You can write the best cold email in the world, but if it lands in spam, none of it matters. Email deliverability is the ceiling on outbound: it caps how many of your messages a human ever sees, no matter how good your targeting or copy is. And since the major mailbox providers tightened their bulk-sender requirements, that ceiling has gotten lower for sloppy senders and higher for disciplined ones.
This is the cold sender's checklist for 2026: the rules that now apply, how to set up your sending infrastructure, why list quality is half the battle, and exactly what to verify before you press send.
Why deliverability is the real bottleneck
Most outbound teams obsess over copy and subject lines while ignoring the plumbing. But mailbox providers decide inbox-vs-spam before the recipient ever judges your writing. They look at how you authenticate, how people react to your past sends, and whether your sending behavior looks like a legitimate business or a blast cannon.
Get the plumbing wrong and your reply rate isn't low because of bad copy; it's low because half your emails never showed up. That's why deliverability work has the highest leverage of anything in outbound. Fix it once and every future campaign benefits.
It's also the part teams notice last. A bad subject line shows up as a low open rate you can see and fix. A deliverability problem hides: the dashboard says the email "sent," the recipient simply never sees it, and you spend weeks rewriting copy that was never the issue. Building the plumbing properly from the start saves you from chasing the wrong problem for months.
The bulk-sender requirements you can't skip
In 2024, Google and Yahoo rolled out shared requirements for bulk senders, and they're now simply the baseline expectation across providers. The headline rules:
- Authenticate with SPF, DKIM, and DMARC. All three. SPF and DKIM prove the mail is authorized and unaltered; DMARC ties them together and tells receivers what to do with failures. A published DMARC policy (even
p=noneto start) is now expected. - One-click unsubscribe. Marketing and bulk mail must support one-click list-unsubscribe per RFC 8058 (the
List-Unsubscribeheader plusList-Unsubscribe-Post), and you must process opt-outs promptly. - Keep your spam-complaint rate low. Google has guided senders to stay under roughly 0.3% complaints, and to never let it spike. Cross that and throttling or spam-foldering follows quickly.
These were framed around high-volume senders, but here's the practical reality: meeting them is now table stakes for anyone who wants to reach the inbox. There's no downside to authenticating properly and every downside to skipping it.
| Requirement | What it means | Why it matters |
|---|---|---|
| SPF | DNS record listing authorized senders | Proves the server may send for your domain |
| DKIM | Cryptographic signature on each message | Proves the mail wasn't altered in transit |
| DMARC | Policy tying SPF + DKIM to your domain | Tells receivers how to handle failures |
| One-click unsubscribe (RFC 8058) | Functional List-Unsubscribe header | Required for bulk; reduces complaints |
| Spam rate under ~0.3% | Complaint threshold to stay below | Above it, you get throttled or spam-foldered |
Domain and inbox setup
Authentication gets you in the door. Sending behavior keeps you there.
Use a separate sending domain. Never run cold outreach from your primary company domain. If a cold campaign tanks your reputation, you don't want it taking your real email and your team's deliverability down with it. Buy a lookalike domain (e.g. try-acme.com), authenticate it, and isolate the risk.
Warm up before you scale. A brand-new domain and inbox with zero history that suddenly sends hundreds of emails looks exactly like a spammer. Ramp gradually over a few weeks, building positive engagement, before you push real volume.
Keep volume sane per inbox. Spread sending across multiple inboxes rather than blasting from one. Lower per-inbox daily volume looks human and protects each mailbox's reputation. Many teams cap each inbox well below the limits and add inboxes to scale.
Personalize and keep it text-like. Heavy images, lots of links, and tracking pixels all nudge the spam filters. Plain, personalized, conversational mail performs best, which conveniently is also what gets replies. More on that in our guide to B2B cold email.
Mind your links and tracking. Every link you add is a small risk, and a brand-new domain used as a redirect or tracker can drag down the reputation of the email that contains it. For early sends, keep links minimal, avoid URL shorteners, and be cautious with open-tracking pixels, which some filters treat as a spam signal. Once the domain is warmed and trusted you have more room, but a young sender should stay lean.
Match content to audience size. A single, highly personalized email to ten people behaves very differently from the same template fired at ten thousand. Providers read the pattern. Smaller, well-targeted batches with genuine personalization look like the legitimate one-to-one business mail they're designed to deliver, which is another reason tight targeting helps deliverability and not just reply rates.
List quality is a deliverability feature
Here's the part most senders underrate: your list is part of your deliverability stack. Every email you send to a dead address is a hard bounce, and a high bounce rate is one of the fastest ways to wreck a young domain's reputation. Spam traps, recycled addresses, and role accounts make it worse.
Clean data fixes this at the source. When you start from a verified lead source and re-check the list before a big send, your bounce rate stays low, your engagement signals stay clean, and providers keep trusting your domain. Dirty data does the opposite, no matter how good your authentication is.
This is also why where you get your data matters. A database that validates every email and continuously refreshes stale records hands you a list that's already deliverability-friendly. Accuracy is the first thing to look for in any data source, because bad data is a deliverability problem disguised as a data problem.
A simple list-quality routine for senders:
- Pull from a verified source and export only valid contacts.
- Re-verify right before major campaigns. Data ages between pull and send.
- Segment risky addresses (accept-all, role-based) into a low-volume track.
- Suppress past bouncers and opt-outs permanently.
A pre-send checklist
Run this before every campaign. It takes minutes and saves domains.
| Check | What to confirm | Pass condition |
|---|---|---|
| SPF | Record published for sending domain | Passes on a test send |
| DKIM | Signing enabled and aligned | Valid signature |
| DMARC | Policy published | p=none or stricter, aligned |
| Sending domain | Separate from primary | Not your main domain |
| Warmup | Domain/inbox aged and ramped | Weeks of positive history |
| List verification | Re-checked recently | Bounce risk low |
| Suppression | Opt-outs and bouncers excluded | No known-bad addresses |
| Unsubscribe | One-click header present | RFC 8058 compliant |
| Volume | Per-inbox cap set | Sane daily limit |
| Content | Light on images/links | Plain, personalized |
If every row passes, you've removed the avoidable reasons to land in spam. What's left is targeting and copy, which is where your effort should go.
A note on order of operations: do the infrastructure work before you build the list, not after. Teams routinely scrape a few thousand contacts, fire off a campaign from an unauthenticated domain, watch it flop, and blame the data. The data was probably fine. The domain had no SPF record, no warmup, and no DMARC policy, so providers had no reason to trust it. Set up authentication and warmup first, then point a clean list at it. The sequence matters as much as the steps.
Monitoring: the numbers to watch
Deliverability isn't set-and-forget. Watch a few signals and react fast.
- Bounce rate. The early-warning metric. If it climbs past a few percent, stop and re-verify the list before you do more damage.
- Spam-complaint rate. Keep it well under the ~0.3% guidance. Use postmaster tools where available to monitor it.
- Reply and engagement rates. Positive engagement (opens, replies, "not spam") builds reputation; ignored mail erodes it. Falling replies can signal you're quietly being filtered, not just ignored.
- Open-rate cliffs. A sudden drop across a campaign often means a deliverability problem, not a copy problem. Investigate the plumbing first.
Track these per sending domain so a problem on one cold domain doesn't hide in a blended average.
A practical way to stay ahead of trouble is to set thresholds and react before a metric becomes a crisis. If bounce rate crosses a couple of percent, pause and re-verify rather than pushing the next batch. If replies on a domain quietly fall while everything else looks normal, assume filtering and test inbox placement with a few seed accounts across the major providers. The teams that keep good deliverability aren't the ones who never have problems; they're the ones who catch a slipping number early and slow down instead of doubling the volume. Treat your sending reputation like a credit score: easy to spend down in a bad week, slow to rebuild.
Frequently asked questions
Do the Google and Yahoo rules apply to cold outreach?
The 2024 requirements were aimed at bulk senders, but the practical answer is yes: SPF, DKIM, DMARC, one-click unsubscribe, and a low complaint rate are now the baseline for reaching the inbox at all. Treat them as mandatory regardless of your volume.
What spam-complaint rate is "too high"?
Google has guided senders to stay under roughly 0.3% and to never let it spike. Practically, aim far below that. Even occasional spikes hurt, so relevant targeting and easy unsubscribes matter as much as the headline number.
Should I really use a separate domain for cold email?
Yes. A cold campaign that damages reputation should never touch the domain your business and team rely on for real email. Use an authenticated lookalike domain, warm it up, and keep cold sending isolated.
How does list quality affect deliverability?
Directly. Dead addresses cause hard bounces, and a high bounce rate is one of the fastest ways to lose a domain's reputation. Starting from verified data and re-checking before sends keeps bounces low and engagement clean. See our email verification guide.
What's the single highest-leverage fix?
For most teams, it's authentication plus list cleanliness. SPF/DKIM/DMARC get you trusted; verified data keeps bounces low. Together they remove the two most common reasons cold mail lands in spam.
Leadriv feeds the top of this funnel: verified, continuously refreshed B2B contacts you can filter, score, and export clean, so your bounce rate stays low and your sending domain stays trusted. Build a list, re-verify before you send, and export one click to your own sequencer, from $29/month.
