Cold email deliverability checklist for 2026, the complete guide

Bulk Email Boxer Team · 13 min read

If your cold email open rate is under 30%, your problem isn't your copy; it's deliverability. Mailbox providers (Gmail, Outlook, Yahoo) decide where your mail lands long before a human ever sees the subject line. In 2026 that decision is driven almost entirely by ten technical signals.

This is the complete checklist. Walk it top to bottom: the items near the top have the biggest leverage, and skipping any one of them in 2026 will quietly cap your inbox placement somewhere between "tolerable" and "spam folder."

Most of these are one-time DNS or settings changes. The few that are ongoing (warmup, bounce hygiene, engagement) are exactly what Bulk Email Boxer automates so you don't have to think about them.

This checklist is the tactical companion to our Complete Guide to Cold Email Deliverability.


1. SPF on the sending domain

SPF (Sender Policy Framework) is a DNS TXT record that lists every IP address or hostname allowed to send mail from your domain. When a receiving server gets your message, it checks: does the sending IP match the SPF record? If yes, you pass. If no, you fail SPF, which is one of three votes against you (the other two being DKIM and DMARC).

For Google Workspace senders (the most common cold-email setup):

v=spf1 include:_spf.google.com ~all

For Microsoft 365:

v=spf1 include:spf.protection.outlook.com ~all

For a custom SMTP relay you connect through Bulk Email Boxer (e.g., Fastmail, Zoho, Namecheap):

v=spf1 include:<provider's spf domain> ~all

Anti-patterns to avoid

  • -all (hard-fail) on a domain that has any forwarding set up. Even a single [email protected] redirect to Gmail will silently break SPF when forwarded mail is re-checked. Stay with ~all (soft-fail) unless you fully control every send path.
  • More than one SPF record per domain. SPF doesn't allow this; receivers will see "permerror" and treat your mail as unauthenticated. If you need to authorize multiple services, combine them into a single record with multiple include: clauses.
  • SPF lookups exceeding 10. Each include: mechanism counts toward a hard limit of 10 DNS lookups. Add too many and you hit permerror. Use our DNS lookup tool to count yours.
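
The three anti-patterns above can be checked mechanically. The following is an added example, not code from the original page or from Bulk Email Boxer: it lints an SPF policy against constructed TXT data (the `.test` names and the `ZONE` table are placeholders, so it runs without DNS). It goes slightly beyond the text by also counting a, mx, ptr, exists and redirect toward the 10-lookup limit, as RFC 7208 does.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 s4.6.4

# Constructed TXT data standing in for DNS answers (all names are placeholders).
ZONE = {
    "good.test": ["v=spf1 include:_spf.mail.test ~all", "site-verification=abc"],
    "_spf.mail.test": ["v=spf1 include:_nb1.mail.test include:_nb2.mail.test ~all"],
    "_nb1.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "dup.test": ["v=spf1 include:_spf.mail.test ~all", "v=spf1 mx ~all"],
    "heavy.test": ["v=spf1 " + " ".join(f"include:svc{i}.test" for i in range(11)) + " -all"],
}
ZONE.update({f"svc{i}.test": [f"v=spf1 ip4:203.0.113.{i} ~all"] for i in range(11)})


def lint_spf(domain, zone, path=()):
    """Return (dns_lookups, problems) for the SPF policy published at domain."""
    recs = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(recs) != 1:
        return 0, [f"{domain}: {len(recs)} SPF records, need exactly 1 (permerror)"]
    if domain in path:
        return 0, [f"{domain}: include loop"]
    lookups, problems = 0, []
    for term in recs[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        m = re.match(r"([A-Za-z][A-Za-z0-9]*)(?:[:=]([^/\s]+))?", term.lstrip("+-~?"))
        if not m:
            continue
        name, target = m.group(1).lower(), m.group(2)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect") and target:
            # Lookups inside an included record count against the same budget.
            sub_lookups, sub_problems = lint_spf(target, zone, path + (domain,))
            lookups += sub_lookups
            problems += sub_problems
        if name == "all" and qualifier == "-" and not path:
            problems.append(f"{domain}: -all hard-fail; use ~all unless every send path is yours")
    if not path and lookups > 10:
        problems.append(f"{domain}: {lookups} DNS lookups, limit is 10 (permerror)")
    return lookups, problems


if __name__ == "__main__":
    for name in ("good.test", "dup.test", "heavy.test"):
        print(name, lint_spf(name, ZONE))
```
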

Want a plain-English explainer? See the SPF entry in our glossary.


2. DKIM signing

DKIM (DomainKeys Identified Mail) puts a cryptographic signature on every outgoing email. Receiving servers fetch your public key from DNS, verify the signature, and confirm: yes, this message actually came from this domain, and nobody tampered with it in transit. Skip DKIM and Gmail treats your mail as "unauthenticated," which is essentially synonymous with "spam."

For Google Workspace (5-minute setup): follow our step-by-step DKIM setup for Google Workspace guide. The short version:

  1. admin.google.com → Apps → Google Workspace → Gmail → Authenticate email.
  2. Select your domain. Click Generate new record. Choose 2048-bit key length.
  3. Copy the DNS TXT record Google generates.
  4. Publish it at <selector>._domainkey.yourdomain.com in your DNS.
  5. Wait 10 minutes for DNS propagation, then click Start authentication in the admin console.

Verify DKIM is working: send a test email to a Gmail address. In Gmail, open the message → click the three dots → Show original. Look for DKIM: 'PASS' with domain yourdomain.com. If you see none or fail, the DNS record didn't propagate or the selector is wrong.

Key rotation

Best practice is to rotate DKIM keys annually. Most cold-email operators forget, and a never-rotated key is a soft signal of low operational hygiene.


3. DMARC alignment + reporting

DMARC ties SPF and DKIM together. It tells receiving servers two things: (1) what should you do with mail from my domain that fails both SPF and DKIM? and (2) send me aggregate reports of who's trying to send mail using my domain. The second part is the underrated one: it's how you discover spoofing attempts and misconfigured legitimate services.

Recommended starter record:

v=DMARC1; p=none; rua=mailto:[email protected]; pct=100; fo=1; aspf=r; adkim=r

Publish this at _dmarc.yourdomain.com as a TXT record.

The policy progression

Start at p=none for at least 2 weeks. Read the aggregate reports (a service like Postmark's free DMARC Digests makes them human-readable). Once you confirm that legitimate sources are all authenticated, move to p=quarantine for 2-4 more weeks, then optionally p=reject.

  • p=none → just observe, no enforcement
  • p=quarantine → unauthenticated mail goes to spam
  • p=reject → unauthenticated mail is bounced

Most cold-email senders should sit comfortably at p=quarantine. Moving to p=reject requires confidence that every legitimate source is correctly authenticated; one missed forwarder will bounce real mail.

Why DMARC reporting matters even pre-launch

If someone is spoofing your domain (using yourdomain.com in the From: header without authorization), DMARC aggregate reports will surface that within days. For brand-protection alone, the cost of publishing a DMARC record is zero.
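
Reading the aggregate reports during the p=none phase comes down to one question per source IP: did either aligned check pass, and if not, is the source one of yours? The following is an added example, not code from the original page or from Bulk Email Boxer. It triages a constructed report in the RFC 7489 aggregate layout; `known_sender_ips` is a hypothetical set of addresses your own services send from, and real reports may carry XML namespaces this sketch does not handle.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed report in the RFC 7489 aggregate layout; IPs are documentation ranges.
ROW = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
       "<disposition>none</disposition><dkim>{dkim}</dkim><spf>{spf}</spf>"
       "</policy_evaluated></row><identifiers><header_from>yourdomain.com</header_from>"
       "</identifiers></record>")
SAMPLE_ROWS = [
    ("192.0.2.10", 120, "pass", "pass"),    # mailbox provider, fully authenticated
    ("192.0.2.20", 8, "pass", "fail"),      # forwarded mail: DKIM alone still passes DMARC
    ("198.51.100.7", 15, "fail", "fail"),   # a service you use, not yet authenticated
    ("203.0.113.99", 42, "fail", "fail"),   # nobody you know
]
REPORT = ("<feedback><policy_published><domain>yourdomain.com</domain><p>none</p>"
          "</policy_published>"
          + "".join(ROW.format(ip=i, n=n, dkim=d, spf=s) for i, n, d, s in SAMPLE_ROWS)
          + "</feedback>")


def triage(report_xml, known_sender_ips):
    """Split DMARC-failing traffic into your own misconfigured senders and everyone else."""
    # Reports arrive from arbitrary receivers; a hardened parser (e.g. defusedxml) suits production.
    root = ET.fromstring(report_xml)
    out = {"total": 0, "misconfigured": Counter(), "unrecognized": Counter()}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip", "")
        count = int(rec.findtext("row/count", "0"))
        results = (rec.findtext("row/policy_evaluated/dkim"),
                   rec.findtext("row/policy_evaluated/spf"))
        out["total"] += count
        if "pass" in results:          # DMARC passes when either aligned check passes
            continue
        bucket = "misconfigured" if ip in known_sender_ips else "unrecognized"
        out[bucket][ip] += count
    # Enforcing p=quarantine is only safe once none of your own senders are failing.
    out["safe_to_enforce"] = not out["misconfigured"]
    return out


if __name__ == "__main__":
    print(triage(REPORT, known_sender_ips={"192.0.2.10", "198.51.100.7"}))
```
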


4. RFC 8058 List-Unsubscribe headers, the 2024 sea-change

As of February 2024, Gmail and Yahoo enforce one-click unsubscribe for any sender exceeding 5,000 messages/day. The mechanism is two specific SMTP headers stamped on every send:

List-Unsubscribe: <https://yourdomain.com/unsub?u=...&t=...>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

This is separate from the unsubscribe link in your email body. A body-link unsubscribe still satisfies CAN-SPAM, but it does not satisfy Gmail/Yahoo's 2024 requirements. Without these headers, your inbox-placement rate drops 20-40% the moment you cross the volume threshold.

Bulk Email Boxer stamps both headers automatically on every send, signed with HMAC so they can't be spoofed. If you're running a homegrown setup, you'll need to either build this into your SMTP layer or use a tool that does it for you. Our List-Unsubscribe explainer covers the implementation details and edge cases.

Common mistakes

  • Putting only mailto: in List-Unsubscribe and skipping the HTTPS URL. Gmail's one-click feature requires the HTTPS form. Include both: <mailto:[email protected]>, <https://yourdomain.com/unsub?...>.
  • Returning a redirect on the unsubscribe POST. The receiver expects HTTP 200 directly. A 302 to a "you've been unsubscribed" page breaks the protocol for some clients.
  • Not processing the unsubscribe within seconds. Some receivers (especially Yahoo) re-check unsub status before next-send. A delay > 1 minute can result in re-sends being flagged.
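
For a homegrown setup, the header pair and the endpoint behind it fit in a few functions. The following is an added example, not Bulk Email Boxer's implementation: it assumes `u` carries a recipient identifier and `t` an HMAC-SHA256 token over it (the page elides both values), uses a constructed key, and handles only form-encoded POST bodies.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SECRET = b"constructed-demo-key"   # placeholder; load from a secret store in practice
BASE = "https://yourdomain.com/unsub"
suppressed = set()                 # stands in for the suppression list


def _token(recipient_id):
    return hmac.new(SECRET, recipient_id.encode(), hashlib.sha256).hexdigest()


def unsubscribe_headers(recipient_id):
    """Build the RFC 8058 header pair for one recipient."""
    query = urlencode({"u": recipient_id, "t": _token(recipient_id)})
    return {
        "List-Unsubscribe": f"<{BASE}?{query}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def handle_unsub(method, query_string, body):
    """Return the HTTP status for a request to the unsubscribe URL."""
    params = parse_qs(query_string)
    recipient_id = params.get("u", [""])[0]
    token = params.get("t", [""])[0]
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input.
    if not recipient_id or not hmac.compare_digest(
            token.encode(), _token(recipient_id).encode()):
        return 403                 # forged or altered link: change nothing
    if method != "POST":
        return 200                 # a GET (e.g. a link scanner) changes no state
    if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
        return 400
    suppressed.add(recipient_id)   # suppress immediately, before the next send
    return 200                     # answer 200 directly, never a 302


if __name__ == "__main__":
    headers = unsubscribe_headers("lead-42")
    print(headers)
    qs = headers["List-Unsubscribe"].strip("<>").split("?", 1)[1]
    print(handle_unsub("POST", qs, "List-Unsubscribe=One-Click"), suppressed)
```
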

You can generate an RFC 8058-compliant header pair for your own setup using our free Unsubscribe Header Generator.


5. Domain reputation, the long game

Sender reputation in 2026 is overwhelmingly domain-based. IP reputation still exists (and matters for transactional senders on dedicated IPs), but for cold email through your own Gmail / Outlook / SMTP mailboxes, what mailbox providers track is your domain's behavior over time.

Signals that build domain reputation:

  • Consistent send volume. No huge daily spikes from 0 to 500.
  • Low bounce rate. Under 2% hard bounces, sustained.
  • High engagement. Opens and replies trend up over time.
  • Authentication. Every send passes SPF + DKIM + DMARC.
  • List hygiene. Suppress unsubscribers and complainers immediately.

Signals that destroy it:

  • Spam-trap hits. Even one or two over a few weeks tanks reputation for months.
  • Spike-and-vanish patterns. Sending 500 emails one day and 0 the next.
  • High complaint rate. Even 0.3% of recipients clicking "Spam" will get you flagged.
  • Authenticated mail from new domains. Brand-new domains start at "neutral" and have to earn their way up. There's no shortcut.

Postmaster Tools, the source of truth

Sign up for Google Postmaster Tools (postmaster.google.com) for your sending domain. It exposes the actual reputation Google is tracking: spam rate, IP reputation, domain reputation, authentication pass rates. Most cold-email operators never look at this, which is wild given it's free and definitive.

For Yahoo / AOL: their feedback loop is private but you can sign up via senders.yahoo.com.

For Microsoft / Outlook: sendersupport.olc.protection.outlook.com/snds/ for SNDS data on outbound IPs.


6. Warmup, the 14-day plan

A new domain has zero reputation. Sending 200 cold emails on day one trips every spam filter on the planet. Real warmup looks like a deliberate ramp over 2-4 weeks, mixing peer-pool traffic (to simulate two-way engagement) with real cold leads (to start earning genuine signal).

The schedule Bulk Email Boxer uses by default (configurable per-mailbox):

| Day | Volume | Mix |
|---|---|---|
| 1 | 5 emails | ~80% peer pool, 20% real |
| 2-3 | 10-15 | 70% peer pool |
| 4-7 | 20-30 | 50/50 |
| 8-10 | 50 | 40% peer pool |
| 11-13 | 100-200 | 30% peer pool |
| 14+ | 300-500 | Full real send, peer pool only as needed |

Why peer-pool matters

A new mailbox sending exclusively cold mail looks like a spammer. A mailbox that's also receiving replies, getting starred, and having mails marked "Important" looks like a real person. The peer pool gives mailbox providers the second signal so they conclude you're a real human, not a bot.

This is the part homegrown setups can't replicate. Building a peer pool requires a network of opted-in mailboxes that auto-exchange messages, which is why the major cold-email tools (us, Smartlead, Instantly, Lemlist) all run one. Read our 14-day warmup deep-dive for the day-by-day mechanics.

When to skip warmup

Never, on a new domain. Even if the domain is "old" but has never sent email before (e.g., you registered yourcompany.com 5 years ago for the website but never sent mail), it's effectively new from a mailbox-provider perspective. Warm it.

The only legitimate skip case: the domain has been actively sending transactional mail (signup emails, password resets) for years and you're just adding cold outreach. Even then, warm for at least 7 days before going full volume.


7. Volume caps per mailbox

Even on a fully warmed domain, never exceed your provider's recommended daily limit per mailbox. The published limits are higher than the practical limits, because the practical limits are when spam filters start triggering, not when the SMTP gate refuses to send.

| Provider | Published daily limit | Practical daily limit for cold email |
|---|---|---|
| Gmail (free) | 500/day | 150-200/day |
| Google Workspace | 2,000/day | 300-400/day |
| Outlook / Office 365 | 10,000/day | 300/day |
| Outlook.com (free) | 300/day | 100/day |
| Yahoo Mail | 500/day | 100/day |
| Zoho Mail | 250/day | 150/day |

The "practical" limits are what cold-email patterns trip: bulk-similar content, low historical reply rates, recipients without prior contact. Your bank's transactional sends could blow past these limits all day without issue because they look totally different to spam filters.

If you need more volume

Add more mailboxes, not more per mailbox. Bulk Email Boxer supports unlimited mailboxes per workspace on every plan, exactly because this is the only safe way to scale cold-email volume without burning reputation. Use our daily send-limit calculator to figure out how many mailboxes you need for your monthly target.


8. Bounce hygiene

A bounce rate above 5% is a hard red flag to every receiver. Above 10% and you're getting flagged for poor list hygiene. The cost of an unverified list isn't just inbox-placement drag; repeated high bounce rates trigger receiver-side rate limiting that can persist for weeks after you fix the underlying problem.

Verify before you send

Run every new lead list through email verification before importing. The verifier should check:

  • Syntax: is [email protected] a valid format?
  • DNS / MX: does the domain even have a mail server?
  • Disposable detection: is this a 10minutemail.com / mailinator.com address?
  • Role-based filter: is this info@ or admin@ (low engagement, often a distribution list)?
  • SMTP-level mailbox probe: does the mailbox actually exist on the server?
  • Catch-all detection: does the domain accept mail for any address?
  • Spam-trap detection: known traps from public + private lists.

Bulk Email Boxer's built-in email verifier runs all 10 layers at a flat $6 per 1,000, ~25% cheaper than ZeroBounce or NeverBounce, with credits that never expire. Or use whatever verifier you already trust; what matters is you're verifying.

Suppress aggressively

Once you import a verified list and start sending, suppress on the first signal:

  • Hard bounce → permanent suppression, never retry.
  • Soft bounce → retry once after 24h, then suppress if still failing.
  • Complaint (Gmail/Yahoo feedback loop) → immediate permanent suppression.
  • Unsubscribe (link click or List-Unsubscribe-Post) → immediate, never re-send.

Bulk Email Boxer maintains a workspace-level suppression list that automatically populates from all four signals. You'll never accidentally email the same hard-bouncer twice across campaigns.

For the full vocabulary of bounce codes, see our glossary on hard bounce and the SMTP bounce decoder tool.


9. Reply rate, the metric mailbox providers actually weight

Open rate is broken (thanks to Apple Mail Privacy Protection pre-fetching pixels). Click rate is okay but inflated by link-scanning security tools. The only engagement signal mailbox providers fully trust in 2026 is reply rate.

A 5%+ reply rate is the floor for sustainable cold email. Below 3% and your reputation starts trending downward week-over-week, even with perfect technical setup. Above 8% and you're compounding upward; mailbox providers actively give you more inbox placement.

How reply rate compounds

This is the underrated dynamic. Every reply is a strong "this isn't spam, the recipient cares" signal. The recipient's mailbox provider sees the reply and upgrades your reputation. The compound effect: a campaign with strong replies in week 1 lands more inboxes in week 2, which gets more replies, which earns more inboxes, and so on.

This is also why generic mass-templated campaigns plateau. They get a 2% reply rate, hold reputation flat, and never break through. Personalized campaigns earning 8%+ replies create a flywheel.

What drives reply rate

  • Personalization beyond first_name. A real reference to the recipient's specific work.
  • Short emails. Under 100 words consistently outperform longer.
  • One clear ask. Multiple CTAs reduce reply rate.
  • No links in the first email. Link-heavy first emails feel marketing-y.
  • Send to verified ICP. Off-target prospects don't reply, period.

Our B2B cold-email templates post covers the patterns that hit 8-12% reply rates.


10. Content + spam triggers

Most "spam trigger word" lists circulating online are out of date or outright wrong. Modern spam classifiers don't pattern-match individual words ("free," "guarantee," "click here"); they use neural models that score the whole message against a learned distribution of spam.

But there are still real content patterns to avoid:

  • Excessive caps in subject lines. URGENT: Quick question!!! reads as spam to humans and classifiers.
  • Image-only emails. A subject + a single image with no body text scores high on spam. Use HTML with real text.
  • Shortened URLs. bit.ly, tinyurl.com, goo.gl links from cold senders are heavily penalized.
  • Generic high-volume domains in From:. [email protected] for cold B2B reads as a privacy-mask spammer. Use your real domain.
  • Mismatched Reply-To. If From: is [email protected] but Reply-To: is [email protected], that's a strong spam signal.
  • HTML-only with no plain-text alternative. Always send multipart/alternative. Use our HTML-to-plain-text tool to generate the text part.

Test before you launch

Run your draft through our free subject-line tester for spam-score grading. Or send a test campaign to a Mail-Tester inbox and aim for 10/10 before you send to real prospects.


The summary checklist

Print this and pin it. Before launching any cold-email campaign:

  • SPF record published on the sending domain, single record, ≤10 lookups
  • DKIM signing active (DKIM=PASS in Gmail "Show original")
  • DMARC published with rua= reporting address, policy at p=quarantine
  • List-Unsubscribe + List-Unsubscribe-Post headers stamped on every send
  • Domain warmed for at least 14 days before real cold volume
  • Volume capped per practical limits per mailbox provider
  • Lead list verified through 10-layer verification before send
  • Hard bounces suppressed immediately, never retried
  • Soft bounces retried once, then suppressed
  • Reply rate above 3% sustained; below = pause and improve copy or list
  • No image-only emails, no shortened URLs, no mismatched From/Reply-To
  • Postmaster Tools monitored weekly for reputation drift

Want this automated?

Every item in this list is something Bulk Email Boxer does for you by default: warmup runs automatically, RFC 8058 headers stamp on every send, bounce hygiene is enforced at the workspace suppression list, volume caps are per-mailbox-provider, and the built-in 10-layer verifier costs $6 per 1,000 with credits that never expire.

Start your free 14-day trial: no credit card, set up in 5 minutes, 100 emails/day cap on the trial.

