Book a call
Deliverability • 16 min read

Email Deliverability: SPF, DKIM, DMARC and Domain Warmup Explained

Deliverability is 70% of cold email. Here's how the technical layer works, what breaks, and how to fix it before sending.

Deliverability is the boring, technical layer that decides whether your cold email ever gets read. It's also the single biggest reason most cold email programs fail. This guide walks through the full stack, SPF, DKIM, DMARC, domain warmup, sender reputation, in the order you should actually implement them.

Why deliverability matters more than copy

A 50% inbox placement vs a 95% inbox placement is the difference between a campaign that works and one that doesn't. The math: if 1,000 emails go out and 50% land in spam, your effective volume is 500. Even with perfect copy, you've cut your meeting potential in half before anyone has a chance to read.

SPF, Sender Policy Framework

SPF is a DNS TXT record that lists which mail servers are allowed to send email for your domain. If a receiving server gets mail claiming to be from you@acme.com but the sending IP isn't in your SPF record, the receiver knows it's likely spoofed.

A typical SPF record for a domain using Google Workspace plus a sending tool:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

The ~all at the end means "soft fail anything else." Use ~all, not -all, on a sending domain, strict failures cause silent drops at some receivers.

DKIM, DomainKeys Identified Mail

DKIM cryptographically signs every outgoing message with a private key. The receiver looks up your public key in DNS and verifies the signature. If the signature is valid, the receiver knows the message wasn't modified in transit and that the sending system has authority to send for your domain.

Setup is per-sending-platform: Google Workspace, Microsoft 365, SendGrid, Postmark, etc. each give you a CNAME or TXT record to add. Always use 2048-bit keys (1024 is deprecated).

DMARC, the policy that ties it together

DMARC tells receivers what to do when SPF or DKIM fails: monitor, quarantine, or reject. It also gives you reports on who's sending mail claiming to be from your domain.

Start with monitoring mode for 14 days:

v=DMARC1; p=none; rua=mailto:dmarc@acme.com; pct=100;

Once your reports look clean, move to quarantine, then reject. Skipping this and going straight to p=reject is how teams accidentally block their own legitimate mail.

Why you must use a secondary sending domain

Never send cold email from your primary business domain. Even with perfect setup, cold sending volume changes your domain's reputation profile, and one bad campaign can damage transactional, marketing and internal email for months.

The right pattern:

  • Primary: acme.com, used for normal business mail
  • Secondary: get-acme.com or try-acme.com, used only for cold sending
  • Both domains should resolve to your real website (301 redirect the secondary)
  • Both should have full SPF, DKIM, DMARC

We covered the buying and routing steps in Domain warmup for cold email: a practical 4-week schedule.

Domain warmup, the 28-day plan

A new domain has no sending reputation. If you send 200 emails on day one, mailbox providers treat you as suspicious. The fix is a gradual ramp.

Rough schedule for a single inbox:

  • Days 1–7: 5–15 emails/day, mostly to seed accounts that reply
  • Days 8–14: 15–30/day, mix of warmup and small real sends
  • Days 15–21: 30–50/day, mostly real sends
  • Days 22–28: 50–80/day, full production

Use a warmup tool (Mailwarm, Warmbox, Smartlead's built-in warmup) for the first three weeks. Full schedule with daily volume targets: domain warmup guide.

Sender reputation, what affects it

  • Bounce rate: keep under 3%. Anything higher and Gmail starts filtering.
  • Spam complaints: keep under 0.1%. One complaint per 1,000 sends is the limit.
  • Engagement: opens and replies signal legitimate mail. Low engagement signals spam.
  • Volume consistency: sending 200 one day and 0 the next looks suspicious. Steady daily volume wins.
  • Content: images, links, attachments and "spammy" words all lower placement.

The deliverability checks you should run weekly

  1. Send a test to a Gmail and an Outlook account, confirm inbox placement
  2. Check Google Postmaster Tools for domain reputation
  3. Monitor bounce rate per inbox; pause any inbox over 5%
  4. Review DMARC reports for unauthorized sending
  5. Run a tool like Mail-Tester for a content score (aim for 9+/10)

Common mistakes that ruin deliverability

  • Buying unverified lists. Bounces alone will tank a new domain in a week.
  • Tracking pixels. Mailbox providers detect them and lower placement.
  • HTML signatures with images. Plain text always wins for cold.
  • Ramping volume too fast. Doubling daily volume looks like spammer behavior.
  • Sending from your primary domain. A bad campaign can wreck transactional mail.

When to outsource the deliverability layer

If you're sending under 500 emails/week and have a technical person who enjoys DNS, run it yourself. If you're sending 2,000+/week, the deliverability layer becomes a part-time job: monitoring reputation across multiple inboxes and domains, rotating senders, fixing bounces, adjusting volume. Most sales teams don't have the bandwidth.

That's the boring half of what a managed cold email agency does, and it's where most teams see the biggest immediate lift. Book a 30-minute fit call if you'd like a deliverability audit on a real call.

Keep reading

Deliverability
Domain Warmup for Cold Email: A Practical 4-Week Schedule
← All resources
Next step

Theory's done. Want it run for you?

Ready now

Book a 30-minute fit call.

We'll take what's in this guide and apply it to your ICP, live, on the call.

Book your call →
Not yet, first

See pricing →

Three volume tiers, infra at cost. Decide if it pencils out before you book.

Take me there →

14-day guarantee · No setup fee · Pause anytime