeks 3-5 | Restart at 50 sends/day, double weekly to your previous volume. |
The instinct is to push through. Do not. Continuing to send while in spam jail teaches Gmail's filter that your domain is a persistent offender and the recovery window stretches from weeks to months.
Running this 3-minute diagnostic across 4 sending domains gets old fast. The yolox cold-email skill bundles the checks into one pass and produces a remediation list — useful when you are managing outbound at scale. The free tools above stay the right starting point.
Common errors and troubleshooting
Error 1: SPF passes but DKIM fails on every send
- Cause: DKIM record was added but the selector name in DNS does not match the one your ESP is signing with.
- Fix: In Google Workspace Admin, copy the exact host string from the DKIM page. Paste it as the DNS host without your domain appended — DNS providers add the domain automatically.
Error 2: Postmaster Tools shows "no data"
- Cause: You are sending fewer than 100 messages per day to Gmail, or DKIM is not authenticating (Mailgun · Postmaster Tools guide).
- Fix: Wait until you cross the 100/day threshold. If you are already there, verify DKIM with port25's checker.
Error 3: First emails landed fine, week 3 they all hit Promotions
- Cause: Engagement signals trended negative — low open rate, no replies, deletions without reading.
- Fix: Pause for 5 days. When you resume, send only to your highest-intent prospects (ones who recently visited your site, downloaded a resource, or replied to a teammate). Rebuild the engagement signal before scaling again.
Error 4: Yahoo and AOL bounce everything, Gmail is fine
- Cause: Yahoo is stricter than Gmail on DMARC alignment. Your DKIM domain probably does not match your From domain.
- Fix: In your ESP, set the DKIM signing domain to match your From domain exactly (not the ESP's default subdomain).
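The DKIM conditions in Error 1 and Error 4 can be read off the Authentication-Results header of a received test message. This added example (not part of the original guide) parses that header and reports a passing DKIM signature that does not align with the From domain. The message, the receiver name and the ESP domain are constructed, and relaxed alignment is approximated as noted in the code.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def parse_auth_results(msg):
    """Return [(method, result, {property: value})] from Authentication-Results."""
    header = " ".join(msg.get("Authentication-Results", "").split())
    header = re.sub(r"\([^)]*\)", "", header)      # drop (comments)
    clauses = []
    for clause in header.split(";")[1:]:            # element 0 is the authserv-id
        m = re.match(r"\s*([\w-]+)=(\w+)(.*)", clause)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            clauses.append((m.group(1).lower(), m.group(2).lower(), props))
    return clauses

def alignment(signing_domain, from_domain):
    """'strict' on exact match, 'relaxed' if one is a subdomain of the other.
    Simplification: real relaxed alignment compares organizational domains
    via the Public Suffix List, which this example does not load."""
    a = signing_domain.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    if a == b:
        return "strict"
    if a.endswith("." + b) or b.endswith("." + a):
        return "relaxed"
    return "none"

def diagnose(raw_message):
    """List authentication findings for one received test message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    clauses = parse_auth_results(msg)
    findings = []
    for method in ("spf", "dkim", "dmarc"):
        if not any(m == method and r == "pass" for m, r, _ in clauses):
            findings.append(f"{method}: no pass result")
    signed_by = [p.get("header.d") or p.get("header.i", "").rpartition("@")[2]
                 for m, r, p in clauses if m == "dkim" and r == "pass"]
    if signed_by and all(alignment(d, from_domain) == "none" for d in signed_by):
        findings.append(f"dkim: signed by {', '.join(signed_by)}, "
                        f"not aligned with From domain {from_domain}")
    return findings

# Constructed test message (not a real capture): DKIM passes, but for the
# ESP's own domain, so DMARC fails for the From domain.
MISALIGNED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.esp-mail.example.org;
 dkim=pass header.d=esp-mail.example.org header.s=s1;
 dmarc=fail header.from=getyolox.com
From: Sam <sam@getyolox.com>
To: seed@example.net
Subject: test

hello
"""
ALIGNED = (MISALIGNED.replace("header.d=esp-mail.example.org", "header.d=getyolox.com")
           .replace("dmarc=fail", "dmarc=pass"))

if __name__ == "__main__":
    for label, raw in [("misaligned", MISALIGNED), ("aligned", ALIGNED)]:
        print(label, diagnose(raw) or "ok")
```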
Error 5: Reply rate is healthy but Postmaster spam rate is climbing
- Cause: Recipients are clicking "Report spam" instead of replying with "stop." This is normal at scale — the fix is process, not infrastructure.
- Fix: Cut every prospect who has not engaged in 5+ touches. Hard. The marginal reply they might give you is not worth the inbox damage.
Quick recap
You shipped a 7-step cold email deliverability setup:
- Pick a secondary sending domain — protect your main brand
- Configure SPF + DKIM + DMARC — non-negotiable since Feb 2024
- Warm up over 3-5 weeks — slow ramp, mixed activity
- Personalize each message — one specific human reference per send
- Apply the 7 content rules — short, plain text, one link, no spam triggers
- Build a testing stack — Postmaster Tools + mail-tester weekly, GlockApps at scale
- Run the 3-minute diagnostic — when reply rate drops, isolate before you pivot
If you only have 5 minutes today, do Step 2. SPF, DKIM, and DMARC alone move most cold senders from sub-50% inbox placement to the 70-85% range. Everything else compounds on top.
Cold email deliverability is the floor. The ceiling is what you write once your inbox actually gets opened. The yolox sales agents library covers the next layer — personalization, follow-up sequencing, reply triage.
FAQ
Why are my cold emails going to spam?
The 3 most common causes, in order: (1) missing or broken DKIM authentication — fix with Step 2 above; (2) sending volume ramped too fast on a new domain — warmup over 3-5 weeks instead; (3) content trips spam filters (too many links, image-heavy HTML, emoji in subject). Run a message through mail-tester.com — anything under 9/10 needs a rewrite before scaling.
How long does email warmup take?
Plan for 3-5 weeks on a brand-new domain. Established domains with prior sending history can compress to 1-2 weeks. The volume rule: start at 5-10 emails per day in week 1 and double weekly until you reach your target daily cap. Skipping warmup is the single highest-leverage way to permanently damage a new domain's reputation.
Can I send cold email from Gmail?
Technically yes, practically no. Standard Gmail has a 500 recipient/day cap and Google Workspace tops out at 2,000/day per user. More important, Gmail's stricter consumer-domain policies mean cold outreach from a @gmail.com address often fails DMARC alignment when forwarded. Always send cold outreach from a custom domain on Google Workspace or Microsoft 365, never from a @gmail.com mailbox directly.
What is a good open rate for cold email?
Cold email open rates typically land between 20-40% in 2025 (SalesCaptain 2025 benchmark) — but open rates lie now. Apple Mail Privacy Protection and email-protection bots inflate the number by 10-20 points. Track reply rate instead. Healthy B2B cold reply rates run 3-5% average, with top performers above 10% (Apollo Technical 2026).
Do I need a separate domain for cold email?
Yes. Always. Cold outreach will degrade the sending domain's reputation over time — that is a feature of how spam filters learn, not a sign of bad execution. Run cold outbound on a secondary domain that you treat as disposable. If the secondary's reputation eventually tanks, you buy another one for $12 and move on. Your primary domain stays clean for transactional, contractual, and customer-facing email.
How does cold email deliverability relate to AI search visibility?
Adjacent but distinct. Email reputation lives in DNS records and engagement signals; AI visibility lives in your published content. Both reward technical hygiene. The same discipline pays off in getting cited by AI Overview on the inbound side.
Verified May 2026. Stats and standards: Mailgun State of Email Deliverability 2025, EasyDMARC 2025 Adoption Report, Google Workspace Postmaster Tools docs, Google + Yahoo bulk sender rules · Mailgun, SalesCaptain 2025 benchmark, Apollo Technical 2026, Skylead 2025 warmup guide, dmarcdkim.com adoption tracker.
