Cold Email Deliverability: DNS, SPF, DKIM, DMARC
Your emails either reach the inbox or they don't. Everything in your outbound campaign depends on this.
Deliverability Is Infrastructure
Perfect cold email, perfect ICP, perfect timing. None of it matters if the email lands in spam. Target 90%+ inbox placement. Below 80%: you have an infrastructure problem. Below 60%: you're burning domains and need to stop sending immediately.
Deliverability is binary at scale. If you send 500 emails per day at 90% inbox placement, 450 reach the prospect. At 60% placement, only 300 reach. That 150-email gap compounds daily. Over a month, it's 4,500 missed contacts. At a 3% meeting rate, that's 135 lost meetings per month from the same campaign. Fix deliverability before you touch copy, targeting, or timing. See the warm-up guide for the companion piece on getting new domains ready.
SPF (Sender Policy Framework)
SPF is a TXT record in your DNS that lists which mail servers are authorized to send email from your domain. When a receiving server gets your email, it checks SPF to confirm the sending server is allowed.
Setup: One SPF record per domain. Multiple includes within a single record: v=spf1 include:_spf.google.com include:spf.instantly.ai ~all. The ~all softfail means non-listed servers get flagged but not rejected. Move to -all (hardfail) after you've confirmed all legitimate senders are included.
The 10-lookup limit: SPF allows a maximum of 10 DNS lookups. Each include: counts as one lookup, and nested includes within those count too. Google Workspace alone uses 3-4 lookups. Add Instantly, Smartlead, and a marketing email tool and you'll hit the limit. When you go past 10, SPF breaks silently and all your emails fail authentication.
Fix: SPF flattening. Services like AutoSPF ($5/month per domain) or manually resolving includes to IP addresses eliminate nested lookups. Check your current lookup count with MXToolbox's SPF lookup tool before adding new services.
Common mistake: Multiple SPF records. If you add a second TXT record starting with v=spf1 instead of merging into the existing one, both records become invalid. This is the single most common DNS error in cold outbound setups. Always merge, never add a second record.
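The lookup limit and the duplicate-record mistake can both be checked mechanically. The following is an added example, not code from any of the tools named here: it counts worst-case lookups the way RFC 7208 defines them (the include, a, mx, ptr and exists mechanisms plus the redirect modifier) and rejects any domain with more than one SPF record. The zone data and all domain names are constructed so it runs offline; macros are not handled.

```python
import re

LIMIT = 10  # RFC 7208: at most 10 DNS-querying terms per SPF evaluation
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms, following include/redirect."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:  # none, or the "second SPF record" mistake
        raise ValueError(f"{domain}: {len(records)} SPF records, need exactly 1")
    total = 0
    for term in records[0].lower().split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)[:=]?(.*)", term)
        if not m:
            continue  # unparseable term; a strict checker would flag it
        name, arg = m.groups()
        if name in QUERYING:
            total += 1
        if name in ("include", "redirect"):
            total += spf_lookups(arg, zone, path + (domain,))
    return total

def audit(domain, zone):
    """Return (lookup_count, verdict) for one sending domain."""
    try:
        n = spf_lookups(domain, zone)
    except ValueError as exc:
        return None, f"permerror: {exc}"
    return n, "ok" if n <= LIMIT else "permerror: over lookup limit"

# Constructed TXT data standing in for live DNS answers (hypothetical names).
LEAF = ["v=spf1 ip4:192.0.2.0/24 ~all"]
NESTED = ["v=spf1 include:_n1.example include:_n2.example include:_n3.example ~all"]
ZONE = {
    "_n1.example": LEAF, "_n2.example": LEAF, "_n3.example": LEAF,
    "_spf.a.example": NESTED, "_spf.c.example": NESTED, "_spf.b.example": LEAF,
    "ok.example": ["site-verification=constructed",
                   "v=spf1 include:_spf.a.example include:_spf.b.example ~all"],
    "busy.example": ["v=spf1 include:_spf.a.example include:_spf.b.example "
                     "include:_spf.c.example mx a ~all"],
    "dup.example": ["v=spf1 include:_spf.a.example ~all",
                    "v=spf1 include:_spf.b.example ~all"],
}

if __name__ == "__main__":
    for d in ("ok.example", "busy.example", "dup.example"):
        print(d, audit(d, ZONE))
```

To audit a real domain, replace ZONE with a mapping built from live TXT answers; the counting logic stays the same.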
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every outgoing email. The receiving server checks this signature against a public key stored in your DNS. If the signature matches, the email hasn't been tampered with in transit.
Google Workspace setup: Admin Console, then Apps, then Gmail, then Authenticate email. Generate a 2048-bit key. Google gives you a TXT record to add to DNS. After adding it, return to the Admin Console and click "Start authentication." The record takes 24-48 hours to propagate.
Microsoft 365 setup: Microsoft Defender, then Email authentication, then DKIM. Select your domain and enable signing. Microsoft generates the CNAME records. Add them to your DNS provider.
Multiple DKIM records are OK (unlike SPF). Each service gets its own DKIM selector. Google uses google._domainkey, Instantly uses its own selector. They don't conflict.
Key rotation: Rotate DKIM keys every 6-12 months. Google Workspace makes this easy: generate a new key in the Admin Console and update the DNS record. Old keys stop working 48 hours after you switch. Mark a calendar reminder.
DMARC
DMARC tells receiving servers what to do when SPF and DKIM fail. It also sends you reports about who is sending email from your domain (including spoofers).
Phase 1 (monitoring): v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. This collects data without affecting delivery. Run for 2-4 weeks to see which services send from your domain and whether SPF/DKIM pass for all of them.
Phase 2 (quarantine): p=quarantine after you've confirmed all legitimate senders pass. Failed emails go to spam instead of inbox. This catches spoofers without blocking legitimate mail.
Phase 3 (reject): p=reject for your primary business domain. Failed emails get rejected outright. Don't apply this to cold outbound domains until you've verified everything works perfectly. A misconfigured reject policy blocks your own emails.
Report parsing: Raw DMARC reports are XML and unreadable. Use dmarcly.com ($7.99/month), EasyDMARC (free tier available), or Postmark's free DMARC tool. These show you which emails pass/fail and from which IP addresses. Check weekly during the first month, then monthly.
Custom Tracking Domains
Outbound tools like Instantly, Smartlead, and Lemlist track opens and clicks through redirect URLs. By default, these use shared tracking domains that hundreds of other senders also use. If one of those senders gets blacklisted, the shared domain's reputation drags yours down.
Setup: Create a CNAME record for each sending domain pointing to your outbound tool's tracking server. For Instantly: track.yourdomain.com CNAME custom.instantly.ai. For Smartlead: track.yourdomain.com CNAME custom.smartlead.ai. Each domain gets its own tracking subdomain.
Why this matters: Custom tracking domains isolate your reputation. If another sender on a shared domain gets blacklisted, it doesn't affect you. This is a 5-minute setup that prevents deliverability disasters you cannot control.
Inbox Placement Optimization
Plain text over HTML. Cold emails that look like personal messages land in the inbox. HTML newsletters with images and styled formatting land in Promotions or spam. Use plain text for all cold outbound. Save HTML for marketing emails to opted-in lists.
One link maximum. Multiple links trigger spam filters. Include one link: either your calendar or your website. Not both. No link is even better for the first email in a sequence. Ask a question instead of including a CTA link.
No URL shorteners. bit.ly, tinyurl, and similar services are used heavily by spammers. Using them in cold email is a deliverability penalty. Use full URLs or custom tracking domains.
Subject line formatting: 3-5 words. Lowercase or sentence case. No punctuation except a question mark. Subject lines that look like internal emails outperform marketing-style subjects by 2-3x in open rate. Good: "quick question about [topic]." Bad: "Unlock Your Sales Potential with Our Platform!"
Consistent daily volume. Spikes in sending volume trigger spam filters. If you normally send 50/day and suddenly send 200, providers flag it. Ramp gradually. Space sends throughout the day (not all at 9 AM). Most outbound tools handle scheduling natively.
Verify every email before sending. Bounce rates above 3% damage sender reputation. Above 5%: stop sending immediately and clean your list. Verification costs $0.003-0.005 per email. At 500 emails, that's $1.50-2.50 to prevent deliverability damage that costs weeks to recover from.
Monitoring Stack
Google Postmaster Tools (free): Domain reputation, spam rate, IP reputation, DKIM/SPF/DMARC pass rates for Gmail. Required for any cold outbound operation. Takes 10 minutes to set up. Check weekly.
GlockApps ($59/month): Send test emails to seed addresses at Gmail, Outlook, Yahoo, and corporate providers. See exactly where your email lands: inbox, spam, promotions, or blocked. Run before launching a new campaign and weekly during active sends.
MXToolbox (free): Blacklist monitoring across 100+ blacklists. IP and domain checks. SPF/DKIM/DMARC validation. Bookmark the lookup page and check your sending domains weekly.
DMARC reporting: Your DMARC report parser shows authentication pass/fail rates and unauthorized senders. Check weekly during the first month of a new domain, monthly afterward.
Your outbound tool's dashboard: Open rates, bounce rates, reply rates, unsubscribe rates. If open rates drop below 30% suddenly, it's a deliverability issue, not a copy issue. If bounce rates spike above 3%, stop and investigate.
Recovery Playbooks
Blacklisted domain: Stop all sending immediately. Identify which blacklist(s) through MXToolbox. Submit delisting requests (most process in 24-72 hours). Pause the domain for 7-14 days after delisting. Resume with warm-up only. Re-introduce cold sends after 95%+ inbox placement for 7 consecutive days.
Inbox placement drops (below 80%): Reduce sending volume by 50%. Audit all DNS records (SPF, DKIM, DMARC). Check for content issues (spammy words, too many links). Run GlockApps test. Fix identified issues. Ramp volume back up over 2 weeks.
Bounce rate spike (above 5%): Stop sending immediately. The data is bad. Re-verify your entire send list. Remove all bounced, invalid, and catch-all addresses. Check your enrichment source: if a specific provider's data is bouncing, remove their results and replace via your waterfall. Resume only after re-verification shows under 2% estimated bounce rate.
Domain burned (consistent sub-50% placement): Retire the domain permanently. Don't try to recover it. The recovery process takes 4-6 weeks and often fails. Buy a new domain, warm it up for 3-4 weeks, and migrate. See the infrastructure guide for domain replacement.
Deliverability Tool Costs
Google Postmaster Tools (free): Required for any cold outbound operation. Shows domain reputation, spam rate, IP reputation, and authentication pass rates for Gmail. Takes 10 minutes to set up. No reason not to use it.
GlockApps ($59/month Starter): Inbox placement testing across Gmail, Outlook, Yahoo, and corporate providers. Send test emails to seed addresses and see exactly where they land. Run before every new campaign launch and weekly during active sends. The $59/month prevents deliverability problems that cost thousands in lost pipeline.
MXToolbox (free): Blacklist monitoring, DNS validation, SPF/DKIM/DMARC checks. The free tier covers everything most teams need. Pro ($129/month) adds automated monitoring with alerts, worth it if you manage 10+ sending domains.
Mail-tester.com (free, 3 tests/day): Send a test email to their address and get a deliverability score with specific fix recommendations. Perfect for quick pre-launch checks. Limited to 3 tests per day on the free tier.
EasyDMARC (free tier available): DMARC report parsing and monitoring. The free tier handles one domain. Paid tiers ($24.99/month+) support multiple domains with aggregate reporting. Better UX than reading raw XML reports.
AutoSPF ($5/month per domain): SPF flattening service that resolves the 10-lookup limit. If you have 4+ services sending from a single domain, the $5/month prevents SPF failures that break authentication silently.
Common Deliverability Mistakes
Sending from your primary domain. If you send cold email from yourbrand.com and it gets flagged, your company's regular business email suffers. Always use separate sending domains (getyourbrand.com, yourbrandhq.com) for cold outbound. Protect your primary domain at all costs.
Volume spikes. Jumping from 50 emails/day to 300 in one day triggers every spam filter. Ramp volume by 20-30% per week maximum. If you need to send a large batch urgently, spread it across multiple domains and multiple days.
Ignoring catch-all domains. Catch-all domains accept all emails regardless of whether the address exists. Your verification tool flags them as "accept-all" rather than "valid." Sending to catch-all domains produces unpredictable bounce rates. Route catch-all addresses to a LinkedIn-only outreach track instead of email sequences.
Shared tracking domains. The default tracking domain on Instantly, Smartlead, and Lemlist is shared with thousands of other senders. If one of them spams, the shared domain gets flagged and your tracking links get blocked. Set up custom tracking domains for every sending domain. It takes 5 minutes each.
Not monitoring spam complaints. Google triggers filtering at 0.3% complaint rate. At 500 emails/day, that is just 1.5 complaints. One bad day with irrelevant targeting can push you over the threshold. Monitor daily during active campaigns. If complaints spike, pause and audit your targeting before the damage compounds.
Deliverability Checklist
Run through this before sending any cold email campaign:
1. SPF record configured with all sending services merged into one TXT record.
2. DKIM 2048-bit key generated and DNS record added.
3. DMARC record set (start with p=none for monitoring).
4. Custom tracking domains configured for every sending domain.
5. Google Postmaster Tools verified for all sending domains.
6. GlockApps test showing 90%+ inbox placement.
7. MXToolbox blacklist check clean on all sending IPs and domains.
8. Email list verified with bounce rate under 2%.
9. Warm-up running at 20-30/day per mailbox alongside cold sends.
10. Daily volume limits set per mailbox (50-75 cold/day maximum).
11. Plain text format, one link maximum, no URL shorteners.
12. Unsubscribe mechanism in every email signature.
Frequently Asked Questions
Most common DNS mistake?
Multiple SPF records. Each domain allows one SPF TXT record. Merge into single record with multiple includes. Use MXToolbox to validate.
How to check if emails land in spam?
GlockApps or mail-tester.com. Send to seed addresses across providers. Run weekly during warm-up, monthly in production. Google Postmaster Tools for Gmail-specific data.
Can I fix deliverability after problems start?
Yes, but slowly. Pause sending 7-14 days. Run warm-up only. Resume at 25% volume. Full recovery: 2-4 weeks. Request blacklist delisting individually.
Does content affect deliverability?
Yes. Plain text outperforms HTML for cold outbound. One link max. No URL shorteners. No images. Short subjects (3-5 words). Look like a human note, not a campaign.
What bounce rate is too high?
Keep under 3% total. Hard bounces under 1%. Above 5%: stop immediately, clean list. Cause is almost always bad data.
Source: State of GTM Engineering Report 2026 (n=228). Salary data combines survey responses from 228 GTM Engineers across 32 countries with analysis of 3,342 job postings.