DELIVERABILITY
Cold email deliverability
guide 2026
You can write the best cold email in the world. If it lands in spam, nobody reads it. Here's how deliverability actually works.
15 min read01
What deliverability actually means
Deliverability is not about whether your email was sent. It's about whether it reached the inbox. Industry benchmarks consistently show roughly 1 in 6 legitimate emails never reaches the inbox — an 83–84% average inbox placement rate across major providers.
The metric you care about is inbox placement rate — what percentage of your sends actually land in the primary inbox, not promotions, not spam, not the void. Open rate does not measure this accurately. An email in the promotions tab that gets opened registers the same as an email in the primary inbox.
2026 enforcement change
Since February 2024, Gmail and Yahoo require SPF, DKIM, and DMARC for any sender sending more than 5,000 emails/day. Domains without all three in place face bulk delivery — or outright rejection. This is now table stakes, not a nice-to-have.
02
The authentication stack
Authentication is the foundation. Without it, nothing else matters. Three records work together to prove that your email is legitimate and wasn't tampered with in transit.
SPF (Sender Policy Framework)
A DNS record that tells receiving mail servers which IP addresses are allowed to send email on behalf of your domain. If an email arrives from an IP not on your SPF list, it fails the check.
DKIM (DomainKeys Identified Mail)
A cryptographic signature attached to every outgoing email. The receiving server checks the signature against a public key in your DNS. If the email was altered in transit, the signature fails.
DMARC (Domain-based Message Authentication)
A policy that ties SPF and DKIM together and tells mail servers what to do when authentication fails — nothing (p=none), quarantine, or reject. DMARC also provides aggregate reports so you can see what's failing.
All three are required. SPF alone isn't enough. DKIM alone isn't enough. DMARC without DKIM is misconfigured. See the SPF, DKIM, and DMARC setup guide for exact configuration steps.
Check your DNS records → DNS Health Checker
03
Domain and inbox setup
The most common way operators burn their reputation is sending cold email from their primary business domain. When that domain gets flagged — and it will, if you're doing volume — it takes your transactional email, customer correspondence, and brand reputation with it.
Never send cold email from your primary domain
Register dedicated sending domains. For a company at acme.com, consider acme-mail.com, getacme.com, or tryacme.io.
Use Google Workspace or Microsoft 365
These platforms have the sending infrastructure and IP reputation that inbox providers trust. Free email services (Outlook.com personal, Gmail personal) are not appropriate for cold outreach.
One inbox = max 50 cold emails per day
Exceeding this volume on a single inbox risks triggering rate limits and spam filters. Spread volume across multiple inboxes using inbox rotation.
One inbox per sending domain
Multiple inboxes per domain create SPF lookup complexity. Keep it clean: one domain per inbox, unless you're using a service specifically designed for multi-inbox domains.
04
Warmup
Inbox warmup is the process of gradually building send volume and reputation for a new inbox. Mail servers make reputation judgements based on sending history. An inbox that suddenly sends 200 emails on day one looks like a spam account — because it usually is.
Warmup tools work by sending small volumes of real email between pools of inboxes, building a positive send/receive/reply history. The inbox develops a reputation before cold outreach begins.
A standard warmup schedule
Never skip warmup for a new inbox. Even if you're in a hurry. The cost of a burned inbox — lost reputation, blocked campaigns, domain-level blacklisting — far exceeds the cost of four weeks of patience.
05
List quality
Bounce rate is one of the most powerful reputation signals available to inbox providers. A high bounce rate tells a mail server that you're sending to addresses you haven't verified — a pattern consistent with scraped, purchased, or outdated lists.
Below 2%
Safe zone
2–3%
Caution
Above 3%
Danger zone
Verify every list before you send. Three-tier verification — format check, MX record lookup, and live SMTP probe — removes addresses that will hard bounce. Risky or unverifiable addresses should be excluded, not attempted.
One high-bounce campaign can set back your reputation for weeks. The damage isn't limited to the inbox that sent it — in some cases, domain-level reputation carries across all inboxes on that domain.
Check if your domain is blacklisted → Blacklist Checker
06
Sending behaviour
How you send matters as much as what you send. These patterns collectively signal to inbox providers whether your sending looks human or automated.
Volume limits per inbox
50 cold emails per inbox per day maximum. Spread volume across multiple inboxes rather than pushing a single inbox beyond its safe limit.
Send time randomisation
Human beings don't send emails at 09:00:00.000 exactly. Add random delays between sends — 3–8 minutes between each email is a common pattern. Batch sends look automated.
Inbox rotation
Distribute campaign sends across all connected inboxes automatically. This reduces per-inbox volume, spreads reputation risk, and avoids single-inbox burnout.
Plain text over heavy HTML
Cold email is personal, not promotional. Plain text or minimal HTML formatting reads as human. Branded headers, multiple images, and marketing-style layouts register as bulk email.
07
When deliverability breaks
Deliverability problems usually appear gradually before they become catastrophic. These are the warning signs and the diagnosis steps.
Symptoms:
Diagnosis checklist:
ForgeSend checks all of this before you send
The pre-send guardrail checklist validates SPF, DKIM, DMARC, warmup status, and list quality before any campaign goes live. If something fails, the send is blocked — not warned. Blocked.
Start free trial →