The cold email infrastructure playbook

Home › Services › Programmatic Outbound › Deliverability

Here's the pattern we see weekly. A team buys 120 inboxes across 40 domains from a reseller. Warms for two or three weeks. Launches campaigns. Gets zero replies, not even out-of-office pings. Panics. Changes copy. Still nothing. Six weeks in, deliverability tanks entirely. The infrastructure gets scrapped and they start over.

Nine out of ten times, the issue is infrastructure, not copy. “Bad” copy sent on properly authenticated infrastructure delivers. “Good” copy sent on broken infrastructure doesn't. Framing and authentication matter 10x more than spam words.

The authentication triangle: SPF, DKIM, DMARC

Every cold sending domain needs three DNS records, configured in alignment. When any one is missing or misconfigured, deliverability collapses.

SPF (Sender Policy Framework)

SPF tells receiving mail servers which IPs are authorized to send from your domain. A standard Google Workspace SPF record looks like v=spf1 include:_spf.google.com ~all. The critical rule: the return address (envelope-from) must match the sender address for SPF to pass — this is called SPF alignment. Forwarding breaks alignment, which is why a different “reply-to” address on a cold campaign often tanks deliverability.

DKIM (DomainKeys Identified Mail)

DKIM is cryptographic signing — the postage stamp that proves the message actually came from the domain that claims to have sent it. Google Workspace generates the DKIM key inside the admin console; you copy it into DNS as a TXT record. Microsoft 365 works similarly. Verify it passes by sending an email to yourself at Gmail and running “Show original” — SPF, DKIM, and DMARC should all show PASS.

DMARC (Domain-based Message Authentication)

DMARC is the policy that tells receivers what to do when SPF or DKIM fails. The three policies are none, quarantine, and reject. Best practice for cold sending is:

• v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourdomain.com; sp=none

p=reject is the gold standard once SPF and DKIM are passing. It forces clean infrastructure — nothing unauthenticated gets through. Adding rua= (aggregate report URI) means you receive daily reports on who's trying to send as you. Skipping rua= is a common rookie mistake; without it you're flying blind.

Domain warmup: 28 days, not two weeks

Fresh domains need a minimum of 28 days of warmup before you run real campaigns. Two weeks is not enough. Three weeks is the floor for marginal results. Four weeks is where reply rates stabilize.

Warmup tools — Warmup Inbox, Warmbox, Warmforge, Mailwarm, Folderly, Mailreach, Warmy — simulate conversations to build domain reputation. Use one that integrates with your sequencer. During warmup, inbox health scores should climb from zero toward 80-100. If scores stay below 20 after three weeks on fresh domains, something is broken upstream — usually the reseller's IP block or a DNS misconfiguration.

What warmup actually does: establishes that your domain has legitimate human-looking email traffic. What it doesn't do: compensate for bad copy, unverified lists, or a domain registrar on a spam blocklist.

Placement testing, per provider

Each email provider has different deliverability seeds. Google's spam filter is not Microsoft 365's. Mimecast, Barracuda, and Proofpoint (enterprise anti-spam) each classify differently. Running a placement test tells you which providers are inboxing and which are quarantining before you waste a campaign on a silent audience.

Tools we use:

• mail-tester.com — basic health score, spam word check, auth verification
• Folderly — full placement testing plus ongoing deliverability monitoring
• GlockApps — detailed inbox placement across providers
• Emailguard / Mailreach / Warmy — continuous placement monitoring
• Inbox Placement (Smartlead) — cheapest quick check

Run placement tests on fresh infrastructure before going live, then re-test every two weeks. Deliverability drifts — a domain that inboxes in week four may be quarantined in week eight. Catch it early and rotate before replies die.

The multi-ESP, multi-registrar stack

The golden standard of 2026: two domain registrars, two ESPs (Google Workspace + Microsoft 365), minimum. Three of each at real scale. The reasoning is simple: a single point of failure kills the entire pipeline. When Google deprecates a grey-hat reseller or Microsoft tightens quotas, you rotate to your second stack while you fix the first.

What this looks like in practice for a team sending 100K+ emails per month:

• Batch 1: 30 domains on registrar A, Google Workspace, sequencer 1 — send for two weeks, then cool down
• Batch 2: 30 domains on registrar B, Microsoft 365, sequencer 2 — send while batch 1 rests
• Batch 3: hot-swap reserve — pre-warmed, ready to deploy when either batch burns

This is why agencies running 100+ inboxes with no rotation see deliverability cliff every six weeks. They're burning one stack at a time. Rotation distributes the burn and extends infrastructure lifespan.

Domain naming: letters, .com or .co, no exceptions

System administrators at enterprise targets actively block unusual TLDs and suspicious-looking domains. Your sending domain should look exactly like a normal company domain a sysadmin would trust at a glance.

• Use: .com, .co, and geo-specific TLDs (.de, .nl, .fr, .uk) for local campaigns
• Avoid: .xyz, .online, .site, .tech, .info, .biz — all flagged by enterprise filters
• Avoid: numbers (company1.com), hyphens (get-company.com) — phishing pattern
• Prefer: variants with letters only (trycompany.com, hqcompany.com, getcompany.com, usecompany.com, joincompany.com)

Your primary domain should never be used for cold sending — the reputation risk is too high. Use purchased look-alike domains on separate infrastructure, and keep your primary domain clean for customer-facing communication.

Two inboxes per domain, not three

Deliverability data from thousands of cold sending setups: two inboxes per domain on Google Workspace outperforms three. More inboxes per domain is not more throughput — it's more risk per domain burn. Fifteen domains with two inboxes each (30 mailboxes) beats ten domains with three inboxes each (30 mailboxes) on deliverability.

Spam words and copy hygiene

Spam word lists are overrated. Framing and infrastructure matter 10x more. That said, don't deliberately pack a message with “free,” “guarantee,” “urgent,” “act now,” or typical sales-y language. Use Mailmeteor's spam checker or Folderly's word checker for a quick sanity pass.

More important than individual words:

• Keep cold emails under 50-60 words (Leadbird copy data consistently shows shorter delivers better)
• Don't include HTML, CSS, or tracking pixels in the first touch — plain text wins
• No links in the first email unless you have an exceptional reason
• One CTA, not three
• Spintax or AI-generated variants across every line to avoid pattern fingerprinting

What we build for clients

A typical deliverability engagement:

• Audit existing domain fleet, auth records, warmup pools, and placement
• Set up multi-ESP, multi-registrar architecture sized to volume
• Configure SPF, DKIM, p=reject DMARC with rua= reporting
• Build rotation schedule (batch 1/2/3) and hot-swap reserve
• Integrate placement testing cadence (every 2 weeks, automated alerts)
• Ingest deliverability metrics into HubSpot alongside sequence and reply data
• Train your team to run the system and diagnose drift

Timeline: four to six weeks from contract to first clean send, depending on domain fleet size and warmup status. We run LinkedIn and cold calling campaigns during warmup so you're not waiting a month for pipeline.