The Cold Email Deliverability Checklist

Cold email has an invisible ceiling and it's not your copy. It's deliverability. You can write the most beautifully personalised sequence in the world, and if 60% of it lands in spam, your reply rate will look like a broken funnel. Conversely, average copy with great inbox placement quietly outperforms world-class copy with bad infrastructure every single quarter.

This is the 12-point checklist we run for every outbound client before they send a single live message. Skip any of these and you'll be debugging the wrong end of the funnel for a year.

§Part 1 — Domains and inboxes

Your primary domain is sacred. It runs your sales conversations, your billing, your hiring. You will not, under any circumstances, send cold email from it. The moment one campaign goes wrong on your primary, every transactional email — including the contracts you actually want delivered — starts landing in spam. Buy secondaries instead.

• Buy 2–4 secondary domains that are close variants of your brand (yourbrand.co, get-yourbrand.com, hi-yourbrand.com)
• One inbox per domain — never two. Each inbox sends a maximum of 30 cold messages per day
• Warm every inbox for a minimum of 14 days with real engagement before sending a single cold message
• Use a paid warmup tool (Instantly, Smartlead, Mailwarm) — never DIY it

§Part 2 — The DNS records that actually pass

If you cannot recite what SPF, DKIM and DMARC do from memory, your provider has probably set them up wrong. Each one solves a different inbox-provider concern, and each one needs to be configured correctly before you send anything.

SPF — proves your sending IPs are authorised

Single record. All sending platforms included. No conflicting entries from a previous email tool that's still listed. If you've ever used Mailgun, SendGrid, Outlook and Google all on the same domain at different times, audit this carefully — old SPF entries silently sabotage you.

DKIM — proves the message wasn't tampered with

Use 2048-bit keys (1024 is increasingly flagged), propagate them at the registrar, then wait 24 hours before sending. The most common mistake here is using your provider's default selector when your platform expects a specific one.

DMARC — tells inbox providers what to do with failures

Start at p=none for two weeks while you monitor reports. Move to p=quarantine. Only go to p=reject once you're certain every legitimate sending source is aligned. Skipping straight to p=reject is how teams accidentally hard-bounce their own invoices for a month.

• SPF — single record, all sending platforms included, no orphaned entries
• DKIM — 2048-bit, propagated 24h+, correct selector for your platform
• DMARC — start p=none, monitor 14 days, move to quarantine, then reject

§Part 3 — Content rules that kill spam scores

Once infrastructure is clean, content becomes the dial. Spam filters in 2026 are AI-driven and they pattern-match aggressively against the worst-performing cold templates of the last five years. If your message looks anything like the ones already getting flagged, you'll inherit their reputation in days.

• No images. None. Not even a signature logo on the first touch
• No links in the first message — drop the calendar link in touch three at the earliest
• Under 90 words. Spam filters read length as effort, and over-effort signals a pitch
• Plain text. Skip the HTML wrapper your CRM auto-adds
• One CTA per message — and never use the word ‘demo’ in a subject line

§Part 4 — The weekly hygiene loop

Deliverability is not a setup — it's a habit. Block 30 minutes every Friday to look at four things: open rate per domain, bounce rate, spam-complaint rate, and reply rate per inbox. If any domain drops 10 points week-over-week, pause it and warm it back up. If any inbox shows even a 0.3% spam complaint rate, retire it.

1. 01Friday morning: pull metrics per inbox (not just aggregate)
2. 02Pause any inbox with <40% open rate or >3% bounce rate
3. 03Re-warm paused inboxes for 7–10 days before re-introducing volume
4. 04Monthly: rotate one new domain in, retire your oldest
5. 05Quarterly: full DNS re-audit (records drift, especially after IT changes)

§What this all adds up to

Teams that do this right consistently see 45–55% open rates, 3–5% reply rates, sub-3% bounce, and almost zero spam complaints — sustained across months, not just in week one. Teams that skip the checklist see 18% opens for two weeks, then a slow death as their domains burn. The boring infrastructure work is what compounds. The clever copy is what gets the credit, but the infrastructure is what cashed the checks.