Cold Email Deliverability 2026: Definitive Guide to SPF, DKIM, DMARC, Warmup, and Sender Reputation

Last updated: May 2026 · Category: Sales · Author: Knowlee Team

Conflict of interest disclosure. Knowlee publishes this on its own domain and sells Knowlee 4Sales, a platform that includes email deliverability infrastructure. Where other platforms handle specific deliverability requirements more completely or at better price points, we say so. This is a technical reference guide, not a product pitch.


Cold email deliverability — the percentage of sent messages that arrive in the primary inbox rather than spam, promotions, or the void — has become the single most significant operational constraint on outbound sales performance in 2026. The combination of Google's AI spam filtering (updated in late 2024), Microsoft's Enhanced Sender Protection rollout, and the EU's regulatory attention to unsolicited email has made deliverability maintenance a full-time operational concern for any team sending at meaningful volume.

The good news: deliverability is largely engineering. Unlike reply rates (which depend on the quality of your ICP and messaging), deliverability depends on technical configuration, list hygiene, warmup discipline, and content quality — all of which are controllable. The bad news: the configuration surface has grown, the enforcement is more aggressive, and the failure mode (sender domain reputation collapse) is slow to diagnose and slow to recover from.

This guide maps every layer of the deliverability stack — technical authentication, domain reputation, warmup strategy, list hygiene, content quality, and sending infrastructure — and scores six vendors on how well their platforms support each layer. The goal is a complete reference that an outbound team can act on without having to assemble the knowledge from fifteen different blog posts.

For the compliance dimension of cold email, see /blog/gdpr-compliant-cold-email-2026 and /blog/eu-ai-act-cold-outbound-2026. For the AI SDR context, see /glossary/ai-sdr and /blog/agentic-ai-for-sales-teams-2026.

Layer 1: Technical authentication — SPF, DKIM, DMARC

Technical authentication is the foundation. Without correctly configured SPF, DKIM, and DMARC, your emails fail basic inbox provider checks before content or reputation are even evaluated. These are not optional.

SPF (Sender Policy Framework)

SPF (defined in RFC 7208) is a DNS TXT record that lists which IP addresses and servers are authorised to send email on behalf of your domain. An inbox provider receiving an email from your domain checks the SPF record to verify the sending server is authorised.

Common SPF mistakes:

  • Too many DNS lookups. SPF evaluation is capped at 10 DNS lookups. Every include: mechanism counts toward the limit, and so does each include nested inside the record it points to. Exceeding 10 lookups causes a PermError, which many providers treat as an SPF failure. Use an SPF flattening tool to compress includes into direct IP ranges if you are approaching the limit.
  • Missing sending infrastructure. If your email is routed through a third-party sending platform (Mailgun, SendGrid, Postmark, your AI SDR platform), that platform's sending IPs must be authorised in your SPF record. New platform onboarding is a common source of SPF misalignment.
  • +all or ~all at the end. The SPF record should end with -all (hardfail — reject email from unauthorised senders) for maximum protection. ~all (softfail) is acceptable during migration but should not be a permanent configuration.

Verification: use MXToolbox SPF Check or Google's Workspace email validation to verify your SPF record before sending.
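The lookup limit and the trailing all qualifier described above can be checked before a record is published. The following is an added example, not code from this guide's authors or any vendor: it walks nested includes over constructed zone data (all domain names are hypothetical) and goes beyond include: by also counting a, mx, ptr, exists and redirect, which RFC 7208 places under the same limit.

```python
import re

LOOKUP_LIMIT = 10
# Terms that trigger a DNS query during evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_.-]*)(?:[:=/](.*))?$", re.I)

# Constructed zone data (domain -> SPF TXT record); every name is hypothetical.
ZONE = {
    "sender.example": "v=spf1 include:_spf.esp-one.example include:_spf.esp-two.example "
                      "include:_spf.crm.example mx ~all",
    "_spf.esp-one.example": "v=spf1 include:_a.esp-one.example include:_b.esp-one.example "
                            "include:_c.esp-one.example -all",
    "_a.esp-one.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_b.esp-one.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_c.esp-one.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "_spf.esp-two.example": "v=spf1 include:_pool.esp-two.example a:relay.esp-two.example mx -all",
    "_pool.esp-two.example": "v=spf1 ip4:203.0.113.128/25 -all",
    "_spf.crm.example": "v=spf1 include:_spf.esp-one.example exists:%{i}.allow.crm.example -all",
    "flat.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:_pool.esp-two.example -all",
}


def terms(record):
    """Yield (qualifier, name, argument) for each term after the version tag."""
    for raw in record.split()[1:]:
        match = TERM_RE.match(raw)
        if match:
            qualifier, name, arg = match.groups()
            yield qualifier or "+", name.lower(), (arg or "").lower()


def count_lookups(domain, zone, stack=()):
    """Count DNS-querying terms reachable from the domain's SPF record."""
    record = zone.get(domain, "")
    if domain in stack or not record.lower().startswith("v=spf1"):
        return 0  # include loop or no SPF record: nothing further to walk
    total = 0
    for _, name, arg in terms(record):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and arg:
                total += count_lookups(arg, zone, stack + (domain,))
    return total


def audit(domain, zone):
    """Return the lookup count, the record's own 'all' qualifier, and findings."""
    lookups = count_lookups(domain, zone)
    qualifier = next((q for q, name, _ in terms(zone.get(domain, "")) if name == "all"), None)
    findings = []
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} lookups exceed the limit of {LOOKUP_LIMIT}: PermError")
    if qualifier == "+":
        findings.append("+all authorises every sender")
    elif qualifier == "~":
        findings.append("~all is a softfail; move to -all after migration")
    elif qualifier is None:
        findings.append("no terminating all mechanism")
    return {"lookups": lookups, "all": qualifier, "findings": findings}


if __name__ == "__main__":
    for name in ("sender.example", "flat.example"):
        print(name, audit(name, ZONE))
```

In the constructed zone, sender.example has only three includes at the top level, yet the nested records push it past the limit; flat.example shows the same sender set after partial flattening.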

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every outgoing email, tied to a public key published in your DNS. Inbox providers verify the signature against the DNS key to confirm the email was not modified in transit and was authorised by the domain owner.

Common DKIM mistakes:

  • Key length below 2048 bits. 1024-bit DKIM keys are increasingly flagged by strict inbox providers. Generate 2048-bit keys for all new DKIM configurations.
  • Selector namespace conflicts. If you add multiple sending platforms, each platform needs its own DKIM selector (a unique label in the DNS record). Conflicts between selectors cause authentication failures.
  • Key rotation neglect. DKIM keys should be rotated at least annually. A compromised key cannot be detected by email authentication — only key rotation limits the exposure window.

Verification: use mail-tester.com or DKIM Validator to check DKIM signature validity before a campaign launch.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC (RFC 7489) sits on top of SPF and DKIM. It specifies what action the receiving server should take when either SPF or DKIM fails alignment — and it provides a reporting mechanism that lets you see when emails from your domain are failing authentication.

DMARC policy levels:

  • p=none — monitoring only; no action on failures. Use for initial DMARC deployment to collect reports without disrupting mail flow.
  • p=quarantine — failed messages go to spam. Use once you have confirmed your legitimate mail is passing authentication.
  • p=reject — failed messages are rejected. The strongest protection; also the most disruptive if misconfigured.

2026 inbox provider requirements: Google and Yahoo now require DMARC at minimum p=none for bulk senders (>5,000 emails/day). For cold outbound teams sending at meaningful volume, DMARC at p=quarantine or p=reject is recommended: beyond meeting the requirement, it protects your domain reputation.

DMARC aggregate reports (rua): configure the rua tag with an email address (or a DMARC report aggregation service like Postmark's DMARC Digests or Valimail) to receive weekly XML reports showing which servers are sending email on behalf of your domain and which are passing/failing authentication. This is how you detect spoofing and catch misconfigured sending infrastructure.
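To show what reading such a report involves, here is an added example (not part of the original guide, and not any aggregation service's code) that parses an aggregate report in the RFC 7489 XML layout and labels each sending source. The sample report, the IP addresses and the KNOWN_SENDERS set are constructed; reports arrive from third parties, so a hardened parser such as defusedxml is a reasonable substitute for the standard-library one in production.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report in the RFC 7489 aggregate layout; IPs and domains are placeholders.
SAMPLE_REPORT = """
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>sender.example</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>480</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>sender.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>sender.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.55</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>sender.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.55</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>sender.example</header_from></identifiers></record>
</feedback>
"""

# Assumption: the IPs you believe your own sending platforms use.
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.7"}


def summarise(report_xml, known_senders):
    """Aggregate report rows per source IP and label each source."""
    root = ET.fromstring(report_xml)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # tolerate reporters that add a namespace
    per_ip = defaultdict(lambda: {"messages": 0, "dkim_fail": 0, "spf_fail": 0, "dmarc_fail": 0})
    for row in root.iterfind("record/row"):
        stats = per_ip[row.findtext("source_ip", default="unknown")]
        count = int(row.findtext("count", default="0"))
        dkim_ok = row.findtext("policy_evaluated/dkim") == "pass"
        spf_ok = row.findtext("policy_evaluated/spf") == "pass"
        stats["messages"] += count
        stats["dkim_fail"] += 0 if dkim_ok else count
        stats["spf_fail"] += 0 if spf_ok else count
        # RFC 7489: a message fails DMARC only when neither aligned result passes.
        stats["dmarc_fail"] += 0 if (dkim_ok or spf_ok) else count
    summary = {}
    for ip, stats in per_ip.items():
        if stats["dmarc_fail"]:
            label = "misconfigured-sender" if ip in known_senders else "unauthorised-source"
        elif stats["dkim_fail"] or stats["spf_fail"]:
            label = "partial-alignment"  # passes DMARC today, but one mechanism needs fixing
        else:
            label = "ok"
        summary[ip] = dict(stats, label=label)
    return summary


def safe_to_enforce(summary, known_senders):
    """True when no known sender has mail that quarantine or reject would affect."""
    return all(summary[ip]["dmarc_fail"] == 0 for ip in known_senders if ip in summary)


if __name__ == "__main__":
    result = summarise(SAMPLE_REPORT, KNOWN_SENDERS)
    for ip, stats in sorted(result.items()):
        print(ip, stats)
    print("safe to move past p=none:", safe_to_enforce(result, KNOWN_SENDERS))
```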

Verification: use MXToolbox DMARC Check and Google's Postmaster Tools to validate your DMARC configuration and monitor policy compliance.

Layer 2: Domain and sender reputation

Technical authentication establishes that you are who you say you are. Sender reputation determines whether inbox providers trust that your identity is worth delivering to.

Domain age and history

Newly registered domains have no sending reputation. Inbox providers are more suspicious of email from new domains, particularly new domains that immediately send at volume. The solution: register sending domains at least 60–90 days before the first production campaign, and warm them up during that period.

Secondary domain strategy for cold outbound: Many teams use secondary sending domains (e.g., company-mail.com, trycompany.com) rather than their primary brand domain (company.com) for cold outbound. The rationale: cold outbound carries a higher spam complaint risk than transactional or newsletter email, and reputation damage to a secondary domain is more recoverable than damage to the primary domain that also handles product emails, transactional email, and customer communication. Use a secondary domain that is clearly connected to your brand but distinct from the primary.

IP reputation

If you are using a shared sending pool (common with Mailgun, SendGrid, and most AI SDR platforms on standard plans), your email is sent from IP addresses shared with many other senders. A neighbour sender with a high spam complaint rate affects your deliverability. The mitigation: dedicated IPs (available on higher-tier plans of most sending platforms) or platforms that manage pool reputation carefully.

Dedicated IP warmup: A new dedicated IP has no reputation. It must be warmed up gradually — starting with a small volume of high-engagement email (transactional, newsletter) and increasing volume slowly over 4–8 weeks before running cold outbound at target volume.

Spam complaint rate

Google Postmaster Tools provides a daily complaint rate metric for your domain. The 2026 Google threshold: keep complaint rates below 0.10% for sustained sending. Exceeding 0.30% triggers deliverability degradation. Microsoft publishes similar guidance.

How AI SDR platforms affect complaint rates: AI-generated email that is poorly targeted (wrong ICP, irrelevant signal, generic personalisation) generates higher complaint rates than well-targeted human-written email. The deliverability cost of poor ICP definition is higher in AI SDR deployments than in human SDR deployments because AI sends at higher volume and cannot read the social signals that tell a human SDR "this prospect is likely to hit spam."

Layer 3: Email warmup — the correct approach

Email warmup is the process of establishing reputation for a new sending domain or IP by starting with low volume, high-engagement sends and gradually increasing volume as the inbox provider's systems register positive engagement signals.

What warmup actually does: inbox providers classify senders based on historical engagement — open rate, reply rate, move-to-inbox rate, complaint rate. A new sender with no history is classified as unknown and subject to higher spam scrutiny. Warmup creates a track record of positive engagement that moves the sender from unknown to known-good.

Warmup timeline:

  • Week 1–2: 20–50 emails/day, high expected engagement (internal recipients, opted-in contacts, newsletter subscribers).
  • Week 3–4: 100–200 emails/day, expanding to warm contacts.
  • Week 5–8: 300–500 emails/day, beginning first cold outbound to highest-fit ICP contacts.
  • Week 9–12: Target volume, with careful monitoring of complaint rates and bounce rates.

Automated warmup platforms: Services like Mailivery, Warmy.io, and Lemwarm (Lemlist's warmup product) create artificial warmup by exchanging emails between a network of seed accounts and marking them as not-spam. This creates warmup signals without real recipients. The approach works to establish initial reputation but does not substitute for genuine engagement — inbox providers are increasingly detecting and discounting automated warmup patterns. Use automated warmup as a floor, not a ceiling.

The right warmup signal mix: genuine replies and forwards are the highest-value engagement signal. Warmup networks generate opens, which are a weaker signal. Where possible, supplement automated warmup with real engagement: onboarded customers, opted-in prospects who receive a high-value newsletter, internal teams. The warmup period is the right time to send your best content — the content with the highest expected open and reply rate.

Layer 4: List hygiene

List hygiene — maintaining the quality and validity of your prospect list — is the deliverability input that outbound teams most consistently underinvest in.

Bounce rate management: Hard bounces (non-existent email addresses, rejected by server) above 2–3% per campaign signal poor list quality to inbox providers. Soft bounces (temporary delivery failures, full mailboxes) above 5–8% indicate structural list issues. Both rates should trigger list review.

Email validation before sending: Validate email addresses before adding them to your sending sequence. Email validation APIs (ZeroBounce, NeverBounce, Hunter's verification) check whether an address is syntactically valid, whether the domain exists and has MX records, and whether the specific mailbox is reachable. Validation does not eliminate bounces (mailboxes go dark after validation), but reduces them materially.

Catch-all domain handling: Some company domains are configured as catch-alls — they accept email to any address at the domain regardless of whether the specific mailbox exists. Catch-all addresses cannot be verified by standard email validation tools. Sending to catch-all domains at high volume inflates soft bounce rates. Filter catch-alls into a lower-volume, lower-cadence segment rather than treating them as standard verified contacts.

Suppression list maintenance: Every email sent should check against a suppression list of addresses that have previously bounced, opted out, or generated spam complaints. The suppression list must be maintained across campaigns — a contact who unsubscribed in campaign A must not receive campaign B. AI SDR platforms that do not enforce cross-campaign suppression create both deliverability risk (complaint rate increases) and GDPR compliance risk.

Re-engagement cadence: Contacts who have not opened or replied across multiple campaigns reduce your engagement rate and harm sender reputation. Segment non-responders after 3–4 touches and either (a) move them to a very low-cadence "check-in" sequence or (b) remove them from active sending. Continuing to send high-cadence email to contacts with zero engagement is one of the most common sources of deliverability decline.

Layer 5: Content quality and spam filter signals

The content of each email — the subject line, the body, the links, the structure — is evaluated by spam filters and by inbox providers' AI classification systems. In 2026, Google's spam classification runs on an LLM-based model that reads email content holistically, not just for keyword patterns.

Subject line hygiene:

  • Avoid spam trigger words: "FREE", "GUARANTEED", "NO RISK", "ACT NOW", "CLICK HERE". These patterns are associated with high-complaint email in the filters' training data.
  • Avoid excessive punctuation: "!!!", "???" signal low-quality senders.
  • Avoid all-caps subject lines.
  • Personalised subject lines (including the contact's name, company, or a specific trigger event) perform better on both engagement and classification.

Body content:

  • Text-to-image ratio: emails that are mostly images with minimal text are flagged as potentially hiding content from spam filters. Cold outbound should be primarily text.
  • Link count: more than 2–3 links in a cold email raises spam risk. Each link should be on a domain with good reputation. URL shorteners (bit.ly, etc.) on cold email are heavily flagged — use full links.
  • HTML vs plain text: plain-text or minimal-HTML cold emails typically outperform heavy HTML templates on deliverability. Cold outbound is not newsletter design.
  • Personalisation quality: generic personalisation ("I saw your company is growing") performs worse than specific signal-triggered personalisation ("I noticed you posted a job for a RevOps Manager last week") on both engagement and spam classification — because spam filters are increasingly good at detecting templated low-quality content.

Unsubscribe mechanism: Google requires an unsubscribe link in bulk emails. For cold outbound, including an unsubscribe link in the first email is both a compliance best practice (GDPR) and a deliverability practice — contacts who would have hit spam can instead unsubscribe, reducing complaint rate.

Layer 6: Sending infrastructure and sending patterns

How you send — not just what you send — affects deliverability.

Sending volume ramp per domain: Even on a warmed domain, avoid large single-day volume spikes. Inbox providers track day-to-day sending pattern changes. Doubling volume overnight is a spike signal. Ramp volume increases by 20–30% per week.

Sending time distribution: Distribute sends throughout the business day rather than batch-launching at 9am. Concentrated batch sends from a single domain at a single time are a spam pattern signal.

Reply-to configuration: Cold email should use a reply-to address on the same domain as the from address, or a clearly related subdomain. Mismatched from/reply-to domains are a spam signal.

SMTP vs API sending: For cold outbound at scale, API-based sending (via a managed sending platform) is more reliable than SMTP relay and provides better bounce handling, delivery tracking, and feedback loop integration.

Vendor comparison on deliverability infrastructure

| Capability | Knowlee 4Sales | Smartlead | Lemlist | Instantly | Mailshake | Mixmax |
|---|---|---|---|---|---|---|
| SPF/DKIM/DMARC setup guidance | Native wizard | Native wizard | Native wizard | Native wizard | Native wizard | Partial (via docs) |
| Automated warmup | Native | Native | Native (Lemwarm) | Native | Partial | Buyer-responsible |
| Bounce rate monitoring + auto-suppression | Native | Native | Native | Native | Native | Partial |
| Cross-campaign suppression | Native | Partial | Partial | Partial | Partial | Buyer-responsible |
| Complaint rate monitoring (Postmaster integration) | Native | Partial | Partial | Partial | Buyer-responsible | Buyer-responsible |
| Dedicated IP option | Partial (via infrastructure config) | Not available | Not available | Not available | Not available | Not available |
| Plain-text sending optimisation | Native | Native | Partial | Native | Native | Partial |
| GDPR suppression list propagation | Native | Buyer-responsible | Partial | Buyer-responsible | Buyer-responsible | Buyer-responsible |

Notes:

Smartlead and Instantly are strong on pure deliverability infrastructure for high-volume cold outbound — their warmup networks are mature, their bounce handling is reliable, and their sending pattern management is well-designed. Their weakness is the compliance layer: cross-campaign suppression and GDPR-compliant data handling require buyer configuration rather than being native.

Lemlist's Lemwarm product is the most mature standalone warmup offering and integrates well with the Lemlist sending platform. The cross-campaign suppression gap is a compliance risk for EU senders.

Mailshake is adequate for lower-volume cold outbound but lacks the deliverability monitoring depth of Smartlead or Instantly at higher volumes.

Knowlee 4Sales focuses on the governance and compliance layer (cross-campaign suppression, GDPR, AI Act audit trail) alongside deliverability infrastructure. For very high-volume cold outbound (100K+ sends/week), Knowlee 4Sales can be configured with a dedicated sending infrastructure layer that combines Postmark or Mailgun for delivery with Knowlee's governance controls on top.

For the full vendor comparison including pricing and use-case fit, see /compare/4sales-vs-amplemarket, /compare/4sales-vs-zeliq, and /compare/knowlee-vs-clay.

Diagnosing deliverability problems: a systematic approach

When deliverability declines — open rates fall, the ratio of meetings booked per send drops, replies become sparse — the diagnostic sequence is:

  1. Check Google Postmaster Tools for your sending domain: spam rate trend, IP reputation, domain reputation, feedback loop data. If spam rate is above 0.10%, there is a complaint volume problem — likely a list hygiene or targeting quality issue.

  2. Check MXToolbox for SPF, DKIM, and DMARC configuration. Authentication failures produce immediate inbox rejection; they are the first thing to rule out.

  3. Run a seed list test using a tool like GlockApps or Mail-Tester. Send your standard cold email template to a seed list of real mailboxes at Gmail, Outlook, Yahoo, and major European providers. Review where the email lands (primary, promotions, spam) and which providers are failing it.

  4. Audit bounce rates for the last 30 days of campaigns. Hard bounce rates above 2% signal list quality problems. Identify the data source of the bouncing contacts and either validate or remove them.

  5. Review content using a spam score checker (SpamAssassin, Mail-Tester). If the email is triggering rule-based spam filters, revise the template.

  6. Check for blacklisting using MXToolbox Blacklist Check. If your sending IP or domain is on a blacklist, the path is delisting — which requires contacting the blacklist operator and demonstrating the spam issue is resolved.

  7. Review cross-campaign suppression. Confirm that opt-outs and bounces from previous campaigns are excluded from the current campaign's send list.

Frequently asked questions

What is the most common deliverability mistake outbound teams make?

Sending at volume to an unwarmed domain or IP. Teams that purchase a new domain, configure SPF/DKIM/DMARC, and immediately send 500 emails per day to cold contacts will hit spam at high rates because there is no reputation established. The warmup period (8–12 weeks for a new domain, with gradually increasing volume) is not optional — it is the investment that makes the subsequent sending viable.

How many emails can we send per domain per day without hurting deliverability?

After a full warmup period, 150–300 emails per day per domain is a conservative safe range that most practitioners use for cold outbound. Some well-aged domains with strong reputation can sustain higher volumes, but the risk of reputation damage increases with volume. The standard practice for high-volume outbound is to use multiple sending domains (each warmed separately), rotating volume across them.

Does AI-generated personalisation help or hurt deliverability?

High-quality AI-generated personalisation (grounded in specific, observable signals unique to each contact) helps deliverability by improving engagement rates, which are a positive sender reputation signal. Low-quality AI-generated personalisation (generic openers that are technically personalised but obviously templated) hurts deliverability by producing low engagement and potentially higher complaint rates. The deliverability outcome of AI personalisation depends entirely on the quality of the ICP and the quality of the signal driving the personalisation. Use /tools/cold-email-scorer to score your templates before sending.

Should we use Google Workspace, Microsoft 365, or a dedicated ESP for cold outbound?

For cold outbound specifically, using your primary Google Workspace or Microsoft 365 account is not recommended for high-volume sending. Both platforms have sending limits and terms of service that apply to automated bulk sending. The recommended approach: use secondary domains with a dedicated email sending platform (Mailgun, Postmark, SendGrid, or the sending infrastructure built into your AI SDR platform) for cold outbound, reserving Google Workspace and Microsoft 365 for human-led and transactional email.

What is the right DMARC policy level for a new sending domain?

Start with p=none to collect reports without disrupting mail flow. Monitor the DMARC aggregate reports for 4–8 weeks to confirm all legitimate sending infrastructure is passing authentication. Then move to p=quarantine. After another monitoring period, move to p=reject for maximum protection. Do not rush to p=reject before you have confirmed all authorised sending sources are properly authenticated.

How do we recover from a blacklisting?

First, identify the blacklist operator (MXToolbox lists all active blacklists for a given IP or domain). Second, stop sending from the blacklisted infrastructure immediately. Third, diagnose why the blacklisting occurred — spam complaints, spam trap hits, or bounce rate. Fourth, fix the root cause. Fifth, apply for delisting through the blacklist operator's process (most have a self-service delisting form). Recovery time varies: some blacklists delist within 24–48 hours; others have waiting periods. The Spamhaus DBL (Domain Block List) and Microsoft SNDS are the most consequential for cold outbound deliverability.

Conclusion

Cold email deliverability in 2026 is not a set-and-forget configuration. It is an operational discipline that requires consistent monitoring of complaint rates, bounce rates, and domain reputation; technical authentication maintained across all sending platforms; list hygiene maintained across all campaigns; warmup discipline for new sending domains and IPs; and content quality controlled at the template and personalisation level.

The AI SDR era has raised the stakes: AI systems send at higher volumes and faster cadences than human SDRs, which means deliverability problems materialise faster and at larger scale when they occur. The teams that win on cold email deliverability in 2026 are the ones that treat it as infrastructure — invested in upfront, monitored continuously, and governed with the same seriousness as the ICP and messaging strategy.

Use /tools/cold-email-scorer to score your current setup and /tools/gdpr-cold-email-checker to validate the compliance layer before your next campaign.
