Cold Email Deliverability Basics
4 layers, 1 build order. Infrastructure fails before content does. This guide tells you which layer to fix first and which tools handle each one.
TL;DR
Infrastructure fails before content: the 4 layers in order
Cold email deliverability fails at the infrastructure layer before it fails at the content layer. Most teams diagnose copy when the real problem is an authentication record, an unwarmed domain, or a contact list with a 6% bounce rate.
The four layers in build order: authentication (SPF/DKIM/DMARC), warmup, list verification, and inbox placement testing. Each layer includes the failure pattern, the fix, and the tools that handle it.
Deliverability Architecture
The 4-layer cold email deliverability framework at a glance
- Authentication: SPF, DKIM, and DMARC on every sending domain
These three DNS records authorize your domain to send, verify message integrity, and define failure handling. Missing any one produces inconsistent inbox placement from day one.
- Warmup: building sender history before cold volume
New mailboxes have no sending history, so mail servers treat them with suspicion. Warmup tools build that history over 3 to 4 weeks before cold sequences start.
- List verification: removing invalid, catch-all, and disposable addresses
A bounce rate above 3% damages sender reputation faster than any content issue. Verification removes invalid and risky addresses before they enter a campaign.
- Inbox placement testing: confirming delivery before sequences launch
Placement tests send to seed inboxes across major providers and report inbox vs spam vs promotions per provider. Run one before any sequence goes live.
Layer 1
Authentication: what SPF, DKIM, and DMARC each do
SPF is a DNS TXT record listing which mail servers are authorized to send on behalf of your domain. A missing or misconfigured SPF causes delivery failures and signals an unknown sender to receiving servers.
DKIM adds a cryptographic signature verified against a public key in your DNS. DMARC ties SPF and DKIM together, specifying what happens when a check fails: none, quarantine, or reject. Start with "none" to monitor, then tighten once legitimate mail authenticates cleanly.
SPF, DKIM, and DMARC must be set on every domain in your rotation, not just the primary. An auth gap on a single domain creates inconsistent placement across the campaign. Use GlockApps or Mail-Tester to verify all three before a domain enters active sending.
Layer 2
Mailbox warmup: 3 to 4 weeks minimum, and why skipping it costs you
Warmup tools send small volumes of real email from your mailbox to a network of inboxes, generating opens, replies, and positive engagement signals. These build sending history that mail servers use to score your domain's reputation before cold sequences start.
Keep warmup running in the background once campaigns go live. Pausing it entirely while actively sending is one of the most common triggers for deliverability drops, because warmup activity sustains the engagement signals that keep reputation stable.
Before any mailbox enters cold rotation: SPF/DKIM/DMARC verified, warmup running for 21+ days with a stable score, inbox placement test showing above 80% on Google and Microsoft. All four checks must pass.
Layer 3
List verification: keeping bounce rate below 3%
Verification classifies each address as deliverable, invalid, risky, or catch-all before it enters a campaign. Removing invalid and risky addresses keeps bounce rates below the 3% threshold that triggers reputation damage at major providers.
Verification is a pre-import step, not a permanent fix. B2B lists decay at 2% to 3% per month as people change roles and domains expire. Re-verify any list older than 90 days before reuse.
- Upload your list and run bulk verification before any import
Remove undeliverable addresses before importing. Flag risky and catch-all addresses for a separate, lower-volume segment if you contact them at all.
- Target a post-verification bounce rate under 3%
A verified list from a quality source should bounce well below 3%. Above that: check for stale data, catch-all handling errors, or disabled bounce detection in your sending platform.
- Re-verify lists older than 90 days before reuse
A list that verified clean six months ago can carry a 5% bounce rate today. Re-run any list over 90 days old through a verifier before importing into a campaign.
A catch-all domain accepts all inbound mail at the server level, so a verifier cannot confirm whether the specific address will bounce. Segment catch-alls into a smaller, lower-cadence batch and monitor results before scaling.
Layer 4
Inbox placement testing: 80%+ inbox rate before sequences go live
A placement test sends a real email to seed addresses across Google, Outlook, Yahoo, and other providers, then reports inbox, spam, or promotions per provider. Run one after initial domain setup and before the first campaign goes live.
Run another test any time you change your email template, add a sending domain, or see a drop in open rates. Open rate drops often signal a shift from inbox to spam that placement testing confirms faster than other diagnostics.
Inbox placement above 80% on Google and Microsoft, no blacklist hits, and all three auth checks returning pass. Below 80% on either provider: pause, diagnose, and retest before sending to real prospects. Mail-Tester (free) and GlockApps (paid, with DMARC monitoring) handle these tests.
Recommended Tools
Warmup Inbox, NeverBounce, Mail-Tester, GlockApps: one per layer
Common Questions
5 questions on cold email deliverability setup
3 to 4 weeks minimum for a new domain. 21 days is the practical floor to build enough sending history to avoid aggressive filtering. Run a placement test at the end of warmup to confirm inbox rates before the first campaign goes live.
Above 3% damages sender reputation. Above 5%, most platforms throttle automatically. Target under 2% on a verified list. If you hit 4%+ after verification, check for stale data or catch-all addresses being treated as deliverable.
Yes. DMARC defines what receiving servers do when SPF or DKIM fails. Google and Yahoo required it for bulk senders starting in 2024. Begin with a "none" policy to monitor, then move to "quarantine" once all sending sources pass auth cleanly.
Yes, but only after infrastructure layers (auth, warmup) are stable. Content factors that matter: link-to-text ratio, spam-trigger words, and broken HTML all affect SpamAssassin scoring. Run a Mail-Tester check on every new template before live sends.
Minimum 2 to 3 sending domains per active sender. Single-domain sending concentrates all reputation risk in one place. Domain variants warm up in parallel and rotate across campaigns, distributing risk. Each domain needs its own SPF, DKIM, and DMARC before entering rotation.
Infrastructure is set. Now pick the platform that keeps it stable.
Compare the best deliverability-first cold email platforms with verified pricing and honest tradeoffs on warmup, rotation, and inbox placement controls.