The cold email deliverability setup that actually lands in Primary

Most cold email dies before anyone reads a word of it. Not because the copy was bad, but because the sending setup underneath was wrong. The filters decided the message was spam before a human ever got a vote.

This is the setup we run for every client campaign. None of it is secret. It is just unglamorous work that most teams skip, and it is the difference between a 0.5% reply rate and a 5% one.

Never send cold email from your main domain

The first rule costs nothing and saves everything. Your company domain carries years of reputation: it gets you into customer inboxes, password resets, invoices. Cold outreach is statistically guaranteed to generate some spam complaints, even when it is polite and targeted. Those complaints must never touch the domain your business runs on.

So you send from lookalike domains you buy for the purpose. If your company is acme.com, you send from domains like getacme.com or acmeteam.com, or from subdomains on roots you own. Either way, the reputation risk is contained in assets that cost about $9 a year to replace.

Three mailboxes per domain, no more

Mailbox providers track reputation per domain. Stack ten mailboxes on one domain and a problem with any of them drags down all ten. Spread them out and a burned mailbox is a contained incident.

Three mailboxes per sending domain is the ratio we use across every campaign we run. It is the reason a block of 50 mailboxes maps to roughly 17 dedicated domains. That sounds like a lot of domains until you compare it with the cost of your entire send landing in spam.

Authentication is not optional anymore

Since the big mailbox providers tightened bulk-sender rules, unauthenticated mail is dead on arrival. Three DNS records do the work:

• SPF lists which servers are allowed to send for your domain. One record, but easy to get subtly wrong when tools each want their own include.
• DKIM cryptographically signs each message so receivers can verify it was not altered and really came from you.
• DMARC tells receivers what to do when SPF or DKIM fail, and where to send reports. Start at p=none to observe, then move to quarantine once your sending is stable.

Every record should be verified before the first email goes out, not discovered broken three weeks in. A send from a domain with failing DKIM does not get a second chance.

Redirects and tracking domains: the details that quietly kill sends

Prospects who get a cold email often type the sending domain into a browser. If it resolves to nothing, that reads as disposable infrastructure, to people and to filters. Every sending domain should forward to your real website, and the forward needs to be masked properly, because a naive redirect chain is itself a spam signal.

The same logic applies to link tracking. Sequencers default to shared tracking domains used by thousands of other senders, some of whom are abusive. A custom tracking domain per sending domain keeps your click tracking on reputation you control.

Warmup: two to three weeks, no shortcuts

New mailboxes that immediately send hundreds of emails a day look exactly like what spammers do. Warmup services exchange realistic mail between real inboxes so your mailboxes build a normal-looking history first.

Two to three weeks is the honest number. Anyone promising you can safely blast from week one is selling you a burned domain with extra steps. If you genuinely need volume sooner, aged domains exist, but that is a purchase decision, not a warmup shortcut.

Volume: stay boring

A healthy, warmed mailbox can send 20 to 30 cold emails a day without raising eyebrows. Past that, deliverability decays fast, and the math never works in your favor: doubling daily volume per mailbox to save money on infrastructure routinely costs more than half the replies.

If you need more volume, add mailboxes. That is what blocks of 50 are for.

Why we disable open tracking

Open tracking works by hiding a tiny image pixel in your email. Filters know this, and the pixel itself hurts deliverability. The data it produces is also mostly fiction now, since Apple and Google prefetch images whether or not a human opened anything.

We turn it off on every campaign. Replies are the metric that matters, and replies cannot be faked by a prefetcher.

The checklist

• Sending domains separated from your company domain
• 3 mailboxes per domain
• SPF, DKIM, and DMARC verified on every domain before sending
• Masked forwards from every sending domain to your real site
• Custom tracking domains, or no link tracking at all
• 2 to 3 weeks of warmup
• 20 to 30 sends per mailbox per day, ramped gradually
• Open tracking off
• Copy scrubbed of spam triggers (run it through our free spam word checker)

You can build all of this yourself in a long weekend of DNS panels and documentation. Or it is the exact stack we set up and monitor for $1 a mailbox, live in under 24 hours, with free replacements when something burns. Either way, do not send a single email until the foundation is right.