The Ultimate Cold Email Deliverability Checklist (2026)
TL;DR
This checklist covers 25 actionable items across five categories: domain setup, DNS authentication, mailbox warmup, content and sending practices, and ongoing monitoring. Complete every item before launching a cold email campaign. Skip any one of them and you risk landing in spam.
Print this page. Bookmark it. Use it every time you spin up new infrastructure.
Why a Checklist Matters
Cold email deliverability is not a single setting you toggle on. It is the cumulative result of dozens of technical configurations, sending behaviors, and monitoring practices working together. Miss one critical step — an SPF record, a warmup phase, a DMARC policy — and the entire system underperforms.
The difference between 90% inbox placement and 40% inbox placement is usually not one big mistake. It is three or four small oversights compounding. This checklist ensures nothing falls through the cracks.
Section 1: Domain Setup (Items 1-5)
1. Purchase secondary domains — never send from your primary
Your primary business domain (yourcompany.com) is your brand’s email reputation. One spam complaint wave from a cold campaign can damage deliverability for your transactional emails, customer support, and internal communications. Always use secondary domains for outbound.
Action: Buy 2-5 secondary domains that are recognizable variations of your brand (e.g., getyourcompany.com, yourcompanyhq.com).
2. Choose reputable TLDs
Stick with .com as your first choice. Email providers maintain internal trust scores by TLD, and .com has the highest baseline. If .com is unavailable, .co and .io are acceptable alternatives for tech companies. Avoid .xyz, .click, .online, and other cheap TLDs — they carry disproportionate spam association.
Action: Register .com domains through a reputable registrar (Google Domains, Namecheap, Cloudflare).
3. Let new domains age before sending
A domain registered yesterday has zero reputation history. Email providers treat it as an unknown entity and apply stricter scrutiny. Sending cold email from a brand-new domain is one of the fastest paths to spam.
Action: Wait at least 14 days after registration before sending any email. During this period, set up a basic landing page and ensure DNS records are configured.
4. Set up a basic website on each domain
An active website signals legitimacy. Email providers and spam filters check whether a domain resolves to a real website. A blank domain with no web presence looks like a throwaway domain set up purely for spam.
Action: Create a simple one-page site with your company name, a brief description of what you do, and basic contact information. It does not need to be elaborate.
5. Plan your domain-to-mailbox ratios
Each domain should host 3-4 sending mailboxes maximum. Each mailbox should send 30-50 emails per day. Exceeding these thresholds degrades reputation faster than you can recover it.
Action: Calculate your domain needs using the formula: Domains = Daily volume / (40 emails × 3 mailboxes). See our domain planning guide for detailed tier breakdowns.
Section 2: DNS Authentication (Items 6-10)
6. Configure SPF records
Sender Policy Framework (SPF) tells receiving servers which IP addresses are authorized to send email on behalf of your domain. Without SPF, any server can forge your domain in the “From” field, and providers will treat your legitimate emails with suspicion.
Action: Add a TXT record to your domain’s DNS. For Google Workspace: v=spf1 include:_spf.google.com ~all. For Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all. Use our SPF Checker tool to validate.
7. Set up DKIM signing
DomainKeys Identified Mail (DKIM) attaches a cryptographic signature to every outgoing email. The receiving server verifies this signature against a public key published in your DNS. DKIM proves the email was not tampered with in transit and that it genuinely came from your domain.
Action: Generate DKIM keys in your email provider’s admin console and publish the public key as a TXT or CNAME record in your DNS. Verify with our DKIM Checker.
8. Publish a DMARC policy
Domain-based Message Authentication, Reporting, and Conformance (DMARC) ties SPF and DKIM together. It tells receiving servers what to do when authentication fails and sends you reports about authentication results.
Action: Start with a monitoring-only policy: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. Once you confirm legitimate emails are passing, tighten to p=quarantine and eventually p=reject. Use our DMARC Checker to verify. Read our complete SPF, DKIM, and DMARC guide for detailed setup instructions.
9. Verify MX records
MX (Mail Exchange) records tell other servers where to deliver email for your domain. Incorrect or missing MX records can cause bounces and authentication failures.
Action: Confirm MX records point to your email provider (Google Workspace, Microsoft 365, or your SMTP service). Run our DNS Audit tool to check all records at once.
10. Avoid SPF record conflicts
SPF allows a maximum of 10 DNS lookups. Each include: directive counts as one lookup. Exceeding this limit causes SPF to fail entirely — meaning every email you send fails authentication.
Action: Audit your SPF record. Remove any include directives for services you no longer use. If you are close to the 10-lookup limit, consider using an SPF flattening service.
Section 3: Mailbox Warmup (Items 11-15)
11. Use a dedicated warmup service
Manual warmup — asking friends to exchange emails with you — does not scale and does not generate the consistent engagement patterns that providers look for. Automated warmup services exchange emails between pools of real mailboxes, generating opens, replies, and spam-folder rescues at scale.
Action: Connect your mailboxes to a warmup service before sending any cold email. Outspun’s warmup service handles this at ₹149/mailbox/month if you bring your own domains, or it is included in all managed plans.
12. Follow a gradual ramp schedule
Warmup is not instant. Jumping from 0 to 50 emails/day on a new mailbox is a red flag. Providers expect sending volume to build gradually over time, mimicking natural human behavior.
Action: Start at 5 emails/day and increase by 3-5 emails every 2-3 days. Reach your target volume (30-50/day) over 3-4 weeks. Use our Warmup Calculator to generate a custom schedule.
13. Warmup across both Google and Microsoft
If you only warm up with other Google Workspace accounts, your reputation with Microsoft stays cold (and vice versa). A balanced warmup touches both ecosystems.
Action: Ensure your warmup service includes mailboxes on both Google Workspace and Microsoft 365. Check that warmup emails land in both Gmail and Outlook inboxes.
14. Keep warmup running during active campaigns
Many operators make the mistake of stopping warmup once they start sending real campaigns. This is wrong. Warmup provides a baseline of positive engagement signals that offset the inevitable non-responses and spam markings from cold outreach.
Action: Run warmup continuously, even during active sending. Reduce warmup volume as real volume increases, but never turn it off completely.
15. Monitor warmup metrics
Not all warmup is created equal. If your warmup emails are landing in spam and not being rescued, the warmup is actively hurting your reputation instead of helping it.
Action: Check warmup dashboards weekly. Key metrics: inbox placement rate (should be 90%+), spam rescue rate, reply rate. If inbox placement drops below 85%, pause real sending and investigate.
Section 4: Content and Sending Practices (Items 16-21)
16. Verify your email lists before sending
Sending to invalid addresses generates hard bounces. A bounce rate above 2% is a strong negative signal to providers. Above 5%, you risk immediate blocklisting.
Action: Run every list through an email verification service before importing it into your sending tool. Remove invalid, catch-all, and role-based addresses (info@, admin@, sales@).
17. Personalize beyond first name
Spam filters in 2026 use content analysis that goes well beyond keyword matching. They evaluate whether an email looks templated versus genuinely personalized. Emails that are identical except for {{firstName}} trigger pattern detection.
Action: Include at least 2-3 personalization variables per email (company name, industry, recent news, specific pain point). Vary your opening lines across sequences.
18. Avoid spam trigger words and patterns
Certain words and formatting patterns correlate strongly with spam. Excessive capitalization, multiple exclamation marks, words like “free,” “guaranteed,” “act now,” and HTML-heavy formatting all increase spam scores.
Action: Write emails that read like a human wrote them to one specific person. Keep formatting simple — plain text or minimal HTML. Avoid images in cold emails (they increase spam score and many recipients block images by default).
19. Include an unsubscribe mechanism
Google’s 2024 sender guidelines (updated for 2026) require bulk senders to include a one-click unsubscribe option. This applies to anyone sending more than 5,000 emails per day to Gmail addresses. Even below that threshold, including an unsubscribe link reduces spam complaints because recipients have an alternative to hitting the spam button.
Action: Add an unsubscribe link to every cold email. Most sending platforms (Instantly, Smartlead, Lemlist) handle this automatically.
20. Limit daily volume per mailbox
This bears repeating because it is the single most violated rule in cold email. More than 50 emails per day from a single mailbox is the threshold where deliverability starts to degrade measurably.
Action: Set hard limits in your sending platform: 30-50 emails per mailbox per day. If you need more volume, add more mailboxes and domains — do not increase per-mailbox limits.
21. Space out your sends
Sending 40 emails in a 5-minute burst looks automated. Sending 40 emails spread across 8 hours looks human.
Action: Configure your sending platform to use randomized intervals. Aim for 3-8 minutes between sends. Enable sending windows that match business hours in your target timezone.
Section 5: Ongoing Monitoring (Items 22-25)
22. Check Google Postmaster Tools weekly
Google Postmaster Tools is the single most important monitoring tool for cold email senders. It shows your domain reputation, spam rate, authentication success rate, and delivery errors — directly from Google’s perspective.
Action: Register every sending domain in Google Postmaster Tools. Check weekly. If spam rate exceeds 0.1%, take action immediately. If it exceeds 0.3%, pause sending from that domain.
23. Monitor blacklist status
Real-time Blackhole Lists (RBLs) like Spamhaus, Barracuda, and SORBS maintain databases of known spam-sending domains and IPs. Getting listed on a major RBL can tank your deliverability across all providers simultaneously.
Action: Use a blacklist monitoring service to check your domains and IPs against major RBLs daily. Outspun’s monitoring service covers RBL checks, Postmaster Tools integration, and health alerts at ₹1,499 per 10 domains/month.
24. Track bounce rates by domain
Aggregate bounce rates hide problems. A 2% overall bounce rate might mean one domain is at 8% (dangerous) while the others are at 0.5% (healthy). You need per-domain visibility.
Action: Review bounce rates by domain weekly. Any domain above 3% bounce rate needs investigation — check if it has been blocklisted, if the list quality for that domain’s campaigns was poor, or if DNS records have changed.
25. Maintain a domain rotation schedule
Domains are not permanent assets. They have lifecycles. A domain might perform well for 3-6 months, then gradually decline. Having a rotation schedule ensures you always have fresh capacity coming online.
Action: Keep 15-20% of your domain portfolio in warmup at all times. When a domain’s reputation drops to “Low” in Google Postmaster Tools, move it to rest (stop sending) and bring a warmed replacement online. Review your entire domain portfolio monthly.
The Complete Checklist Summary
| # | Item | Category |
|---|---|---|
| 1 | Purchase secondary domains | Domain Setup |
| 2 | Choose reputable TLDs (.com) | Domain Setup |
| 3 | Age new domains 14+ days | Domain Setup |
| 4 | Set up basic website on each domain | Domain Setup |
| 5 | Plan domain-to-mailbox ratios | Domain Setup |
| 6 | Configure SPF records | DNS Authentication |
| 7 | Set up DKIM signing | DNS Authentication |
| 8 | Publish DMARC policy | DNS Authentication |
| 9 | Verify MX records | DNS Authentication |
| 10 | Avoid SPF record conflicts | DNS Authentication |
| 11 | Use dedicated warmup service | Mailbox Warmup |
| 12 | Follow gradual ramp schedule | Mailbox Warmup |
| 13 | Warmup across Google and Microsoft | Mailbox Warmup |
| 14 | Keep warmup running during campaigns | Mailbox Warmup |
| 15 | Monitor warmup metrics | Mailbox Warmup |
| 16 | Verify email lists before sending | Content & Sending |
| 17 | Personalize beyond first name | Content & Sending |
| 18 | Avoid spam trigger patterns | Content & Sending |
| 19 | Include unsubscribe mechanism | Content & Sending |
| 20 | Limit daily volume per mailbox | Content & Sending |
| 21 | Space out your sends | Content & Sending |
| 22 | Check Google Postmaster Tools weekly | Monitoring |
| 23 | Monitor blacklist status | Monitoring |
| 24 | Track bounce rates by domain | Monitoring |
| 25 | Maintain domain rotation schedule | Monitoring |
What Happens When You Skip Steps
To illustrate why every item matters, here are the three most common failure patterns we see:
Pattern 1: The DNS Shortcut. A team sets up SPF but skips DKIM and DMARC. Emails authenticate partially, which is worse than not at all in some cases — providers see a sender who started the authentication process but did not finish it, which can actually decrease trust.
Pattern 2: The Warmup Skip. A founder buys 5 domains, sets up DNS perfectly, and immediately starts sending 50 emails/day per mailbox. Within a week, all 5 domains are flagged. The infrastructure was technically correct but operationally premature.
Pattern 3: The Set-and-Forget. Everything is set up correctly, warmup is done, campaigns are running well. Three months later, deliverability has cratered. Why? Nobody was monitoring. A domain got listed on Spamhaus two months ago and nobody noticed. Bounce rates crept up because list hygiene was not maintained. Google Postmaster reputation dropped to “Low” six weeks ago.
All three patterns are preventable with this checklist.
Automate What You Can
Managing 25 items across multiple domains and mailboxes is operationally intensive. At scale (10+ domains), manual management becomes unsustainable. This is where automation and managed services earn their value.
Outspun’s managed infrastructure plans handle items 1-15 out of the box — domain provisioning, DNS configuration, and warmup are included. The monitoring layer (items 22-25) is available as an add-on or included in Growth and Agency plans. Content and sending practices (items 16-21) remain your responsibility, but they are the items that require human judgment rather than technical configuration.
Whether you manage everything yourself or use a service, the checklist stays the same. Every item matters. Complete all 25 before your first campaign send.