A cold email that lands in spam might as well not exist. Most outbound failures blamed on copy or list quality are actually deliverability failures, and most of those are fixable in an afternoon if anyone bothers to look. This guide walks through the fundamentals every cold sender should understand: SPF, DKIM, DMARC, warmup, sender reputation, and the patterns that consistently drop you into the spam folder. It is genuinely educational. We don't ship deliverability infrastructure — Prsona generates the email, you send through your own inbox — so the goal here is to make you better at the part we don't do.
Key takeaways
- SPF, DKIM, and DMARC are the three DNS records that prove you're allowed to send from your domain.
- Warmup matters because mail providers weight the recency and consistency of legitimate engagement on a sending domain.
- Inbox placement and delivery are not the same. “Delivered” in your sequencer can still mean spam folder.
- Sender reputation is per-IP and per-domain. Burning one sometimes burns both.
- Most spam-flag triggers are content-shaped: too many links, too many merge tokens, too many unsubscribe-bait phrases.
The three records that have to be right
Every domain that sends email needs three DNS records configured before any cold campaign goes out: SPF, DKIM, and DMARC. Skip these and your email is either rejected outright or routed straight to spam. The good news: setting them up is a one-time job that takes about thirty minutes if you have access to your DNS host.
SPF (Sender Policy Framework)is a TXT record that lists which servers are allowed to send email on behalf of your domain. If a receiving server gets an email claiming to be from you but the sending IP isn't in your SPF list, that's a flag. SPF is necessary but insufficient — it doesn't prove the email content wasn't modified in transit.
DKIM (DomainKeys Identified Mail)is a cryptographic signature attached to every outgoing email. The receiving server uses your public key (also published in DNS) to verify the signature and confirm the email wasn't altered. Without DKIM, your emails are trivially forgeable.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer on top of SPF and DKIM. It tells receiving servers what to do when a message fails SPF or DKIM checks (reject, quarantine, or none) and where to send reports. The full DMARC specification is published by the IETF as RFC 7489and there's a non-technical primer at dmarc.org if you want a deeper read.
Common mistake: DMARC set to none and forgotten
A surprising number of teams set DMARC policy to “none” — which means “observe, don't enforce” — and never come back to change it. None mode is fine as a transition policy while you're verifying that legitimate mail authenticates. It's a bad permanent state because it gives you the reporting without the enforcement, and most mail providers now visibly downgrade trust on domains that publish DMARC at none long-term. Move to quarantine, then reject, once your reports show all legitimate mail passing.
Warmup: what it is and why it matters
A brand-new sending domain has no reputation. The mail providers (Gmail, Outlook, Yahoo) don't trust it yet. If you start sending two hundred cold emails a day from a domain that didn't exist last month, the providers' spam filters interpret the spike as a malicious sender and block or filter you immediately.
Warmup is the process of building reputation gradually: starting at a handful of emails per day, ramping over weeks, with a meaningful share of those emails being engaged-with (opened, replied to, marked as not spam). The goal is to teach the mail providers that this domain is a real business sender, not a spam operation.
Modern warmup tools simulate this engagement automatically by routing emails through a network of inboxes that open and reply on a schedule. That's a category of tool we don't build at Prsona. If you need it, the AI sales tools roundup at our resources page covers the dedicated deliverability vendors. The honest framing: cold email at volume requires either a warmup partner or a multi-month organic warmup you do by hand. Skipping the step is the most common reason new outbound programs fail in their first quarter.
What hurts inbox placement after the records are in place
Even with SPF, DKIM, DMARC, and warmup in good shape, four common patterns push otherwise-clean campaigns into the spam folder. Each has its own diagnostic.
Inbox placement vs delivery
Sales engagement platforms report “delivered” numbers that look healthy: 98 percent, 99 percent, sometimes higher. That number is mostly useless. “Delivered” means the receiving mail server accepted the message. It does not mean the message reached the inbox. A message routed straight to spam is “delivered” in those reports but invisible to the prospect.
The metric that matters is inbox placement. Tools that test inbox placement send seed emails to monitored mailboxes across Gmail, Outlook, and Yahoo and report what percentage landed in the primary inbox versus promotions, updates, or spam. Run inbox placement tests at the start of every campaign, not just on the day you set up the domain. Placement drifts as the program runs, especially if reply rate drops or unsubscribes spike.
Sender reputation and how it gets burned
Sender reputation is tracked per-IP and per-domain. A single sending IP with a good ten-year history can absorb a bad week. A new domain on a shared IP has no buffer — one bad campaign tanks the score for everyone on that IP.
The reputation triggers that hurt fastest are spam complaint rate (anything above 0.1 percent is a red flag for Gmail), bounce rate (above 2 percent indicates a stale list), and unsubscribe rate paired with low engagement (which the providers read as “people don't want this”). Google operates a postmaster console that shows your reputation and domain-level reputation reports for any sender at meaningful volume; you can read up on it at postmaster.google.com. If you're running cold email at any scale and you don't check Postmaster Tools weekly, you're flying blind.
Worked example: when to stop and warm again
A campaign that started with a 25 percent open rate and a 12 percent reply rate drops over four weeks to a 9 percent open rate and a 2 percent reply rate. The team blames the copy and rewrites the opener. The actual issue is reputation drift: the domain is now flagged in enough Gmail accounts that subsequent emails go to spam. The fix is not new copy. The fix is pausing volume, restarting warmup, and resuming at a third of the previous volume. Most teams never run the diagnostic — they keep sending and watch the numbers fall.
Content patterns that trigger spam filters
Spam filters are content-aware. The patterns that flag are well-known and mostly avoidable.
- Too many links. One link in a cold email is fine. Three or more in a hundred-word email reads as promotional.
- Image-heavy emails. Cold emails should be plain text or near-plain HTML. A cold email with banner images and a logo is structurally a marketing email.
- Trigger phrases. “Free,” “guarantee,” “limited time,” “act now,” and the rest of the marketing-mail glossary all carry weight.
- Tracking pixels. Open tracking is a pixel that loads from a third-party domain. Some providers downgrade messages with tracking pixels, especially if the pixel domain has a thin reputation. Sending without tracking on cold campaigns is becoming the default for serious senders.
- Broken merge fields. “Hi [first name]” that didn't merge tells the filter (and the prospect) the email is automated.
The list hygiene problem
Bad lists kill deliverability faster than bad copy. Every email sent to a non-existent address is a hard bounce, and hard bounces accumulate against your reputation. Lists pulled from data providers that haven't verified the email recently can have bounce rates of 15 percent or higher, which is enough to wreck a domain in a single send.
The fix is verification before send. Bulk verification tools cost a few dollars per thousand addresses and are non-negotiable for any list you didn't collect yourself. The other half of hygiene is suppression — keeping a do-not-email list of past unsubscribes, hard bounces, and uninterested replies. A team that sends to the same dead address three times across three quarterly campaigns is doing structural damage to its sending reputation.
One-domain-per-purpose
Mature outbound teams separate sending domains by purpose. The transactional mail (receipts, password resets) goes from one domain. The marketing mail (newsletters) goes from another. The cold outbound goes from a third — often a lookalike domain (yourcompany-sales.com instead of yourcompany.com) so that a deliverability hit on the cold program doesn't take down the transactional mail your business depends on.
This is overkill for a solo founder doing fifty touches a week. It's essential for a team running multiple SDRs at meaningful volume. The decision point is around the moment cold email volume exceeds the transactional volume — at that point, the cold mail is what mail providers see when they think of your domain, and that's when you want separation.
Where Prsona fits, honestly
Prsona generates the cold email and pulls the prospect signal. We do not ship sending infrastructure, warmup, or deliverability monitoring. The email you generate goes from your own inbox or sequencer, and the deliverability of that send is governed by the records and warmup status of your domain, not by us. That's an intentional scope choice. If you want a single tool that handles drafting and sending and warmup, it's a different category of product. We focus on the drafting half because that's the half most existing tools do worst.
The thirty-minute deliverability checklist
If you do nothing else, run through this list before your next campaign:
- Confirm SPF, DKIM, and DMARC are configured. Test with a free authentication checker.
- Verify the entire list with a bulk email verification tool.
- Send the first batch at low volume — 20 to 30 emails — and monitor open and reply rates.
- Check Postmaster Tools (or your domain's equivalent) for reputation flags.
- Run an inbox placement test before scaling up.
- Strip tracking pixels and excess links from the templates.
- Set up a suppression list and update it after every campaign.
One last note
Deliverability is the unglamorous part of outbound. Nobody gets promoted for setting up DMARC. But every reply you don't get because your email went to spam is a deal you didn't close, and the math on that compounds quickly. Most cold-email programs that fail in their first quarter fail on this dimension, not on copy. If you want a single thing to invest in before you write your next batch of emails, it's thirty minutes on the records and the list.
Want to see Prsona in practice?
Try Prsona free. Generate the draft. Send from your own inbox. Solo plan is free, 10 lifetime credits, no card.