ooligo
ENTRY TYPE · how-to

How to Keep Cold Email Out of Spam in 2026

By Marius Bughiu Last updated 2026-07-05 RevOps

To keep cold email out of spam in 2026 you have to do two separate jobs: pass the authentication checks every major mailbox provider now enforces, and protect the sending reputation those providers score you on. Authentication is a one-time DNS setup — SPF, DKIM, and DMARC on a dedicated sending domain. Reputation is ongoing — warm the domain before you send, keep daily volume low per inbox, and hold your spam-complaint rate under 0.1 percent. Skip either job and Gmail files you in spam; skip authentication entirely and Outlook now rejects the message outright.

The rules stopped being optional in 2024. Google and Yahoo began enforcing bulk-sender requirements in February 2024 for anyone sending more than 5,000 messages a day to Gmail. Microsoft followed for Outlook, Hotmail, and Live addresses, with enforcement starting in May 2025. All three now require the same authentication baseline, so the setup below satisfies every major inbox at once.

Prerequisites

  • A sending domain you control the DNS for. Do not send cold email from your primary brand domain (yourcompany.com). Buy a secondary domain — getyourcompany.com, tryyourcompany.co — so a reputation problem never poisons your corporate mail.
  • Access to your DNS provider (Cloudflare, Namecheap, Route 53).
  • A sending platform that exposes these headers and settings. Smartlead and Instantly both handle authentication setup and per-inbox rotation; a raw SMTP relay works too if you configure the records yourself.
  • A Google Postmaster Tools account and a Microsoft SNDS account for monitoring. Both are free.

Steps

  1. Register a dedicated sending domain and set up mailboxes on it. Point its MX records at your provider (Google Workspace, Microsoft 365, or the sending platform’s inboxes). Plan to scale volume by adding inboxes and domains, not by pushing more mail through one inbox — that is the single biggest lever on deliverability.

  2. Publish an SPF record. Add one TXT record at the domain root listing every service allowed to send for you. For Google Workspace: v=spf1 include:_spf.google.com ~all. Use ~all (softfail), not -all, until you are certain every sender is listed. SPF must exist and pass for the bulk-sender rules; a missing SPF record is an instant fail.

  3. Enable DKIM and publish the key. Turn on DKIM in your provider, then publish the public key as a TXT record at <selector>._domainkey.yourdomain.com. Use a 2048-bit key. DKIM is what survives forwarding, so this is the authentication signal providers weigh most heavily.

  4. Publish a DMARC record. Add a TXT record at _dmarc.yourdomain.com: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com. p=none is the minimum the sender rules require, and it must align — the visible From domain has to match the SPF or DKIM domain. Start at p=none to collect aggregate reports for two weeks, then tighten to p=quarantine and eventually p=reject once the reports show only your legitimate senders passing.

  5. Add one-click unsubscribe to every message. Gmail and Yahoo require RFC 8058 one-click unsubscribe on bulk mail. Your platform must send both headers: List-Unsubscribe: <https://unsub.example.com/u/123>, <mailto:unsub@example.com> and List-Unsubscribe-Post: List-Unsubscribe=One-Click. Process the resulting opt-outs within two days — that window is part of the requirement, not a courtesy. A visible unsubscribe link in the body does not satisfy this; the headers are what mailbox providers check.

  6. Warm the domain before you send a single cold message. A brand-new domain has no reputation, and providers treat sudden volume from an unknown domain as a spam signal. Run automated warmup (Smartlead, Instantly, and dedicated warmup tools all do this) for at least three to four weeks. Ramp from roughly 5 to 10 messages a day per inbox toward 25 to 30, and never raise volume by more than about 20 to 30 percent in a day. Keep a light warmup running even after you go live.

  7. Cap steady-state volume and watch your complaint rate. After warmup, hold each inbox to roughly 50 cold sends a day — practitioner data consistently shows deliverability degrading past that on a single inbox. The hard ceiling that matters is the spam-complaint rate: Google’s threshold is 0.3 percent, but you want to stay under 0.1 percent. At 0.3 percent, Gmail starts filtering you; the gap between 0.1 and 0.3 is your safety margin, not your target.

  8. Monitor from the provider’s side, weekly. Check the spam-rate and domain-reputation dashboards in Google Postmaster Tools and Microsoft SNDS. These show what the provider sees, which is the only score that counts. If reputation dips, cut volume immediately rather than pushing through it.

Success criteria

  • Google Postmaster Tools shows domain reputation “High” or “Medium” and spam rate under 0.1 percent.
  • A test send to a fresh Gmail, Yahoo, and Outlook address lands in the primary inbox, not Promotions or Junk.
  • Your DMARC aggregate reports show 100 percent of legitimate mail passing SPF or DKIM alignment.
  • No 550 5.7.515 rejections in your bounce logs (that code is Microsoft refusing unauthenticated mail).

Common pitfalls

Sending from the primary domain to “look legitimate.” A single spam-trap hit or complaint spike can tank the reputation of the domain your whole company sends from, including invoices and support replies.

Guard: Isolate all cold outreach on secondary domains. Treat them as disposable infrastructure.

Treating warmup as a formality and ramping too fast. Sending 200 messages on day one from a two-week-old domain is the fastest route to a blocklist, and a burned domain rarely recovers — you replace it.

Guard: Enforce the ramp in the tool, not by memory. Cap the daily increase and let the platform throttle you.

Optimizing for volume instead of complaint rate. More sends past the per-inbox ceiling do not produce more meetings once you cross into the spam folder; they produce complaints that follow you.

Guard: Add inboxes and domains to grow volume. Track complaint rate as the primary health metric, ahead of send count.

Setting DMARC to p=none and never advancing. p=none clears the bulk-sender bar but leaves your domain spoofable, which erodes reputation over time.

Guard: Move to p=quarantine or p=reject within a month, after the aggregate reports confirm your legitimate senders all pass.

When to escalate

If reputation stays “Low” after a clean warmup and correct authentication, the problem is usually list quality — you are emailing addresses that bounce or complain. Stop sending, run the list through a verification pass, and remove role accounts and catch-alls before resuming. If 550 5.7.515 rejections persist after your DNS records validate, the alignment is broken: your From domain does not match your DKIM-signing domain. Fix the alignment before sending another batch.

  • Smartlead — cold email platform with built-in warmup, inbox rotation, and authentication setup
  • Instantly — sending platform pairing a lead database with deliverability tooling
  • Email deliverability monitor (n8n) — a flow that watches DMARC failures, complaint rate, and blocklist status and alerts before suppression
  • AI SDR — where cold-outreach volume comes from, and why deliverability is the constraint on autonomous sending