Cold Email Deliverability: SPF, DKIM, DMARC & Sender Reputation (B2B Guide)

What "Deliverability" Really Means

Most founders think deliverability is a binary — "did it send or not?" It isn't. Every email you send lands in one of five buckets, and four of them are bad:

The only metric that matters is Inbox Placement Rate (IPR) — the percentage of your sends that land in the primary inbox of a real human. Not open rate. Not delivery rate (which counts spam folder deliveries as "delivered"). IPR.

A healthy cold email program runs at 85-95% primary IPR. Below 80%, you have a problem. Below 60%, you're being filtered before the recipient ever sees you — and no amount of clever subject lines will save you.

The 3 Authentication Pillars: SPF, DKIM, DMARC

Google and Microsoft made authentication mandatory in February 2024. If you don't have SPF, DKIM, and DMARC configured correctly, your mail is either rejected outright or dumped into spam — full stop. Here's what each one does in plain language:

SPF (Sender Policy Framework) is a TXT record in your DNS that lists which servers are allowed to send mail on behalf of your domain. When Gmail receives an email claiming to be from you@yourdomain.com, it checks the SPF record and confirms the sending IP is approved.

DKIM (DomainKeys Identified Mail) is a cryptographic signature attached to every outgoing message. The receiving server fetches your public key from DNS and verifies the signature matches — proving the message wasn't tampered with in transit and genuinely came from your infrastructure.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the policy layer that ties SPF and DKIM together. It tells receiving servers what to do when authentication fails (nothing, quarantine, or reject) and sends you reports about who is trying to send mail as you.

All three live as TXT records on your domain. Missing any one of them — or having them misconfigured — and you're invisible to every modern inbox.

How to Set Them Up Correctly

SPF: Create one TXT record at the root of your domain. The syntax is v=spf1 include:_spf.google.com -all for Google Workspace, or v=spf1 include:spf.protection.outlook.com -all for Microsoft 365. The -all at the end means "reject anything not on this list" — use ~all (soft fail) while you're still testing, then tighten to -all.

DKIM: In Google Workspace, go to Apps → Google Workspace → Gmail → Authenticate email. Click "Generate New Record" (use 2048-bit keys, not 1024), copy the TXT record value into DNS at google._domainkey, wait for propagation, then come back and click "Start Authentication." For Microsoft 365, enable DKIM in the Defender portal — Security → Policies → Email authentication settings → DKIM, select your domain, and toggle it on. M365 generates two CNAME records you point at Microsoft's selectors.

DMARC: Never skip to p=reject on day one. The progression is:

Always include rua=mailto:dmarc@yourdomain.com in your DMARC record. The aggregate reports show you exactly which IPs are sending as your domain — including the shadow SaaS tools your sales team signed up for without telling you, and the spoofers pretending to be you. Run reports through a free parser like Postmark's DMARC tool or pay for Valimail / dmarcian if you want a dashboard.

The Dedicated Cold-Email Domain Strategy

Never send cold email from your primary domain. This is non-negotiable. One bad campaign — one spam complaint spike, one bounce rate over 5%, one blocklist hit — and your transactional mail (invoices, support, calendar invites, password resets) collapses overnight. Your business email becomes unusable for weeks.

The fix is dirt simple: buy 3-5 lookalike domains specifically for cold outreach. If your primary is quickomate.com, register variants like:

On each cold domain, set up 2-3 mailboxes (first.last@, firstname@, f.last@). Set up the full auth stack — SPF, DKIM, DMARC — on every single one. Configure a 301 redirect from each lookalike to your primary domain so the URL still works if a prospect pastes it into a browser.

This isolation is the entire point. If try-quickomate.com gets torched, your primary domain — and the 6 other lookalikes — keep sending. You rotate the dead one out, spin up a replacement, and the program keeps running.

Mailbox Warm-Up: The 2-3 Week Timeline

A brand-new mailbox has zero sender reputation. The moment you send 50 cold emails from it on day one, every major inbox provider flags you as a spammer and your IPR craters to near zero. Warm-up is the process of building that reputation gradually before you do real outreach.

Warm-up tools (Mailreach, Warmbox, Lemwarm, Smartlead's built-in warmer, Instantly's warmer) work by automatically sending and replying to emails between thousands of pooled mailboxes. The receiving mailbox marks your messages as "important," moves them from spam to inbox if they land there, stars them, and replies. Every one of those signals tells Google and Microsoft that real humans want your emails.

If you skip warm-up, you are not running cold email — you are running a domain incinerator. The 2-3 weeks of patience saves you 2-3 months of reputation rebuild later.

Sending Volume Thresholds

Inbox providers cap how much mail a single mailbox can send before they flag it. The safe ceiling is 30-40 cold emails per mailbox per day — total, including follow-ups. Go above that and your spam rate spikes almost linearly.

To hit meaningful volume, you scale horizontally — more mailboxes, not more sends per mailbox. The math:

Always send during business hours in the recipient's local timezone — 8am-11am Tuesday through Thursday is the sweet spot. Sending at 3am their time looks robotic and gets flagged. Spread sends across the window with 60-120 second random gaps between emails per mailbox.

Reputation Killers (What NOT to Do)

Inbox providers don't read your copy — they read signal patterns. Some patterns scream "automated cold blast" so loudly that even perfect authentication can't save you:

The winning format is unglamorous and works: plain text, two to four short paragraphs, one signature line with your name and a single URL (your site, no UTM params). No images. No HTML wrapper. No "unsubscribe here" footer — for cold B2B under 50,000 contacts/year, a polite "let me know and I'll stop" line at the end is enough.

Branded HTML signatures with social icons and disclaimers underperform plain text by 30-50% in our tests. They scream "marketing automation." The email that gets a reply looks like a one-off note a human typed in two minutes.

Monitoring Inbox Placement

You cannot fix what you can't see. Open rates lie — Apple Mail Privacy Protection pre-fetches images and inflates them to 60-80% across the board. The only reliable measure of deliverability is a seed test: send a campaign to a basket of dummy inboxes across Google, Outlook, Yahoo, and corporate domains, then check where each one landed.

The tools we use:

Run a seed test every two weeks per sending domain. Log primary IPR as a single number. If it drops below 80%, pause that domain's campaigns immediately and diagnose before you keep burning reputation. Catching a slide at 78% is a one-day fix. Catching it at 40% is a domain rebuild.

What to Do When You Get Blocklisted

Eventually, a domain or IP will hit a blocklist. It happens to everyone — the goal isn't to never get listed, it's to detect it fast and recover cleanly. The major lists to monitor:

Run your sending domains and IPs through MXToolbox's blocklist checker weekly. When you get listed, the delisting process is usually free and self-serve — visit the blocklist's site, submit your domain/IP, and confirm you've fixed the underlying issue. Most lists clear within 24-48 hours.

The diagnosis step is more important than the delisting. A blocklist hit almost always traces to one specific mailbox behaving badly — high bounce rate, complaint spike, or sending to a spam-trap address. Pull mailbox-level metrics from your sending platform, isolate the offender, pause it, and rotate in a fresh warmed mailbox. Don't just delist and restart — you'll be back on the list within a week.