You can write the perfect cold email -- researched, personalized, compelling, with a subject line that begs to be opened. If it lands in spam, none of that matters.
Email deliverability is the invisible foundation of outreach. When it works, you do not notice it. When it breaks, everything breaks. According to Return Path research, approximately 20% of legitimate emails never reach the inbox. For cold outreach from new domains, that number can exceed 50% without proper technical setup.
This checklist covers every technical element you need to get right. Work through it systematically before you send your first campaign.
Part 1: Domain Authentication
Domain authentication is how you prove to inbox providers that you are who you claim to be. Without it, your emails are treated as potentially fraudulent -- because they might be.
SPF (Sender Policy Framework)
What it does: SPF tells inbox providers which mail servers are authorized to send email on behalf of your domain. When Gmail receives an email claiming to be from you@yourdomain.com, it checks your SPF record to verify that the sending server is on the approved list.
How to set it up:
- Identify every server and service that sends email for your domain. This includes your outreach email provider, transactional email service (if separate), and any other system that sends on your behalf.
- Create a TXT DNS record with the appropriate SPF syntax listing all authorized senders.
- End the record with -all (hard fail) to tell inbox providers to reject emails from unauthorized servers. Some guides recommend ~all (soft fail) during initial setup, but hard fail provides stronger protection.
Common mistakes:
- Having multiple SPF records (only one is allowed per domain -- combine them).
- Exceeding the 10 DNS lookup limit (SPF records can only reference 10 external lookups; exceeding this causes SPF to fail silently).
- Forgetting to include all sending services (if you use one service for outreach and another for transactional emails, both must be in the SPF record).
Verification: Use MXToolbox SPF Lookup to confirm your record is valid and passes checks.
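The common mistakes above can be caught offline before the record is published. This added example (not code from the original page) lints the TXT strings for one domain; the `.example` hostnames and the `expected_includes` inventory are constructed assumptions.

```python
import re

# Terms that each cost one DNS lookup against the limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_ADVICE = {
    "+": ("pass-all", "+all authorizes every server"),
    "?": ("neutral-all", "?all sets no policy for unlisted servers"),
    "~": ("softfail-all", "~all is a soft fail; use -all once senders are listed"),
}

def lint_spf(txt_records, expected_includes=()):
    """Return (code, message) findings for the TXT records of one domain.

    expected_includes is a hypothetical inventory of the include: targets
    your sending services document, written in lowercase.
    """
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return [("no-spf", "no SPF record published")]
    if len(spf) > 1:
        return [("multiple-records", f"{len(spf)} SPF records; combine into one")]
    findings, lookups, includes, seen = [], 0, set(), set()
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", body, maxsplit=1)[0]
        seen.add(name)
        if name in LOOKUP_TERMS:
            lookups += 1  # top-level only: lookups inside an include also count
        if name == "include":
            includes.add(body.partition(":")[2])
        if name == "all" and qualifier in ALL_ADVICE:
            findings.append(ALL_ADVICE[qualifier])
    if lookups > 10:
        findings.append(("too-many-lookups", f"{lookups} lookup terms; limit is 10"))
    for host in sorted(set(expected_includes) - includes):
        findings.append(("missing-sender", f"include:{host} is not in the record"))
    if not seen & {"all", "redirect"}:
        findings.append(("no-all", "record has no terminal 'all' or redirect"))
    return findings

# Constructed sample: eleven includes, soft fail, billing service forgotten.
SAMPLE = ["v=spf1 " + " ".join(f"include:s{i}.mail.example" for i in range(11)) + " ~all"]
if __name__ == "__main__":
    for code, message in lint_spf(SAMPLE, {"_spf.billing.example"}):
        print(f"{code}: {message}")
```

The lookup count covers only the record you pass in, so a result near 10 still needs a live check that follows each include.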
DKIM (DomainKeys Identified Mail)
What it does: DKIM adds a cryptographic signature to every email you send. The recipient's mail server verifies this signature against a public key published in your DNS. If the signature matches, the email has not been tampered with in transit and genuinely came from your domain.
How to set it up:
- Generate a DKIM key pair through your email provider. Most providers (Google Workspace, Microsoft 365, dedicated email services) have built-in DKIM key generation.
- Publish the public key as a TXT record in your DNS, typically at a subdomain like selector._domainkey.yourdomain.com.
- Enable DKIM signing in your email provider's settings.
- If you use multiple email services, set up DKIM for each one with different selectors.
Common mistakes:
- Not enabling DKIM signing after publishing the DNS record (the record alone does nothing -- the email service must actively sign outgoing emails).
- Using a key size below 1024 bits (2048-bit keys are now recommended).
- Forgetting to configure DKIM for secondary sending services.
Verification: Send a test email to a Gmail address and check the email headers for "DKIM=PASS."
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
What it does: DMARC ties SPF and DKIM together and tells inbox providers what to do when authentication fails. It also enables reporting so you can see who is sending email on your behalf (legitimately or not).
How to set it up:
- Start with a monitoring policy: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
- This tells inbox providers to send you reports about email authentication results without taking action on failures. Run this for 2-4 weeks to identify any legitimate sending sources you missed in your SPF and DKIM setup.
- Once you are confident all legitimate sources pass authentication, move to p=quarantine (failed emails go to spam) and eventually p=reject (failed emails are blocked entirely).
Common mistakes:
- Jumping straight to p=reject before verifying all legitimate senders pass authentication (this can block your own emails).
- Not monitoring DMARC reports (they reveal authentication problems and potential spoofing attempts).
- Not setting DMARC at all (many senders configure SPF and DKIM but skip DMARC, which means inbox providers have no policy guidance).
Verification: Use MXToolbox DMARC Lookup and review your aggregate reports weekly.
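To decide when the monitoring period has done its job, the aggregate reports can be reduced to the sending IPs that failed both checks. This added example (not from the original page) does that for a constructed report in the RFC 7489 layout; it assumes the XML carries no namespace, and the IP addresses are documentation ranges.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report, trimmed to the fields this example reads.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourdomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>14</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.50</source_ip><count>9</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.50</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(reports):
    """Return ({source_ip: failed_count}, passed_count) across XML reports.

    A message passes DMARC when aligned DKIM or aligned SPF passes, which
    is what the policy_evaluated element records.
    """
    failed, passed = defaultdict(int), 0
    for xml_text in reports:
        # Reports come from outside parties; in production parse them with
        # a hardened XML parser (stdlib is used here to stay dependency-free).
        for row in ET.fromstring(xml_text).iter("row"):
            count = int(row.findtext("count", "0"))
            dkim = row.findtext("policy_evaluated/dkim")
            spf = row.findtext("policy_evaluated/spf")
            if dkim == "pass" or spf == "pass":
                passed += count
            else:
                failed[row.findtext("source_ip")] += count
    return dict(failed), passed

if __name__ == "__main__":
    failed, passed = summarize([SAMPLE_REPORT])
    print(f"passed: {passed}")
    for ip, count in sorted(failed.items(), key=lambda kv: -kv[1]):
        print(f"failing source {ip}: {count} messages")
```

Each failing source is either a legitimate service missing from your SPF and DKIM setup or someone spoofing the domain; resolve every one before leaving p=none.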
Part 2: Domain and IP Reputation
Authentication proves you are you. Reputation determines whether inbox providers want to deliver your email.
Dedicated Outreach Domain
Never send cold outreach from your primary business domain. If your company is acme.com, register a secondary domain (getacme.com, tryacme.com, hello-acme.com) specifically for outreach.
Why: If something goes wrong -- a high spam complaint rate, a blocklist addition, a sudden volume spike -- you want the reputation damage to hit the outreach domain, not the domain your entire company uses for communication. This is standard practice, not deception.
Setup: Register the domain, configure the same SPF/DKIM/DMARC stack, and set up a simple website at the domain (even a redirect to your main site) so it does not look like a purely disposable sending domain.
Domain Age
Brand new domains have minimal reputation. Inbox providers are inherently suspicious of new domains sending cold email because spammers frequently register fresh domains.
Best practice: Register your outreach domain at least 2-4 weeks before you plan to send. Let it age with the DNS records configured. Some senders register 2-3 months in advance for optimal results.
IP Reputation
If you are sending through a shared email service, your IP reputation is partially shared with other senders on the same service. If you are on a dedicated IP, you own the reputation entirely.
For shared IPs: Choose a reputable email service provider with strict sender policies. Your reputation is only as good as your neighbors.
For dedicated IPs: You must warm the IP separately from the domain. Start with very low volume (10-20 emails per day) and ramp gradually over 4-6 weeks.
Blocklist Monitoring
Blocklists are databases of IPs and domains known to send spam. If your domain or IP appears on a major blocklist, your deliverability drops immediately.
Check regularly: Use MXToolbox Blocklist Check or similar tools weekly. If you find yourself listed, most blocklists have a removal process -- but prevention is far easier than remediation.
Part 3: Sending Practices
Technical setup is necessary but not sufficient. How you send matters as much as the infrastructure you send from.
Volume Management
Ramp gradually. New domains and IPs should start at 10-20 emails per day and increase by 10-20% per week. Sudden volume spikes are a primary spam signal.
Maintain consistency. Sending 100 emails per day for two weeks, then zero for a month, then 200 per day looks erratic. Consistent daily volume is a positive reputation signal.
Set daily limits. Most deliverability experts recommend a maximum of 50-100 cold emails per day per mailbox. If you need higher volume, use multiple mailboxes and rotate sending.
List Hygiene
Verify before sending. Use an email verification service to check every address before sending. Bounce rates above 3% damage your sender reputation. Above 5% can trigger blocklisting.
Remove unengaged contacts. If a prospect has not opened any of your last 5 emails, remove them from active sequences. Sending to contacts who never engage trains inbox providers that your emails are unwanted.
Honor unsubscribes immediately. Both legally and practically, unsubscribe requests must be processed within 24 hours. Include an unsubscribe mechanism in every outreach email.
Content Best Practices
Avoid spam trigger words. "Free," "guaranteed," "act now," "limited time," "click here" -- these phrases trigger content-based spam filters. Write like a human, not a marketer.
Minimize links and images. Cold emails with multiple links or embedded images are flagged more frequently. One link maximum in your signature is ideal for initial outreach.
Use plain text or minimal HTML. Rich HTML emails with heavy formatting look like marketing blasts. Plain text or very simple HTML looks like a person writing an email -- because that is what it should be.
Personalize genuinely. Spam filters are increasingly sophisticated about detecting mass-sent emails. Genuine personalization -- unique content per email, specific references, varied phrasing -- helps you pass content filters.
Part 4: Ongoing Monitoring
Deliverability is not a set-it-and-forget-it configuration. It requires ongoing attention.
Monitor open rates. A sudden drop in open rates (e.g., from 40% to 15%) usually indicates a deliverability problem, not a messaging problem.
Check inbox placement. Periodically send test emails to accounts across Gmail, Outlook, and Yahoo to verify they land in the primary inbox.
Review DMARC reports. Monthly review of DMARC aggregate reports reveals authentication failures and potential spoofing.
Track bounce and complaint rates. Keep bounces below 3% and spam complaints below 0.1%. These are the two metrics inbox providers weight most heavily.
Putting It All Together
When R:AIDE onboards new clients, this checklist is built into the readiness assessment. The system verifies domain authentication, monitors warmup progress, and alerts on deliverability issues before they damage sender reputation.
Whether you use an automated system or manage deliverability manually, the principles are the same: authenticate your domain, protect your reputation, send responsibly, and monitor continuously.
Every outreach strategy, every brilliant email, every perfect subject line depends on the email actually reaching the inbox. This checklist is the foundation. Get it right, and everything else you do in outreach becomes dramatically more effective.