The problem is that deliverability is not one thing. It is a system of overlapping technical configurations, behavioral signals, and content decisions that mailbox providers evaluate in real time. Miss one piece and your inbox placement drops. Miss several and you are effectively blacklisted.
This cold email deliverability checklist covers every layer of that system. We use it internally at Arvani Media to audit client setups before launching any campaign. Whether you run cold email in-house or work with an agency, this is the baseline you need to get right.
Work through all 15 items. If you can check every box, your infrastructure is solid. If you cannot, you have found the gaps that are costing you meetings.
I. DNS & Authentication
DNS authentication is the foundation of email deliverability. These records tell receiving mail servers that you are who you claim to be. Without them, Gmail, Outlook, and every other provider will treat your messages as potentially spoofed and route them to spam or reject them outright.
SPF Record Configured
What it is: Sender Policy Framework (SPF) is a DNS TXT record that lists every server and service authorized to send email on behalf of your domain. When a receiving server gets your message, it checks your SPF record to verify the sending IP is permitted.
Why it matters: Without SPF, any server in the world could send email pretending to be your domain. Mailbox providers see missing or broken SPF as a major red flag. Gmail specifically requires SPF or DKIM to pass for messages to reach the inbox.
How to check and fix: Look up your domain on MXToolbox or use dig TXT yourdomain.com in the terminal. You should see a record starting with v=spf1 that includes your email sending service (e.g., include:_spf.google.com for Google Workspace). Make sure you have only one SPF record per domain. Multiple SPF records will cause authentication failures. If you use multiple sending services, combine them into a single record with multiple include: statements and end with ~all or -all.
DKIM Signing Enabled
What it is: DomainKeys Identified Mail (DKIM) adds a cryptographic signature to every email you send. The receiving server uses the public key published in your DNS to verify the message was not altered in transit and actually came from your domain.
Why it matters: DKIM is the strongest signal of email authenticity. Google, Microsoft, and Yahoo all weight DKIM heavily in their spam filtering decisions. If DKIM fails or is missing, your emails are far more likely to land in spam, even if SPF passes.
How to check and fix: In Google Workspace, go to Admin > Apps > Google Workspace > Gmail > Authenticate Email, then generate a DKIM key and add the provided CNAME or TXT record to your DNS. For third-party sending tools like Instantly or Smartlead, follow their DKIM setup guides, which typically involve adding one or two CNAME records. Verify with MXToolbox DKIM Lookup using the selector provided by your sending platform.
DMARC Policy Published
What it is: Domain-based Message Authentication, Reporting, and Conformance (DMARC) ties SPF and DKIM together. It tells receiving servers what to do when authentication fails: do nothing (p=none), quarantine the message (p=quarantine), or reject it entirely (p=reject). It also sends you reports about authentication results.
Why it matters: As of February 2024, Google and Yahoo require DMARC for bulk senders. Even for low-volume cold email, having a DMARC record signals that you take email security seriously. Without it, you are leaving deliverability on the table.
How to check and fix: Add a DNS TXT record for _dmarc.yourdomain.com with a value like v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com. Start with p=none to monitor without impacting delivery, then move to p=quarantine once you confirm SPF and DKIM are passing consistently. Use a free tool like DMARC Analyzer to read the XML reports and identify any unauthorized senders.
Dedicated Sending Domains (Not Your Primary)
What it is: Dedicated sending domains are separate domains used exclusively for cold outbound email. Instead of sending from yourbrand.com, you send from variations like yourbrand-mail.com, getyourbrand.com, or tryyourbrand.com.
Why it matters: Cold email carries inherent reputation risk. Spam complaints, bounces, and blacklistings happen even with good practices. If your cold email activity damages the reputation of your primary domain, it affects every email your company sends, including invoices, customer support, and internal communication. Dedicated domains isolate that risk completely.
How to check and fix: Purchase 2-5 secondary domains that are close variations of your brand name. Set up Google Workspace or Microsoft 365 accounts on each one. Configure SPF, DKIM, and DMARC on every domain. Do not use these domains for anything other than outbound campaigns. If a domain gets burned, you retire it and rotate in a new one without touching your primary domain. For more on how this fits into a full system, see our done-for-you cold email service.
II. Warmup & Reputation
A brand-new domain with perfect DNS records still has zero reputation. Mailbox providers do not know if you are a legitimate sender or a spammer. Warmup is the process of building that trust before you start real outbound campaigns. Skip it and your first campaign will tank.
New Domains Warmed 2-3 Weeks Before Sending
What it is: Domain warmup uses automated tools to exchange emails between your new mailbox and a network of real inboxes. These tools send, receive, open, and reply to messages, simulating the behavior of a healthy, active email account.
Why it matters: Google and Microsoft track sending patterns from the moment a domain starts sending. If a brand-new domain immediately sends 50 cold emails on day one, that is a massive spam signal. Warmup builds a baseline of positive engagement so that when you start cold outreach, the mailbox providers already recognize your domain as legitimate.
How to check and fix: Use a warmup tool like Instantly's built-in warmup, Warmup Inbox, or Lemwarm. Set it to send 20-40 warmup emails per day and let it run for a minimum of 14 days, ideally 21 days, before adding any cold outbound volume. Monitor your warmup inbox placement score. You want to see 90%+ inbox placement before launching campaigns.
Gradual Volume Ramp-Up
What it is: Rather than sending your full daily volume on day one of a campaign, you start low and increase gradually. For example: 5 emails on day one, 10 on day two, 15 on day three, and so on until you reach your target volume over 7-14 days.
Why it matters: Sudden spikes in sending volume are one of the most common triggers for spam filtering. Even warmed domains can get flagged if you jump from 0 cold emails to 50 overnight. Gradual ramp-up mimics natural sending behavior and gives mailbox providers time to evaluate your messages without alarm.
How to check and fix: Most cold email platforms (Instantly, Smartlead, Lemlist) have built-in ramp-up settings. Configure a daily increase of 2-5 emails per day per mailbox. If you are sending from 10 mailboxes and want to reach 30 emails per mailbox per day, plan for roughly 7-10 days of ramp-up before hitting full volume. Never exceed 50 cold emails per mailbox per day as a hard ceiling.
Ongoing Warmup Between Campaigns
What it is: Warmup is not a one-time setup task. You should keep warmup activity running in the background at all times, even while your cold campaigns are active, and especially during gaps between campaigns.
Why it matters: If you stop all sending activity for a week and then resume cold outreach, mailbox providers see that sudden restart as suspicious. Ongoing warmup maintains a consistent pattern of positive engagement that buffers your sending reputation. It also offsets the negative signals (bounces, ignores, spam reports) that inevitably come from cold outreach.
How to check and fix: Keep your warmup tool active at 15-30 emails per day per mailbox alongside your cold campaigns. When you pause campaigns for any reason, do not turn off warmup. If you discover that your cold emails are landing in spam, temporarily reduce cold volume and increase warmup volume to repair your reputation before resuming.
III. List Quality
Your sending infrastructure can be perfect and your reputation spotless, but if you are emailing invalid addresses, your bounce rate will destroy your deliverability within days. List quality is not optional. It is load-bearing.
Emails Verified for Deliverability
What it is: Email verification uses SMTP-level checks to determine whether an email address is valid, invalid, or risky before you send to it. Verification tools ping the receiving mail server (without sending an actual email) to confirm the mailbox exists and can accept messages.
Why it matters: Sending to invalid addresses generates hard bounces. A hard bounce rate above 2% is a clear spam signal to mailbox providers. Hit 5% and you risk getting your domain or IP blacklisted. Verification catches invalid addresses before they damage your reputation.
How to check and fix: Run every lead list through a verification tool like ZeroBounce, NeverBounce, or MillionVerifier before uploading to your sending platform. Only send to addresses marked as "valid" or "deliverable." Remove all "invalid," "unknown," and "disposable" results. If you are building B2B lead lists, verification should be the final step before any list goes live. At Arvani Media, we triple-verify every lead across multiple providers to keep bounce rates under 1%.
Catch-All Addresses Removed or Limited
What it is: A catch-all domain is configured to accept email sent to any address at that domain, whether the specific mailbox exists or not. Verification tools cannot determine if a specific address at a catch-all domain is real, so they return a "catch-all" or "accept-all" result instead of "valid."
Why it matters: Catch-all addresses are a gamble. Some are real people. Others are nonexistent mailboxes that will bounce, or worse, spam traps set up specifically to identify cold emailers. Sending to a high volume of catch-all addresses inflates your bounce rate and puts you at risk of hitting spam traps.
How to check and fix: After verification, filter your list to see how many results came back as "catch-all." If catch-all addresses make up more than 20-30% of your list, you are taking on significant risk. You have two options: remove them entirely for maximum safety, or limit them to 10-15% of your total sending volume and monitor bounce rates closely. If bounces spike, remove the remaining catch-alls immediately.
Bounce Rate Under 2%
What it is: Your bounce rate is the percentage of emails that are returned as undeliverable by the receiving server. Hard bounces (permanent failures, such as "mailbox does not exist") are far more damaging than soft bounces (temporary issues, such as "mailbox full").
Why it matters: Mailbox providers use bounce rate as a direct measure of list quality and sender legitimacy. A bounce rate under 2% signals that you are sending to verified, real people. Anything above 3% starts triggering warnings. Above 5% and your sending reputation will deteriorate rapidly, often within a single campaign.
How to check and fix: Check your bounce rate in your cold email platform's analytics dashboard after each campaign. If you are above 2%, stop the campaign immediately. Re-verify your remaining list, remove all bounced addresses, and investigate whether your verification provider is catching enough invalid addresses. Consider switching to a more accurate verification tool or adding a second verification layer. At the start of every new campaign, monitor the first 100-200 sends closely before scaling volume.
Want Us to Audit Your Setup?
Take the Outbound Readiness Scorecard. Answer 10 questions and get a personalized action plan in minutes.
Take the Scorecard →IV. Sending Practices
Even with perfect infrastructure and a clean list, how you send matters. Mailbox providers analyze your sending patterns, volume, and timing to determine whether you are behaving like a legitimate sender or a spammer. This is where most teams slip up after getting the technical foundation right.
Sending Volume Within Safe Limits
What it is: Safe sending limits refer to the maximum number of cold emails you should send per mailbox per day. The exact number depends on your mailbox provider, domain age, and warmup status, but there are widely accepted ceilings.
Why it matters: Exceeding safe volume limits is the fastest way to trigger rate limiting or spam filtering from Google and Microsoft. A single mailbox sending 100+ cold emails per day will almost certainly be flagged, regardless of how good your authentication and content are.
How to check and fix: For Google Workspace, keep cold email volume at 25-40 new emails per mailbox per day. For Microsoft 365, stay at 30-50 per day. These limits include both new outreach and follow-ups. If you need to contact more prospects, add more mailboxes rather than increasing volume on existing ones. A typical setup for sending 100 cold emails per day requires 3-4 mailboxes rotating across 2-3 dedicated domains.
Sending Spread Across Hours and Days
What it is: Instead of sending all your daily emails in a single burst, you distribute them across your sending window with randomized delays between messages. You also avoid sending on weekends and match the time zone of your recipients.
Why it matters: Sending 30 emails in 5 minutes looks like automation. Sending 30 emails spread across 8 hours looks like a human. Mailbox providers evaluate sending velocity, and bursts of identical outbound messages trigger spam filters far more than evenly distributed sends. Timing also affects open rates: emails sent during business hours in the recipient's time zone consistently outperform off-hours sends.
How to check and fix: Configure your sending tool to use a sending window of 8am-5pm in your target audience's time zone. Set random delays of 3-8 minutes between emails. Most platforms (Instantly, Smartlead, Woodpecker) have these settings built in. Avoid sending on weekends unless your audience is known to check email then. Review your sending analytics to confirm emails are distributing evenly rather than clustering.
Rotation Across Multiple Mailboxes
What it is: Mailbox rotation distributes your outbound volume across multiple email accounts so that no single mailbox handles too much cold sending. A campaign sending 100 emails per day might rotate across 4 mailboxes, each sending 25.
Why it matters: Rotation protects individual mailbox reputation. If one mailbox gets flagged or rate-limited, the others continue sending. It also makes your sending pattern look more natural, since the messages come from different accounts rather than a single automated source. Rotation is the foundation that enables you to scale cold email volume safely.
How to check and fix: Set up multiple mailboxes across your dedicated sending domains. Use first-name variations (anthony@, a.volz@, anthony.volz@) to create natural-looking sender identities. In your sending platform, enable mailbox rotation and set it to round-robin or random assignment. Monitor each mailbox's individual deliverability metrics. If one mailbox shows declining inbox placement, pause it, increase its warmup, and redistribute its volume to the remaining mailboxes.
V. Content & Compliance
Content filtering is the last gate your email passes through before reaching the inbox. Even with perfect infrastructure and sending practices, poorly written content or compliance violations can trigger spam filters at the message level.
No Spam Trigger Words or Excessive Links
What it is: Spam trigger words are terms and phrases that content-based spam filters flag as indicative of unsolicited commercial email. Excessive links, images, and HTML formatting also raise red flags. The goal is plain-text emails that read like one person writing to another.
Why it matters: Modern spam filters use machine learning to evaluate content, but they still weight specific signals heavily. Phrases like "act now," "limited time offer," "guaranteed results," and "click here" are associated with spam. More than 1-2 links in a cold email dramatically increases the chance of spam filtering. Tracking pixels (invisible images used for open tracking) also count as content that filters evaluate.
How to check and fix: Write cold emails in plain text, not HTML. Keep emails under 150 words. Include a maximum of one link, and make it your calendar booking link or website, not a tracked redirect. Avoid all-caps, exclamation marks, and salesy language. Do not include images or attachments in cold emails. Disable open tracking (tracking pixels) in your sending platform, as these are increasingly flagged by Google and Microsoft. Test your emails through Mail-Tester.com before launching to check your content spam score.
Unsubscribe Handling and Suppression Lists
What it is: Unsubscribe handling means giving recipients a clear way to opt out of future messages and honoring those requests immediately. Suppression lists are databases of email addresses that should never receive outbound messages from your organization, including people who have opted out, bounced addresses, and existing customers.
Why it matters: As of 2024, Google and Yahoo require a one-click unsubscribe mechanism for bulk senders. While cold email occupies a legal grey area depending on jurisdiction, providing an opt-out is both a best practice and a deliverability advantage. When recipients cannot unsubscribe, they mark you as spam instead, which is far more damaging to your sender reputation. Suppression lists prevent you from re-emailing people who have already said no, which reduces complaints and protects your reputation over time.
How to check and fix: Include a simple opt-out line at the bottom of every cold email, something like "Not interested? Reply and I'll remove you from the list" or a one-click unsubscribe link. When someone opts out, add them to your global suppression list immediately. Before every new campaign, cross-reference your lead list against your suppression list to remove any matches. Also suppress bounced addresses, existing customers, and current active conversations. Most cold email platforms maintain suppression lists automatically, but verify that yours is configured correctly. Review your team's compliance process regularly to catch any gaps.
Putting It All Together
This cold email deliverability checklist is not a one-time exercise. The best cold email operators run through it before every new campaign, every new domain setup, and every time deliverability starts to slip. Treat it as a living audit that keeps your outbound system healthy.
If you scored well on all 15 points, your infrastructure is in strong shape. Focus on copy, targeting, and offer optimization to drive more replies.
If you found gaps, prioritize in this order: DNS authentication first, then warmup, then list quality, then sending practices, then content. Each layer builds on the one before it. Fixing content issues will not help if your DNS is broken, and fixing DNS will not help if your list is full of invalid addresses.
Need help? At Arvani Media, we handle every item on this checklist as part of our done-for-you cold email service. From domain setup and warmup to verified lead lists and campaign management, we build the entire system so you can focus on closing deals. Take the Outbound Readiness Scorecard to see where your setup stands today.
Frequently Asked Questions
DNS authentication (SPF, DKIM, DMARC) can be configured in under an hour and propagates within 24-48 hours. Domain warmup takes 2-3 weeks. Repairing a damaged sending reputation can take 2-4 weeks of reduced volume and consistent warmup activity. Most setups can be fully audit-ready within 30 days.
A healthy cold email program should target an inbox placement rate of 85% or higher. If you are below 70%, there are likely DNS, reputation, or content issues that need immediate attention. Use tools like GlockApps or Mail-Tester to test inbox placement across Gmail, Outlook, and Yahoo before launching campaigns.
Yes. You should never send cold email from your primary business domain. If your cold outreach triggers spam complaints or blacklisting, it can damage the reputation of your main domain and affect all company email, including transactional and internal communications. Use dedicated secondary domains (e.g., yourbrand-mail.com or getyourbrand.com) and warm them for 2-3 weeks before sending any outbound campaigns.
