Cold Email Deliverability: The Technical Guide You Can't Afford to Ignore
You can write the greatest email in history. Pulitzer-worthy prose. An offer so compelling it should be illegal. Personalization that makes the prospect think you've been stalking them (in a good way).
None of it matters if the email lands in spam.
Deliverability is the foundation everything else builds on. And it's more technical than most sales teams want to admit. So let's get into the weeds. The boring, technical, absolutely critical weeds.
How Email Actually Works (The Short Version)
When you hit "send," here's what happens:
- Your email client connects to your SMTP server
- Your SMTP server looks up the recipient's mail server
- Your server hands off the email to the recipient's server
- The recipient's server decides: inbox, spam, or reject
- If accepted, the email waits in the recipient's mailbox
The Authentication Trinity: SPF, DKIM, DMARC
These three acronyms determine whether major providers (Google, Microsoft, Yahoo) trust your emails. Ignore them at your peril.
SPF (Sender Policy Framework)
SPF answers the question: "Is this server allowed to send email for this domain?"
You publish an SPF record in your DNS. It lists the IP addresses and servers authorized to send email on your behalf. When a receiving server gets an email from your domain, it checks your SPF record. If the sending server isn't on the list, red flag.
Common SPF mistakes:
- Not having an SPF record at all (immediate trust penalty)
- Using `+all` or `?all` instead of `-all` (`+all` authorizes every server; `?all` is neutral and asserts nothing, so both amount to "maybe trust everyone")
- Including too many lookups (SPF has a 10-lookup limit; exceed it and the record breaks)
- Forgetting to include all your sending services (each tool you use needs to be in the record)
v=spf1 include:_spf.google.com include:sendgrid.net -all
Translation: Google and SendGrid can send for this domain. Everything else should be rejected.
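The mistakes listed above can be checked mechanically. The following linter is an added example, not part of the original article: the function name `lint_spf` is hypothetical, and it counts only the lookup-causing terms written in the record itself (it runs offline and does not resolve nested `include:` records, so the real lookup count can be higher).

```python
import re

# Terms that trigger a DNS query and count toward SPF's 10-lookup limit.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)


def lint_spf(record: str) -> tuple[int, list[str]]:
    """Return (top-level lookup count, findings) for one SPF TXT value."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, ["record does not start with v=spf1"]

    lookups, findings = 0, []
    all_qualifier, has_redirect = None, False
    for term in terms[1:]:
        match = TERM_RE.match(term)
        if not match:
            findings.append(f"unparseable term: {term}")
            continue
        qualifier = match.group(1) or "+"   # a bare mechanism means "+"
        name = match.group(2).lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_qualifier = qualifier

    if all_qualifier == "+":
        findings.append("+all authorizes every server on the internet")
    elif all_qualifier == "?":
        findings.append("?all is neutral: unlisted servers are not rejected")
    elif all_qualifier is None and not has_redirect:
        findings.append("no 'all' mechanism: unlisted servers get a neutral result")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup-causing terms exceed the limit of {MAX_LOOKUPS}")
    return lookups, findings


if __name__ == "__main__":
    # The article's record, then a constructed record with two of the mistakes.
    print(lint_spf("v=spf1 include:_spf.google.com include:sendgrid.net -all"))
    bad = "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " ?all"
    print(lint_spf(bad))
```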
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to your emails. It proves the email hasn't been modified in transit and actually came from your domain.
Here's how it works:
- You generate a public/private key pair
- You publish the public key in your DNS
- Your sending server signs outgoing emails with the private key
- Receiving servers verify the signature against your public key
- If verification passes, the email is authentic
Why DKIM matters:
- Prevents email spoofing (someone pretending to be you)
- Ensures message integrity (email wasn't altered)
- Major factor in Gmail and Outlook's trust calculations
Common DKIM mistakes:
- Weak key length (use 2048-bit minimum; 1024-bit is deprecated)
- Key rotation failures (when you rotate keys, ensure old emails in transit don't break)
- Misaligned selectors (the selector in your DNS must match what your server uses)
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails.
Your DMARC policy specifies:
- What percentage of emails to apply the policy to (start at a low percentage, ramp up)
- What to do with failures (none, quarantine, or reject)
- Where to send aggregate and forensic reports
Policy options:
- `p=none` — Monitor only. See what's failing without affecting delivery.
- `p=quarantine` — Failed emails go to spam, not inbox.
- `p=reject` — Failed emails get rejected entirely.
Why DMARC matters:
- Protects your domain reputation from spoofing attacks
- Gives you visibility into authentication failures
- Required by an increasing number of enterprise email gateways
_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100"
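To see how the tags in a record like this map onto the policy, percentage and reporting choices described above, here is a small reviewer for the TXT value. It is an added example, not part of the original article; the function names `parse_dmarc` and `review_dmarc` are hypothetical, and it checks only the tags this guide discusses (`v`, `p`, `pct`, `rua`).

```python
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT value into an ordered tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def review_dmarc(record: str) -> list[str]:
    """Return findings about policy strength, rollout percentage and reporting."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    # The version tag must come first, or receivers ignore the record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["record must start with v=DMARC1"]

    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"p= must be one of {', '.join(VALID_POLICIES)}")
    elif policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")

    pct = tags.get("pct", "100")  # pct defaults to 100 when omitted
    if not pct.isdecimal() or not 0 <= int(pct) <= 100:
        findings.append(f"pct={pct} is not an integer from 0 to 100")
    elif policy in ("quarantine", "reject") and int(pct) < 100:
        findings.append(f"policy applies to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be sent")
    else:
        for uri in tags["rua"].split(","):
            if not uri.strip().lower().startswith("mailto:"):
                findings.append(f"rua URI is not mailto: {uri.strip()}")
    return findings


if __name__ == "__main__":
    # The article's record: valid, but still in monitor-only mode.
    print(review_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100"))
```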
Beyond Authentication: The Reputation Factors
SPF, DKIM, and DMARC are table stakes. Everyone serious about email has them. What separates inbox from spam is reputation.
IP Reputation
Every email comes from an IP address. That address has a reputation score based on:
- Sending volume and patterns
- Bounce rates
- Spam complaint rates
- Engagement rates (opens, clicks, replies)
- Presence on blacklists
Shared IPs are used by multiple senders. Cheaper, but your reputation is tied to everyone else using that IP. If another user spams, you suffer.
Dedicated IPs are yours alone. More expensive, but full reputation control. Requires proper warming (you're building reputation from scratch).
For cold email, dedicated IPs or local sending infrastructure is usually worth the investment.
Domain Reputation
Separate from IP reputation, your domain itself has a reputation score. Google's algorithms track how recipients engage with emails from your domain across all IPs.
Domain reputation factors:
- Overall engagement rates
- Spam complaint rates
- Sending consistency (sudden volume spikes hurt)
- Content quality signals
- User reports (marking as spam, moving to inbox)
Content Signals
Email providers analyze your content for spam indicators:
Trigger words: "Free," "Guarantee," "No obligation," "Act now," excessive punctuation (!!!), ALL CAPS. These don't automatically put you in spam, but they raise the spam score.
Image-to-text ratio: All-image emails look spammy. Maintain a healthy text-to-image balance.
Link quality: Links to suspicious domains, URL shorteners, or mismatched domains (display URL doesn't match actual URL) hurt deliverability.
HTML quality: Broken HTML, missing plain-text versions, suspicious formatting. Clean code matters.
The Infrastructure Decisions That Matter
Your technical setup impacts deliverability more than most teams realize.
Mailbox Provider Choice
Google Workspace and Microsoft 365 are the enterprise standards. They have good reputations by default and provide the authentication tools you need.
Avoid:
- Cheap shared hosting email (poor IP reputation)
- Brand-new providers without established trust
- Any provider that doesn't support full SPF/DKIM/DMARC
Sending Infrastructure
Cloud email tools are convenient but come with tradeoffs:
- Shared IP pools (reputation risk)
- Volume throttling (limits how fast you can send)
- Additional authentication hops (can complicate SPF)
DNS Management
Your DNS host affects how quickly authentication record changes propagate. Use a reliable DNS provider with fast propagation times.
Common DNS mistakes:
- Too many DNS lookups (SPF limit is 10)
- Syntax errors in records (one typo breaks everything)
- Long TTL (time-to-live) settings delaying updates
- Missing or duplicate records
Monitoring and Maintenance
Deliverability isn't set-and-forget. It requires ongoing monitoring:
Regular Checks
Weekly:
- Delivery rates by domain (Gmail, Outlook, Yahoo)
- Bounce rates (hard bounces damage reputation immediately)
- Spam complaint rates (should be under 0.1%)
- Authentication test (use tools like Mail-Tester or GlockApps)
- Blacklist checks (ensure your IPs/domains aren't listed)
- Reputation scores (Google Postmaster Tools, Microsoft SNDS)
- Full deliverability audit
- Authentication record review
- Infrastructure assessment
Tools Worth Using
Google Postmaster Tools: Free insights into how Gmail treats your emails. Shows domain reputation, spam rates, authentication success.
Microsoft SNDS (Smart Network Data Services): Microsoft's equivalent for Outlook/Hotmail delivery data.
Mail-Tester.com: Quick deliverability tests. Send an email to their test address; get a spam score and recommendations.
GlockApps: More comprehensive deliverability testing across multiple providers.
Troubleshooting Deliverability Issues
When things go wrong, here's how to diagnose:
Problem: Sudden delivery drop
- Check if your domain or IP is blacklisted
- Review recent volume changes (did you send way more than usual?)
- Look for authentication failures in your logs
- Analyze your content for spam triggers
- Check engagement rates (low engagement = spam folder)
- Verify authentication is working properly
- Review your sending patterns
- Clean your list (old emails go bad)
- Verify email addresses before sending
- Check if you're hitting rate limits
- Check provider-specific reputation tools (Postmaster for Google, SNDS for Microsoft)
- Review their bulk sender guidelines
- Contact their postmaster if unfairly blocked
The Bottom Line
Deliverability is technical, tedious, and absolutely non-negotiable. You can have the best product, the best offer, the best copy in the world. If your emails don't arrive, none of it matters.
Get your authentication right. Monitor your reputation. Maintain your infrastructure. Treat deliverability as the foundation it is, not an afterthought.
The teams that master this invisible technical layer are the teams whose emails actually get read. The rest are just shouting into the void.
Which team are you on?
---
Suplex handles deliverability infrastructure automatically, including authentication setup and reputation monitoring. Focus on your message; we'll handle the technical stuff.