You can write the best cold email in the world. Perfect subject line. Personalized opener that references a real trigger event. Clear CTA. And none of it matters if the email lands in spam.
Deliverability is the invisible foundation of cold outreach. When it works, you don't notice it. When it fails, nothing else you do compounds โ your cold email strategy, your personalization, your follow-up sequence all run on a broken track. Most cold email campaigns that "don't work" actually have a deliverability problem, not a copywriting problem.
This guide covers the full deliverability stack: why emails land in spam, how to set up authentication correctly, the domain warming protocol that builds sender reputation, content triggers to avoid, and how to monitor everything once you're sending at volume.
Why Cold Emails Land in Spam
Email providers โ Gmail, Outlook, Yahoo โ use hundreds of signals to decide whether an email reaches the inbox or gets buried. Four categories account for most cold email spam issues:
Authentication failures. If your domain doesn't have SPF, DKIM, and DMARC records configured correctly, email providers treat your messages as potentially spoofed. In 2024, Google and Yahoo started requiring DMARC for all bulk senders. In 2026, that requirement is effectively universal. Missing authentication doesn't just lower your deliverability โ it can get your domain blacklisted entirely.
Domain reputation. Every sending domain has a reputation score that email providers track over time. A new domain with no send history has no reputation โ which is almost as bad as a negative one. Sending 200 cold emails on day one of a new domain is the fastest way to get flagged. ISPs see a sudden volume spike from an unknown sender and assume the worst.
Content triggers. Spam filters scan email content for patterns associated with spam: excessive links, certain phrases ("act now," "limited time," "100% free"), all-caps subject lines, image-heavy emails with little text, and HTML formatting that looks like a marketing blast. Cold emails that read like newsletters or promotions trip these filters even when the sender is legitimate.
Engagement signals. After 2024's sender requirements update, engagement-based filtering became the primary signal. If recipients consistently delete your emails without reading them, mark them as spam, or never reply โ ISPs learn that your emails aren't wanted. Low open rates and high spam complaint rates create a feedback loop: poor engagement leads to worse placement, which leads to even poorer engagement.
The deliverability game changed in 2024-2025. Authentication went from "best practice" to "requirement." Engagement signals now outweigh content signals. The senders who adapted are landing in inboxes. The ones who didn't are wondering why their reply rates collapsed.
The Deliverability Stack: SPF, DKIM, and DMARC
These three DNS records are the foundation. Without all three, you're sending cold emails with one hand tied behind your back. Here's what each does and how to set them up.
SPF (Sender Policy Framework)
SPF tells receiving servers which IP addresses are authorized to send email on behalf of your domain. Without it, anyone can send email pretending to be you โ and email providers know that.
Add this as a TXT record on your domain's DNS. Replace the include: values with whichever email services you actually use (Google Workspace, SendGrid, Mailgun, etc.). The ~all at the end means "soft fail" anything not on the list โ use -all for strict enforcement once you're confident everything is configured.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every outgoing email that proves it wasn't tampered with in transit. Your email provider generates a public/private key pair โ the public key goes in your DNS, the private key signs each email.
Most email providers (Google Workspace, Microsoft 365) have a setup wizard that generates the record for you. Copy it into your DNS exactly โ DKIM is sensitive to formatting. Verify it's working with a test email to mail-tester.com or similar.
DMARC (Domain-based Message Authentication)
DMARC ties SPF and DKIM together and tells receiving servers what to do when an email fails authentication: nothing (monitor), quarantine it, or reject it outright.
Start with p=none (monitor mode) for the first two weeks. This lets you see DMARC reports without affecting delivery. Once you've confirmed SPF and DKIM are passing consistently, move to p=quarantine and eventually p=reject. The rua= tag sends aggregate reports to your email so you can monitor authentication results.
| Record | Purpose | Without It | Setup Time |
|---|---|---|---|
| SPF | Authorizes which servers can send as your domain | Emails look spoofed | 5 min |
| DKIM | Proves emails weren't altered in transit | No integrity verification | 10 min |
| DMARC | Policy for handling failed auth + reporting | Required by Gmail/Yahoo since 2024 | 5 min |
Domain Warming Protocol
A new domain (or one that hasn't sent email in months) has no sender reputation. Sending at full volume immediately is the single most common deliverability mistake in cold email. ISPs flag sudden volume from unknown senders as spam-like behavior โ because that's exactly what spammers do.
Domain warming builds reputation gradually by sending a small, increasing number of emails over 2-3 weeks. The goal is to demonstrate legitimate sending patterns before you scale.
14-Day Warming Schedule
| Day | Emails/Day | Target | Notes |
|---|---|---|---|
| 1-2 | 5 | Known contacts who will reply | Friends, colleagues โ people who open + reply |
| 3-4 | 10 | Warm contacts, newsletter signups | Encourage replies; engagement signals matter |
| 5-7 | 20 | Mix of warm and cold prospects | Monitor bounce rate โ should be under 3% |
| 8-10 | 35 | Cold prospects (verified emails only) | If bounce rate spikes, pause and verify your list |
| 11-14 | 50 | Full cold outreach | Steady-state volume; don't jump past 50/day/domain |
Critical rules during warming:
- Only send to verified email addresses. Bounces during warming destroy reputation faster than anything else. Use an email verification service before sending a single email.
- Space sends throughout the day. Sending 20 emails in 2 minutes looks automated. Sending 20 emails over 8 hours looks human.
- Encourage replies. Early engagement signals are disproportionately important. Ask questions that prompt replies โ ISPs weight reply signals heavily.
- Use a separate domain for cold outreach. Never send cold emails from your primary business domain. Use a variant (e.g.,
trydealfox.cominstead ofdealfox.app). If the cold domain gets flagged, your primary domain is protected.
Content Optimization: Avoiding Spam Triggers
Even with perfect authentication and a warmed domain, your email content can still trip spam filters. Here's what to watch for.
Spam Trigger Words
These phrases don't guarantee spam placement, but they increase your spam score โ especially when combined with other risk factors. Avoid them in subject lines entirely, and minimize them in body copy:
-
Sales pressure phrases: "Act now," "Limited time offer," "Don't miss out," "Exclusive deal," "Order now"
-
Free/money language: "100% free," "No cost," "Save $$$," "Double your revenue," "Make money fast"
-
Clickbait patterns: "You won't believe," "This one trick," "Secret method," "Guaranteed results"
-
Formatting red flags: ALL CAPS subject lines, excessive exclamation marks!!!, colored/oversized fonts, image-only emails
Text-to-Link Ratio
Spam filters flag emails with too many links relative to text content. For cold emails, stick to one link maximum โ your CTA or calendar link. Two links is acceptable. Three or more and you're playing with fire, especially on a newer domain. Every link is a signal to the spam filter that this might be a marketing email.
Personalization Impact on Deliverability
Personalization isn't just a reply rate strategy โ it's a deliverability strategy. Identical emails sent to a large list are the textbook spam pattern. When every email has a unique opening line, unique references, and unique structure, spam filters can't pattern-match them into a bulk template. AI-generated personalized cold emails are inherently more deliverable than generic templates because each one is structurally unique.
The best deliverability hack isn't technical โ it's writing emails that people actually want to read. High reply rates, low spam complaints, and genuine engagement signals tell ISPs your emails belong in the inbox.
Monitoring and Troubleshooting
You can't fix what you can't see. Set up monitoring before you start sending at volume, not after deliverability tanks.
Tools to Check Domain Health
| Tool | What It Checks | Cost |
|---|---|---|
| MXToolbox | DNS records, blacklists, SPF/DKIM/DMARC validation | Free |
| Mail-tester.com | Spam score for individual emails (send a test, get a score) | Free (3/day) |
| Google Postmaster | Domain reputation, spam rate, authentication results for Gmail | Free |
| Blacklist checkers | Whether your domain/IP appears on major blacklists (Spamhaus, Barracuda, etc.) | Free |
Bounce Rate Thresholds
Bounce rates are the canary in the coal mine. Track them obsessively:
- Under 2%: Healthy โ your list is clean and your domain is in good standing.
- 2-5%: Warning โ verify your email list immediately. Some addresses are stale or invalid.
- Over 5%: Critical โ stop sending. Clean your entire list with a verification service. Sending with a 5%+ bounce rate actively damages your domain reputation.
Spam complaint rate should stay under 0.1% (Google's threshold). If more than 1 in 1,000 recipients mark you as spam, Google will start routing your emails to junk. Monitor this in Google Postmaster Tools.
How DealFox Handles Deliverability
Deliverability isn't optional โ it's built into the send infrastructure. Here's what DealFox does automatically so you don't have to think about it:
-
1
Built-in rate limiting
50 emails per day hard cap per sending account, with 30-second intervals between sends. No accidental volume spikes that trigger ISP flags. The queue processes continuously in the background โ you set it and DealFox paces it.
-
2
AI-generated unique content
Every email is generated per-prospect with AI โ unique subject lines, unique openers, unique body copy. Spam filters can't pattern-match your sends into a bulk template because every email is structurally different. This is the deliverability advantage of AI over template-based tools.
-
3
Automated follow-up sequencing
Follow-ups are threaded on the original email (via Gmail threadId), spaced 2-3 days apart, and auto-cancelled when a prospect replies. No double-sending, no follow-ups to people who already responded, no manual tracking.
-
4
Reply detection and auto-cancellation
DealFox polls for replies every 15 minutes and immediately cancels pending follow-ups for anyone who responds. This prevents the worst deliverability signal: continuing to email someone who already told you they're not interested.
See DealFox's deliverability in action โ no signup
Generate a personalized cold email in 5 seconds. See the AI output quality, the unique-per-prospect formatting, and the send pacing that keeps you in the inbox.
Try the AI Email Writer Free โNo account required ยท No credit card ยท No sales call
Pre-Send Deliverability Checklist
Run through this before every campaign. Skipping any step is how deliverability problems start โ and by the time you notice, the damage to your domain reputation is already done.
-
SPF record published โ Verify with MXToolbox that your SPF record is valid and includes all sending services.
-
DKIM signing active โ Send a test email to mail-tester.com and confirm DKIM passes.
-
DMARC policy set โ At minimum
p=nonewith reporting. Move top=quarantineonce stable. -
Sending domain warmed โ 14+ days of graduated volume, starting at 5/day. Don't skip this.
-
Email list verified โ Run every address through a verification service. Target <2% bounce rate.
-
Content checked for spam triggers โ No all-caps, no excessive links, no pressure language in subject line.
-
One link maximum โ Calendar link or CTA. Not both. Definitely not three.
-
Personalization per prospect โ Every email should be unique. Identical batches are the fastest path to spam.
-
Unsubscribe mechanism โ Required by law (CAN-SPAM, GDPR). Include a one-click unsubscribe or reply-to opt-out.
-
Test email sent โ Send yourself a test to Gmail, Outlook, and Yahoo. Check it lands in the primary inbox, not promotions or spam.
-
Monitoring active โ Google Postmaster Tools connected. Bounce rates tracked per campaign. Spam complaint rate visible.
The Bottom Line
Deliverability isn't a set-it-and-forget-it problem. It's an ongoing discipline that compounds โ good sending practices build reputation over time, and bad practices erode it faster than you'd expect. One bad campaign can tank a domain that took weeks to warm.
The sequence matters: authentication first (SPF, DKIM, DMARC), then domain warming, then content optimization, then monitoring. Skip a step and you're building on a broken foundation โ the same pattern that makes most cold email campaigns fail before the copy is even read.
If you're starting from scratch, budget two weeks for setup and warming before you send a single campaign email. If you're already sending and seeing poor results, audit authentication and domain reputation first โ most "bad copy" problems are actually deliverability problems in disguise. The complete cold email guide covers the strategy layer that sits on top of this foundation.