I built the infrastructure that delivers 50M+ emails monthly across 3,000+ domains at MailDeck, maintaining 98% inbox placement for 1,631+ clients. Every domain goes through the same audit before a single cold email leaves the server. This article gives you that exact checklist.
Below is a 15-point cold email deliverability checklist you can copy, paste, and run before every campaign. After the checklist, I break down the infrastructure factors that have the highest impact on inbox placement, and share the operational protocols we use to keep deliverability stable at scale.
The 15-Point Cold Email Deliverability Checklist
Copy this checklist and run through it before launching any cold email campaign. Each item includes the specific threshold or pass/fail criteria we use across MailDeck's 3,000+ domains.
DNS and Authentication (Items 1-5)
1. SPF Record: Single, Valid, Properly Terminated
- [ ] Only ONE SPF record exists on the domain (check with
dig TXT yourdomain.com) - [ ] Record ends with
-allor~all(never+all) - [ ] Total DNS lookups in the SPF chain stay under 10
- [ ] Record length stays under 255 characters per string
Why this matters: 23% of the 1,000+ domains we audited had multiple SPF records. Having two SPF records on one domain doesn't merge them. It invalidates SPF entirely. Every email from that domain fails authentication silently.
2. DKIM: Enabled and Signing
- [ ] DKIM record is published in DNS for the correct selector
- [ ] Outgoing emails carry a valid DKIM signature (verify by sending a test email and checking headers)
- [ ] DKIM key is 2048-bit (1024-bit keys are deprecated by most providers)
Why this matters: 11% of audited domains had DKIM either not enabled or configured with the wrong selector. Without DKIM, your emails lack cryptographic proof of origin. Receiving servers treat unsigned emails with suspicion, especially at high volume.
3. DMARC: Published and Enforcing
- [ ] DMARC record exists on the domain (
_dmarc.yourdomain.com) - [ ] Policy is set to
p=quarantineorp=reject(notp=nonefor production sending) - [ ]
ruareporting email address exists and receives aggregate reports
Why this matters: 19% of audited domains had no DMARC record at all. Another 9% were stuck on p=none, which tells receiving servers "do nothing if authentication fails." Google and Microsoft increasingly penalize domains without DMARC enforcement. Starting with p=none for initial monitoring is fine, but move to p=quarantine within 2 weeks of confirming SPF and DKIM pass consistently.
4. MX Records: Present and Reachable
- [ ] At least one MX record points to a valid mail server
- [ ] The mail server responds and accepts connections on port 25
Why this matters: 2% of audited domains were missing MX records entirely. A domain without MX records looks abandoned to receiving servers. Some ESPs reject outbound mail from domains with no MX, and many spam filters add negative scoring.
5. Custom Tracking Domain (if using link tracking)
- [ ] Tracking domain is a subdomain of your sending domain (e.g.,
track.yourdomain.com) - [ ] CNAME record is properly configured and propagated
- [ ] You are NOT using your sequencer's default shared tracking domain
Why this matters: Shared tracking domains are used by thousands of senders. If one sender on that shared domain gets flagged, every sender using it inherits the penalty. For Outlook sends, our recommendation is stronger: skip link tracking entirely. Outlook checks embedded links before delivery, and tracking URLs spike spam detection.
Infrastructure and IP Configuration (Items 6-8)
6. Inbox Type Matches Your Target Audience
- [ ] Identify your ICP's primary email provider (Gmail-heavy, Outlook-heavy, or mixed)
- [ ] Select inbox infrastructure that delivers best to that provider
- [ ] Verify your sending IPs belong to official provider pools (Microsoft or Google) or are dedicated IPs with clean history
| Inbox Type | IP Reputation | Best For | Deliverability Rank |
|---|---|---|---|
| Google Workspace | Official Google IP pools | C-suite, enterprise, high-ACV deals | #1 Best |
| Microsoft 365 Premium | Official Microsoft IP pools | High-volume bulk sends, SMB/mid-market | #2 Excellent |
| Microsoft 365 Normal | Official Microsoft IP pools | Budget bulk sends | #3 Good |
| Private SMTP | Dedicated IP (built from scratch) | Volume buffer, testing new angles | #4 Variable |
Why this matters: Infrastructure determines roughly 60% of your deliverability outcome. Google Workspace and Microsoft 365 inboxes inherit established sender reputation from official IP pools that are whitelisted by virtually every receiving server. Private SMTP starts with zero reputation and takes 3-4 weeks of warmup to build trust.
One Australian consulting agency we work with was sending everything through SMTP and hitting 72% inbox placement. After diversifying across all three infrastructure types at MailDeck with a 50/30/20 ratio (Outlook/SMTP/Google), their inbox placement stabilized at 96% within 3 weeks. That consistency helped them grow from $70K MRR to $95K MRR because they could finally maintain even sending volume without deliverability swings across all three channels.
7. Infrastructure Diversification
- [ ] Sending volume is distributed across at least 2 infrastructure types
- [ ] No single provider carries more than 60% of total volume
- [ ] 50% of total sending capacity is kept as warm reserve
| Layer | Provider | Allocation | Purpose |
|---|---|---|---|
| Primary (50%) | Microsoft 365 Outlook | 50% of volume | High-trust bulk, fast warmup, bulletproof Microsoft IPs |
| Volume (30%) | Private SMTP | 30% of volume | Cheap buffer, absorbs spikes, protects primary inboxes |
| Premium (20%) | Google Workspace | 20% of volume | Highest deliverability for best segments and C-suite ICPs |
Why this matters: Relying on a single infrastructure type creates a single point of failure. If Microsoft throttles your tenant or your SMTP IP gets blacklisted, your entire operation stops. Diversification means one provider going down never kills more than a portion of your volume. The warm reserve absorbs the overflow while you fix or replace the affected infrastructure. Based on MailDeck platform data from 1,631+ clients, operations running a diversified stack experience 40-60% fewer total campaign interruptions compared to single-provider setups.
8. IP and Domain Blacklist Check
- [ ] Sending IP is not listed on Spamhaus, Barracuda, SORBS, or URIBL
- [ ] Sending domain is not listed on any major domain blacklist
- [ ] Check using MXToolbox Blacklist Check or Spamhaus Lookup
Why this matters: A single blacklist entry can drop inbox placement by 20-40% overnight. Google Workspace and Microsoft 365 users rarely face IP-level blacklisting because they send from official provider pools. SMTP users need to check weekly because dedicated IPs have no inherited trust to buffer a blacklist hit.
Warmup and Sending Limits (Items 9-11)
9. Warmup Completed Before Cold Sending
- [ ] Warmup has run for the minimum required period for your inbox type
- [ ] Daily warmup emails are at target volume
- [ ] Reply rate from warmup pool is 30-35%
- [ ] You are using a trusted warmup pool (Smartlead Premium, Instantly, or Pipl.ai)
| Inbox Type | Minimum Warmup | Ideal Warmup | Daily Ramp-Up |
|---|---|---|---|
| Google Workspace | 15 days | 20-25 days | 2-3 emails/day increase |
| Outlook Premium | 3-5 days | 10-14 days | 2 emails/day increase |
| Outlook Normal | 5-7 days | 10-14 days | 2 emails/day increase |
| Private SMTP | 3-4 weeks | 6+ weeks | Gradual, provider-dependent |
Why this matters: Skipping warmup or using a low-quality warmup pool is worse than no warmup at all. Bad warmup pools contain spam traps and recycled addresses that actively damage your sender reputation. We have seen domains go from clean to blacklisted within 5 days of using an untrusted warmup provider. Based on MailDeck infrastructure data, Q2 2026.
10. Per-Inbox Sending Limits Enforced
- [ ] Cold email volume per inbox stays within safe daily limits
- [ ] Total email volume (cold + warmup) does not exceed provider thresholds
- [ ] Minimum interval between sends is 61+ minutes per inbox
| Inbox Type | Cold Sends/Day/Inbox | Warm Sends/Day/Inbox | Max Total/Day/Inbox |
|---|---|---|---|
| Google Workspace | 18-22 | 20-22 | 40-44 |
| Outlook Premium | 8-10 | 8-12 | 16-22 |
| Outlook Normal | 3-5 | 5-8 | 8-13 |
| Private SMTP | 11-14 | 12-15 | 23-29 |
Why this matters: Exceeding per-inbox limits triggers throttling at the provider level. Microsoft 365 is particularly aggressive: crossing the threshold can silently route your emails to junk for 24-72 hours without any bounce notification. Recovery requires reducing volume below 50% of your limit for 2-4 weeks. The 61-minute minimum interval between sends from the same inbox prevents burst-pattern detection, which is one of the first signals spam filters look for.
11. Domain-Level Volume Within Safe Range
- [ ] Total sends per domain per day stays within provider capacity
- [ ] Volume is distributed evenly across inboxes on each domain (no single inbox carrying disproportionate load)
| Provider | Inboxes/Domain | Sends/Day/Domain | Sends/Month/Domain |
|---|---|---|---|
| Google Workspace | 5 | ~100 | ~2,000 |
| Outlook Premium | 100 | ~900 | ~18,000 |
| Outlook Normal | 100 | ~400 | ~8,000 |
| Private SMTP | 5 | ~65 | ~1,300 |
Why this matters: Even if each inbox stays within its individual limit, concentrating too many inboxes or too much volume on one domain accelerates domain burn. Google Workspace domains with 5 inboxes each sending 20 emails/day put 100 sends through a single domain. That's the safe ceiling. Push beyond it, and the domain starts accumulating negative signals faster than warmup traffic can offset them.
Email Content and List Quality (Items 12-14)
12. Email Copy Passes Spam Filter Review
- [ ] Plain text only (no HTML formatting, no images)
- [ ] Body is 25-50 words maximum
- [ ] No links in the email body (especially for Outlook sends)
- [ ] No open tracking or click tracking pixels
- [ ] No spam trigger words ("free," "guarantee," "limited time," "act now")
- [ ] Spintax applied every 2-3 words for Outlook sends
- [ ] Subject line is casual and conversational (no corporate templates)
- [ ] Test email scored 9+ on Mail-Tester
Why this matters: Email content is the deliverability factor you control directly in every campaign. Links are the number one spam trigger for cold emails. Open tracking pixels tell receiving servers the email is automated. MailDeck platform data from 270M+ cold emails shows that plain text emails with zero links consistently outperform HTML emails on inbox placement by 15-25%. For Outlook specifically: treat it like SMS. Text only, 50 words max, zero financial language.
13. Email List Verified and Cleaned
- [ ] Every address verified through EmailShield before import
- [ ] Catch-all domains flagged and handled separately (lower volume, separate inbox pool)
- [ ] Role-based addresses removed (info@, support@, sales@)
- [ ] Bounce rate from previous campaigns on this list is below 3%
- [ ] List age is under 90 days (addresses go stale)
Why this matters: A bounce rate above 7% triggers domain-level penalties at most providers. Even a 4-5% bounce rate sustained over multiple campaigns accumulates negative sender reputation. Catch-all domains accept every email regardless of whether the address exists, which inflates your apparent delivery rate while many of those emails go nowhere. Separating catch-all traffic onto dedicated inboxes protects your primary sending infrastructure from hidden bounces.
14. Unsubscribe Mechanism in Place
- [ ] One-click unsubscribe header is present (RFC 8058 compliant)
- [ ] Unsubscribe link is functional and processes requests within 48 hours
- [ ] Suppression list is synced across all sending tools and campaigns
Why this matters: Google and Microsoft enforce bulk sender rules requiring one-click unsubscribe for all commercial email. As of May 2025, Microsoft joined Google in requiring this. Missing the unsubscribe header does not just risk spam complaints. It can get your entire sending domain blocked at the provider level. Spam complaint rate must stay below 0.3%. Every complaint that could have been an unsubscribe instead is a preventable hit to your domain reputation.
Ongoing Monitoring and Domain Rotation (Item 15)
15. Monitoring Dashboard Active and Domain Rotation Plan in Place
- [ ] Google Postmaster Tools connected for all sending domains
- [ ] Inbox placement tests running weekly (send to seed accounts across Gmail, Outlook)
- [ ] Bounce rate, spam complaint rate, and open rate tracked per domain per day
- [ ] Domain burn thresholds defined and alert triggers set
- [ ] 20-25% of active domain count held as warmed reserves
- [ ] Replacement timeline documented: same day with pre-warmed reserves, 7-10 days without
Domain Burn Thresholds (rotate or rest the domain when any of these hit):
| Metric | Warning Threshold | Rotate Immediately |
|---|---|---|
| Spam complaint rate | Above 0.2% | Above 0.3% |
| Bounce rate | Above 5% | Above 7% |
| Open rate | Below 15% for 5 days | Below 10% for 7 days |
| Google Postmaster reputation | "Low" | "Bad" |
Why this matters: At enterprise scale (100K+ emails/month), 10-20% of domains burn monthly. Domain lifespan under active cold email load is 45 days to 2 months. Without warmed reserves, a burned domain means 7-10 days of lost capacity while a replacement warms up. With reserves, you swap in a fresh domain same day and keep volume stable. Monitor daily. By the time you notice deliverability has dropped "for a while," the domain has likely been accumulating damage for weeks. Based on MailDeck data from 3,000+ domains under active management.
Infrastructure Factors That Impact Deliverability the Most
Not all deliverability factors carry equal weight. Here is the hierarchy based on what we see across 50M+ emails monthly at MailDeck. Each layer builds on the one below it. Fixing a higher layer without the foundation in place produces minimal improvement.
Factor 1: IP Reputation (Inherited vs. Built)
The IP address your email originates from carries a reputation score with every receiving server. This is the single most impactful deliverability factor because it is evaluated before any other signal.
Google Workspace sends from official Google IP pools. Microsoft 365 sends from official Microsoft IP pools. These pools carry decades of legitimate email history. Billions of non-spam emails flow through them daily. Receiving servers trust these IPs by default.
Private SMTP sends from dedicated IPs assigned to your server. These IPs start with zero history. Building trust from scratch takes 3-6 weeks of consistent, low-volume, high-engagement sending. One misstep during that period can set the IP back to baseline.
| IP Source | Trust Level at Launch | Time to Full Reputation | Risk of IP-Level Block |
|---|---|---|---|
| Google official pools | Highest (inherited) | Immediate | Near zero |
| Microsoft official pools | Very high (inherited) | Immediate | Near zero |
| Dedicated SMTP IP | Zero (built from scratch) | 3-6 weeks | Moderate (depends on sending behavior) |
This is why infrastructure selection matters more than any other deliverability optimization. You can have perfect DNS records, clean lists, and flawless copy. If your IP has no reputation or a damaged one, your emails still land in spam.
Factor 2: DNS Authentication Chain
SPF, DKIM, and DMARC form a three-layer authentication chain. Each layer serves a different purpose, and all three must pass for maximum deliverability.
```
SPF: "Is this server authorized to send for this domain?"
DKIM: "Was this email modified in transit?"
DMARC: "What should I do if SPF or DKIM fails?"
```
The most dangerous DNS errors are the silent ones. A domain with two SPF records does not throw errors. It simply fails SPF validation on every email, and most senders never check because outbound volume looks normal. Our audit of 1,000+ domains ranked the errors by frequency:
| DNS Error | Frequency | Impact |
|---|---|---|
| Multiple SPF records on one domain | 23% | Complete SPF failure on every email |
| No DMARC record | 19% | Receiving servers apply their own policy (usually junk) |
| SPF ending with +all | 14% | Allows anyone to send as your domain (spoofing risk) |
| Exceeding 10 DNS lookups in SPF | 12% | SPF permerror, treated as fail |
| DKIM not enabled | 11% | No cryptographic proof of origin |
| DMARC stuck on p=none | 9% | No enforcement, authentication failures go unpunished |
| Wrong DKIM selector | 4% | DKIM fails silently |
| SPF record over 255 characters | 3% | Record truncation, unpredictable behavior |
| Missing MX records | 2% | Domain looks abandoned |
| DMARC rua email doesn't exist | 1% | No aggregate reports, blind to failures |
Run your domain through MXToolbox SPF Check and EasyDMARC Domain Scanner before sending a single cold email. These tools catch the issues in the table above in under 60 seconds.
Factor 3: Sending Patterns and Volume Control
Spam filters analyze sending behavior in patterns, not individual emails. A sudden spike from 50 emails/day to 500 emails/day triggers the same alarm as a compromised account. Consistent, predictable volume signals legitimate use.
The critical patterns spam filters watch for:
- Volume spikes: Any increase greater than 30% day-over-day triggers review at most providers
- Burst sending: Multiple emails from one inbox within minutes (maintain 61+ minute intervals)
- Weekday-only sending: Real business email flows 7 days a week. Sending only Monday-Friday at exactly 9am looks automated
- Identical content: Sending the same email body to hundreds of recipients without variation
The right sending cadence treats each inbox as an individual sender. At MailDeck, clients send 3-5 cold emails per inbox per day (Normal Outlook) or 8-10 per day (Premium) with randomized intervals and spintax variation on every message. This pattern mimics natural human sending behavior at scale.
Factor 4: Domain Age and History
New domains carry no reputation. Most spam operations use freshly registered domains and burn through them. Receiving servers know this pattern. A brand-new domain sending cold email in its first week receives extra scrutiny regardless of IP reputation or DNS configuration.
Best practices for domain age:
- Register domains 2-4 weeks before you plan to start warmup
- Set up a basic landing page (a single page with your company name and contact info is sufficient)
- Configure DNS records immediately at registration
- Begin warmup traffic after 1 week of the domain being live with DNS records active
This "aging" period gives receiving servers time to index your domain, resolve your DNS, and establish that the domain exists for a purpose beyond sending email.
Practical Domain and Campaign Management for Sustained Deliverability
Running a cold email deliverability checklist once is necessary. Maintaining deliverability over weeks and months requires ongoing operational discipline. These are the protocols we enforce across MailDeck's managed infrastructure.
Domain Rotation Protocol
Every domain has a lifespan under cold email load. Planning for rotation before a domain burns prevents gaps in your sending capacity.
The Three-Pool System:
| Pool | Status | Activity | Duration |
|---|---|---|---|
| Active | Currently sending cold emails | Full campaign volume + warmup maintenance | 45-60 days |
| Reserve | Warmed and ready to activate | Warmup traffic only (5-10 engagement emails/day) | Until needed |
| Recovery | Pulled from active sending | Warmup only, no cold volume | 4-6 weeks minimum |
Scaling Volume Safely
Adding more volume requires adding more infrastructure first. Never increase sends per inbox. Instead, add more inboxes and more domains.
The wrong way to scale from 50K to 100K sends/month:
Double the sends per inbox from 5 to 10. This burns inboxes and domains twice as fast.
The right way to scale from 50K to 100K sends/month:
Double the number of inboxes and domains while keeping per-inbox volume constant. At MailDeck, the Growth Diversified Stack provides 933 inboxes across Outlook, SMTP, and Google Workspace for $400/month, supporting 100K+ sends at safe per-inbox limits.
List Hygiene as a Continuous Process
List verification is not a one-time pre-campaign task. Addresses decay. People change jobs. Domains expire. A list verified 90 days ago has an estimated 5-8% decay rate.
Continuous hygiene protocol:
- Verify every list before import using EmailShield
- Remove hard bounces from all lists within 24 hours of detection
- Suppress soft bounces after 3 consecutive failures
- Re-verify any list older than 60 days before re-use
- Maintain a global suppression list synced across all sequencers and campaigns
- Remove role-based addresses (info@, admin@, support@) before every campaign
- Flag and isolate catch-all domains into a separate sending pool with reduced daily volume
Sequencer Configuration
Your sequencer (Instantly, Smartlead, Saleshandy, or any SMTP-compatible tool) is a scheduler. It does not affect deliverability directly. But misconfigured sequencer settings can override the safe sending limits your infrastructure supports.
Critical sequencer settings to verify:
- [ ] Daily send limit per inbox matches your infrastructure type (see item 10)
- [ ] Minimum interval between sends is set to 61+ minutes
- [ ] Randomization is enabled at 15-25%
- [ ] Open tracking is OFF (especially for Outlook sends)
- [ ] Click tracking is OFF or uses your custom tracking domain
- [ ] Bounce handling removes hard bounces automatically
- [ ] ESP matching is OFF for Outlook inboxes (Outlook-to-Outlook targeting amplifies spam rate)
How to Use This Checklist
Before launching a new campaign: Run items 1-14. Every item should pass before the first email goes out.
Weekly: Run item 15 monitoring checks. Review per-domain metrics. Pull underperforming domains.
Monthly: Re-audit DNS records (item 1-4). Rotate domains preventively. Replenish reserves.
When deliverability drops suddenly: Run the full 15-point checklist again. In our experience managing 3,000+ domains, sudden drops are almost always caused by one of these three issues: a DNS record was accidentally changed or deleted (items 1-4), sending volume spiked beyond safe limits (items 10-11), or a domain hit burn thresholds and was not rotated in time (item 15).
FAQ
How do I check my cold email deliverability before sending?
Run the 15-point checklist in this article before every campaign launch. At minimum, verify SPF, DKIM, and DMARC records pass authentication using MXToolbox or EasyDMARC. Send test emails to seed accounts across Gmail and Outlook to confirm inbox placement. Check your sending domain and IP against major blacklists (Spamhaus, Barracuda, SORBS). At MailDeck, we run this full audit across 3,000+ domains before any inbox goes live, which is how we maintain 98% inbox placement across 50M+ emails monthly.
What DNS records do I need for cold email deliverability?
Three records must be configured correctly: SPF (specifies which servers can send on your domain's behalf, must end with -all or ~all), DKIM (adds a cryptographic signature to every outgoing email), and DMARC (tells receiving servers what to do with emails that fail SPF or DKIM). Our audit of 1,000+ cold email domains found that 67% had at least one critical authentication error. The most common: 23% had multiple SPF records on one domain, which automatically invalidates SPF entirely.
How many emails can I send per day without hurting deliverability?
Safe daily limits depend on your inbox type. Google Workspace: 18-22 cold emails per inbox per day. Microsoft 365 Premium: 8-10. Microsoft 365 Normal: 3-5. Private SMTP: 11-14. These limits come from MailDeck platform data across 833K+ managed inboxes. Exceeding these thresholds triggers spam classification at the provider level, and recovery takes 2-4 weeks of reduced volume.
How often should I rotate domains for cold email?
At enterprise scale (100K+ emails/month), 10-20% of domains burn monthly. Domain lifespan under active cold email load is 45 days to 2 months. Keep 20-25% of your active domain count as warmed reserves ready to swap in same day. Without reserves, replacement takes 7-10 days including warmup. Monitor these burn thresholds: spam complaint rate above 0.3%, bounce rate above 7%, or open rate below 10% for 7+ consecutive days. For a deeper dive, see our complete domain rotation guide.
What is a good inbox placement rate for cold emails?
Industry average inbox placement for cold email sits around 75-85%. Top-performing operations hit 90-98%. MailDeck maintains 98% inbox placement across 50M+ emails monthly by combining infrastructure diversification (Microsoft 365 + Google Workspace + SMTP), automated DNS verification before first send, and strict per-inbox sending limits. If your placement drops below 85%, your infrastructure or authentication likely has a fixable issue.
Does email infrastructure affect cold email deliverability?
Infrastructure determines roughly 60% of your deliverability outcome. The inbox type you send from carries inherited IP reputation: Google Workspace and Microsoft 365 use official IP pools trusted by every major receiving server. Private SMTP uses dedicated IPs that start with zero reputation. The remaining 40% comes from domain health and copy quality. Choosing the right infrastructure is the single highest-leverage deliverability decision you can make. Read more about cold email infrastructure setup on our main site.
Methodology
Data in this article comes from the MailDeck platform: 833K+ managed inboxes, 3,000+ domains, 1,631+ clients, 50M+ emails delivered monthly. DNS audit data is based on a scan of 1,000+ client domains conducted in Q4 2025. Sending limits, warmup timelines, and burn thresholds are derived from aggregate platform performance data across Q4 2025 through Q2 2026. Inbox placement rates reflect weighted averages across all three infrastructure types (Microsoft 365, Google Workspace, Private SMTP). Client case study data is anonymized with permission. Individual results vary based on list quality, copy, and target audience.
Last updated: April 2026
Ready to Scale Your Email Infrastructure?
Join top outbound teams using MailDeck for enterprise-grade deliverability.
Get Started