Cold emails going to spam trace back to six measurable causes, and the most common one is authentication. A MailDeck DNS audit of 1,000+ domains found 67% had at least one critical authentication error before we touched them. At MailDeck we manage 833.9K+ inboxes across 1,200+ domains for 1,631+ clients, sending 7.5M+ emails per day, and after fixing authentication and warmup we hold 98% inbox placement. This guide diagnoses the six real reasons your messages land in junk and gives the exact fix framework, in the order that recovers the most placement first.
Cold emails go to spam because of broken DNS authentication, low sender reputation, spam-trigger copy, skipped or rushed warmup, Outlook Defender pre-scanning your links and tracking pixels, and dirty lists that bounce. Fix them in that order. Authentication is a same-day fix that recovers the most placement per hour. Reputation and warmup take days to weeks. Copy is fast to fix but has to match the inbox type you send from.
This article covers each cause with the platform data behind it, a diagnostic table so you can find your specific problem in minutes, and a six-step repair procedure you can run yourself.
The 6 Real Reasons Cold Emails Are Going to Spam
Most guides list twenty tips with no priority. That wastes your time. Across 270M+ cold emails sent through the MailDeck platform, deliverability failures cluster into six causes, and they are not equally common or equally expensive to fix. The table below ranks them by how often they are the root cause and how fast the fix takes effect.
| # | Root cause | How often it is the primary problem | Fix speed | Where to check |
|---|---|---|---|---|
| 1 | Broken DNS authentication (SPF/DKIM/DMARC) | Most common. 67% of audited domains have a critical error | Same day (after DNS propagation) | MXToolbox, dig, Postmaster Tools |
| 2 | Low sender reputation / domain burn | Common at scale (100K+ sends/month) | Days to weeks | Google Postmaster Tools, Microsoft SNDS |
| 3 | Copy triggers (tracking, links, financial language) | Common on Outlook | Immediate (next send) | Your sequencer copy, Outlook test inbox |
| 4 | Skipped or rushed warmup | Common on fresh domains | 3 days to 3 weeks | Warmup tool dashboard, inbox age |
| 5 | Dirty list / high bounces | Common on scraped lists | Immediate (verify before send) | Bounce rate in sequencer |
| 6 | Wrong inbox type / shared IP | Structural | Requires migration | Inbox provider, IP model |
The golden rule that sits under all six: deliverability is determined by inbox type, domain health, copy quality, and list quality. Your sequencer is a scheduler. Instantly, Smartlead, Apollo, and Lemlist all send through the same SMTP handshake, so paying more for a sequencer will not move a message out of spam. The inbox type determines about 60% of deliverability. The other 40% is domain health and copy quality.
The rest of this guide takes the six causes one at a time.
Reason 1: Broken DNS Authentication (The 67% Problem)
Broken authentication is the single most common reason cold emails go to spam, and it is invisible until you look. A MailDeck DNS audit of 1,000+ domains found 67% had at least one critical authentication error. These are not exotic edge cases. They are the same handful of misconfigurations repeating across domain after domain.
Here is what we actually find, ranked by frequency across that audit.
| Rank | Error | Frequency | What it does |
|---|---|---|---|
| 1 | Multiple SPF records on one domain | 23% | Invalidates SPF entirely. Receivers see two records and fail the check |
| 2 | No DMARC record | 19% | No policy signal. Gmail and Yahoo bulk-sender rules now require DMARC |
| 3 | SPF ending with +all | 14% | Authorizes the entire internet to send as you. Filters treat it as spoofable |
| 4 | Exceeding 10 DNS lookups in SPF | 12% | SPF returns permerror and fails silently |
| 5 | DKIM not enabled | 11% | Messages are unsigned. No cryptographic proof of origin |
| 6 | DMARC stuck on p=none | 9% | Monitoring only. No enforcement, weaker trust signal |
| 7 | Wrong DKIM selector | 4% | Signature does not validate against the published key |
| 8 | SPF record too long (over 255 characters) | 3% | Record truncates and fails to parse |
| 9 | Missing MX records | 2% | Domain cannot receive, which some filters read as fake |
| 10 | DMARC rua email does not exist | 1% | Reports bounce, no aggregate data flows back |
Any one of these can send an otherwise clean campaign to spam. Since Google and Yahoo rolled out their bulk-sender requirements, missing DMARC alone is enough to get filtered, and a broken SPF record undermines the whole chain. The authoritative specifications are worth bookmarking: SPF is defined in RFC 7208, DKIM in RFC 6376, and DMARC in RFC 7489.
The fix is deterministic. One clean SPF record with fewer than 10 lookups and a hard fail (-all instead of +all), a valid DKIM key with the correct selector, and DMARC at p=quarantine or stronger with a working rua address. MailDeck automates SPF, DKIM, and DMARC configuration on every domain during onboarding and verifies end-to-end authentication before any email is sent, which is a large part of why placement holds at 98% from day one. For the full record syntax and a walkthrough of every error above, see our SPF, DKIM, DMARC setup guide for cold email.
Reason 2: Low Sender Reputation and Domain Burn
Reputation is the score mailbox providers assign your domain and IP based on how recipients react to your mail. When it drops, everything you send goes to spam regardless of copy or authentication. At enterprise scale, 10% to 20% of domains burn every month under active load, and a domain's usable lifespan under heavy sending runs 45 days to 2 months.
A domain is burning when it crosses any of these thresholds. These are the numbers we watch on the MailDeck platform.
| Signal | Burn threshold | Where to read it |
|---|---|---|
| Spam complaint rate | Above 0.3% | Google Postmaster Tools, Microsoft SNDS |
| Bounce rate | Above 7% | Sequencer, Postmaster Tools |
| Open rate | Below 10% for 7 or more days | Sequencer analytics |
| Domain reputation | "Bad" in Postmaster Tools | Google Postmaster Tools |
Once a domain crosses the line, you cannot copy-edit your way back. The move is to pause it, route sending to a warmed reserve domain, and let the burned domain cool. Replacement takes 1 to 3 days if you have warmed reserves ready and 7 to 10 days if you do not, which is why holding a reserve of 20% to 25% of your active domain count is not optional at scale. Google Postmaster Tools and Microsoft SNDS are the two dashboards that tell you the truth before the burn spreads.
Reputation also explains why one domain in a stack can tank while its neighbors stay healthy. Filters score at the domain and IP level, so isolating your best segments on separate domains protects them from a bad batch on another. That is the logic behind domain rotation and behind never sending your whole book from a single domain.
Client case: agency at 3,000 inboxes recovers placement
One outbound agency client running 3,000 inboxes across 40 domains came to us after a campaign-wide collapse. Their reply rate had fallen under 1% and half their sends were landing in spam. The DNS audit found the pattern from Reason 1 across most of their domains: 14 domains carried two SPF records each, 22 had no DMARC, and DKIM was misconfigured on a third of the fleet. On top of that, they were pushing every inbox to 15 cold sends per day, well past the safe 8 to 10 for Outlook Premium, and complaint rate on their two worst domains had passed 0.4%.
We rebuilt authentication across all 40 domains, paused the two burned domains and rotated their volume to fresh warmed reserves, and cut per-inbox volume back to 8 sends per day with a 61-minute minimum interval. Within three weeks inbox placement recovered to 97% on the healthy domains, the two paused domains cooled and re-entered rotation at day 12, and reply rate climbed back above 3%. The single largest lever was authentication, which alone moved roughly two-thirds of the recovery.
Reason 3: Copy Triggers, and Why Outlook Is Stricter Than Gmail
Copy is where senders lose Outlook placement fastest, because Outlook does something Gmail does not. Microsoft Defender and Safe Links pre-scan the message body before it reaches the inbox. A tracking pixel or a body link that Gmail tolerates gets an Outlook message routed to junk before the recipient ever sees it. This is the reason a campaign can hit the inbox on Gmail and the spam folder on Outlook at the same time.
The rules therefore differ by inbox type, and applying the wrong set burns inboxes. Google Workspace is the most permissive of the four products we run, because Google scores domain reputation over server or IP signals. Outlook is the strictest. The table below is the copy ruleset we enforce across the MailDeck platform.
| Copy element | Google Workspace | Outlook (Normal and Premium) | Private SMTP |
|---|---|---|---|
| Open tracking pixel | Safe to use | Never. Spikes Defender spam detection | Avoid |
| Links in body | Safe | Never. Triggers Safe Links scanner | Minimize |
| ESP matching (same-provider targeting) | Acceptable, slightly beneficial | Beneficial. Same-provider delivery routes internally and tends to place better | N/A |
| Dollar signs / financial language | Use with care | Never | Avoid |
| Email length | Short preferred | Max 50 words, treat like SMS | Under 50 words |
| Spintax | Helpful | Every 2 to 3 words, especially signatures | Every 2 to 3 words |
| HTML | Plain text base | Plain text only | Plain text only |
A few universal rules apply everywhere, on every provider. Keep the opener to 1 or 2 lines and the whole email to 25 to 50 words, because short messages look like real human mail and long ones read as a sales pitch. Use a casual, conversational tone, because corporate-sounding templates get filtered. Base everything on plain text, because HTML raises spam score across every receiving server. Make each email slightly different, because identical copy blasted to thousands of addresses is the pattern filters are built to catch.
If your Outlook messages are going to spam and your authentication is clean, copy is almost always the cause. Strip the tracking pixel, remove the body link, cut the word count, and add spintax. The change takes effect on the very next send.
Client case: SaaS founder recovers Outlook placement in days
A seed-stage B2B SaaS founder running a single-person outbound motion on 6 Outlook Normal inboxes across 2 domains told us his emails were "going straight to junk on Outlook" even though the same copy hit the inbox when he tested against his own Gmail. Authentication checked out clean. The problem was entirely copy. He was running open tracking to measure his sequence, including a "book a demo" link in the first email, and sending a 140-word pitch that mentioned pricing in dollars.
Every one of those triggers Outlook Defender. We turned off open tracking, moved the link out of the first touch and into a reply after interest, rewrote the email to 44 words with spintax on the signature, and dropped the dollar figure. He kept per-inbox volume at the safe 3 to 5 sends per day for Outlook Normal. Placement on his Outlook test seats went from junk to inbox on the next batch, and over the following week his reply rate on the sequence roughly doubled. No new infrastructure, no new domains, just copy matched to the inbox.
Reason 4: Skipped or Rushed Warmup
Warmup is how a new inbox and domain build the sending history that mailbox providers trust. Skip it or rush it and a fresh domain looks exactly like a spammer's throwaway domain, so filters route it to junk on the first cold send. Warmup is one of the top causes of spam placement on new setups, and the required window depends entirely on the inbox type.
| Inbox type | Minimum warmup | Ideal before first cold send | Why |
|---|---|---|---|
| Outlook Premium | 3 to 5 days | 10 to 14 days | Inherits established Microsoft tenant reputation |
| Outlook Normal | 5 to 7 days | 10 to 14 days | Same Azure IPs, slower license ramp |
| Google Workspace | 15 days | 20 to 25 days | Longest warmup, but highest deliverability once warm |
| Private SMTP | 3 to 4 weeks | 6+ weeks | Reputation built from zero, no inherited IP trust |
Two mistakes recur. The first is treating warmup as one-size-fits-all and sending cold from a Google domain after five days, which is a quarter of the window it needs. The second is using a bad warmup pool. Some warmup tools actively hurt deliverability by generating unnatural patterns, and a bad pool is worse than no warmup at all. Stick to trusted pools such as Smartlead Premium, Instantly, or Pipl.ai, and keep the warmup running in the background even after cold sending starts.
The reason MailDeck Outlook inboxes warm faster than a domain you spin up yourself is that they sit on official Microsoft Azure tenants with established sender reputation and official Microsoft IP pools that are whitelisted by default across virtually every receiving server. That inherited trust cuts Outlook Premium warmup to as little as 3 to 5 days instead of the 2 to 4 weeks a cold self-built domain needs. For the full protocols, ramp schedules, and pool settings by inbox type, see our guide on cold email warmup and what actually works in 2026.
Reason 5: Dirty Lists and High Bounce Rates
Bounces are the fastest way to destroy a domain's reputation. When you send to invalid addresses, mailbox providers read the pattern as a sender who did not clean the list, which is spammer behavior, and they start filtering everything from the domain. A bounce rate above 7% pushes a domain toward burn, and the safe ceiling to hold is under 2%.
The fix is upstream. Verify every address before it enters a sequence, and re-verify aged lists before you re-hit them. On the MailDeck side, we recommend re-hitting a list no more than every 90 days with fresh angles, because contacts churn and a list that verified clean in January carries dead addresses by April. A high bounce rate is a list problem, and no amount of warmup or authentication compensates for sending into a graveyard.
List quality also interacts with reputation in a way that compounds. A dirty list drives bounces, bounces drive reputation down, and low reputation sends even your valid addresses to spam. Clean the list and you break the loop at the source.
Reason 6: The Wrong Inbox Type or a Shared IP
The last cause is structural. If your infrastructure sits on a shared IP pool, one bad sender on that pool can drag your reputation down with theirs, and no fix on your end resolves it because the problem is a neighbor you cannot see. This is the core weakness of shared-IP providers. Reputation is pooled, so you inherit everyone else's mistakes.
Inbox type also sets a ceiling on how well you can ever place. Deliverability ranks in a consistent order across the platform.
| Rank | Inbox type | IP model | Relative deliverability |
|---|---|---|---|
| 1 | Google Workspace | Official Google IP pools | Baseline (best) |
| 2 | Outlook Premium | Official Microsoft IP pools | 15% to 20% behind Google |
| 3 | Outlook Normal | Official Microsoft IP pools | 20% to 25% behind Google |
| 4 | Private SMTP (dedicated) | Dedicated IP per client | 35% to 50% behind Google |
None of the MailDeck products use shared IPs. Outlook and Google Workspace inboxes send from official Microsoft and Google IP pools that are trusted by default across essentially every receiving server, and Private SMTP uses a dedicated IP per client so your reputation depends only on your own sending. The practical implication is to match the inbox to the audience: route your best segments and C-suite targets through Google Workspace, run high-volume bulk through Outlook, and use dedicated SMTP as a cheap buffer that absorbs spikes and protects your premium inboxes. The IP model changes the placement ceiling, so a shared-IP provider caps how well you can ever land no matter how clean your copy is.
How to Stop Cold Emails Going to Spam: The Fix Framework
Run these six steps in order. The order matters, because it front-loads the fixes that recover the most placement per hour of work. Skipping to step 3 before step 1 is why most senders stay stuck in spam.
Step 1: Audit DNS authentication
Check SPF, DKIM, and DMARC on every sending domain. Look specifically for the top errors from the 67% audit: multiple SPF records, SPF ending in +all, more than 10 DNS lookups, missing or unsigned DKIM, and DMARC stuck on p=none. Publish one clean SPF record with a hard fail, a valid DKIM key with the correct selector, and DMARC at p=quarantine or stronger. This is a same-day fix once DNS propagates.
Step 2: Check reputation and stop the burn
Open Google Postmaster Tools and Microsoft SNDS. If spam complaints exceed 0.3%, bounces exceed 7%, or open rate has sat below 10% for 7 or more days, the domain is burning. Pause it and rotate its volume to a warmed reserve. Do not try to nurse a burned domain back with better copy. It does not work.
Step 3: Strip copy triggers
Remove open tracking pixels, body links, and financial language. Cut every email to 25 to 50 words and add spintax every 2 to 3 words. On Outlook this is the difference between the inbox and the junk folder, because Defender and Safe Links scan before delivery. This fix takes effect on the next send.
Step 4: Warm up for the full window
Warm each inbox for its type: 5 to 7 days for Outlook Normal, 3 to 5 days for Outlook Premium, 15 to 25 days for Google Workspace, and 3 to 4 weeks for SMTP. Use only trusted warmup pools, and keep warmup running in the background after cold sending begins.
Step 5: Clean the list
Verify every address before sending and hold bounce under 2%. Re-verify aged lists before re-hitting them, and re-hit no more than every 90 days.
Step 6: Match inbox type to audience
Use official Microsoft or Google IP pools for primary sending instead of shared SMTP. Route best segments through Google Workspace, bulk through Outlook, and buffer spikes on dedicated SMTP.
For a printable version of this procedure that you can run as a repeatable audit, our 15-point cold email deliverability checklist covers each step with pass/fail criteria you can hand to a teammate.
What Recovery Actually Looks Like
The two client cases above show the two most common shapes of a spam problem. The agency case was infrastructure at scale: broken authentication across 40 domains, two burned domains past the complaint threshold, and inboxes pushed past their safe volume. The fix was systematic, took three weeks, and the largest single lever was authentication.
The founder case was pure copy: clean DNS, correct volume, but tracking pixels, body links, and financial language that Outlook Defender filtered on sight. The fix took one send cycle and cost nothing but a rewrite.
Most spam problems are one of these two shapes, or a combination. Diagnose which one you have before you spend money. A new sequencer will not fix authentication, and more warmup will not fix a tracking pixel. Match the fix to the actual cause, work the six steps in order, and placement recovers.
Frequently Asked Questions
Why are my cold emails going to spam?
Cold emails going to spam almost always trace back to one of six measurable causes: broken DNS authentication, low sender reputation, spam-trigger copy, skipped or rushed warmup, Outlook Defender pre-scanning links and tracking pixels, and dirty lists that bounce. The most common single cause is authentication. A MailDeck DNS audit of 1,000+ domains found 67% had at least one critical error, most often multiple SPF records (23%), no DMARC record (19%), or SPF ending in +all (14%). Fix authentication first, then reputation, then copy, because that is the order that recovers the most placement per hour of work.
How do I stop my cold emails from going to spam?
Work the six causes in order. Fix SPF, DKIM, and DMARC on every domain. Check Google Postmaster Tools and Microsoft SNDS for reputation and pause any domain past the burn thresholds (spam complaints above 0.3%, bounce above 7%, open rate below 10% for 7 days). Strip open tracking, body links, and financial language from copy and cut emails to under 50 words. Warm each inbox for its full window before the first cold send. Verify the list to hold bounce under 2%. MailDeck onboarding automates the authentication and warmup steps and delivers 98% inbox placement from day one.
How many cold emails can I send per day without going to spam?
Per-inbox limits depend on the inbox type. On MailDeck platform data, Outlook Normal inboxes safely send 3 to 5 cold emails per day, Outlook Premium 8 to 10, Google Workspace 18 to 22, and Private SMTP 10 to 15, with a minimum 61-minute interval between sends. The number that matters for spam is the per-inbox rate rather than the per-person total. Scale total volume by adding inboxes and domains rather than by pushing any single inbox harder. One Outlook domain runs 100 inboxes for roughly 800 sends per day, while one Google domain runs 5 inboxes for roughly 100 sends per day.
Do spam trigger words still matter in cold email?
Trigger words matter less than structure, but they still hurt on strict filters. Financial language, dollar signs, and salesy phrasing raise spam scores everywhere and are a hard rule to avoid on Outlook, where Defender pre-scans the message before delivery. The bigger structural triggers are open tracking pixels, links in the body, HTML-heavy templates, and identical copy sent to thousands of addresses. On MailDeck, the copy rules that protect Outlook inboxes are no tracking, no body links, no financial language, under 50 words, and spintax every 2 to 3 words.
Why do my cold emails go to spam in Outlook but not Gmail?
Outlook applies a pre-delivery scan that Gmail does not. Microsoft Defender and Safe Links inspect the message body before it reaches the inbox, so tracking pixels and links that Gmail tolerates get an Outlook message routed straight to junk. Google's filtering leans more on domain reputation and engagement, which is why links and open tracking are safe on Google Workspace but never safe on Outlook. Match the copy rules to the inbox. Applying Google-style copy to Outlook is one of the fastest ways to burn Outlook inboxes.
How long does it take to fix cold email deliverability?
Authentication fixes take effect within hours of DNS propagation. Reputation recovery takes longer. A domain past the burn thresholds usually needs to be paused and replaced, and rotating to a warmed reserve domain takes 1 to 3 days if reserves are ready or 7 to 10 days without them. A fresh domain needs its full warmup window before cold sending: 5 to 7 days for Outlook Normal, 3 to 5 days for Outlook Premium, and 15 to 25 days for Google Workspace. Plan on 1 to 3 weeks for a full recovery on a burned setup.
Methodology
All MailDeck data points in this article come from platform data as of Q3 2026: 833.9K+ managed inboxes across Microsoft 365 Outlook, Google Workspace, and Private SMTP; 1,200+ domains under management; 1,631+ clients; 7.5M+ emails sent per day; 270M+ cold emails sent lifetime; and 98% inbox placement after authentication and warmup.
The authentication error frequencies (67% of domains with a critical error, and the ranked breakdown of multiple SPF records at 23%, no DMARC at 19%, SPF +all at 14%, and the rest) come from a MailDeck DNS audit of 1,000+ domains. Domain burn thresholds (spam complaints above 0.3%, bounce above 7%, open rate below 10% for 7+ days, "Bad" reputation) and the 10% to 20% monthly burn rate reflect MailDeck platform observations at enterprise scale (100K+ emails per month). Per-inbox send limits, warmup windows, and copy rules are the current production settings by product.
Client cases are anonymized composites drawn from MailDeck client scenarios with specific figures adjusted to protect client identity. Every metric stays within the platform aggregate ranges above.
External references: SPF (RFC 7208), DKIM (RFC 6376), DMARC (RFC 7489), Google Postmaster Tools, and Microsoft SNDS. Pricing and platform figures are subject to change.
Last updated: Q3 2026.
Ready to Scale Your Email Infrastructure?
Join top outbound teams using MailDeck for enterprise-grade deliverability.
Get Started